Active Directory Synchronisation With BPOS

The Microsoft Online Services Directory Synchronisation tool provides one-way synchronisation from your local Active Directory directory service to Microsoft Online Services. Directory synchronization can also provide global address list synchronization between your local Microsoft Exchange Server environment and Microsoft Exchange Online.

Using Directory Synchronisation

If you plan to establish e-mail coexistence between your local Exchange Server environment and Exchange Online, you must establish e-mail coexistence before installing and configuring directory synchronisation.

When you first run the Directory Synchronisation tool, it will write a copy of each user account and mail-enabled contact and group to your organisation’s Microsoft Online Services directory.

When user accounts are first synchronised with your Microsoft Online Services company, they are marked as disabled. They cannot send or receive e-mail, and they do not consume licenses. When you are ready to assign Exchange Online mailboxes to specific users, you must select and activate these users.

While in e-mail coexistence, all edits of user accounts and mail-enabled contacts and groups must be performed in your local Active Directory. Directory synchronisation will update Microsoft Online Services with those changes every three hours, or you can manually force synchronisation at any time. For example, deleting a user account in your local Active Directory will delete that account in Microsoft Online Services.

Important 

Directory synchronisation is one way, from your local Active Directory environment to Microsoft Online Services. When synchronising Active Directory with Microsoft Online Services, it is important that you continue to create and edit all user accounts and e-mail enabled contacts and groups in your local Active Directory. Objects edited in the Microsoft Online Services Administration Center will be overwritten when the next synchronisation takes place.

Note 

Synchronised objects may take up to 24 hours to appear in the Offline Address Book (OAB) and Communicator. Objects that have been synchronised from your on-premises Active Directory directory service will appear immediately in your global address list (GAL), but it may take up to 24 hours before they appear in the OAB and in Microsoft Office Communicator.

Note 

When an account is migrated from your on-premises Active Directory, the account password is not migrated with the account. When the administrator activates the migrated account, a new password is assigned to that account. If the password associated with an on-premises Active Directory account is changed, that new password is not migrated. Users must change their Microsoft Online Services passwords manually.

Active Directory accounts are identified by a globally unique identifier (GUID) that is assigned to each account when it is created. If you delete an account and then create a new account with the same name, the new account will have a different GUID. Because the Directory Synchronisation tool identifies user accounts by their GUID, the Microsoft Online Services account associated with the deleted user account will be deleted during the next synchronisation, and a new account will be created. The mailbox or other services associated with the deleted user account will also be deleted.

If you accidentally delete a user in your local Active Directory, you should use the Active Directory tools to recover that user account. To prevent replication of the accidental deletion, disable directory synchronisation in the Administration Center until you have recovered the deleted user account.

Install the Directory Synchronisation Tool

Before you install the Microsoft Online Services Directory Synchronisation tool, you’ll need:

  • Enterprise administrator credentials: With the Directory Synchronization tool, you will need to use enterprise administrator credentials on the computer on which it will be installed in order to create a local account with synchronization permissions. For more information, see Directory Synchronization Tool Prerequisites.
  • Windows Server 2003 SP2: The Directory Synchronization tool must be installed on a domain-joined computer that is running Windows Server 2003 with Service Pack 2 installed.

After you install the Directory Synchronisation tool, later upgrades can be performed either on the same computer or on a different computer. Using a different computer is recommended for customers whose on-premises Active Directory has more than 50,000 objects, so that deletions made on-premises while the upgrade is taking place are not missed.

There can be only one instance of the Directory Synchronization tool installed on your network. If you install the tool on a second computer that is networked with your first computer, synchronization will stop working on the first computer.

To install the Directory Synchronisation tool

  1. Log on to the Microsoft Online Services Administration Center, click Migration, and then click Directory Synchronisation.

  2. On the Directory Synchronisation page, complete steps 1 and 2.

  3. Under step 3, click Download and follow the instructions to save the installation file on your computer. If necessary, copy the installation file to the computer on which it will be installed.

  4. Run the installation file.

  5. On the last page of the installation program, select Run Configuration Wizard now, and then complete the configuration process.

    Important 

    You must successfully complete the Directory Synchronization tool Configuration Wizard before synchronization will begin.

To upgrade the Directory Synchronisation tool

  1. In the Microsoft Online Services Administration Center, on the Migration tab, click the Directory Synchronisation page. Click Download, and then follow the instructions to save the latest version of the Directory Synchronization tool installation file to the directory synchronization computer.

  2. On the computer on which the Directory Synchronisation tool is installed, open the Control Panel, select Add and Remove Programs, and then uninstall the Directory Synchronisation tool.

    Note 

    If a synchronisation session is in progress, you will receive a warning when you try to remove the Directory Synchronisation tool. If you receive this warning, wait until synchronisation is complete and then repeat this step.

  3. Run the latest version of the Directory Synchronisation tool installation file.

  4. On the last page of the installation program, select Run Configuration Wizard now, and then complete the configuration process.

    Important 

    You must successfully complete the Directory Synchronisation tool Configuration Wizard before synchronisation will begin.

To update the Directory Synchronisation tool using a different computer

  1. Log on to the current directory synchronisation computer, click Start, click Control Panel, open Administrative Tools, and then, in Services, stop the MSOL_AD_Sync service.

  2. On a different computer, download and run the Directory Synchronisation tool installation file as usual, and then run the Configuration Wizard.

  3. On the last page of the Configuration Wizard, select Start directory synchronisation now, and then click Finish.

    This will reset the synchronisation service password, break the synchronization relationship with the old computer, and establish a synchronisation relationship with the new computer.

  4. When the Event Viewer on the new directory synchronisation computer shows that synchronisation is complete, log on to the old directory synchronisation computer, run the Configuration Wizard, and force a synchronisation.

    This will identify and synchronise any objects that were deleted while directory synchronisation was stopped.

  5. On the new directory synchronisation computer, run the Configuration Wizard again, and force another synchronisation.

    This will reset the synchronisation service password and reestablish the synchronization relationship.

  6. Uninstall the Directory Synchronisation tool from the old directory synchronisation computer.

Additional Information

Important 

Installing the Directory Synchronisation tool creates the MSOL_AD_SYNC account in the standard Users organizational unit (OU) of the local Active Directory. This account is used by Directory Synchronisation tool to read the local Active Directory information. Do not move or remove this account. Moving or removing this account will cause synchronisation failures.

Issue: Items deleted on local computer while tool is uninstalled aren’t deleted from Microsoft Online Services

If you uninstall and then reinstall the Directory Synchronisation tool on your local computer (or move the tool from one computer to another), items deleted on your computer during the time that the Directory Synchronisation tool is uninstalled will not be deleted from Microsoft Online Services. This issue occurs when you are using the Directory Synchronisation tool to provide one-way synchronization from your local Active Directory directory service to Microsoft Online Services.

Issue: Can’t uninstall Directory Synchronisation tool

When the Directory Synchronisation tool installation fails before the MIISAdmins group is created, the account that would be used to uninstall the Directory Synchronisation tool does not exist; hence, the Directory Synchronisation tool is not uninstalled.

To work around this, you need to do the following:

  1. Create a Local Machine Group called MIISAdmins.
  2. Add yourself to the group.
  3. Attempt to uninstall the Directory Synchronisation tool.
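The following PowerShell script is an added example, not part of the original article or of the Directory Synchronisation tool itself. It checks the three things the sections above tell you to watch on the synchronisation computer (the MSOL_AD_Sync service, the location of the MSOL_AD_SYNC account in the Users container, and the MIISAdmins local group workaround), and assumes it is run elevated on the domain-joined synchronisation computer as a user who can read Active Directory; the function names are this example's own.

```powershell
# Added example (not from the original article): health checks for the
# Directory Synchronisation computer plus the MIISAdmins workaround.
# Assumes: elevated session on the domain-joined sync computer, run as a
# domain user with read access to Active Directory. Function names are
# this example's own; cmdlets and .NET/ADSI calls are standard.

function Test-MsolSyncService {
    # The service the article tells you to stop before moving the tool.
    $svc = Get-Service -Name 'MSOL_AD_Sync' -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Warning 'MSOL_AD_Sync service not found: is the tool installed on this computer?'
        return $false
    }
    Write-Host ('MSOL_AD_Sync service status: {0}' -f $svc.Status)
    return $true
}

function Test-MsolSyncAccountLocation {
    # The MSOL_AD_SYNC account must remain in the default Users container;
    # moving or deleting it causes synchronisation failures.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = '(sAMAccountName=MSOL_AD_SYNC)'
    $result = $searcher.FindOne()
    if ($null -eq $result) {
        Write-Warning 'MSOL_AD_SYNC account not found in Active Directory.'
        return $false
    }
    $dn = $result.Properties['distinguishedname'][0]
    if ($dn -notmatch '^CN=MSOL_AD_SYNC,CN=Users,DC=') {
        Write-Warning "MSOL_AD_SYNC has been moved to: $dn (expect synchronisation failures)"
        return $false
    }
    Write-Host "MSOL_AD_SYNC is in the expected location: $dn"
    return $true
}

function Repair-MIISAdminsGroup {
    # Workaround for a failed install: create the local MIISAdmins group
    # and add the current user so the uninstaller can run.
    $groupPath = "WinNT://$env:COMPUTERNAME/MIISAdmins,group"
    if (-not [ADSI]::Exists($groupPath)) {
        $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
        $group = $computer.Create('Group', 'MIISAdmins')
        $group.SetInfo()
        Write-Host 'Created local group MIISAdmins.'
    }
    $group  = [ADSI]$groupPath
    $member = "WinNT://$env:USERDOMAIN/$env:USERNAME,user"
    try   { $group.Add($member); Write-Host "Added $member to MIISAdmins." }
    catch { Write-Warning "Could not add $member (already a member, or insufficient rights): $_" }
}

Test-MsolSyncService | Out-Null
Test-MsolSyncAccountLocation | Out-Null
# Repair-MIISAdminsGroup   # run only when the uninstall fails as described above
```

Run the two checks before and after an upgrade or move; run Repair-MIISAdminsGroup only in the failed-install case the article describes.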

Enable Directory Synchronisation

Enabling directory synchronisation is one simple step in the process of implementing e-mail coexistence and directory synchronisation. It must be done before installing the Microsoft Online Services Directory Synchronisation tool.

Directory synchronisation is one way, from your local Active Directory environment to Microsoft Online Services. When synchronizing Active Directory with Microsoft Online Services, it is important that you continue to create and edit all user accounts and e-mail enabled contacts and groups in your local Active Directory. Objects edited in the Microsoft Online Services Administration Center will be overwritten when the next synchronization takes place. For more information about directory synchronization, see About Directory Synchronisation.

Note 

If you plan to establish e-mail coexistence, you must enable directory synchronization.

To enable directory synchronisation

  1. Log on to the Administration Center, click Migration, and then click Directory Synchronisation.

  2. In the Enable one-way synchronisation from your local Active Directory to Microsoft Online Services step, click Enable.
