
Deploy Office 365 Directory Synchronization in Microsoft Azure
Topic Last Modified: 2014-04-14

Summary: Learn how to deploy the Azure Active Directory Sync tool on a virtual machine in Microsoft Azure and synchronize your on-premises Active Directory Domain Services (AD DS) to Office 365.

The Azure Active Directory Sync tool (also known as the Directory Synchronization tool, Directory Sync tool, the DirSync tool, or the DirSync server) synchronizes your on-premises Active Directory users to Office 365.

Important:
This article describes synchronization of a single domain, in a single forest. The Azure Active Directory Sync tool synchronizes all Active Directory domains in your Active Directory forest with Office 365. If you have multiple Active Directory forests to synchronize with Office 365, see Multi-forest Directory Sync with Single Sign-On Scenario.

The Azure Active Directory Sync tool synchronizes your on-premises Active Directory users to Office 365. The directory synchronization tool is a server-based application that you install on a domain-joined server. This server can be hosted in the cloud. The following list provides compelling reasons to host the directory synchronization tool in Azure:

  • Use on-premises user accounts, group accounts, and passwords in the cloud (for example, Azure or Office 365). You can significantly reduce operational costs and provide easier access to Microsoft cloud-based services.

  • Improve productivity by reducing how long it takes to make cloud-based services available to your employees.

  • Help increase the directory synchronization server’s site availability by using Azure.

  • Provisioning a server to run the directory synchronization tool in Azure may be easier than provisioning a server on-premises.

  • Help reduce the number of on-premises servers in your organization.

Note:
You might have a question about the difference between Azure Active Directory (Azure AD) and Office 365. Azure AD is the directory service that is used by Office 365. Just like your on-premises Active Directory stores user information for Exchange, SharePoint, Lync, and your custom applications, the Azure AD instance used by Office 365 stores user information for Exchange Online, SharePoint Online, Lync Online, and other custom applications that you build in the cloud.

The following diagram shows the components that you need to deploy the directory synchronization tool to a virtual machine in Azure and synchronize your on-premises Active Directory Domain Services (AD DS) to Office 365.

[Diagram: DirSync Overview]

In the diagram, there are two networks connected by a VPN connection. There is an on-premises network where AD DS is located, and there is an Azure virtual network, where there is a virtual machine running the Directory Sync tool. There are two main traffic flows originating from the server hosting the Azure Active Directory Sync tool:

  • The Azure Active Directory Sync tool queries a domain controller on the on-premises network for changes to accounts and passwords.

  • The Azure Active Directory Sync tool sends the changes to accounts and passwords to the Azure AD instance of your Office 365 subscription through the on-premises network’s proxy server.

Note:
This solution describes synchronization of a single Active Directory domain, in a single Active Directory forest. The Azure Active Directory Sync tool synchronizes all Active Directory domains in your Active Directory forest with Office 365. If you have multiple Active Directory forests to synchronize with Office 365, see Multi-forest Directory Sync with Single Sign-On Scenario.

In both cases, the traffic originated by the Azure Active Directory Sync tool is forwarded to a VPN gateway on the virtual network in Azure, which then forwards the traffic across the site-to-site VPN connection to the VPN gateway device on the on-premises network. The routing infrastructure of the on-premises network then forwards the traffic to its destination, such as a domain controller or a proxy server.

There are two phases when you deploy this solution:

  1. Creating an Azure virtual network and establishing a site-to-site VPN connection to the on-premises (organization) network.

  2. Installing the Azure Active Directory Sync tool on a domain-joined virtual machine in Azure.

Note:
This solution describes synchronizing a single Active Directory forest to Office 365. The topology discussed in this article represents only one way to implement this solution. Your organization’s topology might differ based on your unique network requirements and security considerations.

To host the Azure Active Directory Sync tool in Azure, you must have VPN connectivity between your Azure virtual network and your on-premises network.

[Diagram: IPsec Tunnel]

For this scenario we’ll have to do the following:

  1. On-premises: Define and create an on-premises network that has a route to the Azure virtual network and a VPN gateway device.

  2. Microsoft Azure: Create an Azure virtual network with a site-to-site VPN connection via the Azure Management Portal.

  3. On-premises: Configure your on-premises hardware or software VPN gateway to terminate the VPN tunnel (which uses Internet Protocol security (IPsec)).

Note:
After you start the VPN gateway in Azure, the Azure Management Portal creates configuration scripts that you can use to help provision the VPN connection. Scripts can be created for Windows Server 2012 Routing and Remote Access (RRAS), Cisco, and Juniper Networks VPN gateway devices.

In this step, you synchronize an on-premises instance of Active Directory to Office 365. This is done by hosting a server in Azure running the Azure Active Directory Sync tool, and then synchronizing with the on-premises Active Directory and Office 365.

In this procedure, you do the following:

  1. Create an Azure Virtual Machine to host the Azure Active Directory Sync tool.

  2. Install the Azure Active Directory Sync tool (DirSync.exe).

  3. Configure the Azure Active Directory Sync tool by adding the Azure AD administrator account and the on-premises Enterprise Administrator account, and then enabling password synchronization.

  4. Run the Azure Active Directory Sync tool to synchronize the on-premises Active Directory to Office 365.

Important:
When the Azure Active Directory Sync tool configuration completes, the Azure Active Directory Sync tool does not save the on-premises Enterprise Administrator account.

The following prerequisites are required for this solution:

  • An Azure subscription. For information about Azure subscriptions, go to the Microsoft Azure subscription page.

  • An Office 365 subscription, which includes the Active Directory integration feature. For information about Office 365 subscriptions, go to the Office 365 subscription page.

  • Available private IPv4 address space to assign to the virtual network and the subnet hosted in the Azure virtual network, with sufficient room for growth to accommodate the number of virtual machines needed now and into the future.

  • One Azure Virtual Machine that runs the Azure Active Directory Sync tool to synchronize your Active Directory forest with Office 365.

  • An available VPN device in your on-premises network to host the site-to-site VPN connection that supports the requirements for IPsec. For more information, see About VPN Devices for Virtual Network. There are scripts for automated deployment for Cisco and Juniper VPN devices and for RRAS in Windows Server 2012.

  • Modifications to the routing infrastructure of your organization so that traffic routed to the address space of the Azure virtual network is forwarded to the VPN device that hosts the site-to-site VPN connection.

  • A web proxy that gives computers that are connected to the on-premises network and the Azure virtual network access to the Internet.

The following list represents the design choices made when designing and deploying this solution architecture. For additional solution design choices, see Variations to solution design later in this article.

  • This solution uses a single Azure virtual network with a site-to-site VPN connection. The Azure virtual network hosts a single subnet that contains one server that is running the Azure Active Directory Sync tool.

  • This solution uses RRAS in Windows Server 2012 to establish an IPsec site-to-site VPN connection between the on-premises network and the Azure virtual network. You can also use other options, such as Cisco and Juniper Networks VPN devices.

  • On the on-premises network, a domain controller (to be synchronized with Office 365) and DNS servers exist.

  • The Azure Active Directory Sync tool is used for password synchronization instead of single sign-on (you do not have to deploy an Active Directory Federation Services (AD FS) infrastructure). To learn more about password synchronization and single sign-on options, see Determine which directory integration scenario to use.

There are additional design choices that you might consider when you deploy this solution in your environment. These include the following:

  • For an existing Azure virtual network with one or more subnets, determine whether there is remaining address space for an additional subnet to host your servers based on your requirements. If you don’t have remaining address space for an additional subnet, create an additional virtual network that has a site-to-site VPN connection.

  • If there are existing DNS servers in an existing virtual network, determine whether you want your directory synchronization server to use them for name resolution instead of the on-premises network's DNS servers.

  • If there are existing domain controllers in an existing Azure virtual network, determine whether you want to configure Active Directory Sites and Services to make sure that your directory synchronization server uses them for changes in accounts and passwords instead of domain controllers on the on-premises network.

You must configure your on-premises routing infrastructure to forward traffic destined for the address space of the Azure virtual network to the on-premises VPN device that is hosting the site-to-site VPN connection.

The exact method of updating your routing infrastructure depends on how you are managing routing information, which can be:

  • Routing table updates based on manual configuration.

  • Routing table updates based on routing protocols, such as Routing Information Protocol (RIP) or Open Shortest Path First (OSPF).

Consult with your routing specialist to make sure that after the site-to-site VPN connection is established, traffic destined for the Azure virtual network is forwarded to the on-premises VPN gateway device.

If your VPN device is located on a perimeter network that has a firewall between the perimeter network and the Internet, you might have to configure the firewall for the following rules to allow the site-to-site connection.

  • Traffic to the VPN device:

    • Destination IP address of the VPN device and IP protocol 50

    • Destination IP address of the VPN device and UDP destination port 500

    • Destination IP address of the VPN device and UDP destination port 4500

  • Traffic from the VPN device:

    • Source IP address of the VPN device and IP protocol 50

    • Source IP address of the VPN device and UDP source port 500

    • Source IP address of the VPN device and UDP source port 4500
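The same rule set expressed as Windows Firewall rules on a Windows Server 2012 RRAS VPN device, as an added example that is not part of the original article. The addresses 203.0.113.10 (the VPN device's Internet-facing interface) and 198.51.100.20 (the Azure VPN gateway, which the portal shows you once the gateway exists) are constructed placeholders, and restricting each rule to that remote address is a tightening beyond the list above.

```powershell
# Added example, not from the original article. Constructed placeholder addresses:
#   203.0.113.10  = the on-premises VPN device's Internet-facing interface
#   198.51.100.20 = the Azure VPN gateway public address (shown in the portal)
$vpnPublicIp    = '203.0.113.10'
$azureGatewayIp = '198.51.100.20'

# An IPsec site-to-site tunnel needs ESP (IP protocol 50), IKE (UDP 500)
# and NAT-T (UDP 4500); ESP carries no port numbers.
$ipsecTraffic = @(
    @{ Name = 'ESP';   Protocol = 50;    Port = $null }
    @{ Name = 'IKE';   Protocol = 'UDP'; Port = 500   }
    @{ Name = 'NAT-T'; Protocol = 'UDP'; Port = 4500  }
)

foreach ($t in $ipsecTraffic) {
    foreach ($direction in 'Inbound', 'Outbound') {
        # Inbound rules match the device address as destination, outbound rules
        # match it as source; both are the device's own address, so -LocalAddress
        # covers both. -RemoteAddress limits the peer to the Azure gateway only.
        $rule = @{
            DisplayName   = "S2S VPN $($t.Name) $direction"
            Direction     = $direction
            Protocol      = $t.Protocol
            LocalAddress  = $vpnPublicIp
            RemoteAddress = $azureGatewayIp
            Action        = 'Allow'
            Profile       = 'Any'
        }
        # UDP rules are keyed on the device-side port (500 / 4500)
        if ($t.Port) { $rule.LocalPort = $t.Port }
        New-NetFirewallRule @rule | Out-Null
    }
}

# Confirm the six rules that were created
Get-NetFirewallRule -DisplayName 'S2S VPN*' |
    Select-Object DisplayName, Direction, Enabled, Action
```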

The private IP address space of the Azure virtual network must be able to accommodate addresses used by Azure to host the virtual network and with at least one subnet that has enough addresses for your virtual machine running the Azure Active Directory Sync tool.

To determine the number of addresses needed for the subnet, count the number of virtual machines that you need now, estimate for future growth, and then use the following table to determine the size of the subnet.

Number of virtual machines needed   Number of host bits needed   Size of the subnet
---------------------------------   --------------------------   ------------------
1–3                                 3                            /29
4–11                                4                            /28
12–27                               5                            /27
28–59                               6                            /26
60–123                              7                            /25
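The rule behind the table, as an added example that is not part of the original article: Azure keeps five addresses out of every subnet for its own use, so a subnet with n host bits holds 2^n − 5 virtual machines, and /29 is the smallest subnet Azure accepts. Both are assumptions stated in the code; the function generalizes the table to any count.

```powershell
# Added example, not from the original article. Assumes Azure reserves 5
# addresses per subnet (the first four and the last) and that /29 is the
# smallest subnet it accepts; that is what makes a /29 hold 1-3 VMs above.
function Get-DirSyncSubnetSize {
    param([Parameter(Mandatory)][ValidateRange(1, 65531)][int]$VmCount)

    $reserved = 5
    $hostBits = 3                                   # start at /29
    while (([math]::Pow(2, $hostBits) - $reserved) -lt $VmCount) {
        $hostBits++                                 # double the subnet until it fits
    }
    [pscustomobject]@{
        VmCount     = $VmCount
        HostBits    = $hostBits
        Subnet      = "/$(32 - $hostBits)"
        UsableHosts = [int]([math]::Pow(2, $hostBits) - $reserved)
    }
}

# Reproduces the table above: the upper bound of each row is 2^n - 5
3, 11, 27, 59, 123 | ForEach-Object { Get-DirSyncSubnetSize -VmCount $_ } | Format-Table

# The single DirSync server with room for two more VMs still fits a /29
Get-DirSyncSubnetSize -VmCount 3
```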

Prior to creating an Azure virtual network to host a virtual machine running the Azure Active Directory Sync tool, you must determine the following set of information.

Names and name resolution support

Description                                                          Configuration settings
-------------------------------------------------------------------  ----------------------
Name to assign to the Azure virtual network (example DirSyncNet).
Name to assign to your on-premises network (example OrgNet).
Name of a previously configured, or new, Azure affinity group.
Friendly names and IP addresses of DNS servers on your on-premises network that the Azure Virtual Machines running the Azure Active Directory Sync tool will use for name resolution.

IPv4 addresses and address spaces

Description                                                          Configuration settings
-------------------------------------------------------------------  ----------------------
Public IPv4 address of your VPN device's interface on the Internet.
IP address of a public DNS server on the Internet.
The private IP address space(s) assigned to your on-premises network. You'll be asked to supply the starting IP address and prefix length in CIDR notation.
The overall address space for the virtual network, defined in a single address prefix. You will be asked to supply the starting IP address and prefix length in CIDR notation.
The address space of the subnet within the virtual network, based on the overall address space for the virtual network.

Information from the Azure Management Portal

Note:
When you create the Azure virtual network, the Azure Management Portal will provide you with the following information. You can record it in the following tables for your documentation purposes.

Description                                                          Configuration settings
-------------------------------------------------------------------  ----------------------
Public IPv4 address of the Azure VPN gateway for your virtual network.
The IPsec pre-shared key for the site-to-site VPN connection.

Account information

Important:
The following information is required to install the Azure Active Directory Sync tool. You should not record this information.

Description                                         Configuration settings
--------------------------------------------------  ----------------------------
Active Directory Enterprise Administrator account   Do not record your password.
Azure Active Directory Administrator account        Do not record your password.

Deploying the Azure Active Directory Sync tool on Azure consists of six phases, as shown in the following diagram.

[Diagram: DirSync Workflow]

You must configure routing between your on-premises network and the Azure virtual network. Consult with your network administrator to determine which routing changes to apply so that the networks can communicate with one another.

If you are building a single-subnet test network, complete the following steps to add static routes to all of the on-premises servers.

  1. At the Windows PowerShell command prompt, use the Get-NetAdapter cmdlet to list the names of the adapters on the computer. For more information, see Get-NetAdapter.

  2. At the Windows PowerShell command prompt, run the following command to add a static route from the on-premises network to the Azure virtual network:

    New-NetRoute -DestinationPrefix <DestinationPrefix> -InterfaceAlias <InterfaceAlias> -NextHop <NextHop>

    Where:

      • <DestinationPrefix> specifies a destination prefix of an IP route. A destination prefix consists of an IP address prefix and a prefix length, separated by a slash (/). For example, you can enter a value that looks like 192.168.1.0/24.

      • <InterfaceAlias> is the name of the network interface from the results of the Get-NetAdapter command.

      • <NextHop> specifies the IP address of the router interface that is the next hop for the route.

    You can also follow these steps to configure your routers that are running Windows Server 2012 and RRAS.

    For more information, see New-NetRoute.
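The route command with constructed values and a verification step, as an added example that is not part of the original article. Assumed values: 10.20.0.0/24 for the Azure virtual network, 192.168.1.254 for the LAN interface of the on-premises VPN device, and 10.20.0.4 for the directory synchronization server in Azure; the overlap guard reflects the requirement that the Azure range must not already be in use on-premises.

```powershell
# Added example, not from the original article. Constructed values:
$azureVnetPrefix = '10.20.0.0/24'    # address space of the Azure virtual network
$vpnDeviceLanIp  = '192.168.1.254'   # on-premises VPN device, LAN side (next hop)
$dirSyncServerIp = '10.20.0.4'       # DirSync VM inside the Azure subnet

# Step 1: choose the adapter that faces the on-premises LAN (Get-NetAdapter lists them)
$adapter = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | Select-Object -First 1
if (-not $adapter) { throw 'No connected network adapter found' }

# Guard: the Azure prefix must not already be routed on-premises; an overlapping
# address space would silently shadow one of the two networks
$clash = Get-NetRoute -DestinationPrefix $azureVnetPrefix -ErrorAction SilentlyContinue
if ($clash) {
    throw "Route for $azureVnetPrefix already exists via $($clash.NextHop); check for overlapping address space"
}

# Step 2: static route from this on-premises server to the Azure virtual network
New-NetRoute -DestinationPrefix $azureVnetPrefix `
             -InterfaceAlias   $adapter.Name `
             -NextHop          $vpnDeviceLanIp `
             -RouteMetric      10 | Out-Null

# Verify: the route selected for a host in Azure must now point at the VPN device
$selected = Find-NetRoute -RemoteIPAddress $dirSyncServerIp |
            Where-Object { $_.DestinationPrefix -eq $azureVnetPrefix }
if (-not $selected) { throw "Traffic to $dirSyncServerIp is not routed via $vpnDeviceLanIp" }
$selected | Format-Table DestinationPrefix, NextHop, InterfaceAlias, RouteMetric
```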

The first step is to configure a cross-premises Azure virtual network. Ensure you have your IP addressing scheme figured out for the Azure virtual network before you create the Azure virtual network. To configure the cross-premises Azure virtual network, see Configuring a Microsoft Azure Virtual Network later in this article.

Important:
You should make sure you are not already using the IP address range for the Azure virtual network on your on-premises network.

After you complete these steps, you must start the gateway. For more information, see Start the Gateway. After starting the gateway and generating the VPN Device Configuration Script, you must download the script and run it on your VPN gateway device. If you are using Windows Server 2012 RRAS, you can use the script to configure the RRAS service for a site-to-site connection and IPsec protection.

Create the Azure Virtual Machine for the Azure Active Directory Sync tool and join it to your on-premises Active Directory domain. For more information about how to create a virtual machine in Azure, see How to create the virtual machine.

Important:
If you do not use the Gallery to create your virtual machine, you must manually create a storage account for use with the virtual machine. For more information, see How To Create a Storage Account.

Verify that your virtual machine is joined to the domain by checking your internal DNS to make sure that an Address (A) record was added for the virtual machine with the correct IP address from Azure. For the Azure Active Directory Sync tool to gain access to Internet resources, you must configure the server that runs the Azure Active Directory Sync tool to use the on-premises network's proxy server. You should contact your network administrator for additional configuration steps to perform on the server.
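Checks for the two conditions just described, as an added example that is not part of the original article: the VM's A record in internal DNS must match the address Azure assigned, and the server's Internet traffic must go through the on-premises proxy. Constructed values: DIRSYNC01 for the VM, corp.example.com for the domain, proxy.corp.example.com:8080 for the proxy; setting the machine-wide WinHTTP proxy is one common starting point, and the article leaves the exact proxy steps to your network administrator.

```powershell
# Added example, not from the original article. Constructed values:
$vmName = 'DIRSYNC01'
$domain = 'corp.example.com'
$proxy  = 'proxy.corp.example.com:8080'   # on-premises web proxy

# 1. The VM must be a member of the on-premises domain
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain -or $cs.Domain -ne $domain) {
    throw "$vmName is not joined to $domain (current: $($cs.Domain))"
}

# 2. Internal DNS must hold an A record that matches the address Azure assigned
#    (Azure hands the VM its private address by DHCP)
$azureIp = (Get-NetIPAddress -AddressFamily IPv4 -PrefixOrigin Dhcp | Select-Object -First 1).IPAddress
$records = Resolve-DnsName -Name "$vmName.$domain" -Type A -ErrorAction Stop
if ($records.IPAddress -notcontains $azureIp) {
    throw "A record for $vmName.$domain is $($records.IPAddress -join ', ') but the VM has $azureIp"
}
Write-Output "A record OK: $vmName.$domain -> $azureIp"

# 3. Send the server's Internet traffic (the Azure AD endpoints) through the
#    on-premises proxy; hosts inside the domain are reached directly
netsh winhttp set proxy proxy-server="$proxy" bypass-list="<local>;*.$domain"
netsh winhttp show proxy
```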

Allow Active Directory synchronization in Office 365 by completing the following steps:

  1. Log on to the Office 365 portal page.

  2. Click Users, next to Active Directory synchronization, click Set up, and then click Activate.

Complete the following steps to install and configure the Azure Active Directory Sync tool on your Azure Virtual Machine:

  1. On the Azure Virtual Machine, log on by using an account that has local administrator privileges, and then use the following link to download the Azure Active Directory Sync tool: Microsoft Azure Active Directory Sync tool – 64 bit.

  2. Run the setup program, choose an installation path for the tool, and then click Next. The setup wizard installs the tool, which can take up to 10 minutes to complete.

  3. On the last page of the wizard, select Start Configuration Wizard now, and then click Finish to start the Azure Active Directory Sync Tool Configuration Wizard.

  4. Provide the Azure Active Directory Administrator credentials, and then click Next.

  5. Provide the Active Directory Enterprise Administrator credentials, and then click Next.

  6. When prompted, select Enable Password Sync, and then click Next.

  7. When configuration is complete, click Next.

  8. When prompted, select Synchronize your directories now to start synchronization.

Caution:
Setup creates the AAD_xxxxxxxxxxxx account in the Local Users OU. Do not move or remove this account or synchronization will fail.

Activate your Office 365 users by completing the following procedure:

  1. Log on to the Office 365 portal page, and then click Users.

  2. Select the check box next to the user, or users, that you want to activate, and then click Activate synced users.

  3. Under Set user location, select the user’s, or users’, work location.

  4. Under Assign licenses, select the licenses that you want to assign to the user, or users, and then click Next.

  5. On the Send results in email page, select Send email to send a user name and temporary password by email. Enter email addresses, separated by semicolons (;), and then click Activate. You can enter a maximum of five email addresses.

  6. On the Results page, the new user, or users, and a corresponding temporary password are displayed. Click Finish.

Complete the following steps to create an Azure virtual network to host a single subnet that contains the directory synchronization server that performs password synchronization to an Office 365 subscription. For more information, see Create a Virtual Network for Site-to-Site Cross-Premises Connectivity.

  1. In the Azure Management Portal, click New > Networks > Virtual Network > Custom Create.

  2. On the Virtual Network Details page of the Azure Virtual Network wizard, do the following:

    • In NAME, type the name of the Azure virtual network that will host the directory synchronization server.

    • In AFFINITY GROUP, select the appropriate affinity group for the virtual network. If you do not have a previously configured affinity group, select Create a new affinity group and specify the REGION and AFFINITY GROUP NAME.

  3. Click the Next arrow.

  4. On the DNS Servers and VPN Connectivity page, do the following:

    • In DNS Servers, type a friendly name and IP address of the selected DNS server of your on-premises network. The friendly name that you choose does not have to match the name of your on-premises DNS server.

    • Select Configure site-to-site VPN.

    Note:
    If you have previously configured your organization's name and address space, you can select it in the LOCAL NETWORK list. Otherwise, select Specify a New Local Network.

    Here is an example:

    [Screenshot: DNS Servers and VPN Connectivity]

  5. Click the Next arrow.

  6. On the Site-to-Site Connectivity page, do the following:

    Note:
    If you specified the name of an existing LOCAL NETWORK on the DNS Servers and VPN Connectivity page, you will not see the Site-to-Site Connectivity page.

    • In NAME, type the name for your on-premises network.

    • In VPN DEVICE IP ADDRESS, type the public IPv4 address of the VPN device's interface on the Internet.

    • In ADDRESS SPACE, add the address space of your on-premises network as a set of private IPv4 address prefixes. For each prefix, specify the prefix (under STARTING IP) and the prefix length (under CIDR (ADDRESS COUNT)).

    Here is an example:

    [Screenshot: Site-to-Site Connectivity]

  7. Click the Next arrow.

  8. On the Virtual Network Address Spaces page, do the following:

    • In ADDRESS SPACE, add the address space of the Azure single-subnet virtual network as a private IPv4 address prefix. Specify the prefix (in STARTING IP) and the prefix length in CIDR (ADDRESS COUNT).

  9. Click the add gateway subnet button.

  10. Click the Complete icon to create the virtual network.
