Exchange Server 2016 and Microsoft Cloud (Part 9)

If you would like to be notified of when Anderson Patricio releases the next part in this article series please sign up to our MSExchange.org Real Time Article Update newsletter.

If you would like to read the other parts in this article series please go to:

In the previous article we checked our environment to support the synchronization process. In this article we will complete the Azure AD Connect tool configuration and enable the synchronization. We will cover the steps required to filter the replication using Organization Units.

Having the directory synchronized between on-premises and Microsoft Azure, we will enforce the recipient validation at EOP level to improve security and reduce bandwidth utilization on the Exchange site.

Azure AD Connect configuration…

After installing the tool, the first time that it is executed a wizard will show up and the administrator has the ability to configure the tool. In this article, we will keep it simple and configure using the basic settings, however the tool gives you flexibility to customize a lot of options along the way. Here are the steps to configure the AD Connect tool:

  1. In the Welcome to Azure AD Connect page. This is the welcome page to configure the Azure AD Connect, and part of this configuration is to configure the service component responsible for the synchronization. Accept the license agreement by clicking on I agree to the license terms and privacy notice and click next.
  2. In the Express Settings page. Here is one of the new features of Azure AD Connect which is a great improvement when compared with all previous versions where the administrator can use Express Settings which will configure identity and password synchronization from the on-premise environment with Azure Active Directory/Office 365. All attributes will be synchronized and the initial synchronization will start as part of the installation process. Click on Use Express Settings, as shown in the image below.

Image
Express Settings is the preferred option when using a single domain and no special features are required because it configures most of the components automatically

  1. In the Connect to Azure AD page. We will add the credentials of the user that we created in the previous article (make sure to write the username using the following format [email protected]). The wizard will validate if the credentials are correct before moving to the next page. Click Next.
  2. In the Connect to AD DS page. Now it is time to enter the current Active Directory domain credentials. This account should be a member of enterprise administrator and domain admins group. At this time, enter the credentials using DOMAIN\username. Click Next.
  3. In the Ready to configure page. A summary of all tasks that will be performed are being listed, make sure to uncheck the option Start the synchronization process when configuration completes and Exchange hybrid deployment (your configuration should be similar to the image below) and then click Install.

Image
Summary of the changes and the administrator has the ability to start the synchronization as soon as the wizard is completed

  1. In the Configuration complete page. The final page of the wizard informs the configuration was complete. In the image below we will notice that the synchronization is disable, and we will configure filtering first before enabling and validating the synchronization.

Image
Final page of the synchronization wizard.

Configuring filtering based on Organization Units…

Before synchronizing for the first time between on-premise and Azure Active Directory, it is good practice to define which Organization Units (OUs) will be synchronized. Although we can synchronize the entire domain, we probably don’t want to synchronize some vendors, service accounts, built-in accounts, right? The main reason is that they may never be used, and second they may cause replication errors.

If we open the Microsoft Azure Directory Connect icon that is located on your desktop, the initial page after the initial configuration is the Additional Tasks. Using Azure Active Directory Connect provides several tasks within the wizard that help the administrator to change the settings of the synchronization in a few steps.

In the past, using DirSync (Directory Synchronization Tool) the administrator was required to use the Synchronization Service Manager (miisclient.exe) to define which OUs could be synchronized with Azure Active Directory, but nowadays we can do the same process within the Azure AD Connect tool. In the main page, select customize synchronization options and click Next.

Image
Additional Tasks page provides easy access to administrators to perform some configuration changes in the synchronization process.

In the Connect to Azure AD page. Type in the Azure Active Directory credentials that was designed to be the service account for synchronization, in our article series we defined the [email protected], and then click Next.

In the Connect your directories page. Enter the credential information of your Active Directory (the credential entered must be Enterprise Administrator), and then click Next.

In the Domain and OU filtering page. Here we can select the Directory from the list that we added in the previous page, and we can use the default setting which is Sync all domains and OUs which is not a good idea, or use the Sync selected domains and OUs and pick only the OUs that have objects that are worth being synchronized with Azure Active Directory.

In the image below, we can see that we are selecting only Toronto OI for the simple fact that all our objects are being created on that OU. We can always go back on this page and add/remove OUs. After selecting the OUs to be synchronized, click on Next.

Image
Filtering synchronization based on Organization Units

In the Optional features page. Here the administrator can select additional features that can be configured as part of the synchronization process. For now, just click Next.

In the Ready to configure page. Let’s select Start the synchronization process when configuration completes and that will allow the replication to start. Keep in mind that we decided not to synchronize during the initial configuration. Click on Install.

Image
Configuring the synchronization to start automatically after completing the current wizard

In the Configuration complete page. A message similar to Azure AD Connect configuration succeeded. The synchronization process has been initiated will be displayed which means that we the synchronization process is about to start and we need to validate the results of our configuration. Click on Exit to complete the configuration.

Validating the synchronization process…

In order to validate the synchronization from on-premise, the best way is using miisclient.exe which is located by default at C:\Program Files\Microsoft Azure AD Sync\UIShell. Open Synchronization Service Manager and click on Operations tab, and a list of all recent operations will be listed, as shown in the image below. The administrator can use that same information for troubleshooting purposes.

Image
Checking the last replication processes that occurred between on-premises and Azure Active Directory

If we want to check the synchronization status from Office365 side. Just look at the main page of the Admin Center Preview, a frame named DirSync Status will provide the last time the synchronization and password synchronization has occurred and a green color means healthy status. We can go a little bit further by clicking on DirSync Status title and a page with detailed information will be displayed.

Image
Synchronization status on the main page of Admin Center Preview / Admin

Another way is comparing the objects from the Organization Unit that we configured to be synchronized with the Active Users in Office 365 as shown in the image below.

Image
Comparing the objects between on-premises and Office 365

Configuring Exchange Online Protection

In the previous article of this series, we configured the domain as Internal Relay to make sure that all mail addressed to any recipient at @infralab.org was being received in Office 365 and then forwarded to the on-premises Exchange Server(s) because at that time we did not have the objects synchronized in Office 365.

Now that we complete the synchronization, we can move the task to Office365 servers to accept messages only from valid recipients, and by doing that we save on bandwidth where only valid messages will cross the link between Office365 and Exchange Server on-premise.

In order to accomplish that, logged on Admin Center Preview, click on Admin Centers, and then Exchange. In Exchange Admin Center, click on mail flow, accepted domains and double click on the desired domain. Change the type to authoritative and click on Save. Wait a few minutes, and then try to send a message to a non-existent user from the Internet and the NDR that you will receive is something like this: 550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup

Image
Configuring the domain to accept messages addressed only to valid recipients

Wrapping it up…

Continuing the process that we started in the previous article, we were able to finish the synchronization between Active Directory on-premises and Azure Active Directory/Office 365. We configured OU filtering using the new Azure AD Connect tool.

We covered some methods to check if the replication is working properly on both sides of the fence, and we finished up the article by configuring EOP to block any message that is not addressed to a valid recipient.

If you would like to be notified of when Anderson Patricio releases the next part in this article series please sign up to our MSExchange.org Real Time Article Update newsletter.

If you would like to read the other parts in this article series please go to:

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top