Manage directory synchronization
Published: June 8, 2012
Updated: September 24, 2014
Applies To: Azure, Office 365, Windows Intune
|This topic might not be completely applicable to users of Microsoft Azure in China. For more information about Azure service in China, see windowsazure.cn.|
As an administrator who will manage directory synchronization for your organization, you need to know where to edit objects in your local Active Directory and when to reconfigure directory synchronization. These activities are described in this topic.
You may also need to repeat some of the tasks you performed while setting up directory synchronization, including:
When you synchronize your local Active Directory with Microsoft Azure Active Directory (Microsoft Azure AD), you must continue to edit objects, such as user accounts and groups, in your local Active Directory. If you add objects to your local Active Directory, they will be added to Azure AD with the next synchronization. All changes that you make in your local Active Directory will be synchronized within three hours, or you can force synchronization at any time. See Synchronize your directories for more information.
You can add and edit users in Azure AD, but those users will not be added to your local Active Directory. For more information, see Directory synchronization and source of authority. You can also watch the video Managing Active Directory Security Groups and Mail-Enabling Objects, or read the support article How to manage Active Directory security groups and to mail-enable group objects in an Office 365 environment.
The Microsoft Azure Active Directory Sync tool is configured using the Microsoft Azure Active Directory Sync tool Configuration Wizard. After it has been configured, the Directory Sync tool regularly synchronizes changes from your local Active Directory to Azure AD. When you change the cloud service administrator password, add or delete a domain, or change the network proxy settings on the computer running the Directory Sync tool, you must run the Configuration Wizard again.
Azure AD requires regular password changes on all cloud accounts. When you change the password for the cloud service administrator account that you provided when you last configured the Directory Sync tool, you must run the Directory Sync Configuration Wizard again and provide the updated password.
Directory Sync creates an on-premises service account named MSOL_AD_SYNC that is granted read and synchronization permissions to the local Active Directory. You should not change the password associated with the MSOL_AD_SYNC service account. However, if your company forces password changes, you must run the Directory Sync Configuration Wizard if the password associated with this account is changed.
|It is not necessary to reconfigure the Directory Sync tool after you change the password that is associated with the enterprise administrator account in your local Active Directory.|
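The two password cases above differ in who notices the problem: the cloud administrator password change is visible in the wizard, while an expired MSOL_AD_SYNC password only shows up as failing synchronization runs. The following PowerShell script is an added example, not part of the Microsoft article, that reports the state of the MSOL_AD_SYNC account and the password policy that applies to it, so an administrator can see whether a forced change is imminent or has already happened. It assumes the RSAT Active Directory module is installed and the session runs under an account that can read the domain.

```powershell
# Added example (not from the Microsoft article): report the MSOL_AD_SYNC
# service account's password state so an administrator can tell whether a
# domain password policy has forced (or will soon force) a change that
# requires re-running the Directory Sync Configuration Wizard.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

$account = Get-ADUser -Identity 'MSOL_AD_SYNC' -Properties PasswordLastSet, PasswordNeverExpires, Enabled, LockedOut, LastLogonDate

# Resultant policy is $null when no fine-grained policy applies; fall back to the domain default.
$policy = Get-ADUserResultantPasswordPolicy -Identity $account
if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }

# Work out when the stored credential in the Directory Sync tool will stop working.
$expiresOn = if ($account.PasswordNeverExpires -or $policy.MaxPasswordAge -eq [TimeSpan]::Zero) {
    'never'
} elseif ($account.PasswordLastSet) {
    $account.PasswordLastSet + $policy.MaxPasswordAge
} else {
    'unknown (PasswordLastSet not set)'
}

[pscustomobject]@{
    Name                 = $account.SamAccountName
    Enabled              = $account.Enabled
    LockedOut            = $account.LockedOut
    LastLogonDate        = $account.LastLogonDate
    PasswordLastSet      = $account.PasswordLastSet
    PasswordNeverExpires = $account.PasswordNeverExpires
    MaxPasswordAge       = $policy.MaxPasswordAge
    PasswordExpiresOn    = $expiresOn
} | Format-List

# Warn when expiry is within seven days: synchronization fails silently once the
# password changes, and the wizard must be re-run with the new credential.
if ($expiresOn -is [DateTime] -and $expiresOn -lt (Get-Date).AddDays(7)) {
    Write-Warning "MSOL_AD_SYNC password expires on $expiresOn; plan to re-run the Directory Sync Configuration Wizard."
}
```

If the report shows a recent PasswordLastSet that you did not set yourself, the account password was changed by policy and the Directory Sync Configuration Wizard must be run again before the next synchronization will succeed.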
If you add a new domain to your local Active Directory, you must run the Directory Sync Configuration Wizard again to update the Directory Sync tool.
If you delete a domain from your local Active Directory without first deleting or moving the users in that domain, you must uninstall and reinstall the Directory Sync tool, and then run the Microsoft Azure Active Directory Sync tool Configuration Wizard. To learn more about uninstalling and reinstalling the Directory Sync tool, see Install or upgrade the Directory Sync tool. If you move or delete the users in a domain at least one synchronization session before the domain is deleted, you do not need to reinstall the Directory Sync tool—you can just run the Directory Sync Configuration Wizard again.
|If you delete a domain from your local Active Directory forest, all mail sent from external sources is returned to the sender with a non-delivery receipt. This can result in sync becoming inoperable until the orphaned objects are removed in the data center.|
To delete a domain from your local Active Directory and update directory synchronization, follow these steps.
1. Delete all of the users and mail-enabled groups from the Active Directory domain that you want to delete.
2. Force a directory synchronization to notify Azure AD of the deletions in your local Active Directory.
3. Force a second directory synchronization to receive the confirmation of the deletions from Azure AD.
4. Properly decommission the Active Directory domain from the last domain controller in the domain to be deleted.
5. Run the Microsoft Azure Active Directory Sync tool Configuration Wizard to update the Directory Sync tool, and then perform another sync. This will be a full synchronization, so it may take some time.
6. Check the Event Viewer to verify that the synchronization completed successfully. If the synchronization did not complete successfully, you must uninstall and then reinstall the Directory Sync tool.
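Steps 2, 3 and 6 of the procedure (force a synchronization, force a second one, then confirm in Event Viewer that it completed) can be driven from PowerShell so that each pass is actually finished before the next one starts and any error is caught immediately. The script below is an added example, not code from the Microsoft article or the Directory Sync tool. It assumes the tool's PowerShell module can be imported as DirSync (the same module that the tool's DirSyncConfigShell.psc1 console loads), that the synchronization engine exposes its management agents through the root\MicrosoftIdentityIntegrationServer WMI namespace, and that errors are written to the Application log under the 'Directory Synchronization' event source; check those names against your installation.

```powershell
# Added example (not from the Microsoft article): force the two synchronization
# passes the procedure calls for, wait for each to finish, and verify the result
# instead of reading Event Viewer by hand.
# Assumptions (not taken from the article): the DirSync module name, the
# root\MicrosoftIdentityIntegrationServer WMI namespace, and the
# 'Directory Synchronization' event source.
Import-Module DirSync

function Wait-DirSyncRun {
    # Poll the management agents until none reports 'in-progress'.
    param([int]$TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 30
        $agents  = Get-WmiObject -Namespace 'root\MicrosoftIdentityIntegrationServer' -Class MIIS_ManagementAgent
        $status  = @($agents | ForEach-Object { $_.RunStatus().ReturnValue })
        $running = $status -contains 'in-progress'
    } while ($running -and (Get-Date) -lt $deadline)
    if ($running) { throw "Synchronization still running after $TimeoutMinutes minutes" }
    return $status
}

function Invoke-CheckedSync {
    # Start one synchronization pass and fail loudly if any agent or event log entry reports an error.
    param([string]$Label)
    $start = Get-Date
    Write-Host "$Label : starting synchronization at $start"
    Start-OnlineCoexistenceSync
    $results = Wait-DirSyncRun
    Write-Host "$Label : management agent results: $($results -join ', ')"

    # Level 2 = Error in the Application log, restricted to this run's time window.
    $errors = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Directory Synchronization'; StartTime = $start; Level = 2
    } -ErrorAction SilentlyContinue

    $failed = $results | Where-Object { $_ -ne 'success' }
    if ($errors) { $errors | ForEach-Object { Write-Warning $_.Message } }
    if ($failed -or $errors) {
        throw "$Label : synchronization did not complete successfully; see the Application log"
    }
    Write-Host "$Label : completed successfully"
}

# Step 2: tell Azure AD about the deletions. Step 3: receive the confirmation.
Invoke-CheckedSync -Label 'Pass 1 (send deletions to Azure AD)'
Invoke-CheckedSync -Label 'Pass 2 (confirm deletions from Azure AD)'
```

Run the script after step 1 and before decommissioning the domain. Steps 4 and 5 remain manual; once the Configuration Wizard has been run, the same Invoke-CheckedSync call can be used for the full synchronization in step 5, and a thrown error at that point is the signal that step 6's fallback (uninstall and reinstall the tool) applies.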
If you change the network proxy settings of the computer running the Directory Sync tool, you must run the Microsoft Azure Active Directory Sync tool Configuration Wizard again.
|The network proxy settings are found in Control Panel.|