Deploying an Exchange 2013 Hybrid Lab Environment in Windows Azure (Part 22)

If you would like to read the other parts in this article series please go to:


In part 21 of this article series revolving around what the Windows Azure service is all about as well as how you deploy an Exchange hybrid deployment in Windows Azure, we added our custom domain to the Azure Active Directory tenant and then converted the domain to a federated domain. Lastly, we verified the authentication redirection worked as expected.

Let’s get going…

Deploying the Directory Synchronization Server

So since we are done configuring the AD FS servers, we will now turn our attention to the server that will be used for directory synchronization purposes.

Figure 1: Directory Synchronization now in focus

Since the virtual machine has not been provisioned in Azure IaaS yet, we will do that first. By now we know the drill pretty well. Open the Azure Portal and then click “Virtual Machines” in the left pane. Under the “Virtual Machine Instances” tab, click “New” in the lower left corner and then select “From Gallery”. Since the directory synchronization tools are supported on Windows Server 2012 R2 nowadays, select this image and click the arrow.

Figure 2: Selecting the right image for the virtual machine

Now we need to provide a name (which will also become the NetBIOS name of the server) for the virtual machine and specify the building block to use. Since I want to keep compute power as low as possible, I will configure the virtual DirSync servers with the “Extra Small (shared core, 768 MB memory)” building block.

You can switch between the building blocks at any time after the virtual machine has been provisioned if you require more compute power for the respective virtual machines during specific periods.

Also, enter the admin account name and provide a complex password for it and then click the arrow in the lower right corner.

Figure 3: Specifying name, building block and admin credentials for the virtual machine

We are brought to the page where we can configure the cloud service, network, storage account and availability set.

In the “Cloud Service” drop-down menu, you will be able to see a list of the cloud services created so far. Since this is the first and only DirSync server, we are deploying and because we don’t want it on an existing cloud service, select “Create a new cloud service”.

In the cloud service name, we should enter the DNS name through which the DirSync virtual machine should be accessible from the Internet. We do not plan to have the DirSync servers accessible directly from the Internet as other than through remote desktop and PowerShell as this is not required.

In the “Region/Affinity Group/Virtual Network” drop-down menu, we will select the virtual network we created earlier on in the article, which is “VirtualNetwork1”.

Under “Storage Account” we will use the one we previously created and under “Availability Set”, select “(None)”.

Click the check mark in the lower right corner to create and provision the virtual machine.

Figure 4: Virtual machine configuration

On the next page, leave the defaults as is and click the check mark in the lower right corner to create and provision the virtual machine.

Figure 5: Virtual Machines Agent that will be installed

When the virtual machine has been provisioned, connect to it using remote desktop and then add it to the Active Directory forest.

Activating Synchronization for the Azure Active Directory Tenant

The first preparation step we want to complete before concentrating on installing and configuring the WAAD Sync tool on the new virtual server we configure in the next section is to activate directory synchronization for our Azure Active Directory tenant. This can be done by opening the Office 365 portal and here expand “Users”. Under “Users”, select Active Users” and then click “Set up” to the right of “Active Directory synchronization” in the top of the page as shown in Figure 6 below.

Figure 6: Clicking Set up under Active Directory synchronization

Under “Set up and manage Active Directory synchronization”, click on the “Activate” button in “Step 3”.

Figure 7: Activating Directory synchronization for the AAD tenant

You will now be asked whether you really wish to activate directory synchronization from your on-premises environment to Office 365. Since this is exactly what we want to do, click “Activate” once again.

Figure 8: Confirming activation of Directory Synchronization

Unlike back in the previous version (wave 14) of Office 365, where we had to wait up to 24 hours for a script to run, in the current version activation will occur instantly.

Figure 9: Directory Synchronization activated

Creating the Necessary DirSync Service Account in the AAD Tenant

With directory synchronization activated, let’s create the service account that will be used for configuring directory synchronization. We should create this account in the Azure Active Directory tenant and it needs to be assigned the Global Administrator role. To do so open the Office 365 portal and then “Users”.

