Configuring an Exchange Hybrid Deployment Migrating to Office 365 (Exchange Online) (Part 7)

If you would like to read the other parts of this article series please go to:

Introduction

In part 6 of this multi-part article series revolving around Exchange hybrid deployment based migrations to Office 365 or more precisely Exchange Online, we converted our Office 365 domain to a federated domain as well as installed the Directory Synchronization (DirSync) tool.

In this part 7, we will continue where we left off in part 6. That is we will configure and enable the Directory Synchronization (DirSync) tool. Then we will verify that the DirSync tool does the job it is supposed to do by looking at the behind the scene mechanisms of the DirSync engine.

Let’s get going…

Configuring and enabling the Directory Synchronization Tool     

So back in part 6 of this article series, we activated directory synchronization for our Office 365 tenant. As you may also recall, I mentioned it can take several hours from when we activate support for directory synchronization until it is actually activated. So let’s verify this has been activated before we continue configuring the DirSync tool.

To do this, log on to the Office 365 Portal and then click “Users” and then “Set up” under Active Directory synchronization. Under step 3, you should see “Active Directory synchronization is activated”.

Image
Figure 1:
Active Directory Synchronization has been activated for out tenant

You can also verify this by connecting to the Office 365 tenant using Windows PowerShell and then enter the following command:

Get-MsolCompanyInformation | fl DirectorySynchronizationEnabled

Image
Figure 2:
Verifying Active Directory synchronization activation via Windows PowerShell

If directory synchronization has been activated, let’s switch back to the server on which we have installed the DirSync tool. From there launch the the DirSync tool via the “Directory Sync Configuration” shortcut.

Image
Figure 3: Launching DirSync Configuration

On the Welcome page, click “Next

Image
Figure 4:
Microsoft Online Services Directory Synchronization Configuration Wizard – Welcome page

On the Microsoft Services Online Credentials page, enter the credentials for tenant account with Global Administrator permissions.

Important:
It’s recommended to create a dedicated service account for this purpose. You can create it directly in Office 365 or in your on-premise Active Directory. The important thing is that this account is added to the Office 365 Global Administrator role group.

Click “Next”.

Image
Figure 5: Entering the Credentials for a service account used to sync with the Office 365 tenant

Now we need to specify the credentials for an account with administrator permissions in the on-premise Active Directory. You can use any account with such permissions as the credentials are only used to set permissions for the DirSync tool not saved.

When you have entered the credentials, click “Next”.

Image
Figure 6:
Specifying the credentials for an administrator account in the on-premise Active Directory

We’re now taken to the Exchange hybrid deployment page. If the DirSync Configuration setup wizard detects Exchange 2010 SP1 (or later) servers in the on-premise Active Directory we will be able to tick “Enable Exchange hybrid deployment”.

Note:
If the setup wizard doesn’t detect any Exchange 2010 SP1 (or later) servers, the tick box will be greyed out. Since we, in this article series, are dealing with an Exchange hybrid deployment based configuration, we have deployed two Exchange 2010 SP2 servers that will act as Exchange hybrid deployment servers. You’re right, we haven’t actually reached the point, where we configure the hybrid deployment servers, we have just performed a basic Exchange 2010 installation on each of the two hybrid servers and applied the latest updates. Configuring load balancing for the servers as well as preparing them for a hybrid configuration will be done later in this article series.

When ticking the “Enable Exchange hybrid deployment” box, we allow DirSync to perform write-back from Office 365 to the on-premise Active Directory for certain attributes. This is in order to allow support for features such as archive on-premise mailboxes in the cloud, off-board mailboxes from the cloud to on-premise Exchange servers, have on-premise filtering software take advantage of user made safe and blocked senders in the cloud and UM online voice mail.

With Exchange hybrid deployment enabled, write-back will be performed for the following attributes:

Write-Back attribute

Exchange “full fidelity” feature

SafeSendersHash
  BlockedSendersHash
  SafeRecipientHash

Filtering Coexistence: Writes back on-premises filtering and online safe and blocked sender data from clients. 

msExchArchiveStatus

Online Archive: Enables customers to archive mail in Microsoft Online.

ProxyAddresses
  (LegacyExchangeDN <online LegacyDn> as X500)

Enable Mailbox: Off-boards an online mailbox back to on-premises Exchange.

msExchUCVoiceMailSettings

Enable Unified Messaging (UM) – Online voice mail: This new attribute is used only for UM-Microsoft Lync Server 2010 integration to indicate to Lync Server 2010 on-premises that the user has voice mail in online services.

Table 1

When you have ticked “Enable Exchange hybrid deployment”, click “Next”.

Image
Figure 7:
Enabling Exchange hybrid deployment support in the DirSync tool

The DirSync installer will now configure the DirSync management agents that imports Active Directory user, contact and group objects to the Dirsync metaverse stored in the database configured for the DirSync Server and from here exports them to the Office 365 tenant.

Image
Figure 8:
DirSync tool installer configures respective management agents etc.

When the Dirsync tool configuration has completed, click “Next”.

Image
Figure 9:
The DirSync tool configuration is complete

Now make sure “Synchronize directories now” is selected and then click “Finish”. This will initiate the first synchronization from the on-premise Active Directory to the metaverse and the export from the metaverse to the Office 365 tenant.

Image
Figure 10:
Selecting to synchronize objects from Active Directory to Office 365

You will receive the warning shown in Figure 11, which includes a link to a TechNet page that explains how you can verify synchronization works properly. Click “OK”.

Image
Figure 11: Warning message explaining how to verify synchronization is occurring properly

When it comes to verifying synchronization, what I usually do first is to launch the Dirsync UI shell by navigating to “C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell” and double-click on “miisclient” as shown in Figure 12.

Image
Figure 12:
Launching the MIIS client

In the “Synchronization Service Manager on DIRSYNC” console, you can see the status for the last run of each management agent. You can also see the number of added, updated and deleted objects etc.

If you have MIIS/ILM/FIM experience this is proberly the best place to look in order to verify synchronization is running as expected.

Image
Figure 13:
Synchronization Service Manager on DIRSYNC server

Besides the Synchronization Service Manager console, you can also look in the Application log. Here you can see event IDs that can give you a quick indication of the health state for the directory synchronization.

Image
Figure 14:
Directory Synchronization related event IDs in the Application log

Finally, we can check the Office 365 portal for when the last directory synchronization occurred (Figure 15).

Image
Figure 15:
Checking the time for the last synchronization in the Office 365 portal

You can also try to update a few attributes for a couple of users or create new users to see if the changes are reflected on the Office 365 user. To force a synchronization, see the next section.

Forcing a Directory Synchronization

Since delta synchronizations from your on-premise Active Directory forest to Office 365 are scheduled to run every 3 hours, there may be situations where you want to force a synchronization. This can be done using the “Start-OnlineCoexistenceSync” cmdlet. But in order to run this cmdlet, you must first launch a Windows Powershell 2.0 console on the server and then navigate to “C:\Program Files\Microsoft Online Directory Sync” folder and from here run the “DirSyncConfigshell.psc1” script.

Image
Figure 16:
Windows Powershell 2.0 console

This will open another Windows Powershell console where you can enter the “Start-OnlineCoexistenceSync” cmdlet. Doing so will immediately force a synchronization.

Image
Figure 17:
Running the Start-OnlineCoexistenceSync cmdlet

Alright, we have now reached the end of part 7 of this multi-part article series. You deserve a break!

If you would like to read the other parts of this article series please go to:

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top