
Prepare for directory synchronization

Published: June 8, 2012

Updated: August 20, 2014

Applies To: Azure, Office 365, Windows Intune

Note
This topic might not be completely applicable to users of Microsoft Azure in China. For more information about Azure service in China, see windowsazure.cn.

As an administrator, you need to do some preparation before you synchronize your local Active Directory to Microsoft Azure Active Directory (Microsoft Azure AD).

If you are deploying single sign-on, then we recommend that you set up single sign-on before you set up directory synchronization.

After you’ve set up single sign-on, verify that the following statements are true:

  • You have the required software.

  • You have set up the correct permissions.

  • You understand the performance considerations related to directory synchronization.

Activating directory synchronization should be considered a long-term commitment. After you have activated directory synchronization, you can only edit synchronized objects by using your on-premises Active Directory management tools. For more information, see Directory synchronization and source of authority.

All Azure Active Directory and Office 365 tenants have a default object limit of 50,000 mail-enabled objects (users, mail-enabled contacts, and groups).
This limit determines how many objects you can create in your tenant, whether the objects are created with DirSync, Windows PowerShell, or the Graph API.

When you verify your first domain, this object limit is automatically increased to 300,000 objects.
Each tenant is only granted one increase.

Important
If you have verified a domain and need to synchronize more than 300,000 objects OR you do not have any domains to verify, and need to synchronize more than 50,000 mail-enabled objects, you will need to contact Azure Active Directory Support to request an increase to your object quota limit.

If your on-premises Active Directory has fewer than 50,000 mail-enabled objects, you can deploy directory synchronization with Microsoft SQL Server 2008 Express.
However, if your on-premises Active Directory has over 50,000 mail-enabled objects, you must deploy directory synchronization with a full instance of SQL Server. The required full instances of SQL Server are Microsoft SQL Server 2008 Standard, Microsoft SQL Server 2008 R2 or Microsoft SQL Server 2012. For more information about deploying synchronization on a standalone version of SQL Server, see How to install the Directory Sync tool onto SQL Server.

This section describes the computer requirements for running the Directory Sync tool. The Directory Sync tool communicates with your domain controller servers. The default installation of the Directory Sync tool includes a version of Microsoft SQL Server 2012 Express SP1.

The directory synchronization computer must meet the following requirements:

  • It must run Windows Server as operating system. The following versions of the Windows Server operating system are supported:

    • 64-bit edition of Windows Server 2008 Standard, Enterprise, or Datacenter edition with SP1 or later

    • Windows Server 2008 R2 Standard, Enterprise, or Datacenter edition with SP1 or later

    • Windows Server 2012 Standard or Datacenter

    • Windows Server 2012 R2 Standard or Datacenter

  • It must be joined to Active Directory. The computer must be joined to the Active Directory forest that you plan to synchronize. For the rich co-existence scenario, this is a requirement because the DirSync server explicitly enumerates and reaches out to all domain controllers in the forest in order to set permissions for write-back. This is not the case if you do not have Hybrid Deployment enabled.
    The computer also must be able to connect to all the other domain controllers for all the domains in your forest. A forest is one or more Active Directory domains that share the same class and attribute definitions, site and replication information, and forest-wide search capabilities.

  • It must run the Microsoft .NET Framework 3.5 SP1 and the Microsoft .NET Framework 4.5.1. If you are running Windows Server 2008, the .NET Framework will already be installed; if not, you can download it from the following locations:

  • It must run Windows PowerShell: If you are running Windows Server 2003, you need to download Windows PowerShell. If you are running Windows Server 2008, you need to enable Windows PowerShell. For more information, see Install Windows PowerShell on the directory sync computer.

  • It must be located in an access-controlled environment. Access to the computer that is running the Directory Sync tool should be limited to those users who have access to your Active Directory domain controllers and other sensitive network components. Only users or administrators that have the necessary permissions to make changes to domain controllers in Active Directory should have access to this computer.

Note
Support for Windows Server 2012 has been added to the server running the Directory Sync tool.

Important
You can only install one computer running the Directory Sync tool between an on-premises Active Directory and an Office 365 tenant.

The following table lists the requirements for domain controllers deployed in your Active Directory forest(s) that communicate with the Office 365 environment.

Component                Requirements

Active Directory forest
  • Windows Server 2003 forest functional mode or higher

Domain controller
  • 32-bit or 64-bit Windows Server 2003 Standard Edition or Enterprise Edition with Service Pack 1 (SP1)
  • 32-bit or 64-bit edition of Windows Server 2008 Standard or Enterprise, Windows Server 2008 R2 Standard or Enterprise, Windows Server 2008 Datacenter, or Windows Server 2008 R2 Datacenter
  • Windows Server 2012 Standard or Datacenter

Important
In every Active Directory site where you plan to install Exchange 2010 SP2 hybrid servers, you must have at least one global catalog server configured.

When you install the Directory Sync tool, the Configuration wizard creates a service account that will be used to read from your local Active Directory and write to Azure AD. The wizard creates this account using both your local Active Directory admin permissions and your cloud admin permissions, which you provide as part of setup.

To run the Directory Sync tool, you must have administrator permissions for the following:

  • The computer running the Directory Sync tool.

  • Your company’s local Active Directory.

  • Your company’s Microsoft cloud service administrator account. (see Azure AD credentials)

The first time that the Directory Sync tool runs, it copies all the relevant objects (user accounts and security groups) to Azure AD. Before performing this operation, you must know the number of objects that will be copied so that you can plan ahead for the effect this operation will have on your network response time and the computers that are running Microsoft Exchange Server.

Note
The Azure AD service supports synchronization of up to 50,000 mail-enabled objects. To synchronize more than 50,000 mail-enabled objects, contact Support.

Tip
Using Office 365? Objects that have been synchronized from your on-premises directory service appear immediately in the Global Address List (GAL); however, these objects may take up to 24 hours to appear in the Offline Address Book (OAB) and in Lync Online.

To set up directory synchronization, you must designate one computer as your directory synchronization computer, and then install the Directory Sync tool on that computer.

The performance of the Directory Sync tool depends on the size and complexity of the customer’s Active Directory as well as on the hardware that runs the tool. Running the Directory Sync tool on insufficient hardware degrades its performance, resulting in increased latency or even failure to propagate on-premises data to the cloud.

For Active Directory deployments with more than 50,000 mail-enabled objects, we recommend that you deploy the Directory Sync tool with a full SQL Server instance (any non-Express SKU, such as SQL Server Standard, Enterprise, or Datacenter). Customers with fewer than 50,000 mail-enabled objects may also elect to use a full SQL Server instance; however, the SQL Server Express instance installed by default with the Directory Sync tool will suffice.

The following table shows the minimum recommended hardware requirements for the directory synchronization computer in relation to how many objects you have in your on-premises Active Directory.

Number of objects in Active Directory           CPU       Memory   Hard drive size

Fewer than 10,000                               1.6 GHz   4 GB     70 GB
10,000–50,000                                   1.6 GHz   4 GB     70 GB
50,000–100,000 (requires full SQL Server)       1.6 GHz   16 GB    100 GB
100,000–300,000 (requires full SQL Server)      1.6 GHz   32 GB    300 GB
300,000–600,000 (requires full SQL Server)      1.6 GHz   32 GB    450 GB
More than 600,000 (requires full SQL Server)    1.6 GHz   32 GB    500 GB

Various processes within the Directory Sync tool consume hard disk space. The disk space consumed by the Directory Sync tool grows with several factors, including the size and complexity of the Active Directory infrastructure from which the tool synchronizes.

The Hard Disk capacities listed in the table above are estimates of the total disk space required to synchronize Active Directory for the stated sizes.

By default, the Directory Sync tool will install Microsoft SQL Server 2008 R2 Express edition. The data files are stored in the same directory as the Microsoft Online Directory Sync Product files (the path specified during installation of the Directory Sync tool – C:\Program Files\Microsoft Online Directory Sync). The location of these database files is not configurable for SQL Server 2008 R2 Express edition.

The Directory Sync tool does not mandate or require a specific hard disk configuration for customers that use an existing SQL Server Instance. However, machines with disk configurations optimized for SQL will realize better overall performance of the directory synchronization process.
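Before the first synchronization run you need the count of mail-enabled objects to decide between the SQL Server Express default and a full SQL Server instance, and to pick a row in the hardware table above. The following script is an added example, not part of the original article or the Directory Sync tool; it assumes the ActiveDirectory PowerShell module on a domain-joined computer and treats "mail-enabled" as "has a populated mail attribute", which is a simplification of what DirSync actually selects.

```powershell
# Added example: count mail-enabled users, contacts and groups across the forest
# and map the total to the sizing guidance given in this article.
Import-Module ActiveDirectory

function Get-DirSyncSizingTier {
    param([Parameter(Mandatory = $true)][int]$ObjectCount)
    # Rows of the hardware table above; full SQL Server is required above 50,000 objects
    if ($ObjectCount -lt 10000)   { return 'SQL Express; 1.6 GHz, 4 GB RAM, 70 GB disk' }
    if ($ObjectCount -le 50000)   { return 'SQL Express; 1.6 GHz, 4 GB RAM, 70 GB disk' }
    if ($ObjectCount -le 100000)  { return 'Full SQL Server; 1.6 GHz, 16 GB RAM, 100 GB disk' }
    if ($ObjectCount -le 300000)  { return 'Full SQL Server; 1.6 GHz, 32 GB RAM, 300 GB disk' }
    if ($ObjectCount -le 600000)  { return 'Full SQL Server; 1.6 GHz, 32 GB RAM, 450 GB disk' }
    return 'Full SQL Server; 1.6 GHz, 32 GB RAM, 500 GB disk'
}

$total = 0
foreach ($domain in (Get-ADForest).Domains) {
    # Simplification: objects with a mail attribute; -Server accepts a domain name
    $users    = @(Get-ADUser   -Server $domain -LDAPFilter '(mail=*)').Count
    $contacts = @(Get-ADObject -Server $domain -LDAPFilter '(&(objectClass=contact)(mail=*))').Count
    $groups   = @(Get-ADGroup  -Server $domain -LDAPFilter '(mail=*)').Count
    Write-Host ("{0}: {1} users, {2} contacts, {3} groups" -f $domain, $users, $contacts, $groups)
    $total += $users + $contacts + $groups
}

Write-Host "Mail-enabled objects to synchronize: $total"
Write-Host "Recommended tier: $(Get-DirSyncSizingTier -ObjectCount $total)"

# Tenant object quota from this article: 50,000 by default, 300,000 after the first
# verified domain; anything beyond that needs a quota increase from Support.
if ($total -gt 300000) {
    Write-Warning 'Exceeds the 300,000 post-verification quota: contact Azure AD Support before synchronizing.'
} elseif ($total -gt 50000) {
    Write-Warning 'Exceeds the 50,000 default quota: verify a domain first (raises the limit to 300,000).'
}
```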

Your Active Directory environment must be properly configured in order for your users to sign in to Microsoft online services. In particular, the userPrincipalName (UPN) attribute, also known as the user logon name, must be set up correctly for each user. The UserPrincipalName attribute must use a publicly routable domain. If you are not currently using a publicly routable domain, you will need to update your users' UserPrincipalNames. To do this, add an alternative UPN suffix in your on-premises Active Directory.

You must add an alternative UPN suffix to associate the user’s corporate credentials with the Office 365 environment. A UPN suffix is the part of a UPN to the right of the @ character. UPNs that are used for single sign-on can contain letters, numbers, periods, dashes, and underscores, but no other types of characters.

  1. Click Start, Administrative Tools, and then click Active Directory Domains and Trusts.

  2. Log on to one of your organization’s Active Directory domain controllers.

  3. In the console tree, right-click Active Directory Domains and Trusts and then click Properties.

  4. Select the UPN Suffixes tab, type an alternative UPN suffix for the forest, and then click Add.

  5. Repeat step 3 to add additional alternative UPN suffixes.

If you have not yet set up Active Directory synchronization, you can skip this task and continue with the next section.

If you have already set up Active Directory synchronization, the user’s UPN for Office 365 may not match the user’s on-premises UPN defined in Active Directory. This can occur when a user was assigned a license before the domain was verified.

To remedy this issue, use Windows PowerShell to update users’ UPNs to ensure that their Office 365 UPN matches their corporate user name and domain.
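The script below is an added example, not code from the original article, that carries out the UPN work described in the last two sections: it confirms the alternative suffix was registered on the forest, moves users from a non-routable suffix to the routable one while enforcing the character rules stated above for single sign-on, and optionally realigns the Office 365 UPN of already-synchronized users. It assumes the ActiveDirectory and MSOnline modules; the suffixes and tenant name are placeholders.

```powershell
# Added example: update on-premises UPNs to a publicly routable suffix (placeholders below)
Import-Module ActiveDirectory

$routableSuffix = 'contoso.com'                 # placeholder: verified, publicly routable domain
$legacySuffix   = 'corp.local'                  # placeholder: non-routable suffix in use today
$tenantSuffix   = 'contoso.onmicrosoft.com'     # placeholder: only needed for the cloud step
$UpdateCloud    = $false                        # set $true if synchronization is already active

# The alternative suffix must exist at forest level (step 4 of the procedure above)
if ((Get-ADForest).UPNSuffixes -notcontains $routableSuffix) {
    throw "Add '$routableSuffix' under UPN Suffixes in Active Directory Domains and Trusts first."
}

# UPNs used for single sign-on may contain only letters, numbers, periods, dashes and underscores
function Test-SsoUpn {
    param([Parameter(Mandatory = $true)][string]$Upn)
    return ($Upn -match '^[A-Za-z0-9._-]+@[A-Za-z0-9._-]+$')
}

if ($UpdateCloud) { Connect-MsolService }   # prompts for cloud admin credentials

$users = Get-ADUser -LDAPFilter "(userPrincipalName=*@$legacySuffix)" -Properties userPrincipalName
foreach ($u in $users) {
    $prefix = $u.UserPrincipalName.Split('@')[0]
    $newUpn = "$prefix@$routableSuffix"

    if (-not (Test-SsoUpn -Upn $newUpn)) {
        Write-Warning "Skipping $($u.SamAccountName): '$newUpn' has characters not allowed for single sign-on"
        continue
    }

    # -WhatIf shows the intended change; remove it to apply
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf

    # Users licensed before the domain was verified may carry a tenant-default UPN in Office 365;
    # realign it so the cloud UPN matches the corporate user name and domain.
    if ($UpdateCloud) {
        Set-MsolUserPrincipalName -UserPrincipalName "$prefix@$tenantSuffix" -NewUserPrincipalName $newUpn
    }
}
```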

After you have optionally set up single sign-on and prepared your directory synchronization computer, you are ready to Activate directory synchronization.

Note
If you have questions regarding the content of this article or if you have general feedback, post a message to the Azure Active Directory Discussion Forum.

See Also

Concepts

Prepare for single sign-on
Azure AD credentials

Other Resources

Best Practices for Deploying and Managing the Azure Active Directory Sync Tool
List of Attributes that are Synced by the Azure Active Directory Sync Tool
