If you would like to read the other parts of this article series please go to:
- Configuring an Exchange Hybrid Deployment & Migrating to Office 365 (Exchange Online) (Part 9)
- Configuring an Exchange Hybrid Deployment & Migrating to Office 365 (Exchange Online) (Part 10)
- Configuring an Exchange Hybrid Deployment & Migrating to Office 365 (Exchange Online) (Part 11)
- Configuring an Exchange Hybrid Deployment & Migrating to Office 365 (Exchange Online) (Part 13)
Introduction
In part 6 of this multi-part article series revolving around Exchange hybrid deployment based migrations to Office 365 or more precisely Exchange Online, we converted our Office 365 domain to a federated domain as well as installed the Directory Synchronization (DirSync) tool.
In this part 7, we will continue where we left off in part 6. That is, we will configure and enable the Directory Synchronization (DirSync) tool. Then we will verify that the DirSync tool does the job it is supposed to do by looking at the behind-the-scenes mechanisms of the DirSync engine.
Let’s get going…
Configuring and enabling the Directory Synchronization Tool
So back in part 6 of this article series, we activated directory synchronization for our Office 365 tenant. As you may also recall, I mentioned it can take several hours from when we activate support for directory synchronization until it is actually activated. So let’s verify this has been activated before we continue configuring the DirSync tool.
To do this, log on to the Office 365 Portal and then click “Users” and then “Set up” under Active Directory synchronization. Under step 3, you should see “Active Directory synchronization is activated”.
Figure 1: Active Directory Synchronization has been activated for our tenant
You can also verify this by connecting to the Office 365 tenant using Windows PowerShell and then enter the following command:
Get-MsolCompanyInformation | fl DirectorySynchronizationEnabled
Figure 2: Verifying Active Directory synchronization activation via Windows PowerShell
If directory synchronization has been activated, let’s switch back to the server on which we have installed the DirSync tool. From there, launch the DirSync tool via the “Directory Sync Configuration” shortcut.
Figure 3: Launching DirSync Configuration
On the Welcome page, click “Next”
Figure 4: Microsoft Online Services Directory Synchronization Configuration Wizard – Welcome page
On the Microsoft Services Online Credentials page, enter the credentials for a tenant account with Global Administrator permissions.
Important:
It’s recommended to create a dedicated service account for this purpose. You can create it directly in Office 365 or in your on-premise Active Directory. The important thing is that this account is added to the Office 365 Global Administrator role group.
Click “Next”.
Figure 5: Entering the Credentials for a service account used to sync with the Office 365 tenant
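Because the sync service account sits in the Global Administrator role, it is worth reviewing who else holds that role once the account has been added. The following is an added example, not part of the original article; it assumes the MSOnline PowerShell module is installed, and the account name `svc-dirsync@contoso.onmicrosoft.com` is a placeholder.

```powershell
# Added example: list the members of the Global Administrator role and
# confirm the dedicated DirSync service account is among them.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential)

# Placeholder UPN for the dedicated sync account (assumption, not from the article)
$syncAccountUpn = 'svc-dirsync@contoso.onmicrosoft.com'

# In the MSOnline module the Global Administrator role is named "Company Administrator"
$role    = Get-MsolRole -RoleName 'Company Administrator'
$members = Get-MsolRoleMember -RoleObjectId $role.ObjectId

$report = foreach ($member in $members) {
    # Skip role members that do not resolve to a user object
    $user = Get-MsolUser -ObjectId $member.ObjectId -ErrorAction SilentlyContinue
    if (-not $user) { continue }

    New-Object PSObject -Property @{
        UserPrincipalName    = $user.UserPrincipalName
        IsSyncAccount        = ($user.UserPrincipalName -eq $syncAccountUpn)
        # A LastDirSyncTime value means the account is synchronized from on-premise AD
        SyncedFromOnPremise  = [bool]$user.LastDirSyncTime
        IsLicensed           = $user.IsLicensed
        PasswordNeverExpires = $user.PasswordNeverExpires
    }
}

$report | Sort-Object UserPrincipalName |
    Format-Table UserPrincipalName, IsSyncAccount, SyncedFromOnPremise,
                 IsLicensed, PasswordNeverExpires -AutoSize

if (-not ($report | Where-Object { $_.IsSyncAccount })) {
    Write-Warning "$syncAccountUpn is not a member of the Global Administrator role."
}
```

Any account in the output that is neither the sync account nor a known administrator should be investigated and removed from the role.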
Now we need to specify the credentials for an account with administrator permissions in the on-premise Active Directory. You can use any account with such permissions, as the credentials are only used to set permissions for the DirSync tool and are not saved.
When you have entered the credentials, click “Next”.
Figure 6: Specifying the credentials for an administrator account in the on-premise Active Directory
We’re now taken to the Exchange hybrid deployment page. If the DirSync Configuration setup wizard detects Exchange 2010 SP1 (or later) servers in the on-premise Active Directory we will be able to tick “Enable Exchange hybrid deployment”.
Note:
If the setup wizard doesn’t detect any Exchange 2010 SP1 (or later) servers, the tick box will be greyed out. Since we, in this article series, are dealing with an Exchange hybrid deployment based configuration, we have deployed two Exchange 2010 SP2 servers that will act as Exchange hybrid deployment servers. You’re right, we haven’t actually reached the point where we configure the hybrid deployment servers; we have just performed a basic Exchange 2010 installation on each of the two hybrid servers and applied the latest updates. Configuring load balancing for the servers as well as preparing them for a hybrid configuration will be done later in this article series.
When ticking the “Enable Exchange hybrid deployment” box, we allow DirSync to perform write-back from Office 365 to the on-premise Active Directory for certain attributes. This is required to support features such as archiving on-premise mailboxes in the cloud, off-boarding mailboxes from the cloud to on-premise Exchange servers, letting on-premise filtering software take advantage of user-made safe and blocked sender lists in the cloud, and UM online voice mail.
With Exchange hybrid deployment enabled, write-back will be performed for the following attributes:
Write-Back attribute | Exchange “full fidelity” feature |
SafeSendersHash | Filtering Coexistence: Writes back on-premises filtering and online safe and blocked sender data from clients. |
msExchArchiveStatus | Online Archive: Enables customers to archive mail in Microsoft Online. |
ProxyAddresses | Enable Mailbox: Off-boards an online mailbox back to on-premises Exchange. |
msExchUCVoiceMailSettings | Enable Unified Messaging (UM) – Online voice mail: This new attribute is used only for UM-Microsoft Lync Server 2010 integration to indicate to Lync Server 2010 on-premises that the user has voice mail in online services. |
Table 1
When you have ticked “Enable Exchange hybrid deployment”, click “Next”.
Figure 7: Enabling Exchange hybrid deployment support in the DirSync tool
The DirSync installer will now configure the DirSync management agents, which import Active Directory user, contact and group objects into the DirSync metaverse (stored in the database configured for the DirSync server) and from there export them to the Office 365 tenant.
Figure 8: DirSync tool installer configures respective management agents etc.
When the Dirsync tool configuration has completed, click “Next”.
Figure 9: The DirSync tool configuration is complete
Now make sure “Synchronize directories now” is selected and then click “Finish”. This will initiate the first synchronization from the on-premise Active Directory to the metaverse and the export from the metaverse to the Office 365 tenant.
Figure 10: Selecting to synchronize objects from Active Directory to Office 365
You will receive the warning shown in Figure 11, which includes a link to a TechNet page that explains how you can verify synchronization works properly. Click “OK”.
Figure 11: Warning message explaining how to verify synchronization is occurring properly
When it comes to verifying synchronization, what I usually do first is to launch the Dirsync UI shell by navigating to “C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell” and double-click on “miisclient” as shown in Figure 12.
Figure 12: Launching the MIIS client
In the “Synchronization Service Manager on DIRSYNC” console, you can see the status for the last run of each management agent. You can also see the number of added, updated and deleted objects etc.
If you have MIIS/ILM/FIM experience, this is probably the best place to look in order to verify synchronization is running as expected.
Figure 13: Synchronization Service Manager on DIRSYNC server
Besides the Synchronization Service Manager console, you can also look in the Application log. Here you can see event IDs that can give you a quick indication of the health state for the directory synchronization.
Figure 14: Directory Synchronization related event IDs in the Application log
Finally, we can check the Office 365 portal for when the last directory synchronization occurred (Figure 15).
Figure 15: Checking the time for the last synchronization in the Office 365 portal
You can also try to update a few attributes for a couple of users or create new users to see if the changes are reflected on the Office 365 user. To force a synchronization, see the next section.
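The tenant-side and server-side checks described above can be combined into one script. This is an added example, not part of the original article; it assumes the MSOnline module is installed on the DirSync server, that DirSync writes to the Application log under the source name “Directory Synchronization”, and that the tenant reports the last sync time in UTC.

```powershell
# Added example: DirSync health check (tenant status + Application log).
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential)

$company = Get-MsolCompanyInformation
$maxAge  = New-TimeSpan -Hours 3      # delta sync interval stated in this article

if (-not $company.DirectorySynchronizationEnabled) {
    Write-Warning "Directory synchronization is not activated for this tenant."
}
elseif (-not $company.LastDirSyncTime) {
    Write-Warning "Activated, but the tenant has not recorded a synchronization yet."
}
else {
    # LastDirSyncTime is assumed to be UTC, so compare against UTC "now"
    $age = (Get-Date).ToUniversalTime() - $company.LastDirSyncTime
    if ($age -gt $maxAge) {
        Write-Warning ("Last sync was {0:N1} hours ago; a scheduled run may have failed." -f $age.TotalHours)
    }
    else {
        Write-Host ("Last sync completed {0:N0} minutes ago." -f $age.TotalMinutes)
    }
}

# Server side: DirSync entries written to the Application log in the last 6 hours.
# The source name is an assumption; adjust it to match what Event Viewer shows.
$events = Get-EventLog -LogName Application -Source 'Directory Synchronization' `
              -After (Get-Date).AddHours(-6) -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No DirSync events found in the last 6 hours."
}
else {
    # Summary by severity, then the detail of anything that is not informational
    $events | Group-Object EntryType | Select-Object Name, Count | Format-Table -AutoSize

    $events | Where-Object { $_.EntryType -ne 'Information' } |
        Sort-Object TimeGenerated |
        Format-List TimeGenerated, EntryType, EventID, Message
}
```

Running this on a schedule and alerting on the warnings gives early notice when synchronization stalls or starts logging errors.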
Forcing a Directory Synchronization
Since delta synchronizations from your on-premise Active Directory forest to Office 365 are scheduled to run every 3 hours, there may be situations where you want to force a synchronization. This can be done using the “Start-OnlineCoexistenceSync” cmdlet. But in order to run this cmdlet, you must first launch a Windows PowerShell 2.0 console on the server, navigate to the “C:\Program Files\Microsoft Online Directory Sync” folder and from there run the “DirSyncConfigshell.psc1” script.
Figure 16: Windows Powershell 2.0 console
This will open another Windows PowerShell console where you can enter the “Start-OnlineCoexistenceSync” cmdlet. Doing so will immediately force a synchronization.
Figure 17: Running the Start-OnlineCoexistenceSync cmdlet
Alright, we have now reached the end of part 7 of this multi-part article series. You deserve a break!