Figure 10:
Clicking the plus sign to create a new user

Enter the name and UPN logon for the account. A option when creating a new user is to specify the password to be used instead of auto-generating it followed by logging in and changing it. Specify a password and then untick “Make this user change their password with Outlook Web App on next login.

Click “Create”.

Figure 11: Creating Service Account for DirSync purposes

With the user account created, click “Close”.

Figure 12: Service account created successfully

Open the property page for the new account and select “Settings”. Assign the Global Administrator role and specify an alternate email address then click “Save”.

Figure 13: Assigning the global administrator role to the service account

When ticking a user, there is a new “Add to Group” option, however this only applies to custom groups not the default RBAC based role groups, which is why I took the property page approach.

Now you need to decide whether the new service account should follow the Office 365 password expiration policy meaning you need to change the password for the account every 90 days or if you rather want to set the password to never expire. I’ll do the latter.

Since this can’t be done via the Office 365 portal, we need to connect to the Office 365 tenant using Windows PowerShell. When connected to the Office 365 tenant, we can check the “PasswordNeverExpires” value with the following command:

Get-MsolUser –UserPrincipalName “[email protected]” | fl

Figure 14: Value of the “PasswordNeverExpires” attribute for the new service account

To change this value to “True”, we can use the following command:

Set-MsolUser –UserPrincipalName “[email protected]” –PasswordNeverExpires “true”

Figure 15:
Changing the password never expires attribute to “true”

Installing the Active Directory Sync Services Tool

Time has come to install the Active Directory Sync Services Tool. Before we launch the installation wizard, we need to install the .NET Framework 4.5 feature, which is a prerequisite for the tool. So launch the “Server Manager” and select “Add Roles and Features” in the “Manage” menu.

Figure 16: Selecting Add Roles and Features in Server Manager

Click “Next” twice and tick “.NET Framework 4.5 Features” and click “Next” twice followed by “Install.

Figure 17: Installing .NET Framework 4.5 Features

In this article we are going to synchronize our Active Directory forest users to the Azure Active Directory tenant using the new Microsoft Azure Active Directory Sync Services tool. You may be used to downloading this tool via step 4 in the directory synchronization list, but since it is still the old DirSync appliance that is available there, we will download it from here.

Once downloaded, launch the installation wizard, accept the license agreement, and click “Install.

Figure 18: AAD Sync Services wizard Welcome page

We now need to specify the credentials for the service account in the Azure Active Directory tenant created earlier on in this article. Remember this account must be assigned the Global Administrator role.

Click “Next”.

Figure 19:
Specifying credentials of DirSync service account in AAD

Enter the credentials for an Enterprise administrator in the Active Directory forest and click “Next”.

Figure 20: Specifying credentials for administrator in Active Directory forest

The Azure Active Directory Sync Services tool supports synchronization of objects from multiple Active directory forests. Since this is out of scope for this articles series, click “Next”.

Figure 21: Option to connect additional Active Directory forests

On the next page, we have the option of configuring the objects that should be used for matching users between the Active Directory forest and the Azure Active Directory tenant.

With only one Active Directory forest in scope, the defaults are fine.

Click “Next”.

Figure 22: Available matching rules

We are now taken to the additional options page. This page is quite important as this is where you enable “Exchange hybrid deployment” and other options. So we will tick “Exchange hybrid deployment” and also “Password write-back”, which is something we will look at later.

Click “Next”.

Figure 23: Ticking Exchange Hybrid and Password write-back under optional features

The wizard has now collected the required information and we can click “Configure”.

Figure 24: Ready to configure rule set based on settings

The rule sets etc. will now be configured and when the wizard is done, we are taken to the “Finished” page.

Since we do not want to start the synchronization just yet, untick “Synchronize now” and click “Finish”.

Figure 25: Finished page

This concludes part 22 of this multi-part article in which I provide you with an explanation of what Windows Azure is and how you configure an Exchange 2013 hybrid lab environment in Windows Azure.

If you would like to read the other parts in this article series please go to:

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top