Plan for directory synchronization for Office 365
Applies to: Office 365 Deployment Guide for Enterprises
Topic Last Modified: 2013-10-22
Summary: Describes directory synchronization topics such as source of authority, Active Directory cleanup, Directory Sync tool, and two-way synchronization.
Whether driven by business needs, technical requirements, or both, directory synchronization is the most common provisioning choice for enterprise customers who are moving to Office 365. Directory synchronization allows identities to be mastered on-premises, and every update to an identity is synchronized to Office 365.
There are several things to keep in mind when you plan an implementation of directory synchronization, including directory preparation and the requirements and functionality of Windows Azure Active Directory. Directory preparation covers several areas: attribute updates, auditing, and planning domain controller placement. Planning requirements and functionality includes determining the permissions that are required, planning for multiforest and multidirectory scenarios, capacity planning, and two-way synchronization.
In an Office 365 environment, source of authority refers to the location where Active Directory service objects, such as users and groups, are mastered (an original source that defines copies of an object) in a cross-premises deployment.
You can change the source of authority for an object by using one of these scenarios—activate, deactivate, or reactivate directory synchronization from within Office 365 or with Windows PowerShell. Source of authority is transferred from Office 365 to your on-premises directory service after you perform the first sync.
For more information, see the article Directory synchronization and source of authority.
The on-premises Active Directory forest must meet specific requirements. They include requirements for the schema master, global catalog servers, and domain controllers. It is important to read the latest requirements carefully and to verify that your on-premises directory servers meet them. They are listed in Prepare for directory synchronization.
To help ensure a seamless transition to Office 365 by using synchronization, we highly recommend that you prepare your Active Directory forest before you begin your Office 365 directory synchronization deployment.
Your directory remediation efforts should focus on the following tasks:
- Remove duplicate proxyAddresses and userPrincipalName attributes.
- Update blank and invalid userPrincipalName attributes with valid userPrincipalName attributes.
- Remove invalid and questionable characters in the givenName, surname (sn), sAMAccountName, displayName, mail, proxyAddresses, mailNickname, and userPrincipalName attributes. For details about preparing attributes, see Prepare user-related attributes for Office 365 deployment.
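The script below is an added example and not code from the original article; it runs the three remediation checks above against the domain with the ActiveDirectory PowerShell module and writes a report before anything is changed. It assumes a single domain with the verified suffix contoso.com, and the allowed set of userPrincipalName characters (letters, digits, period, hyphen and underscore before the @) and the forbidden sAMAccountName characters it uses are assumptions based on the usual Office 365 rules, not taken from this page; confirm them against the attribute-preparation article before acting on the output.

```powershell
# Added example, not code from the original article. Runs the three remediation
# checks above with the ActiveDirectory module. ASSUMPTIONS: single domain with
# verified suffix contoso.com; the allowed/forbidden character sets below are the
# usual Office 365 rules and should be checked against the attribute-preparation
# guidance before you act on the report.
Import-Module ActiveDirectory

$Suffix = 'contoso.com'
$props  = 'userPrincipalName','proxyAddresses','givenName','sn','displayName',
          'mail','mailNickname','sAMAccountName'
$users  = Get-ADUser -Filter * -Properties $props

# Assumed rule sets (the page does not list them).
$upnPattern   = '^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$'   # prefix@suffix only
$badSamChars  = '[\\"\[\]:;|=,+*?<>/]'                             # invalid in sAMAccountName
$badTextChars = '[\x00-\x1F]|^\s|\s$'                              # control chars, edge whitespace

$findings = New-Object System.Collections.Generic.List[string]

# 1. Duplicate userPrincipalName values (Group-Object compares case-insensitively, as AD does).
$users | Where-Object { $_.userPrincipalName } |
  Group-Object -Property userPrincipalName | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $findings.Add("DUP-UPN    $($_.Name): $($_.Group.sAMAccountName -join ', ')")
  }

# 2. Duplicate proxyAddresses. A user may carry several; flatten to one row per address.
$users | Where-Object { $_.proxyAddresses } | ForEach-Object {
    $sam = $_.sAMAccountName
    foreach ($pa in $_.proxyAddresses) {
        [pscustomobject]@{ Addr = $pa.ToLowerInvariant(); Sam = $sam }
    }
} | Group-Object -Property Addr | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $findings.Add("DUP-PROXY  $($_.Name): $($_.Group.Sam -join ', ')")
}

# 3. Blank or malformed userPrincipalName.
$users | Where-Object { -not $_.userPrincipalName -or $_.userPrincipalName -notmatch $upnPattern } |
  ForEach-Object { $findings.Add("BAD-UPN    $($_.sAMAccountName): '$($_.userPrincipalName)'") }

# 4. Questionable characters in the name and mail attributes.
foreach ($u in $users) {
    if ($u.sAMAccountName -match $badSamChars) { $findings.Add("BAD-SAM    $($u.sAMAccountName)") }
    foreach ($p in 'givenName','sn','displayName','mail','mailNickname') {
        if ($u.$p -and $u.$p -match $badTextChars) {
            $findings.Add("BAD-CHARS  $($u.sAMAccountName): $p='$($u.$p)'")
        }
    }
}

$findings | Sort-Object | Tee-Object -FilePath .\dirsync-remediation.txt

# First safe fix: give users with an empty UPN one derived from sAMAccountName.
# -WhatIf only previews the change; remove it after the report has been reviewed.
$users | Where-Object { -not $_.userPrincipalName } | ForEach-Object {
    Set-ADUser -Identity $_ -UserPrincipalName "$($_.sAMAccountName)@$Suffix" -WhatIf
}
```

Run the report from a domain-joined workstation with RSAT installed, once per domain in the forest; duplicates that span domains only show up if you merge the per-domain reports, so keep the output files and compare them before the first sync.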
Note: When you deploy and configure the Windows Azure Active Directory Sync tool, an email is sent to your organization's Technical Contact listing any errors that still need to be corrected.
Your organization may want to use Active Directory auditing to capture and evaluate the events that are associated with directory synchronization, such as user creation, password reset, adding users to groups, and so on.
With directory synchronization in place, auditing captures the directory service events that the synchronization generates on your Active Directory domain controllers. Note that security auditing for these events may be disabled by default; you need to know how to enable it for your organization.
For more information about configuring auditing, see the TechNet article Audit account management.
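As an added example (not code from the original article), the following turns on the audit subcategories that record the events named above and then reads them back from the Security log by field name. It assumes it is run elevated on a domain controller, and the event IDs it maps (4720, 4724, 4728, 4732, 4756) are the standard Windows Security log IDs for user creation, administrator password reset, and group membership additions.

```powershell
# Added example, not code from the original article. Enables the account-management
# audit subcategories for the events named above and pulls them from the Security log.
# ASSUMPTIONS: run elevated on the domain controller; the event IDs are the standard
# Windows Security log IDs for these actions.
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /get /category:"Account Management"   # confirm the effective setting

# Event IDs the query below looks for.
$ids = @{
    4720 = 'User account created'
    4724 = 'Password reset attempted (by an administrator)'
    4728 = 'Member added to security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4756 = 'Member added to security-enabled universal group'
}

# EventData fields are read by name: the positional index of SubjectUserName differs
# between account events and group-membership events, so indexing by position is unsafe.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $data = ([xml]$Event.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = [int[]]$ids.Keys; StartTime = $since } `
    -ErrorAction SilentlyContinue |
  ForEach-Object {
    # Group events name the added account in MemberName and the group in TargetUserName;
    # account events name the account in TargetUserName.
    $isGroupEvent = $_.Id -in 4728,4732,4756
    $target = if ($isGroupEvent) { Get-EventField $_ 'MemberName' } else { Get-EventField $_ 'TargetUserName' }
    $group  = if ($isGroupEvent) { Get-EventField $_ 'TargetUserName' } else { $null }
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Id     = $_.Id
        Action = $ids[[int]$_.Id]
        Actor  = Get-EventField $_ 'SubjectUserName'
        Target = $target
        Group  = $group
    }
  } | Sort-Object Time | Format-Table -AutoSize
```

Two caveats: on domain controllers the audit policy is normally delivered by the Default Domain Controllers Policy (Advanced Audit Policy Configuration), so a local auditpol change is overwritten at the next policy refresh and the lasting change belongs in that GPO; and attribute writes such as the write-back described later in this topic are recorded under the separate Directory Service Changes subcategory (event 5136), which also requires a SACL on the objects being watched, not under Account Management.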
The Directory Sync tool synchronizes a single on-premises Active Directory forest, the forest used for single sign-on (SSO). If your organization has multiple forests for authentication (logon forests) and would like to use the Directory Sync tool, we highly recommend the following:
- Evaluate consolidating your forests. In general, there’s more overhead required to maintain multiple forests. Unless your organization has security constraints that dictate the need for separate forests, consider simplifying your on-premises environment in advance of deploying the Directory Sync tool.
- Use only in your primary logon forest. Consider deploying Office 365 only in your primary logon forest for your initial rollout of Office 365.
If you can’t consolidate your multiforest Active Directory deployment or are using other directory services to manage identities, you may be able to synchronize these with the help of Microsoft or a partner.
Directory synchronization is the synchronization of directory objects (users, groups, and contacts) from your on-premises Active Directory environment to the Office 365 directory infrastructure. The Directory Sync tool performs this synchronization. You install this tool on a dedicated computer in your on-premises environment.
When user accounts are synchronized with the Office 365 directory for the first time, they are marked as non-activated. They cannot send or receive email, and they don’t consume subscription licenses. When you’re ready to assign Office 365 subscriptions to specific users, you must select and activate them by assigning a valid license.
The Directory Sync tool is required for the following features and functionality:
- Exchange hybrid deployment, including:
  - Fully shared global address list (GAL) between your on-premises Exchange environment and Exchange Online.
  - Synchronizing GAL information from different mail systems.
  - The ability to add users to and remove users from Office 365 service offerings. This requires the following:
    - Two-way synchronization must be configured during Directory Sync tool setup. By default, the Directory Sync tool writes directory information only to the cloud. When you configure two-way synchronization, you enable write-back functionality so that the Directory Sync tool copies a limited number of object attributes from the cloud and writes them back to your local Active Directory. Write-back is also referred to as Exchange hybrid mode in the context of Directory Sync tool configuration. The attributes that are synchronized during write-back are discussed later in this topic.
    - An on-premises Exchange hybrid deployment.
  - The ability to move some user mailboxes to Office 365 while keeping other user mailboxes on-premises.
  - Safe senders and blocked senders on-premises are replicated to Exchange Online.
  - Basic delegation and send-on-behalf-of email functionality.
- Synchronization of photos, thumbnails, conference rooms, and security groups.
- Filtering and scoping. For more information, see Configure filtering for directory synchronization.
To learn more about the Directory Sync tool, see Prepare to install Directory Synchronization tool.
To install the Directory Sync tool, you need enterprise admin rights only during the installation process. After installation, the tool runs under a non-privileged Active Directory account, which setup creates automatically.
To implement the Directory Sync tool, you need to plan synchronization and database capacity. In most organizations, user objects make up the bulk of the synchronization payload and influence both synchronization times as well as the database sizing for your Directory Sync tool server.
Two-way synchronization (write-back) is required if your organization plans to take advantage of Office 365 features and functionality, such as online archiving, configuring safe and blocked senders, and cloud voice mail. Write-back copies the necessary attributes from the Office 365 directory infrastructure to your on-premises Active Directory environment.
The following features are enabled by two-way synchronization; each relies on attributes copied from the Office 365 directory back to your on-premises directory:
- Safe and blocked senders: writes the safe and blocked sender data that clients maintain online back to on-premises filtering.
- Online archiving: enables your organization to archive email in Office 365.
- Mailbox moves back on-premises: enables your organization to move mailboxes from the cloud to your on-premises organization. Attribute written back: ProxyAddresses, carrying the online LegacyExchangeDN as an X500 address.
- Online voice mail: enables Unified Messaging (UM) online voice mail.
- UM and Lync integration: enables you to integrate UM and Lync so that Lync on-premises is told that the user has voice mail in Office 365. (This is a new attribute, used only for this integration.)
- Mailbox delegation: enables users to manage other users' mailboxes.
If your organization has concerns about the reach of two-way synchronization, create a dedicated non-privileged service account in your on-premises directory for it and grant that account write permission only on the write-back attributes listed above, and nothing else on the user objects.
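The following is an added example, not code from the original article, of setting up such an account and confirming that its rights stop at the write-back attributes. It assumes the domain contoso.com, synchronized users under OU=Users,DC=contoso,DC=com, and an account named svc-dirsync; proxyAddresses is the only write-back attribute this page names, so it is the only one in the list, and you would add the others you enable in the same way.

```powershell
# Added example, not code from the original article. Creates a dedicated
# non-privileged account for the Directory Sync tool's write-back and grants it
# write access only to the write-back attributes, on user objects, nothing more.
# ASSUMPTIONS: domain contoso.com, synced users under OU=Users,DC=contoso,DC=com,
# account name svc-dirsync. Only proxyAddresses is named on this page; add the
# other write-back attributes you enable to $attrs in the same way.
Import-Module ActiveDirectory

$ou    = 'OU=Users,DC=contoso,DC=com'
$sam   = 'svc-dirsync'
$acct  = "CONTOSO\$sam"
$attrs = @('proxyAddresses')

# Plain user account: no group membership beyond the default Domain Users.
New-ADUser -Name $sam -SamAccountName $sam -UserPrincipalName "$sam@contoso.com" `
    -AccountPassword (Read-Host -AsSecureString 'Service account password') `
    -PasswordNeverExpires $true -Enabled $true

# dsacls: /I:S applies the ACE to child objects only; WP = write property,
# restricted to the named attribute on objects of class user.
foreach ($a in $attrs) {
    dsacls $ou /I:S /G "${acct}:WP;$a;user"
}

# Verify: the account should hold only WriteProperty ACEs inherited to user objects
# (ObjectType shows the attribute's schema GUID, not its name).
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -eq $acct } |
    Select-Object ActiveDirectoryRights, InheritanceType, InheritedObjectType, ObjectType

# Verify: no group membership beyond the primary group.
Get-ADUser -Identity $sam -Properties MemberOf | Select-Object -ExpandProperty MemberOf
```

The account needs no separate read grant, because Authenticated Users already read user attributes by default; if the verification shows rights other than WriteProperty, or an ACE without the user inherited-object type, remove it before pointing the tool at the account.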