Prepare for directory synchronization
Published: June 8, 2012
Updated: February 28, 2013
Applies To: Office 365, Windows Intune
| Note |
|---|
| This topic provides online help content that is applicable to multiple Microsoft cloud services, including Windows Intune and Office 365. |
As an administrator, you need to do some preparation before you synchronize your local Active Directory to Windows Azure Active Directory.
If you are deploying single sign-on, then we recommend that you set up single sign-on before you set up directory synchronization.
After you’ve set up single sign-on, verify that the following statements are true:
- You have the required software.
- You have set up the correct permissions.
- You understand the performance considerations related to directory synchronization.
Activating directory synchronization should be considered a long-term commitment. After you have activated directory synchronization, you can only edit synchronized objects by using your on-premises Active Directory management tools. For more information, see Directory synchronization and source of authority.
Review requirements for the directory synchronization computer
This section describes the computer requirements for running the Directory Sync tool. The Directory Sync tool communicates with your domain controller servers. The default installation of the Directory Sync tool includes a version of Microsoft SQL Server 2008 Express.
The directory synchronization computer must meet the following requirements:
- It must run Windows Server as its operating system. The following versions of the Windows Server operating system are supported:
  - 64-bit edition of Windows Server 2008 Standard or Enterprise, Windows Server 2008 R2 Standard or Enterprise, or Windows Server 2008 Datacenter or Windows Server 2008 R2 Datacenter.
  - 64-bit edition of Windows Server 2012 Standard or Datacenter.
- It must be joined to Active Directory. The computer must be joined to the Active Directory forest that you plan to synchronize. For the rich co-existence scenario, this is a requirement because the DirSync server explicitly enumerates and reaches out to all domain controllers in the forest in order to set permissions for writeback. This is not the case if you do not have rich co-existence enabled.
  The computer also must be able to connect to all the other domain controllers for all the domains in your forest. A forest is one or more Active Directory domains that share the same class and attribute definitions, site and replication information, and forest-wide search capabilities.
- It cannot be a domain controller. The Directory Sync tool cannot be installed on Active Directory domain controllers.
- It must run Microsoft .NET Framework 3.x. If you are running Windows Server 2008, the .NET Framework will already be installed; if not, you can download it from the following locations:
- It must run Windows PowerShell. If you are running Windows Server 2003, you need to download Windows PowerShell. If you are running Windows Server 2008, you need to enable Windows PowerShell. For more information, see Install Windows PowerShell on the directory sync computer.
- It must be located in an access-controlled environment. Access to the computer that is running the Directory Sync tool should be limited to those users who have access to your Active Directory domain controllers and other sensitive network components. Only users or administrators that have the necessary permissions to make changes to domain controllers in Active Directory should have access to this computer.
| Note |
|---|
| Support for Windows Server 2012 has been added to the server running the Directory Sync tool. |

| Important |
|---|
| You can only install one computer running the Directory Sync tool between an on-premises Active Directory and an Office 365 tenant. |
Review requirements for the domain controllers
The following table lists the requirements for domain controllers deployed in your Active Directory forest(s) that communicate with the Office 365 environment.
| Component | Requirements |
|---|---|
| Active Directory forest | |
| Domain controller | |

| Important |
|---|
| In every Active Directory site where you plan to install Exchange 2010 SP2 hybrid servers, you must have at least one global catalog server configured. |
Ensure you have administrator permissions
When you install the Directory Sync tool, the Configuration wizard creates a service account that will be used to read from your local Active Directory and write to Windows Azure AD. The wizard creates this account using both your local Active Directory admin permissions and your cloud admin permissions, which you provide as part of setup.
To run the Directory Sync tool, you must have administrator permissions for the following:
- The computer running the Directory Sync tool.
- Your company’s local Active Directory.
- Your company’s Microsoft cloud service administrator account (see Windows Azure AD credentials).
Review performance considerations
The first time that the Directory Sync tool runs, it copies all the relevant objects (user accounts and security groups) to Windows Azure AD. Before performing this operation, you must know the number of objects that will be copied so that you can plan ahead for the effect this operation will have on your network response time and the computers that are running Microsoft Exchange Server.
| Note |
|---|
| The Windows Azure AD service supports synchronization of up to 50,000 objects. To synchronize more than 50,000 objects, contact Support. |

| Tip |
|---|
| Using Office 365? Objects that have been synchronized from your on-premises directory service appear immediately in the Global Address List (GAL); however, these objects may take up to 24 hours to appear in the Offline Address Book (OAB) and in Lync Online. |
Review hardware recommendations
To set up directory synchronization, you must designate one computer as your directory synchronization computer, and then install the Directory Sync tool on that computer.
The performance of the Directory Sync tool depends on the size and complexity of the customer’s Active Directory as well as on the hardware that is running the directory synchronization tool. Running the directory synchronization tool on insufficient hardware will impact the performance of the tool, resulting in increased latency or even failure to propagate on-premises data to the cloud.
For Active Directory deployments with more than 50,000 objects, we recommend that you deploy the directory synchronization tool with a full SQL instance (a deployment of any non-SQL Express SKU such as SQL Server Standard, Enterprise or DataCenter). Customers with fewer than 50,000 objects may also elect to use a full SQL instance; however, for them the SQL Express that is installed by default with the Directory Sync tool will suffice.
The following table shows the minimum recommended hardware requirements for the directory synchronization computer in relation to how many objects you have in your on-premises Active Directory.
| Number of objects in Active Directory | CPU | Memory | Hard drive size |
|---|---|---|---|
| Fewer than 10,000 | 1.6 GHz | 4 GB | 70 GB |
| 10,000–50,000 | 1.6 GHz | 4 GB | 70 GB |
| 50,000–100,000 (requires full SQL Server) | 1.6 GHz | 16 GB | 100 GB |
| 100,000–300,000 (requires full SQL Server) | 1.6 GHz | 32 GB | 300 GB |
| 300,000–600,000 (requires full SQL Server) | 1.6 GHz | 32 GB | 450 GB |
| More than 600,000 (requires full SQL Server) | 1.6 GHz | 32 GB | 500 GB |
Hard disk capacity
Various processes within the Directory Sync tool consume hard disk space. The disk space consumed by the Directory Sync tool increases based on several factors, including the size and complexity of the Active Directory infrastructure that the Directory Sync tool synchronizes from.
The hard disk capacities listed in the table above are estimates of the total disk space required to synchronize Active Directory for the stated sizes.
Hard disk configurations
By default, the Directory Sync tool will install Microsoft SQL Server 2008 R2 Express edition. The data files are stored in the same directory as the Microsoft Online Directory Sync Product files (the path specified during installation of the Directory Sync tool – C:\Program Files\Microsoft Online Directory Sync). The location of these database files is not configurable for SQL Server 2008 R2 Express edition.
The Directory Sync tool does not mandate or require a specific hard disk configuration for customers that use an existing SQL Server Instance. However, machines with disk configurations optimized for SQL will realize better overall performance of the directory synchronization process.
Review UPN Requirements
Your Active Directory environment must be properly configured in order to work with single sign-on. In particular, the userPrincipalName (UPN) attribute, also known as a user logon name, must be set up for each user in a specific way.
Add Alternate UPN Suffix to Active Directory
You must add an alternative UPN suffix to associate the user’s corporate credentials with the Office 365 environment. A UPN suffix is the part of a UPN to the right of the @ character. UPNs that are used for single sign-on can contain letters, numbers, periods, dashes, and underscores, but no other types of characters.
To add an alternative UPN suffix
1. Click Start, Administrative Tools, and then click Active Directory Domains and Trusts.
2. Log on to one of your organization’s Active Directory domain controllers.
3. In the console tree, right-click Active Directory Domains and Trusts and then click Properties.
4. Select the UPN Suffixes tab, type an alternative UPN suffix for the forest, and then click Add.
5. Repeat step 3 to add additional alternative UPN suffixes.
Match On-Premise UPN with Office 365 UPN
If you have not yet set up Active Directory synchronization, you can skip this task and continue with the next section.
If you have already set up Active Directory synchronization, the user’s UPN for Office 365 may not match the user’s on-premises UPN defined in Active Directory. This can occur when a user was assigned a license before the domain was verified.
To remedy this issue, use Windows PowerShell to update users’ UPNs to ensure that their Office 365 UPN matches their corporate user name and domain.
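The following script is an added example, not part of the original article: it reports synchronized users whose Windows Azure AD UPN does not match their on-premises UPN and, when run with -Apply, renames the cloud UPN to match. It also applies the UPN character rule from the alternate UPN suffix section above. It assumes Windows PowerShell 3.0 or later, the MSOnline and ActiveDirectory modules, and that contoso.com is a placeholder for your verified domain.

```powershell
# Added example (not from the original article). Assumes the MSOnline and
# ActiveDirectory modules; 'contoso.com' is a placeholder for your verified domain.
param(
    [string]$VerifiedDomain = 'contoso.com',  # placeholder: your verified domain
    [switch]$Apply                            # omit to report only
)
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService   # prompts for your cloud administrator credentials

# Characters the article allows in a UPN used for single sign-on.
$allowedPrefix = '^[A-Za-z0-9._-]+$'

# Index cloud users by ImmutableId, the base64 form of the on-premises objectGUID
# that directory synchronization stamps on each synchronized account.
$cloudById = @{}
foreach ($c in Get-MsolUser -All) {
    if ($c.ImmutableId) { $cloudById[$c.ImmutableId] = $c }
}

$mismatches = foreach ($u in Get-ADUser -Filter * -Properties UserPrincipalName) {
    if (-not $u.UserPrincipalName) { continue }
    $id    = [Convert]::ToBase64String($u.ObjectGUID.ToByteArray())
    $cloud = $cloudById[$id]
    if ($cloud -and $cloud.UserPrincipalName -ne $u.UserPrincipalName) {
        $prefix, $suffix = $u.UserPrincipalName -split '@', 2
        [pscustomobject]@{
            OnPremUPN = $u.UserPrincipalName
            CloudUPN  = $cloud.UserPrincipalName
            # Rename only when the suffix is the verified domain and the prefix is valid.
            Fixable   = ($suffix -eq $VerifiedDomain) -and ($prefix -match $allowedPrefix)
        }
    }
}

$mismatches | Format-Table -AutoSize

if ($Apply) {
    foreach ($m in ($mismatches | Where-Object { $_.Fixable })) {
        Set-MsolUserPrincipalName -UserPrincipalName $m.CloudUPN -NewUserPrincipalName $m.OnPremUPN
    }
}
```

Run it once without -Apply and review the Fixable column before renaming anything; users whose suffix is not yet a verified domain are listed but left unchanged.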
Next step: Activate directory synchronization
After you have optionally set up single sign-on and prepared your directory synchronization computer, you are ready to Activate directory synchronization.
| Note |
|---|
| If you have questions regarding the content of this article or if you have general feedback, post a message to the Windows Azure Active Directory Discussion Forum. |