OSP325 Microsoft Office 365: Directory Synchronization (slide transcript, 42 pages)

Page 1-2 (title slide)

Microsoft Office 365: Directory Synchronization

Jono Luk, Program Manager II, Microsoft

OSP325

Page 3

What we’ll talk about

• What is Directory Sync?
• Who did we build Directory Sync for?
• What does Directory Sync do for you & your users?
• When to use Directory Sync

Using Directory Sync:
• Requirements
• How Directory Sync works
• Common asks
• Coming features
• Gotchas

Page 4

Who did we build Directory Sync for?

You!

Any customer that wants to use and unlock the power of Office 365

Office 365 Enterprise subscribers

From smallest (10 objects) to largest (1M objects) customers

Page 5

What does Directory Sync do for you

Enables you to manage your company’s information in one central location for both on-premise intranet and Office 365

Runs as an appliance: install and forget

Proactively reports errors via email: “No news is good news”

Page 6

What does Directory Synchronization do for users

Seamless user experience across on-premise and Office 365 services (Exchange, Lync, SharePoint)

Flavors of Co-Existence:
• Identity Co-Existence (aka Single Sign-On, Federated Identity, Federated Authentication)
• Application Co-Existence

Page 7

What does Directory Synchronization do for users: Identity Co-Existence

Facilitates “Single Sign-On” Experience

For users: Single set of credentials to manage

On-premise users, security groups, distribution lists, contacts are available in the cloud

• Complete Address Books in Exchange Online
• SharePoint Online ACL’ing via Security Groups

Users, contacts, groups can be created directly in Office 365, or sync’d from on-premise!

Page 8

What does Directory Synchronization do for users: Application Co-Existence

2 types: Simple, Rich

Simple Co-Existence: full, consistent Address Book available across all O365 services

Exchange Online users can receive mail at any of their (valid) on-premise Proxy Addresses

Conf Room support (Outlook Room Finder)

Page 9

What does Directory Synchronization do for users: Application Co-Existence

Rich Co-Existence: Hybrid Deployments

• Staged migrations
• Keep data on-premise for various business or legal requirements

Free/Busy available to users on-premise and in cloud

Page 10

What does Directory Synchronization do for users: Application Co-Existence

Rich Co-Existence (cont’d): Cross-Premise Services

• Customers with an on-premise mailbox can have voicemail in the cloud
• Cloud Archiving
• Filtering Co-Existence (safe senders, blocked senders)

Page 11

When to use Directory Synchronization

• Directory Synchronization is a long-term commitment

• Common Scenarios:

Scenario                                                  Use Directory Synchronization?
Initial on-boarding/bulk Provisioning of users only*      No
Identity Federation                                       Yes
Long-term migration/adoption of Office 365 Services       Yes
Partial adoption/migration to Office 365 Services         Yes

Page 12

Setting up Directory Sync - Requirements

3 types of requirements:

1. Host OS that runs Directory Sync (32-bit ONLY)

• Microsoft Windows Server® 2003 SP2 x86
• Microsoft Windows Server 2008 x86

Cannot be a Domain Controller

2. Active Directory Forest functional level sync’d by Directory Sync

• Microsoft Windows Server 2000
• Microsoft Windows Server 2003
• Microsoft Windows Server 2008
• Microsoft Windows Server 2008 R2 (NOTE: known incompatibility with the Recycle Bin feature)

Page 13

Setting up Directory Sync - Requirements

3. Rich Co-Existence: needs an Exchange 2010 SP1 Client Access Server (CAS) – free; installs the schema extensions required to support Rich Co-Existence

Page 14

Demo: Microsoft Online Directory Sync Setup

Page 15

How Directory Synchronization works: Architecture

[Architecture diagram: Customer Network (AD → Directory Sync) → Office 365 Datacenter (Office 365 FEs → Microsoft Online ID, Exchange, Office Sub, SharePoint, Lync, O365 Directory)]

Page 16

How Directory Synchronization works: Architecture - Client

Uses Enterprise Admin credentials at configuration to create a self-managed account for sync purposes:

• Attribute-level write permissions for Rich Co-Existence

Uses a managed account with Global Administrator privileges for the Tenant; authenticates to O365 via Microsoft Online ID

• Syncs all users, contacts and groups from your (single) AD forest
• Queries the AD DirSync control for changes
• Filters out well-known objects and attribute patterns

Syncs every 3 hours

Page 17

How Directory Synchronization works: Architecture - Client

First sync run, “full sync”: start-up, syncs all objects

Subsequent runs, “delta sync”: changes only

Time required depends on data size/complexity

Page 18

How Directory Synchronization works: Architecture - Client

Microsoft Windows Server 2003 SP2 or higher (32-bit)

SQL Server 2008 R2 Express (10GB DB size limit); larger customers should use full Microsoft SQL Server 2005 / 2008

Microsoft Online ID components for Authentication to Office 365

Available for download in 23 languages

Page 19

How Directory Synchronization works: Architecture - Server

Syncs objects in “batches”

Users provisioned into Microsoft Online ID for login to Office 365

All objects provisioned into the Office 365 Directory Store; objects flow into services based on subscription (Exchange Online, Lync Online, SharePoint Online)

Page 20

How Directory Synchronization works: Architecture – Sync Object Limits

All customers initially subject to a 10,000 object limit (“objects” = users, security groups, distribution lists, contacts); you will receive an email, then contact support to increase the object limit

Larger customers (20,000+ users) sign-up for special subscription type

work with your MS account reps for more details!

Page 21

How Directory Synchronization works: Attribute Validation

As batches of objects are processed by Office 365, objects are validated

First-in-wins conflict resolution: if key attributes are duplicated, the second object receives errors

Page 22

How Directory Synchronization works: Attribute Validation

ProxyAddresses sanitization: proxy addresses with non-registered domains are stripped

UPN Validation: if the UPN uses a non-registered domain, it will be replaced with:

mailNickName ‘@’ domain.onmicrosoft.com

(where domain is the primary domain the customer registered at sign-up)

Page 23

How Directory Synchronization works: Attribute Validations

Attribute            Most common issues

userPrincipalName    • cannot have dot ‘.’ immediately preceding ‘@’
                     • cannot exceed 113 chars (64 for username, 48 for domain)
                     • cannot contain ! # $ % & \ * + - / = ? ^ _ ` { | } ~ < > ( )
                     • cannot have duplicate UPNs

sAMAccountName       • cannot contain “ \ / [ ] : | < > + = ; ? ,
                     • cannot end with dot ‘.’
                     • cannot be more than 20 chars
                     • cannot be empty

proxyAddresses       • cannot contain smtp addresses with domains that are not registered for the tenant
                     • cannot have duplicate proxy addresses

All errors are reported to Technical Notification Contact by email!
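The validation rules on the last three slides (UPN rewrite to the onmicrosoft.com domain, proxyAddresses sanitization, the per-attribute checks, and first-in-wins duplicate handling) are small enough to run as code. The following is an added example, not code from the presentation or from the Directory Sync tool: the object shape, the names TenantValidator/validate_upn/validate_sam, and the sample objects are constructed for illustration, the forbidden-character sets are copied verbatim from the slide, and the forbidden-character check for the UPN is applied to the username part (an assumption; the slide does not say which part it covers).

```python
"""DirSync-style attribute validation for a batch of on-premise objects (added example).

Rules implemented follow the OSP325 slides: UPNs in unregistered domains are rewritten
to mailNickname@<tenant>.onmicrosoft.com, smtp proxy addresses in unregistered domains
are stripped, per-attribute checks are applied, and duplicates are resolved
first-in-wins (the second object to claim a key attribute receives the error).
"""
from dataclasses import dataclass, field

UPN_FORBIDDEN = set('!#$%&\\*+-/=?^_`{|}~<>()')   # verbatim from slide 23 (assumed: checked on the username part)
SAM_FORBIDDEN = set('"\\/[]:|<>+=;?,')             # verbatim from slide 23


@dataclass
class AdObject:
    """Minimal on-premise user as the sync client would read it (assumed shape)."""
    sam_account_name: str
    user_principal_name: str
    mail_nickname: str
    proxy_addresses: list[str] = field(default_factory=list)


@dataclass
class ValidationResult:
    upn: str                      # UPN as it would be provisioned (possibly rewritten)
    proxy_addresses: list[str]    # sanitized proxy address list
    errors: list[str] = field(default_factory=list)
    warnings: list[str] = field(default_factory=list)


def _domain_of(address: str) -> str:
    return address.rsplit('@', 1)[1].lower() if '@' in address else ''


def validate_upn(upn: str) -> list[str]:
    """Per-attribute UPN checks from slide 23 (duplicates are checked at tenant level)."""
    if '@' not in upn:
        return ['UPN has no @']
    user, domain = upn.rsplit('@', 1)
    errors = []
    if user.endswith('.'):
        errors.append("dot '.' immediately precedes '@'")
    if len(upn) > 113 or len(user) > 64 or len(domain) > 48:
        errors.append('UPN exceeds 113 chars (64 for username, 48 for domain)')
    bad = sorted(set(user) & UPN_FORBIDDEN)
    if bad:
        errors.append('UPN contains forbidden characters: ' + ' '.join(bad))
    return errors


def validate_sam(sam: str) -> list[str]:
    """Per-attribute sAMAccountName checks from slide 23."""
    if not sam:
        return ['sAMAccountName is empty']
    errors = []
    if len(sam) > 20:
        errors.append('sAMAccountName longer than 20 chars')
    if sam.endswith('.'):
        errors.append("sAMAccountName ends with '.'")
    bad = sorted(set(sam) & SAM_FORBIDDEN)
    if bad:
        errors.append('sAMAccountName contains forbidden characters: ' + ' '.join(bad))
    return errors


class TenantValidator:
    """Validates objects in batch order; the first object to claim a UPN or SMTP address wins."""

    def __init__(self, registered_domains, onmicrosoft_domain):
        self.onmicrosoft = onmicrosoft_domain.lower()
        self.registered = {d.lower() for d in registered_domains} | {self.onmicrosoft}
        self.seen_upns: dict[str, str] = {}     # upn -> sAMAccountName of first owner
        self.seen_proxies: dict[str, str] = {}  # smtp address -> sAMAccountName of first owner

    def validate(self, obj: AdObject) -> ValidationResult:
        errors = validate_sam(obj.sam_account_name)
        warnings = []

        # UPN validation: unregistered domain => mailNickname@<tenant>.onmicrosoft.com
        upn = obj.user_principal_name
        if _domain_of(upn) not in self.registered:
            upn = f'{obj.mail_nickname}@{self.onmicrosoft}'
            warnings.append(f'UPN domain not registered; replaced with {upn}')
        errors += validate_upn(upn)
        key = upn.lower()
        if key in self.seen_upns:
            errors.append(f'duplicate UPN {upn} (already used by {self.seen_upns[key]})')
        else:
            self.seen_upns[key] = obj.sam_account_name

        # proxyAddresses sanitization: strip smtp addresses in unregistered domains, flag duplicates
        kept = []
        for proxy in obj.proxy_addresses:
            prefix, _, addr = proxy.partition(':')
            if prefix.lower() != 'smtp':
                kept.append(proxy)  # non-SMTP address types pass through untouched
                continue
            if _domain_of(addr) not in self.registered:
                warnings.append(f'stripped proxy address {proxy}: domain not registered')
                continue
            akey = addr.lower()
            owner = self.seen_proxies.setdefault(akey, obj.sam_account_name)
            if owner != obj.sam_account_name:
                errors.append(f'duplicate proxy address {addr} (already used by {owner})')
                continue
            kept.append(proxy)

        return ValidationResult(upn=upn, proxy_addresses=kept, errors=errors, warnings=warnings)


# Constructed sample batch: one clean user, one in an unregistered domain,
# one with a bad UPN that also re-uses an address, one with an empty sAMAccountName.
REGISTERED_DOMAINS = ['contoso.com']
TENANT_DOMAIN = 'contoso.onmicrosoft.com'
SAMPLE_BATCH = [
    AdObject('jdoe', 'jdoe@contoso.com', 'jdoe', ['SMTP:jdoe@contoso.com', 'smtp:john.doe@contoso.com']),
    AdObject('asmith', 'asmith@fabrikam.local', 'asmith', ['SMTP:asmith@fabrikam.local', 'smtp:asmith@contoso.com']),
    AdObject('jdoe2', 'jdoe.@contoso.com', 'jdoe2', ['SMTP:john.doe@contoso.com']),
    AdObject('', 'jdoe@contoso.com', 'ghost', []),
]


def run_batch(objects=SAMPLE_BATCH, registered=REGISTERED_DOMAINS, tenant=TENANT_DOMAIN):
    """Validate a batch in arrival order; returns one ValidationResult per object."""
    validator = TenantValidator(registered, tenant)
    return [validator.validate(o) for o in objects]


if __name__ == '__main__':
    for obj, res in zip(SAMPLE_BATCH, run_batch()):
        print(obj.sam_account_name or '<empty>', res.upn, res.proxy_addresses, res.errors, res.warnings)
```

Run over the constructed batch, the first user passes clean, the second has its UPN rewritten and its fabrikam.local address stripped (warnings, no errors), the third gets the trailing-dot UPN error plus a duplicate-proxy error because jdoe already owns john.doe@contoso.com, and the fourth fails on the empty sAMAccountName and the duplicate UPN. Every error here would, per the slide, be mailed to the Technical Notification Contact and can only be fixed on-premise.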

Page 24

How Directory Synchronization works: Writing to On-Premise AD

If Rich Co-Existence is disabled, Directory Sync will not modify the customer’s on-prem AD

If Rich Co-Existence is enabled, Directory Sync will modify up to 6 attributes on users:

Attribute                          Feature

SafeSendersHash,                   Filtering Coexistence: enables on-premise filtering using cloud safe/blocked sender info
BlockedSendersHash,
SafeRecipientHash

msExchArchiveStatus                Cloud Archive: allows users to archive mail to the Office 365 service

ProxyAddresses (cloudLegDN)        Mailbox off-boarding: enables off-boarding of mailboxes back to on-premise

cloudmsExchUCVoiceMailSettings     Voicemail Co-Existence: enables on-premise mailbox users to have Lync in the cloud

Page 25

How Directory Synchronization works: Identifying on-premise and Cloud Objects

Objects in Office 365 are uniquely identified by sourceAnchor: a value derived from the ObjectGUID of the on-premise object, set on first sync

Customer can create objects in Office 365 before running Directory Sync

Objects may overlap with on-premise objects!

Sync tries to “map” objects being sync’d with objects already present in the cloud

Prevent duplicate objects!

Page 26

How Directory Synchronization works: Matching on-premise and Cloud users

On sync, if no user object in the cloud has the sourceAnchor value, try to match based on SMTP addresses

If the SMTP address match succeeds, the sourceAnchor value is stamped on the object already in the cloud and the objects are “matched”

Subsequent sync runs will use sourceAnchor values

Matching for user objects only
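The matching rules on the last two slides (anchor match first, SMTP soft-match for users only, stamp the anchor on success, later runs follow the anchor) decide whether a sync creates a duplicate or adopts a cloud-created object. The following added example, not code from the presentation or the Directory Sync tool, plays through two sync runs against a tenant that already holds a hand-created user and group. The object shapes, the CloudDirectory class and the GUIDs are constructed for illustration; the derivation of sourceAnchor as base64 of the GUID's little-endian bytes is an assumption (the slide only says the value is derived from the ObjectGUID).

```python
"""Matching on-premise objects to cloud objects by sourceAnchor, then by SMTP (added example)."""
import base64
import uuid
from dataclasses import dataclass
from typing import Optional


def source_anchor(object_guid: uuid.UUID) -> str:
    """Derive the sourceAnchor from the on-premise objectGUID.
    Assumed derivation: base64 of the GUID's little-endian (Windows) byte form."""
    return base64.b64encode(object_guid.bytes_le).decode('ascii')


@dataclass
class OnPremObject:
    object_guid: uuid.UUID
    object_class: str           # 'user', 'group' or 'contact'
    proxy_addresses: list[str]
    display_name: str


@dataclass
class CloudObject:
    object_class: str
    proxy_addresses: list[str]
    display_name: str
    source_anchor: Optional[str] = None   # None: created directly in Office 365, never matched


def _smtp_set(proxies):
    """Lower-cased SMTP addresses from a proxyAddresses list (X500/SIP entries are ignored)."""
    return {p.split(':', 1)[1].lower() for p in proxies if p.lower().startswith('smtp:')}


class CloudDirectory:
    """Toy model of the Office 365 Directory Store for one tenant (constructed)."""

    def __init__(self, objects=None):
        self.objects: list[CloudObject] = list(objects or [])

    def find_by_anchor(self, anchor: str) -> Optional[CloudObject]:
        return next((o for o in self.objects if o.source_anchor == anchor), None)

    def find_unmatched_user_by_smtp(self, proxies) -> Optional[CloudObject]:
        """Soft match: a cloud user with no sourceAnchor yet that shares any SMTP address."""
        wanted = _smtp_set(proxies)
        for o in self.objects:
            if o.object_class == 'user' and o.source_anchor is None and _smtp_set(o.proxy_addresses) & wanted:
                return o
        return None

    def sync(self, on_prem: list[OnPremObject]) -> list[tuple[str, str]]:
        """One sync run; returns (display_name, action) with action in
        {'anchor-match', 'smtp-match', 'created'}."""
        log = []
        for src in on_prem:
            anchor = source_anchor(src.object_guid)
            target = self.find_by_anchor(anchor)
            if target is not None:                      # subsequent runs: anchor wins, even if SMTP changed
                target.proxy_addresses = list(src.proxy_addresses)
                target.display_name = src.display_name
                log.append((src.display_name, 'anchor-match'))
                continue
            if src.object_class == 'user':              # SMTP matching is for user objects only
                target = self.find_unmatched_user_by_smtp(src.proxy_addresses)
                if target is not None:
                    target.source_anchor = anchor       # stamp it; later runs hard-match on it
                    target.proxy_addresses = list(src.proxy_addresses)
                    log.append((src.display_name, 'smtp-match'))
                    continue
            # No match: a new cloud object is provisioned. For a group or contact that already
            # exists cloud-side this is exactly the duplicate the slide warns about.
            self.objects.append(CloudObject(src.object_class, list(src.proxy_addresses), src.display_name, anchor))
            log.append((src.display_name, 'created'))
        return log


# Constructed GUIDs for the two on-premise objects.
GUID_JDOE = uuid.UUID('11111111-2222-3333-4444-555555555555')
GUID_SALES = uuid.UUID('66666666-7777-8888-9999-aaaaaaaaaaaa')


def demo():
    """Tenant with a cloud-created user and group, then two sync runs with an SMTP change in between."""
    cloud = CloudDirectory([
        CloudObject('user', ['SMTP:jdoe@contoso.com'], 'John Doe (cloud-created)'),
        CloudObject('group', ['SMTP:sales@contoso.com'], 'Sales (cloud-created)'),
    ])
    on_prem = [
        OnPremObject(GUID_JDOE, 'user', ['SMTP:jdoe@contoso.com', 'smtp:john.doe@contoso.com'], 'John Doe'),
        OnPremObject(GUID_SALES, 'group', ['SMTP:sales@contoso.com'], 'Sales'),
    ]
    first = cloud.sync(on_prem)
    on_prem[0].proxy_addresses = ['SMTP:john.doe@contoso.com']   # address changed on-premise
    second = cloud.sync(on_prem)
    return first, second, cloud


if __name__ == '__main__':
    first, second, cloud = demo()
    print('run 1:', first)
    print('run 2:', second)
    print('cloud objects:', [(o.display_name, o.source_anchor) for o in cloud.objects])
```

On the first run the cloud-created John Doe is adopted by SMTP match and stamped with the anchor, while the cloud-created Sales group is not (matching is for users only), so a second Sales group appears. On the second run both on-premise objects are found by anchor, so the changed SMTP address on John Doe simply flows to the already-matched cloud object and no further duplicates are created. The lesson for planning is the one the slide states: pre-create users in the cloud only if their SMTP addresses will line up, and do not pre-create groups or contacts that will later be synced.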

Page 27

How Directory Synchronization works: Synchronization Errors

Synchronization errors are communicated to the IT Generalist via email

The Technical Contact is very important to Microsoft Online Directory Sync for communication of sync health, errors, etc.

Administrators must address these errors through on-premise changes

Page 28

Planning for Directory Synchronization

Things to think about:

1. Do you plan to enable Identity Federation?
   • Register domains with Office 365
   • Activate Federation

2. Do you plan to enable Rich Co-existence?
   • Is an Exchange 2010 SP1 CAS deployed on-premise?

3. Is your Active Directory “ready”?
   • Microsoft Online Deployment Guide (http://www.microsoft.com/online/deploy.aspx)
   • Office 365 Best Practice Analyzer

Page 29

Common Asks

Filtering: not supported
• Automated “scoping out” can lead to data loss (user mailboxes!)
• Filter file no longer supported

Highly available Directory Sync: the Directory Sync tool is not configurable for high availability

NOTE: when the Directory Sync tool is down, Office 365 data goes “stale”; Federated Authentication, etc. still works!

Page 30

Common Asks

Scale & Large customers? Directory Sync is used for MSFT! (~1M objects). Customers with 50K+ objects: use a full SQL installation

Powershell-based configuration

Page 31

Coming: 64-bit client

64-bit Directory Sync client releasing soon; provides W2K8 R2 Recycle Bin object re-animation (not supported in the 32-bit Directory Sync client)

Page 32

Coming: Multi-Forest Support

Fact: Customers may have more than 1 AD Forest containing users, groups and contacts to sync to Office 365

Fact: Microsoft Online Directory Sync Appliance cannot be configured to sync from multiple Forests

Fact: customers of BPOS v1 have done work to “aggregate” multiple AD forests into one for sync to BPOS v1

Page 33

Coming: Multi-Forest Support

Plan: provide prescriptive guidance for existing BPOS v1 customers to migrate to Office 365

Customers with specific, supported configurations can enable new Office 365 scenarios (Federated Identity, Rich Co-Existence)

BPOS v1 outside supported configurations, or new Office 365 Customers must wait until later in 2012 for a comprehensive Office 365 multi-forest solution

Page 34

Gotchas

Sync’d objects are mastered on-premise: you need to update the on-premise object to update the cloud object

Stopping Directory Synchronization: cannot “de-activate” Directory Synchronization via the Microsoft Online Portal

Can “turn off” Directory Synchronization client

Can’t delete users that have been sync’d in unless removed from on-premise

Support coming post-General Availability

Page 35

Gotchas

Removing domains: can’t de-register a domain from Office 365 until all users that have attributes with that domain are removed

Page 36

Demo: Back to Directory Sync

Page 37

Other Sessions/Resources

SIM320 - Using Active Directory with Microsoft Office 365: breakout session about Identity Federation & Directory Synchronization

OSP381-INT - Microsoft Office 365: Identity and Access Solutions - Q&A Follow Up: customer-driven deep dive

Office 365 booth

Page 38

Appendix – Directory Synchronization Features

Core DirSync features supported in V1:
• Full shared GAL
• Rich messaging (Full format)
• Meeting requests
• Works over the Internet
• Appliance-like setup

New DirSync V2 features (out of the box):
• Identity coexistence – identities & security principals are mastered on-premises
• Conf room synced as Conf room
• Support for identity federation (ADFS)
• Support for application coexistence (Mail, OC)
• Syncs security groups (SharePoint security)
• Syncs additional on-premise data (i.e., photos), enabling a richer experience
• Proxies for contacts and mail-enabled users are respected (unchanged)
• Support for Rich Coexistence features

New DirSync V2 features (optional):
• Free/Busy coexistence (w/ Exchange Server 2010 CAS server on premise)
• Supports additional Rich Coexistence with Exchange Server 2010 (Cloud Archive, Filtering Coexistence, Delegation)

** DirSync does not require Exchange to exist on premises **

Page 39

Resources

• Sessions On-Demand & Community: www.microsoft.com/teched
• Microsoft Certification & Training Resources: www.microsoft.com/learning
• Resources for IT Professionals: http://microsoft.com/technet
• Resources for Developers: http://microsoft.com/msdn
• Connect. Share. Discuss.: http://northamerica.msteched.com

Page 40

Complete an evaluation on CommNet and enter to win!

Page 41

Scan the Tag to evaluate this session now on myTech•Ed Mobile

Page 42

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.