Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure

 

Topic Last Modified: 2015-11-16

Summary: Learn how to deploy the Microsoft Azure Active Directory Connect tool (formerly known as the DirSync.exe tool) on a virtual machine in Microsoft Azure to perform directory synchronization (DirSync) between your on-premises Active Directory Domain Services (AD DS) and Office 365.

The Azure Active Directory (AD) Connect tool (formerly known as the Directory Synchronization tool, Directory Sync tool, or the DirSync.exe tool) is a server-based application that you install on a domain-joined server to synchronize your on-premises Active Directory users to Office 365. You can install the Azure AD Connect tool on a server in Azure or on-premises, but we recommend installing it in Azure for the following reasons:

  • You can provision and configure cloud-based servers faster, making the services available to your users sooner.

  • Azure offers better site availability with less effort.

  • You can reduce the number of on-premises servers in your organization.


Important: This solution requires connectivity between your on-premises network and your Azure Virtual Network. For more information, see Connect an on-premises network to a Microsoft Azure virtual network.

Important: This article describes synchronization of a single domain in a single forest. The Azure AD Connect tool synchronizes all Active Directory domains in your Active Directory forest with Office 365. If you have multiple Active Directory forests to synchronize with Office 365, see Multi-forest Directory Sync with Single Sign-On Scenario.

Note: What's the difference between Azure Active Directory (Azure AD) and Office 365? Azure AD is the directory service that is used by Office 365. Just like your on-premises AD DS stores user information for Exchange, SharePoint, Lync or Skype for Business, and your custom applications, the Azure AD instance used by Office 365 stores user account information for Exchange Online, SharePoint Online, Skype for Business Online, and other custom applications that you build in the cloud.

If you want to test this workload using an Office 365 trial subscription prior to deploying it in production, see the instructions in Set up Office 365 Directory Synchronization (DirSync) in a hybrid cloud for testing.

The following diagram shows the Azure AD Connect tool on a virtual machine in Azure (the DirSync server) synchronizing on-premises AD DS to Office 365.

Figure: DirSync Overview

In the diagram, there are two networks connected by a site-to-site VPN or ExpressRoute connection. There is an on-premises network where AD DS domain controllers are located, and there is an Azure virtual network with a DirSync server, a virtual machine running the Azure AD Connect tool. There are two main traffic flows originating from the DirSync server:

  • The Azure AD Connect tool queries a domain controller on the on-premises network for changes to accounts and passwords.

  • The Azure AD Connect tool sends the changes to accounts and passwords to the Azure AD instance of your Office 365 subscription. Because the DirSync server is essentially in an extended portion of your on-premises network, these changes are sent through the on-premises network’s proxy server.


In both cases, the traffic originated by the Azure AD Connect tool is forwarded to a VPN gateway on the virtual network in Azure, which then forwards the traffic across the site-to-site VPN or ExpressRoute connection to the VPN gateway device on the on-premises network. The routing infrastructure of the on-premises network then forwards the traffic to its destination, such as a domain controller or a proxy server. Note that this design depends on the Azure virtual network routing Internet-bound traffic from the DirSync server back to the on-premises network (forced tunneling) rather than sending it directly to the Internet from Azure.

There are two phases when you deploy this solution:

  1. Creating an Azure virtual network and establishing a site-to-site VPN connection to the on-premises (organization) network. For more information, see Connect an on-premises network to a Microsoft Azure virtual network.

  2. Installing the Azure AD Connect tool on a domain-joined virtual machine in Azure, and then synchronizing the on-premises AD DS to Office 365. This involves:

    1. Creating an Azure Virtual Machine to host the Azure AD Connect tool.

    2. Installing the Azure AD Connect tool.

    3. Configuring the Azure AD Connect tool by providing the credentials (user name and password) of an Azure AD administrator account and an AD DS enterprise administrator account. The Azure AD Connect tool runs immediately and on an ongoing basis to synchronize the on-premises AD DS forest to Office 365.

Important: When the Azure AD Connect tool configuration completes, the Azure AD Connect tool does not save the AD DS enterprise administrator account credentials.

Note: This solution describes synchronizing a single Active Directory forest to Office 365. The topology discussed in this article represents only one way to implement this solution. Your organization's topology might differ based on your unique network requirements and security considerations.

Before you begin, review the following prerequisites for this solution:

  • Review the related planning content in Plan your Azure Virtual Network.

  • Ensure you meet all prerequisites for configuring the Azure virtual network.

  • Have an Office 365 subscription that includes the Active Directory integration feature. For information about Office 365 subscriptions, go to the Office 365 subscription page.

  • Provision one Azure Virtual Machine that runs the Azure AD Connect tool to synchronize your on-premises AD DS forest with Office 365.

  • You must have the credentials (names and passwords) for an AD DS enterprise administrator account and an Azure Active Directory Administrator account.

The following list represents the design choices made for this solution. For additional solution design choices, see the Variations to solution design section in this topic.

  • This solution uses a single Azure virtual network with a site-to-site VPN connection. The Azure virtual network hosts a single subnet that contains one server, the DirSync server that is running the Azure AD Connect tool.

  • On the on-premises network, a domain controller (to be synchronized with Office 365) and DNS servers exist.

  • The Azure AD Connect tool is used for password synchronization instead of single sign-on. You do not have to deploy an Active Directory Federation Services (AD FS) infrastructure. To learn more about password synchronization and single sign-on options, see Determine which directory integration scenario to use.

There are additional design choices that you might consider when you deploy this solution in your environment. These include the following:

  • If there are existing DNS servers in an existing Azure virtual network, determine whether you want your DirSync server to use them for name resolution instead of DNS servers on the on-premises network.

  • If there are domain controllers in an existing Azure virtual network, determine whether configuring Active Directory Sites and Services may be a better option for you. The directory synchronization server can query the domain controllers in the Azure virtual network for changes in accounts and passwords instead of domain controllers on the on-premises network.

Deploying the Azure AD Connect tool on Azure consists of four phases, as shown in the following diagram.

DirSync Workflow

Phase    Description
Phase 1  Prepare your Azure environment
Phase 2  Set up your Office 365 subscription to allow Active Directory synchronization
Phase 3  Install and configure the Azure AD Connect tool
Phase 4  Assign licenses to users in Office 365

Create the Azure Virtual Machine for the DirSync server and join it to your on-premises Active Directory domain. For more information about how to create a virtual machine in Azure, see How to create the virtual machine.

Use the following settings:

  • On the Basics pane, select the same subscription and resource group as your virtual network. Record the local administrator user name and password in a secure location. You will need these later to log on to the virtual machine.

  • On the Size pane, choose the A2 Standard size.

  • On the Settings pane, in the Storage section, select the Standard storage type and the storage account set up with your virtual network. In the Network section, select the name of your virtual network and the subnet for hosting the DirSync server (not the gateway subnet). Leave all other settings at their default values.

Verify that your DirSync server is using DNS correctly by checking your internal DNS to make sure that an Address (A) record was added for the virtual machine with the correct IP address from Azure.

To log on to the new virtual machine using a Remote Desktop Connection, see Log on to the virtual machine. After logging on, join the virtual machine to the on-premises AD DS domain. Because the Azure AD Connect tool reads account and password data from AD DS, treat the DirSync server with the same protections as a domain controller: restrict membership of its local Administrators group and limit Remote Desktop access to the administrators who manage synchronization.

For the Azure AD Connect tool to gain access to Internet resources, you must configure the DirSync server to use the on-premises network's proxy server. The Azure AD Connect tool reads its proxy settings from the .NET machine.config file on the server, so the proxy must be set there as well as in the system (WinHTTP) proxy settings. You should contact your network administrator for any additional configuration steps to perform on the DirSync server.
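The following script carries out the checks and settings described in this phase from PowerShell. It is an added example and is not part of the original article; the domain name corp.contoso.com, the on-premises DNS server 10.0.0.4 and the proxy proxy.corp.contoso.com:8080 are assumed values that you replace with your own.

```powershell
# Added example, not from the original article: prepare the DirSync server before installing the
# Azure AD Connect tool. Run in an elevated PowerShell session on the new Azure virtual machine.
# Assumed values (not in the article): the AD DS domain, an on-premises DNS server reachable over
# the site-to-site connection, and the on-premises proxy.
$Domain    = 'corp.contoso.com'
$DnsServer = '10.0.0.4'
$Proxy     = 'proxy.corp.contoso.com:8080'

# 1. The VM must reach on-premises DNS and find a domain controller; the LDAP SRV record
#    is the same lookup that the domain join itself performs.
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DnsServer -ErrorAction Stop |
       Where-Object QueryType -eq 'SRV'
$dcs | Select-Object NameTarget, Port | Format-Table -AutoSize

# 2. The A record for the VM must exist in internal DNS and match the address Azure assigned to its NIC.
$aRecords = (Resolve-DnsName -Name "$env:COMPUTERNAME.$Domain" -Type A -Server $DnsServer -ErrorAction Stop |
             Where-Object QueryType -eq 'A').IPAddress
$nicIps   = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.InterfaceAlias -notlike '*Loopback*' }).IPAddress
foreach ($ip in $aRecords) {
    if ($ip -notin $nicIps) { throw "DNS A record $ip does not match the VM's NIC address(es): $($nicIps -join ', ')" }
}

# 3. Internet-bound traffic from the tool must go through the on-premises proxy. Set the system
#    (WinHTTP) proxy and the .NET defaultProxy in machine.config, which the sync service reads.
#    Hosts in the AD DS domain bypass the proxy so that domain controller traffic stays direct.
netsh winhttp set proxy proxy-server="$Proxy" bypass-list="<local>;*.$Domain"

$cfgPath = "$env:windir\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config"
Copy-Item -Path $cfgPath -Destination "$cfgPath.bak" -Force          # keep a copy before editing
[xml]$cfg = Get-Content -Path $cfgPath -Raw
$sysNet = $cfg.configuration.SelectSingleNode('system.net')
if (-not $sysNet) { $sysNet = $cfg.configuration.AppendChild($cfg.CreateElement('system.net')) }
$old = $sysNet.SelectSingleNode('defaultProxy')                        # replace an existing defaultProxy only
if ($old) { [void]$sysNet.RemoveChild($old) }
$frag = $cfg.CreateDocumentFragment()
$frag.InnerXml = "<defaultProxy enabled=`"true`" useDefaultCredentials=`"true`">" +
                 "<proxy usesystemdefault=`"true`" proxyaddress=`"http://$Proxy`" bypassonlocal=`"true`" />" +
                 "</defaultProxy>"
[void]$sysNet.AppendChild($frag)
$cfg.Save($cfgPath)

# 4. Join the on-premises domain (prompts for a domain account permitted to join computers) and reboot.
#    After the restart, log on with a domain account and continue with Phase 2.
Add-Computer -DomainName $Domain -Credential (Get-Credential -Message "Account used to join $Domain") -Restart
```

The proxy is configured before the domain join so that the reboot at the end leaves the server ready for setup; if your machine.config already carries other system.net settings, the script leaves them in place and replaces only the defaultProxy element.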

Allow Active Directory synchronization in Office 365 by completing the following steps:

  1. Log on to the Office 365 portal page.

  2. Click Users. Next to Active Directory synchronization, click Set up, and then click Activate.

Complete the following steps to install and configure the Azure AD Connect tool on your DirSync server:

  1. On the Azure Virtual Machine, log on by using an account that has local administrator privileges, and then use the following link to download the Azure AD Connect tool: Azure AD Connect tool (https://www.microsoft.com/download/details.aspx?id=47594).

  2. Run the Microsoft Azure AD Connect Setup program.

  3. From the desktop, double-click Azure AD Connect.

  4. On the Welcome page, select I agree to the license terms and privacy notice, and then click Continue.

  5. On the Express Settings page, click Use express settings.

  6. On the Connect to Azure AD page, type the user name and password of an Azure Active Directory administrator account, and then click Next.

  7. On the Connect to AD DS page, type the user name and password of an AD DS enterprise administrator account, and then click Next.

  8. On the Ready to configure page, review the settings, and then click Install.

  9. On the Configuration complete page, click Exit.

Caution: Setup creates a local service account named AAD_xxxxxxxxxxxx (where xxxxxxxxxxxx is a generated identifier) in the local Users container on the DirSync server and runs the synchronization service under it. Do not move, rename, disable, or remove this account, and do not change its password, or synchronization will fail.
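To confirm that the installation is healthy without waiting for the first scheduled cycle, the following script runs on the DirSync server after setup exits. It is an added example, not part of the original article, and assumes Azure AD Connect 1.1 or later, whose ADSync PowerShell module provides the scheduler and connector cmdlets used here.

```powershell
# Added example, not from the original article: verify the Azure AD Connect installation on the
# DirSync server. Assumes Azure AD Connect 1.1 or later (ADSync module with Get-ADSyncScheduler).
# Run in an elevated PowerShell session on the DirSync server.
Import-Module ADSync

# The synchronization service and the local AAD_xxxxxxxxxxxx service account that setup created.
Get-CimInstance Win32_Service -Filter "Name = 'ADSync'" | Select-Object Name, State, StartMode, StartName
Get-CimInstance Win32_UserAccount -Filter "LocalAccount = TRUE" |
    Where-Object Name -like 'AAD_*' |
    Select-Object Name, Disabled, Lockout, PasswordExpires

# Two connectors are expected: one for the on-premises AD DS forest and one for Azure AD.
Get-ADSyncConnector | Select-Object Name, ConnectorTypeName | Format-Table -AutoSize

# The built-in scheduler drives the ongoing synchronization. It should be enabled, not in staging
# mode, and set to run delta cycles at the default 30-minute interval.
Get-ADSyncScheduler | Select-Object SyncCycleEnabled, StagingModeEnabled, CurrentlyEffectiveSyncCycleInterval,
                                    NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC

# Trigger a delta cycle now instead of waiting for the next scheduled run, then poll until no
# connector run is in progress (Get-ADSyncConnectorRunStatus returns nothing when the engine is idle).
if (-not (Get-ADSyncScheduler).SyncCycleInProgress) {
    Start-ADSyncSyncCycle -PolicyType Delta
}
do {
    Start-Sleep -Seconds 15
    $running = Get-ADSyncConnectorRunStatus
} while ($running)
Write-Host 'Delta sync cycle finished. Review run history in Synchronization Service Manager for per-object errors.'
```

If the service account query returns nothing, or the service is not running under it, setup did not complete as expected and the Azure AD Connect wizard should be run again rather than the account recreated by hand.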

Activate your Office 365 users by completing the following procedure:

  1. Log on to the Office 365 portal page, and then click Users.

  2. Select the check box next to the user, or users, that you want to activate, and then click Activate synced users.

  3. Under Set user location, select the user’s, or users’, work location.

  4. Under Assign licenses, select the licenses that you want to assign to the user, or users, and then click Next.

  5. On the Send results in email page, select Send email to send a user name and temporary password by email. Enter email addresses, separated by semicolons (;), and then click Activate. You can enter a maximum of five email addresses.

  6. On the Results page, the new user, or users, and a corresponding temporary password are displayed. Click Finish.
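The tenant-side work in Phase 2 (allowing directory synchronization) and Phase 4 (licensing the synchronized users) can also be done from PowerShell with the MSOnline module, which is useful when more than a handful of users are synchronized. The following script is an added example and is not part of the original article; the usage location US and the license SKU contoso:ENTERPRISEPACK are assumed values, and Get-MsolAccountSku shows the identifiers that apply to your own subscription.

```powershell
# Added example, not from the original article: the tenant-side steps of Phase 2 and Phase 4 from
# PowerShell instead of the Office 365 portal. Requires the MSOnline module (Install-Module MSOnline)
# on a workstation with Internet access. Assumed values (not in the article): the usage location
# and the license SKU identifier.
Import-Module MSOnline
Connect-MsolService          # prompts for the Azure AD administrator credentials

# Phase 2: allow directory synchronization in the tenant and confirm the setting took effect.
Set-MsolDirSyncEnabled -EnableDirSync $true -Force
Get-MsolCompanyInformation |
    Select-Object DirectorySynchronizationEnabled, LastDirSyncTime, PasswordSynchronizationEnabled

# Phase 4 (run after the first synchronization cycle has completed): license the synced users.
$UsageLocation = 'US'
$Sku           = 'contoso:ENTERPRISEPACK'

# Confirm that enough license units remain before assigning them.
Get-MsolAccountSku | Select-Object AccountSkuId, ActiveUnits, ConsumedUnits

# Only synchronized users that have no license yet; cloud-only accounts are left alone.
$unlicensed = Get-MsolUser -All -Synchronized -UnlicensedUsersOnly
foreach ($u in $unlicensed) {
    # A usage location is mandatory before a license can be assigned.
    Set-MsolUser -UserPrincipalName $u.UserPrincipalName -UsageLocation $UsageLocation
    Set-MsolUserLicense -UserPrincipalName $u.UserPrincipalName -AddLicenses $Sku
}

# Review: every synchronized user should now show a LastDirSyncTime and IsLicensed = True.
Get-MsolUser -All -Synchronized |
    Select-Object UserPrincipalName, LastDirSyncTime, IsLicensed |
    Format-Table -AutoSize
```

Because password synchronization is the sign-in method in this design, synchronized users sign in with their on-premises AD DS password; no temporary password needs to be distributed for accounts licensed this way.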
