TechShizz | All posts tagged 'Office 365'

Initiating DirSync

Pre-Requisites:


  1. From a domain joined machine, log in with an account that has Enterprise admin rights
  2. Log into portal.office365.com
  3. Go to "Users" > Active Users > and click "Setup"
  4. Follow the instructions. You will be guided through confirming domains
  5. Next you will be prompted to download and run IDFix. Run this tool to check AD for errors.
  6. Next you will be prompted to Download the AzureADConnect tool. Save it to a network share. You will need to run this from your DirSync server next. Download the tool here : http://go.microsoft.com/fwlink/?LinkID=278924 | <More Info to be added here> 
    Additional guide here - https://blogs.technet.microsoft.com/canitpro/2014/05/13/step-by-step-syncing-an-on-premise-ad-with-azure-active-directory/
  7. From the DirSync Server, run the AzureADConnect tool. Follow the wizard. Once complete the Active Directory should sync to Office 365.

Other Tools
There are three tools we can use to initiate DirSync
  • Identity Manager
  • PowerShell
Initiate Sync with PowerShell
To initiate a Delta Sync, open Windows PowerShell and run:
Start-ADSyncSyncCycle -PolicyType Delta

To initiate a Full Sync, open Windows PowerShell and run:
Start-ADSyncSyncCycle -PolicyType Initial

Sync Time

To change the synchronization time (i.e. the time between synchronizations, we can use Microsoft.Online.DirSync.Scheduler.exe.config. This config file can be found in : C:\Program Files\Windows Azure Active Directory Sync\. Change the value 3.0.0 to whatever you need, H,M,S.
To verify synchronization we can do the following:
  • Check Office 365 portal of new accounts
  • View Sync results in Identity Manager
  • View Sync results in Event Manager
Initiate Sync with Identity Manager

Go to "C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell" on your Identity Manager server.

Launch miisclient.exe.> Management Agents > Active Directory Connector (right click > Run) > Select Full Import Full Sync.






Filtering in DirSync

With DirSync for Office 365, you can specify what NOT to synchronize with a filter. This is useful in large environments as there may be hundereds of thousands of objects and that would not be suitable if only one portion of your organization actually used Office 365.

There are three filter types:

  • OU-Based Filtering
  • Domain Based Filtering
  • User-Attribute Based Filtering
You can have multiple filter rules in a single condition = OR (any)
or Multiple conditions in the same rule = AND (all).

Execution

This filtering is done on the server with Forefront ID Manager. 

You need to navigate to the following directory:

"C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell"

Here you will find miisclient.exe.

Open up Management Agents. You'll see the Active Directory Connector. Double click this to open the connector.

Select "Configure Directory Partitions".



If there were multiple domains, and we wanted to filter out an entire domain, we could do this here by unticking the checkbox of the domain we DONT want to sync. This is Domain Based Filtering.

Click the "Containers" button and you'll be promted for the username and password for AD. Enter the credentials and the AD OU's are then displayed with check boxes all ticked. 

Unticking these boxes will filter DirSync bu OU. This is OU Based Filtering


Next click on "Configure Connector Filter". Select "User" and then click "New" to create out own User Based Filter.


If we want to create a User Based Filter to filter out a custom group of people, we can use an extensionAttribute to specify if a value is present that this object won't be synchronized. So all we'd have to do it fill in "NoSync" as below, then populate this value for any users that we don't want to be synchronized into their user attributes.

Preparing for DirSync

Active Directory Cleanup

If your on premises environment is AD only, and does not have an Exchange server; you will need to install the Exchange Server 2013 Schema Extension before installing DirSync.

AD Health Check Tools

IDFix - This tool looks for potential conflicts in usernames between the O365 and on premises environment and other settings that might conflict.

ADModify.net - Can be used to make batch changes to AD principals such as email addresses or usernames

Office 365 On-Ramp - This tool asseses your on premises environment to see if its ready for DirSync.

UPN Suffixes

Before installing DirSync your should ensure that there ar no NULL UPN suffix values for any AD objects.
We need to add the external domain that we're using as a UPN suffix in AD. 

Office 365 DirSync Requirents

Domain & Forest Requirements

  • SQL Server - By default SQL Server Express will be installed, which is limited to 10GB databases. (Around 50,000 objects). If you expect to have more that 50,000 objects you should plan for a FULL version of SQL server. The account used to set up dirsync will need full SQL server permissions and the dirsync database will require "public permissions".
  • Forefront Identity Manager 2010 R2 (THIS IS NOT ACTUALLY REQUIRED FOR SINGLE FORESTS)
  • Dirsync server must be in same domain and same forest
  • Recommended to install Dirsync on a member server, but on the DC will work OK
  • Windows Server 2003 Forest Functional Mode or higher
  • The lowest level DC must be at least Server 2003 SP1 32bit

Server Prerequisites
.NET Framework 3.1 SP1 & 4.0
Windows Azure AD Module for Power-Shell

Operating System Prerequisites
DirSync Server must be installed on a server with Server 2008 R2 SP1 Standard as a minimum

Accounts
O365 Admin account with full tenant account rights
Active Directory account with "Enterprise Admin" rights.

Hardware Requirements
50,000 Objects or less:
1.6GHz, 4GB RAM, 70GB Disk
100,000 Objects or less:
16GB RAM, 100GB Disk
300,000 Objects or less:
32GB RAM, 300GB Disk

Ports

These ports are required in addition to the default ports required for Office 365.

TCP/UDP
389 - LDAP
88 - Kerberos & 464 - Kerberos (Password Changes) 
53 - DNS

TCP
135 - RPC
445 - SMB
1433 - SQL

TCP Randomly allocated 1024-65535

Office 365 Client Connection Troubleshooting

To access Office 365, there are some prerequisites that a client and the network the client is connected to must meet for Office 365 to work correctly.

Ports

TCP 443 - O365 Portal, Outlook, OWA, SharePoint
TCP 80/443 - Azure AD Sync Tool, Mail migration tools, Exchange.
TCP 25 - Mail Routing
TCP 587 - SMTP Relay
TCP 143/993 - IMAP Simple Migration Tool
TCP 995 - SPOP3

Further ports required by Lync
TCP 5223 - Lync Mobile clietn push notifications.
PSOM/TLS 443 - Lync Online outbound data sharing.
STUN/TCP 443 - Lync Online outbound audio, video, app sharing.
STUN/UDP 3478 - Lync Online outbound audio and video sessions.
UDP 20000-45000 - Lync to Phone outbound.
UDP 50000-59000 - Lync outbound audio and video sessions.

Troubleshooting Tools

Office 365 Best Practices Analyzer - diagnose client connectivity. Requires Windows 7 SP1 (64Bit), IE9 onwards.
Access this from Tools menu in the O365 Admin center. 

Office 365 OnRamp Tool - Check deployment readiness in on premises
Access this tool from https://configure.office.com