Exchange Server 2016 and Microsoft Cloud (Part 8)

If you would like to read the other parts in this article series please go to:


Time to start the directory synchronization between on-premises and Azure Active Directory/Office365. In order to do that we will be adding a new server in our environment (TORSync01), as depicted in the diagram below.

We are going to use a Windows Server 2012 R2 with all Windows Updates before starting this article. This server will be joined to the domain as well.

TORSync01 has been added to the infrastructure to replicate the on-premise Active Directory with Azure Active Directory

The process is simple and in this article we are going to cover all the assessment of the environment and prepare for the upcoming synchronization.

Creating a synchronization account…

The first step when enabling the synchronization between on-premise and Azure Active Directory/Office 365 (from now on I will refer to as Azure Active Directory) is to create a service account on Azure Active Directory with the Global Administrator role assigned to it, as shown in the image below. This account is going to be used during the wizard that configures the synchronization in the Azure Active Directory Connect tool (AAD Connect).

Creating a synchronization account in Office365 with Global Administrator role assigned to it

In order to get to the screen above, these following steps can be used:

  1. Logged on the Office365 Admin Center Preview
  2. Click on Users and then click on Active Users
  3. Click on + Add a user button, and on the new blade fill out the information that was discussed previously and click on Add
  4. In the User was added page. A summary of the new user will be shown, the administrator can send that info by e-mail if necessary. Click on Send email and close to complete the process.

A few hints when creating the synchronization account:

  • Use create user without product license under Product License section of a new user in Office 365 Admin Center
  • Make sure that the account does not exist on-premise, after all we will synchronize the directories in few moments
  • You can create the account even with domain. It does not impact its ability to be configured on the AAD Connect later on

Preparing for the Directory Synchronization…

In this section, we are going over the steps that are recommended to validate the current environment and clean it up before the synchronization process.

Logged on Admin center preview, click on Settings, Services & Addins, and click on Directory Synchronization from the list, as shown in the image below.

Starting the Directory Synchronization assessment from the Office 365 Admin Center Preview

A new blade informing about the process of directory synchronization will be displayed. After reading the introduction, click on Go to the DirSync readiness wizard link to start the process. In some cases the assessment is the longest part of the configuration process, but it is better to spend time checking and validating items than fixing issues later on, right? One point that is worth mentioning is that this process should be executed on the server that will host the synchronization and the reason behind is that some tools will be executed on the local server as part of the process.

The process has three steps, and each step has several subtasks. Be aware that new pages and download of products will pop up during the process, but the initial wizard will stay there. If you close that main page, you don’t need to worry as you can always run the same wizard. Here are the steps that we will follow to complete the assessment and cleanup of the environment before the initial synchronization.

  1. In the Is directory sync right for you? page. Here is the thing, if you select less than 51 (options one and two) the assessment will ask you to create the users manually, so make sure that you use at least the third option and click Next.

The Directory Synchronization assessment starting

  1. In the Sync your local directory with the cloud page. A brief introduction about the synchronization between on-premise and the Cloud, just click Next.
  2. In the Let’s check your directory page. In order to perform the initial check, there are a few requirements that need to be met. Since we are performing this task from a Windows Server 2012 R2 which is our synchronization server-to-be we don’t need to worry about Internet browser, and additional software. The only thing left is to make sure that we are logged in the domain with domain admin privileges. Click on Start Scan.
  3. A new page Evaluating directory synchronization setup will be displayed. Click on run checks and a Application Run – Security Warning will be displayed, click on Run. The process may take a while and it will generate a list on a separate page with all issues that were found on the environment. The ideal world is to have a blank page saying that no issues were found. If that is not your case, then work on resolving each one of the issues listed before moving forward.
  4. In the Let’s check your directory page. Back to the main page of the wizard the information that the previous scan was complete will be displayed, click on Next to check the results.
  5. In the Here’s what we found page. A summary of all Active Directory objects, mailboxes, groups, contacts and users will be displayed for informational purposes. Click Next.
  6. In the Get your domains ready page. The assessment checked all the domains of the on-premises Active Directory and will suggest to import them to Office 365, and since we already have done that in our series, this step will be a breeze. Just click Next.
  7. In the Verify ownership of your domains page. A list of all domains found on-premise and their status on Office 365. Click Next.
    Note: If there are domains to be added, you must go to Domains and validate each one of those domain.
  8. In the Your domains are ready page. It will inform the result of all domains that were added and/or validated, as depicted in the image below. Click Next.

Results of the domains retrieved from the assessment tool that were added/validated in Office365

  1. In the Clean up your environment page. The wizard suggests to run the IDFix Tool to check the current objects in the Active Directory and it provides a report with accounts that will have problems synchronizing. Click on download and run the IDFix.exe executable (no installation is required).

Before continuing with the current step by step, we will go over the IDFix tool. The tool is an executable which means no installation is required, just run it and a Privacy Statement pop up will be displayed, just click on OK.

The tool itself is simple, it is a single page tool but it is really useful. In order to start just click on Query and that will trigger a query on the Active Directory and it will list all objects that are potential issues for the future replication and the administrator can perform the changes and fix through the tool.

IdFix Tool

Here are some notes from the field that can speed up the synchronization process:

  • If you have non-routable UPN domains, then all objects that are using that domain will be listed and a fix will be required (similar to the first item on the image above)
  • We don’t have to replicate everything to Azure Active Directory, we can define which OUs are going to be replicated from on-premise. This becomes helpful when we have OUs with service accounts/vendor accounts that will never be replicated to Azure Active Directory. In this kind of situation we don’t have to fix all those accounts because they won’t be replicated.
  • The IdFix allows the administrator to change the value (Edit, Remove and Complete)
  • The Remove option does not remove the object itself, it just clears the username and UPN from the Active Directory object

Time to go back to the wizard and complete the process by running the last pages of the wizard.

  1. In the Run Azure Active Directory Connect page. Now it is time to download the Azure AD Connect client to the server, click on Download, you will be redirect to the download page. Click Next.
  2. In the Make sure sync worked as expected page. The wizard asks to check the replication between on-premise and Azure Active Directory, we will perform this step in the upcoming article. For now, just click Next.
  3. In the Activate Users page. The wizard informs that an user has to be activated before it can use Office 365 services, for now just click Next.
  4. Finally, the You’re all set up page. Click on Finish.

In our next article we will be synchronizing the directories between on-premises and Azure Active Directory.

If you would like to read the other parts in this article series please go to:

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top