Saturday, 23 April 2016

Office 365 Directory Synchronization




What is Dir Sync:

If you are already using Active Directory in your on-premises environment, you have probably invested a lot of time creating user accounts, populating their attributes and adding them to the appropriate groups. Directory Synchronization takes all that information (users, groups, contacts, email addresses, phone numbers, names, etc.) and synchronizes it from your Active Directory to Office 365. The synchronization is ongoing, which allows you to continue to manage users, groups and contacts from your local Active Directory. The synchronization is one way (from Active Directory to Office 365) and at this time, once enabled, cannot be disabled. One consequence of that design: the on-premises directory is the source of authority for every synchronized object, so anyone who can modify it can change what ends up in Office 365.

Installation and Configuration

The installation of Directory Sync is very straight forward. It’s pretty much a next, next, next install, with you only having to choose the install path. The install process installs several components behind the scenes:

·         Microsoft Online Directory Synchronization, which is really just Identity Lifecycle Manager 2007
·         Microsoft SQL Server 2008 R2
·         Microsoft Online Services Sign-In Assistant

When the installation is complete, you'll need to launch the configuration wizard to configure the synchronization. Again there are not a lot of options: you must specify your Office 365 credentials and your Active Directory credentials, and choose whether or not you'll be using Rich Coexistence. The Rich Coexistence option is only available if you have Exchange 2010. Enabling Rich Coexistence also gives the Microsoft Online Directory Sync tool write access to your local Active Directory, which makes the synchronization partly two-way for the Exchange attributes listed below.

During configuration, an account named MSOL_AD_Sync is created in the Users container of Active Directory. This is the account that Dir Sync uses to read from Active Directory on every run. The Enterprise Admin credentials specified during configuration are used for this setup step only, not on an ongoing basis. If you selected the Rich Coexistence option, a group named MS_AD_Sync_RichCoexistence is also created. Note that the server ends up holding credentials for both directories (the MSOL_AD_Sync account and the Office 365 account you entered), so it needs the same protection as the directories themselves.

The MSOL_AD_Sync user account has the following permissions granted on the domain:

·         Replicating Directory Changes
·         Replication Synchronization
·         Replicating Directory Changes All

Together, Replicating Directory Changes and Replicating Directory Changes All allow the holder to request any attribute of any object, including password hashes, through the directory replication protocol; this is the right set the DCSync technique abuses. Treat the Dir Sync server and the MSOL_AD_Sync account as domain-controller equivalents: restrict who can log on to the server, who can read its configuration, and where the account is allowed to authenticate.

MS_AD_Sync_RichCoexistence has the following permissions granted:

·         Write msExchSafeRecipientsHash on User objects
·         Write msExchBlockedSendersHash on User objects
·         Write msExchUCVoiceMailSettings on User objects
·         Write msExchArchiveStatus on User objects
·         Write msExchSafeSendersHash on User objects
·         Write proxyAddresses on User, Contact and Group objects
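The two permission lists above are worth verifying after installation, and periodically afterwards, because the replication rights are the ones an attacker would want and the writeback rights should never grow beyond the attributes listed. The script below is an added audit example, not part of the original post or of the Dir Sync tool. It assumes the RSAT ActiveDirectory PowerShell module, read access to the domain head's security descriptor, and the default principal names MSOL_AD_Sync and MS_AD_Sync_RichCoexistence (pass a different name to -GroupName if yours differ). The replication-right GUIDs are fixed values from the Active Directory schema.

```powershell
# Added audit script (not part of the original post). Assumes the RSAT ActiveDirectory
# module and read access to the domain head's security descriptor.
Import-Module ActiveDirectory

# Control-access-right GUIDs of the replication rights; these are fixed in the AD schema.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Synchronize'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-DomainRootAces {
    # Allow ACEs on the domain naming context, where Dir Sync grants its rights.
    $domainDN = (Get-ADDomain).DistinguishedName
    (Get-Acl -Path "AD:\$domainDN").Access | Where-Object { $_.AccessControlType -eq 'Allow' }
}

function Get-ReplicationRightHolders {
    # Every identity that can request replication data from the domain. Anything holding
    # Get-Changes plus Get-Changes-All can pull password hashes over DRS (the DCSync path),
    # so the list should contain only DCs, built-in admin groups and MSOL_AD_Sync.
    foreach ($ace in Get-DomainRootAces) {
        $rights = $ace.ActiveDirectoryRights
        $guid   = $ace.ObjectType.ToString().ToLower()
        if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            $ReplicationRights.ContainsKey($guid)) {
            [pscustomobject]@{ Identity = $ace.IdentityReference.Value; Right = $ReplicationRights[$guid]; Inherited = $ace.IsInherited }
        }
        elseif ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -and
                $ace.ObjectType -eq [guid]::Empty) {
            # GenericAll on the domain head implies every extended right, including these.
            [pscustomobject]@{ Identity = $ace.IdentityReference.Value; Right = 'GenericAll (implies all replication rights)'; Inherited = $ace.IsInherited }
        }
    }
}

function Get-SchemaGuidMap {
    # Map schemaIDGUID -> lDAPDisplayName so attribute- and class-scoped ACEs become readable.
    $map = @{}
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[([guid]$_.schemaIDGUID).ToString().ToLower()] = $_.lDAPDisplayName }
    $map
}

function Get-WritebackAttributes {
    # WriteProperty ACEs held by the Rich Coexistence group: which attribute, on which class.
    # Compare the output with the six attributes in the list above; anything else is drift.
    param([string]$GroupName = 'MS_AD_Sync_RichCoexistence')
    $domain  = Get-ADDomain
    $schema  = Get-SchemaGuidMap
    $target  = "$($domain.NetBIOSName)\$GroupName"
    foreach ($ace in Get-DomainRootAces) {
        if ($ace.IdentityReference.Value -ne $target) { continue }
        if (-not $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)) { continue }
        $attr  = '<all attributes>'
        $class = '<all object classes>'
        if ($ace.ObjectType -ne [guid]::Empty)          { $attr  = $schema[$ace.ObjectType.ToString().ToLower()] }
        if ($ace.InheritedObjectType -ne [guid]::Empty) { $class = $schema[$ace.InheritedObjectType.ToString().ToLower()] }
        [pscustomobject]@{ Attribute = $attr; AppliesTo = $class; Inherited = $ace.IsInherited }
    }
}

Get-ReplicationRightHolders | Sort-Object Identity | Format-Table -AutoSize
Get-WritebackAttributes     | Sort-Object AppliesTo, Attribute | Format-Table -AutoSize
```

Run it from the Dir Sync server or any domain-joined host with RSAT. An unexpected identity in the first table (a service account, a user, or an 'Authenticated Users' entry) is a finding regardless of Dir Sync; a write right in the second table that is not scoped to one of the six attributes above, or that applies to all object classes, means the writeback grant has been widened beyond what Rich Coexistence needs.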

How we can view and modify the Dir Sync configuration

The key thing to realize is that Directory Synchronization is really just Microsoft Identity Lifecycle Manager 2007. You can launch the configuration interface by running:

C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\UIShell\miisclient.exe

Operations Console

Upon launching the MIIS Client you will see the Operations area. Microsoft Online Directory Synchronization uses two management agents: the SourceAD management agent reads the information from the source Active Directory, and the TargetWebService management agent writes the information to the Microsoft Online directory. The Operations area shows a log of what the management agents have done. In this example we'll take a look at the initial synchronization, which is located at the bottom of the history and has a profile name of Full Import Full Sync. Once selected, the lower left pane of the window shows Synchronization Statistics, which let you see which objects have been synchronized as well as which objects have been filtered out and therefore won't be synchronized to the Metaverse and Microsoft Online.



Source AD Management Agent

Adds

In the image above there are 193 Adds. This appears to be all the objects read from the Active Directory. Not all of these objects will be replicated to Microsoft Online as filters (explained later) will prevent them from synchronizing. Clicking on the Adds will allow you to see what objects have been read as shown below.



Projections

The Projections show which objects have been written to the Metaverse. In the example above you’ll see that of the 193 objects read, only 14 are written to the Metaverse. Just because an object is written to the Metaverse does not mean it will be written to Microsoft Online, as the TargetWebService also has filter rules when synchronizing from the Metaverse to Microsoft Online. Again you can click on Projections to see what objects have been written to the Metaverse.

Filtered Disconnectors

Filtered Disconnectors show the objects that are not synchronized because they match a defined filter rule.

TargetWebService

The TargetWebService is the Agent that reads information from the Metaverse and writes information to Microsoft Online. You’ll notice in the Agent Operations log that the TargetWebService performs 2 operations on each run, an import and an export.




Clicking on the profile name Export and then clicking Adds shows what has actually been synchronized to Microsoft Online. In this case 7 objects were synchronized to Microsoft Online. This screenshot is from the same session as earlier, in which 14 objects were written to the Metaverse, but as you see above, only 7 were synchronized to Microsoft Online. The reason is that the other objects did not have a displayName specified. When you click Adds, you'll notice that the objects' GUIDs are listed instead of names, but you can click on a GUID to display the object's properties.
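Rather than discovering the missing displayName values one GUID at a time in the export log, you can query the source directory for them before the next run. The function below is an added example, not part of the original post or of the Dir Sync tool; it assumes the RSAT ActiveDirectory module. The -Fix switch fills displayName from givenName and sn for users that have both, which is a convention chosen for this example rather than anything Dir Sync requires, and it honours -WhatIf.

```powershell
# Added pre-flight check (not part of the original post). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ObjectsMissingDisplayName {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [switch]$Fix   # set displayName to "givenName sn" for users that have both (example convention)
    )
    # Users (but not computers, which also carry objectClass=user), contacts and groups are the
    # classes Dir Sync reads. Without displayName they reach the Metaverse but not the export.
    $filter = '(&(!(displayName=*))(|(&(objectCategory=person)(objectClass=user))(objectClass=contact)(objectClass=group)))'
    $objects = Get-ADObject -SearchBase $SearchBase -LDAPFilter $filter -Properties mail, givenName, sn, objectClass

    foreach ($obj in $objects) {
        $proposed = $null
        if ($obj.ObjectClass -eq 'user' -and $obj.givenName -and $obj.sn) {
            $proposed = "$($obj.givenName) $($obj.sn)"
        }
        if ($Fix -and $proposed -and $PSCmdlet.ShouldProcess($obj.DistinguishedName, "Set displayName '$proposed'")) {
            Set-ADObject -Identity $obj.DistinguishedName -Replace @{ displayName = $proposed }
        }
        [pscustomobject]@{
            Name              = $obj.Name
            ObjectClass       = $obj.ObjectClass
            Mail              = $obj.mail
            ProposedDisplay   = $proposed      # $null means it must be set by hand (contacts, groups, bare users)
            DistinguishedName = $obj.DistinguishedName
        }
    }
}

# Report only. Add "-Fix -WhatIf" to preview the writes and "-Fix" to apply them.
Get-ObjectsMissingDisplayName | Format-Table Name, ObjectClass, Mail, ProposedDisplay -AutoSize
```

Because Dir Sync reads the whole directory, scope the query with -SearchBase only when you also scope the synchronization; otherwise an object outside your search base can still reach the Metaverse and fail the export for the same reason.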

Metaverse Search

The Metaverse Search area will allow you to see the objects, and their attributes, that have been synchronized to the Metaverse. To see the objects, simply click the Search button.




The search results will show all objects in the Metaverse. In the image above you'll notice that 14 objects are in the Metaverse and displayName is the only column displayed. You can click on the Column Settings link to display additional attributes. You can also limit the search by changing the Scope by Object Type drop-down list or clicking the Add Clause action to filter by attribute.
The Metaverse Search area is useful if you are trying to determine why certain objects aren't synchronizing to Microsoft Online.

Joiner

The Joiner will allow you to see the objects which have not been synchronized. Selecting the Management Agent SourceAD and Disconnector Type Disconnectors, and then clicking search will display all the disconnectors.

Controlling the Frequency of Directory Synchronization

By default the Directory Synchronization runs every 3 hours. If you want to increase or decrease the frequency you will need to modify the following file:

C:\program files\Microsoft Online Directory Sync\Microsoft.Online.DirSync.Scheduler.exe.Config

Just open it with Notepad and you'll see a line that looks like:
<add key="SyncTimeInterval" value="3:0:0" />

The value is hours:minutes:seconds, so by default the SyncTimeInterval is 3 hours. If you wanted it to run every 30 minutes you'd change the value to "0:30:0". We wouldn't recommend going any lower than 15-30 minutes: every run performs a full read of the directory through the replication interface, so a short interval puts a constant load on your domain controllers.
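Editing the .exe.config by hand is easy to get wrong (a malformed value simply stops the scheduler from parsing its settings). The function below is an added example, not part of the original post or of the Dir Sync tool. It assumes the default install path given above, that the key lives under the standard <appSettings> element of the .exe.config, and that the scheduler reads the file at service start; the service name is not given on this page, so the function takes it as a parameter rather than assuming one. It refuses intervals under 15 minutes, backs up the file, and supports -WhatIf.

```powershell
# Added example (not part of the original post). Assumes the default install path above and
# the standard <configuration><appSettings><add .../> layout of a .NET .exe.config file.
function Set-DirSyncInterval {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][timespan]$Interval,
        [string]$ConfigPath = 'C:\Program Files\Microsoft Online Directory Sync\Microsoft.Online.DirSync.Scheduler.exe.Config',
        [string]$ServiceName   # scheduler service to restart afterwards; supply your server's name (assumption, not from the page)
    )
    $floor = [timespan]::FromMinutes(15)
    if ($Interval -lt $floor) {
        throw "Refusing to set $Interval; keep the interval at or above $floor to avoid hammering the domain controllers"
    }

    [xml]$config = Get-Content -Path $ConfigPath -Raw
    $node = $config.configuration.appSettings.add | Where-Object { $_.key -eq 'SyncTimeInterval' }
    if (-not $node) { throw "SyncTimeInterval not found in $ConfigPath" }

    # Write the value in the same h:m:s form the file already uses (e.g. "3:0:0" or "0:30:0").
    $old = $node.value
    $new = '{0}:{1}:{2}' -f [int][math]::Floor($Interval.TotalHours), $Interval.Minutes, $Interval.Seconds

    if ($PSCmdlet.ShouldProcess($ConfigPath, "SyncTimeInterval $old -> $new")) {
        Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force   # keep a rollback copy
        $node.value = $new
        $config.Save($ConfigPath)
        if ($ServiceName) { Restart-Service -Name $ServiceName }
    }
    [pscustomobject]@{ Old = $old; New = $new; Config = $ConfigPath }
}

# Preview first, then apply; pass -ServiceName to pick up the change without a reboot.
Set-DirSyncInterval -Interval ([timespan]'0:30:0') -WhatIf
```

Run it in an elevated session on the Dir Sync server, since the file sits under Program Files. The .bak copy lets you restore the previous interval if the scheduler does not start cleanly after the change.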

Port


Dir Sync needs outbound TCP 443 (HTTPS) from the Dir Sync server to the Internet so the TargetWebService agent can reach Microsoft Online. No inbound port has to be opened, so there is no reason to expose the server itself; if you use an outbound proxy or egress filtering, allow only this server to reach the Microsoft Online endpoints.
