Installing Windows Azure Directory Sync (dirsync) Tool
Office 365 depends on Azure Active Directory for authentication to all its clouds offering. Hence it is absolutely mandatory to prepare your users in the cloud before you start using any of their cloud services. Though Microsoft offers a free domain for each subscription, but they are actually child domain of onmicrosoft.com. Hence in most cases, we need to keep our owned domain associated to Office 365 services and therefore the directory synchronization is the first step in achieving this. Every existing on-premise infrastructure will have a deployment of Active Directory to which all network objects depends. It’s not easy to give up such setup and adopt cloud Active Directory. Hence Microsoft has neatly provided tools to sync up the users to cloud along with their passwords and other attributes.
Directory Synchronization Road Map
By using the Microsoft Azure Active Directory Sync tool, your company’s administrators can keep your on-premises Active Directory continuously synchronized with Azure AD. Directory synchronization is intended as an ongoing relationship between your on-premises environment and Azure AD. Active Directory synchronization should be considered a long-term commitment to coexistence scenarios between your on-premises Active Directory and cloud. After you have activated directory synchronization, you can only edit synchronized objects in your on-premises environment.
1. Preparation Work
a) Permission required
- You need a domain admin account to your on-premise Active Directory
- You need a tenant admin account to your office 365 subscription
b) Download DirSync
- Log into the Office 365 Admin Portal
- Navigate to Users & Groups > Manage>Active Directory synchronization Set Up
- Click the download button in step 4
c) Activate Directory Synchronization – you must activate Directory synchronization before running dirsync tool.
For Office 365 customer:
- Log into the Office 365 Admin Portal
- Navigate to Users & Groups > Active Directory synchronization Set Up
- Click the “Activate” button in step 3
If you are an Azure customer:
- Log into the Azure portal
- Navigate to Active Directory > Directory Integration
- Click “Activate” in step 2
d) Hardware Software requirements for dirsync tool installation
- It must be installed on a 64-bit Windows Server OS (Windows 2008 and higher)
- It must be joined to Active Directory
- It can now be a domain controller, but if it is then you need to follow the additional instructions in the Best Practices for Deploying and Managing the Windows Azure Active Directory Sync Tool.
- It can be a virtual machine
The full list of requirements/details can be found in Prepare for directory synchronization
e) Before you begin you need the following information Ready
- A Windows Azure Active Directory/Office 365 user account that is a member of the Company Administrator group
- An Active Directory user account that is a member of the Enterprise Administrators group in all domains in your on-premises Active Directory Forest
2. Setting up DirSync
a) Extract the installation binaries
- Unpack the DirSync installation binaries
- Run DirSync.exeusing elevated administrative permission.
- Click Next to move on.
- Accept the EULA
- Specify the install path
- Install the components
- This will also install SQL Server 2012 Express SP1, the FIM Sync Engine.
3. Configuring DirSync
- Once installation is completed, it will prompt to start the configuration wizard.
If you are installing the Directory Sync tool on a Domain Controller (supported from Directory Sync tool build 6567.0018), follow these steps:
- De-select the “Start Configuration Wizard Now” checkbox
- Log-off (not restart) from your current session and re-login
- Launch the “Directory Sync Configuration” by running as administrator
- Click Next to proceed.
- Provide Windows Azure Active Directory/Office 365 global admin credentials. Before the Sync to is configured, you need an office 365 account with global admin permission to allow the sync tool to authenticate with Azure
- Provide on-premises Active Directory credentials. The Active Directory credential must be Enterprise admins which will create the necessary service account in the local AD.
- Hybrid Deployment – There are various features throughout Office 365 and Azure AD that depends on Hybrid Deployment being enabled. You need to decide if you want those features.
- Password Sync– You can choose to enable Password Sync for your tenant.
This lets your users sign into Azure Active Directory (and associated services like Office 365, CRM Online and InTune) with the same password as they use on-premises.
If you want to enable this, select the “Enable Password Sync” checkbox.
- startsynchronizing
- If you want to start sync’ing now, select the “Synchronize your directories now” checkbox, and then click “Finish”.
Very good article, Subhendu. One question: Does the corporate AD need to be on-premise or can the corporate AD be in Azure cloud as well?
if I have 2 domains x and y ( x is on-premise and y is on Azure), is it possible to put them in the same forest, in sync, so that I can control the users from only one place and set up shared mailbox from x to y users?
Niraj: Corporate AD can be hosted any where including Azure hosting while any means of public connectivity from your corporate AD to Windows Azure AD/Office 365 tenant is good to get your Corporate AD synced to the Azure Tenant. There are several scenarios where you might be leveraging Azure to host your corporate AD. However like on premise AD, corporate AD hosted in Azure too do not require any private tunnel or VPN to perform directory sync. Its only when you want to leverage Azure hosted AD to authenticate on Premise network object, you need a Private Tunnel between on-premise network and Windows Azure Network where your AD is hosted.
Mihai: Your scenario demands Multiforest Directory sync and this is very much possible. Your Domain topology would remain as it would exist, like your domain X and domain y can be under the same forest or different forest. However mail boxes or exchange server may exists for each of those domain but its your existing domain topology that would decide whether you need single forest sync or multi forest syn.
Here is a good article that you can follow:
https://msdn.microsoft.com/en-us/library/azure/dn510976.aspx
My company decided to get rid off sp 2013 farm.Does any one know how to rehost on-premises SharePoint 2013 farm to Azure SharePoint 2016 farm ?
Can you clarify pro and cons
Thanks
Ravi
Hi Ravi,
if you want to move your SP 2013 Farm to 2016, then there are 2 ways to go about:
1. Migrate your sp2013 to Sharepoint Online
2. Migrate your SP2013 to SP2016 FARM and use the proven database detach attach method. You can choose any cloud platform/hosting/co-lo to setup your new SP FARM. The only hitch in this process is that you need to ensure that your new SP 2016 FARM should be able to connect to your existing Active Directory Server, even if your organization may have AD synchronised to Azure Active Directory. SP2016 FARM will not work as Azure AD Joined, and hence you have to join the new FARM to join to your On-prem AD.
Corporate AD can be hosted in any IAAS platform. Hosting your AD in server and setting up the necessary networking is all that is needed to choose where you want to keep. Today’s Digital transformation demands Organization to move their core infrastructure into cloud while keeping sync with existing on-prem infra in a hybrid model. Hence the workloads can move to cloud but controls can be kept on-prem