Understanding Dirsync
Presentation Transcript

  1. Understanding Dirsync, Daniel Kenyon-Smith, Microsoft Consultancy Services UK

  2. Agenda
     • Dirsync Overview
     • Requirements
     • Deployment Options
     • Understanding Synchronization

  3. Dirsync Overview

  4. What is DirSync?
     • An application that synchronizes on-premises Active Directory objects with Office 365
       • Users, Contacts and Groups
     • Initially designed as a software-based “appliance”
       • “Set it and forget it”
     • Multi-forest support now available
     • Appliance and FIM options available

  5. Purpose
     • Enables coexistence
       • Provisions objects in Office 365 with the same email addresses as the objects in the on-premises environment
       • Provides a unified Global Address List experience between on-premises and Office 365
       • Objects hidden from the GAL on-premises are also hidden from the GAL in Office 365
     • Enables coexistence for Exchange
       • Works in both simple and hybrid deployment scenarios
       • Enabler for mail routing between on-premises and Office 365 with a shared domain namespace
     • Enables coexistence for Microsoft Lync

  6. Purpose
     • Enables “run state” administration and management of users, groups, and contacts
       • Synchronizes adds/deletes/modifications of users, groups, and contacts from on-premises to Office 365
     • Enabler for Single Sign-On
     • Not intended as a single-use bulk upload tool

  7. Directory Synchronization Options
     DirSync:
     • Suitable for organizations using Active Directory (AD)
     • Provides the best experience to most customers using AD
     • Supports Exchange co-existence scenarios
     • Coupled with ADFS, provides the best option for federation and synchronization
     • Supports Password Synchronization with no additional cost
     • Does not require any additional software licenses
     Office 365 Connector:
     • Suitable for large organizations with certain AD and non-AD scenarios
     • Complex multi-forest AD scenarios
     • Non-AD synchronization through Microsoft Premier deployment support
     • Requires Forefront Identity Manager and additional software licenses
     PowerShell & Graph API:
     • Suitable for small/medium-size organizations with AD or non-AD sources
     • Performance limitations apply with PowerShell and Graph API provisioning
     • PowerShell requires scripting experience
     • The PowerShell option can be used where the customer/partner has wrappers around PowerShell scripts (e.g. self-service provisioning)

  8. Single Forest Dirsync
     • x64 FIM appliance (set and forget)
     • x86 MIIS appliance now unsupported
     • Scoping of object sync within the forest now supported
     • AD GUID used as SourceAnchor (the link between the AD object and the Office 365 object)

  9. Multi Forest Dirsync
     • x64 FIM multi-forest appliance (simple)
     • FIM deployment (complex)
     • Scoping of object sync within forest(s) now supported
     • For a FIM deployment a unique AD attribute must be selected as the SourceAnchor (Immutable ID)
       • E.g. Employee ID

  10. Multi Forest Topology

  11. Multi-forest AD
     • Multi-forest AD support is available through Microsoft-led deployments
     • The multi-forest DirSync appliance supports multiple disjoint account forests
     • The FIM 2010 Office 365 connector supports complex multi-forest topologies
     (Diagram: several on-premises AD forests synchronized to Windows Azure Active Directory by DirSync on FIM, with federation using ADFS; on-premises identity example: Domain\Alice User.)

  12. Non-AD Synchronization
     • Preferred option for directory synchronization with non-AD sources
     • Non-AD support with FIM is available through Microsoft-led deployments
     • The FIM 2010 Office 365 connector supports complex multi-forest topologies
     (Diagram: an on-premises non-AD (LDAP) directory synchronized to Windows Azure Active Directory by the Office 365 Connector on FIM, with federation using a non-ADFS STS; on-premises identity example: Domain\Alice User.)

  13. Requirements

  14. Prerequisite Remediation
     • Run the Microsoft Office 365 Deployment Readiness Tool: http://community.office365.com/en-us/forums/183/p/2285/8155.aspx
     • Analyse the on-premises environment
       • Domains
       • User Identity and Account Provisioning
       • Exchange Online
       • Lync Online
       • SharePoint Online
       • Client
       • Network

  15. Dirsync
     • Dirsync (Single Forest) must be joined to a domain within the same forest that will be synchronized
     • The Dirsync Server should never be installed on a domain controller
     • The Dirsync Server should be Windows Server 2008 (x64)
     • By default SQL Server 2008 R2 Express is installed
       • 10 GB database limit (approx. 50,000 objects)
       • Full SQL option available
     • x64 Single/Multi Forest appliance available (O365 connector also available for complex scenarios)
     From the Field: When utilising the full SQL option you must ensure that the EA account has “sysadmin” rights on the SQL database and that the Dirsync service account has “public” permissions on the Dirsync DB.

  16. Scoping & filtering for Synchronization
     • Customers can exclude objects from synchronizing to Office 365
     • Scoping can be done at the following levels:
       • AD Domain-based
       • Organizational Unit-based
       • User Attribute-based
     • Additional filtering capabilities will become available with the O365 Connector
     From the Field: When installing Dirsync ensure that you use EA credentials and that all DCs are accessible from the Dirsync Server.

  17. Hardware Recommendations
     • Recommend a system that exceeds the minimum requirements

  18. Network Requirements
     • Synchronization with Office 365 occurs over SSL
     • Internal network communication uses typical Active Directory related ports
     • The Dirsync server must be able to contact all DCs in the forest

  19. Permission Requirements
     • The account used to install/configure DirSync must have:
       • Enterprise Administrator rights
       • Local machine administrator permissions
       • If using full SQL, rights within SQL to create the DirSync database and to set up the SQL service account with the db_owner role
     • The account used to configure DirSync must reside in the local machine MIISAdmins group
       • The account used to install DirSync is automatically added
     • Administrator permission in the Office 365 tenant
       • DirSync uses an administrator account in the tenant to provision and update/modify objects

  20. Permission Requirements
     • Enterprise Administrator permission in the on-premises Active Directory
       • The credential is not stored/saved by the configuration wizard
       • Used to create the MSOL_AD_Sync domain account in the CN=Users container of the root domain
       • Used to delegate the following permissions to MSOL_AD_Sync on each domain partition in the forest:
         • Replicating Directory Changes
         • Replicating Directory Changes All
         • Replication Synchronization

  21. Permission Requirements
     • Enterprise Administrator permission (continued)
       • Used to create the MSOL_AD_Sync_RichCoexistence group in the CN=Users container of the root domain if “Rich Coexistence” is selected during configuration
       • Used to delegate write permissions for only the 6 attributes needed for a hybrid deployment scenario to the MSOL_AD_Sync_RichCoexistence group on each domain partition in the forest
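As an added example (not from the presentation), the following PowerShell audits which principals hold the three replication rights listed on slide 20 on a domain partition and flags any holder outside an expected set, so that the delegation DirSync creates can be verified and unexpected grants reviewed. It assumes the ActiveDirectory module (AD: drive) is available and uses the well-known control-access-right GUIDs for those rights; the expected-principal list is a constructed assumption to adjust for your forest.

```powershell
# Added example, not from the presentation: list who holds the replication
# rights DirSync delegates to MSOL_AD_Sync and flag unexpected holders.
Import-Module ActiveDirectory

# Well-known control-access-right GUIDs for the three rights named on slide 20.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'Replication Synchronization'
}
# An ExtendedRight ACE with the all-zero ObjectType grants every extended right.
$AllExtendedRights = '00000000-0000-0000-0000-000000000000'

# Constructed assumption: principals expected to hold these rights after a
# DirSync install (the sync account plus the built-in defaults).
$Expected = @('MSOL_AD_Sync', 'Domain Controllers', 'Enterprise Domain Controllers',
              'Administrators', 'Enterprise Admins', 'SYSTEM')

function Get-ReplicationRightHolders {
    param([string]$PartitionDN = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$PartitionDN"
    $extended   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $guid = $ace.ObjectType.ToString()
        # Full control on the partition implies every extended right as well.
        if (([int]($ace.ActiveDirectoryRights -band $genericAll)) -eq [int]$genericAll) {
            $right = 'GenericAll (full control, includes replication)'
        } elseif (([int]($ace.ActiveDirectoryRights -band $extended)) -ne 0 -and $guid -eq $AllExtendedRights) {
            $right = 'All extended rights (includes replication)'
        } elseif (([int]($ace.ActiveDirectoryRights -band $extended)) -ne 0 -and $ReplicationRights.ContainsKey($guid)) {
            $right = $ReplicationRights[$guid]
        } else { continue }

        $name = $ace.IdentityReference.Value.Split('\')[-1]
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Right     = $right
            Expected  = ($Expected -contains $name)
        }
    }
}

# Holders outside the expected set can read all directory data, including
# secrets, via replication and should be reviewed.
Get-ReplicationRightHolders | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```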

  22. Understanding Synchronization

  23. Synchronization
     • By default the entire Active Directory forest is scoped for synchronization
     • What is synchronized?
       • All user objects
       • All group objects
       • Mail-enabled contact objects
       • Passwords are not synchronized*
     * Password Sync Early On-boarding program underway

  24. List of attributes sync’d to WAAD
     • List of attributes that are synced to Windows Azure Active Directory and attributes that are written back to the on-premises Active Directory Domain Services: http://support.microsoft.com/default.aspx?scid=kb;en-US;2256198

  25. Synchronization
     • Synchronization is from on-premises to Office 365 only
       • unless “write-back” is enabled
     • Synchronization occurs every 3 hours
       • Use the “Start-OnlineCoexistenceSync” cmdlet to force a sync outside of the regular synchronization schedule
     • New user, group, and contact objects that are added on-premises are added to Office 365
       • Licenses are not automatically assigned
     • Attributes of existing user, group, or contact objects that are modified on-premises are modified in Office 365
       • Not all on-premises AD attributes are synchronized

  26. Synchronization
     • Existing user, group, and contact objects that are deleted on-premises are deleted from Office 365
     • Existing user objects that are disabled on-premises are disabled in Office 365
       • The license is not automatically unassigned
     • Objects are recoverable within 30 days of deletion

  27. Synchronization
     • The first synchronization cycle after installation is a full synchronization
       • May be a time-consuming process relative to the number of objects synchronized
       • Approximately 5000 objects every 45 to 60 minutes
       • Plan ahead if synchronizing tens or hundreds of thousands of objects
     • Subsequent synchronization cycles are deltas only and much faster

  28. Synchronization
     • Sync Cycle Step 1: Import Users, Groups, and Contacts from the source Active Directory forest
     • Sync Cycle Step 2: Import Users, Groups, and Contacts from Microsoft Online Services via AWS
     • Sync Cycle Step 3: Export Users, Groups, and Contacts that do not already exist in Microsoft Online Services
     (Diagram: on-premises Active Directory and Exchange Server on one side, Microsoft Online Services on the other (DirSync Web Service, Online Directory, Live ID, Exchange Online, SharePoint Online, Lync Online), with DirSync between them; the flows are labelled “Users only” and “Mail-enabled objects”. Example object: the on-premises mailbox-enabled user object has ProxyAddresses SMTP:John.Doe@contoso.com; its Office 365 counterpart is a logon-enabled, unlicensed, mail-enabled user (not mailbox-enabled) with ProxyAddresses SMTP:John.Doe@contoso.com and smtp:John.Doe@contoso.onmicrosoft.com and TargetAddress John.Doe@contoso.com.)

  29. Understanding Coexistence

  30. What is Coexistence?
     • Some users are provisioned in Office 365 while the remaining users are provisioned in the on-premises environment
     • Office 365 users see the same objects in the Global Address List as the on-premises users
     • Email messages are routed seamlessly from Office 365 users to on-premises users, and vice versa

  31. Simple Coexistence Deployment
     • Uses Directory Synchronization for GAL synchronization
     • Enables mail routing between on-premises and Office 365 using a shared DNS namespace
     • Provides a unified GAL experience
     • Can be used with cloud identities or federated identities
     • Does not require an on-premises Hybrid server

  32. Hybrid Deployment
     • Uses Directory Synchronization for GAL synchronization
     • Enables mail routing between on-premises and Office 365 using a shared DNS namespace
     • Provides a unified GAL experience
     • Can be used with cloud identities or federated identities

  33. Key Deployment Considerations

  34. Key Deployment Considerations
     • Complete Active Directory cleanup work before implementing DirSync
       • Especially if importing data from a 3rd-party LDAP directory into Active Directory
     • Plan ahead for a DirSync quota increase
       • Could become a deployment blocker. Don’t wait until the 11th hour to request it.
     • Consider Exchange schema extensions for non-Exchange AD environments

  35. Key Deployment Considerations
     • UPN suffix
       • Verify on-premises user objects have a value (not null) for the UPN suffix and that it is correct
       • The default routing domain (e.g. contoso.onmicrosoft.com) is used for the Office 365 UPN suffix if the on-premises UPN suffix does not contain a publicly routable DNS domain (i.e. *.local cannot be used)
     • Verified domains
       • Add all SMTP domains as verified domains before synchronizing
       • A verified domain cannot be removed until all synchronized objects are no longer using it as a proxy address or UPN
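As an added example (not from the presentation), the following PowerShell performs the pre-sync check slide 35 calls for: it reports enabled on-premises users whose UPN is null, whose UPN suffix is not a verified tenant domain (which includes any *.local suffix), or whose SMTP proxy addresses use a domain that has not been verified. It assumes the ActiveDirectory and MSOnline modules and an already established Connect-MsolService session; the function and its parameter name are hypothetical.

```powershell
# Added example, not from the presentation: find on-premises users that would
# fall back to the onmicrosoft.com routing domain or fail to sync cleanly.
Import-Module ActiveDirectory
Import-Module MSOnline

function Get-UnverifiedSuffixUsers {
    param(
        # Lower-cased names of verified tenant domains; fetched if not supplied.
        [string[]]$VerifiedDomains
    )
    if (-not $VerifiedDomains) {
        $VerifiedDomains = Get-MsolDomain |
            Where-Object { $_.Status -eq 'Verified' } |
            ForEach-Object { $_.Name.ToLower() }
    }

    $users = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName, proxyAddresses
    foreach ($u in $users) {
        $problems = @()

        if ([string]::IsNullOrEmpty($u.UserPrincipalName)) {
            $problems += 'UPN is null'
        } else {
            $suffix = $u.UserPrincipalName.Split('@')[-1].ToLower()
            if ($VerifiedDomains -notcontains $suffix) {
                $problems += "UPN suffix '$suffix' is not a verified domain"
            }
        }

        # Both the primary (SMTP:) and secondary (smtp:) addresses must use
        # verified domains, otherwise the domain cannot later be removed cleanly.
        foreach ($addr in @($u.proxyAddresses | Where-Object { $_ -match '^smtp:' })) {
            $domain = $addr.Split('@')[-1].ToLower()
            if ($VerifiedDomains -notcontains $domain) {
                $problems += "proxy address domain '$domain' is not verified"
            }
        }

        if ($problems.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                UPN            = $u.UserPrincipalName
                Problems       = ($problems -join '; ')
            }
        }
    }
}

Get-UnverifiedSuffixUsers | Format-Table -AutoSize
```

Run it after adding all SMTP domains as verified domains and before the first full synchronization; an empty result means every enabled user will keep its on-premises UPN in Office 365.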

  36. Questions?