Understanding Dirsync
Daniel Kenyon-Smith, Microsoft Consultancy Services UK


Agenda

1. Dirsync Overview
2. Requirements
3. Deployment Options
4. Understanding Synchronization

Dirsync Overview


What is DirSync?

• An application that synchronizes on-premises Active Directory objects with Office 365 users, contacts and groups
• Initially designed as a software-based “appliance”: “set it and forget it”
• Multi-forest support now available
• Appliance and FIM options available


Purpose

• Enables coexistence
  • Provisions objects in Office 365 with the same email addresses as the objects in the on-premises environment
  • Provides a unified Global Address List experience between on-premises and Office 365
    • Objects hidden from the GAL on-premises are also hidden from the GAL in Office 365
  • Enables coexistence for Exchange
    • Works in both simple and hybrid deployment scenarios
    • Enabler for mail routing between on-premises and Office 365 with a shared domain namespace
  • Enables coexistence for Microsoft Lync


Purpose (continued)

• Enables “run state” administration and management of users, groups, and contacts
  • Synchronizes adds/deletes/modifications of users, groups, and contacts from on-premises to Office 365
• Enabler for Single Sign-On
• Not intended as a single-use bulk upload tool

Directory Synchronization Options

PowerShell & Graph API
• Suitable for small/medium size organizations with AD or non-AD
• Performance limitations apply with PowerShell and Graph API provisioning
• PowerShell requires scripting experience
• The PowerShell option can be used where the customer/partner may have wrappers around PowerShell scripts (e.g. self-service provisioning)

Dirsync
• Suitable for organizations using Active Directory (AD)
• Provides the best experience to most customers using AD
• Supports Exchange coexistence scenarios
• Coupled with ADFS, provides the best option for federation and synchronization
• Supports Password Synchronization at no additional cost
• Does not require any additional software licenses

FIM
• Suitable for large organizations with certain AD and non-AD scenarios
• Complex multi-forest AD scenarios
• Non-AD synchronization through Microsoft Premier deployment support
• Requires Forefront Identity Manager and additional software licenses


Single Forest Dirsync

• x64 FIM appliance (set and forget)
• x86 MIIS appliance now unsupported
• Scoping of object sync within the forest now supported
• AD GUID used as SourceAnchor (the link between the AD and Office 365 object)


Multi Forest Dirsync

• x64 FIM multi-forest appliance (simple)
• FIM deployment (complex)
• Scoping of object sync within forest(s) now supported
• For a FIM deployment a unique AD attribute must be selected as the SourceAnchor\Immutable ID, e.g. Employee ID


Multi Forest Topology

• Multi-forest AD support is available through Microsoft-led deployments
• The multi-forest DirSync appliance supports multiple disjoint account forests
• The FIM 2010 Office 365 connector supports complex multi-forest topologies

[Diagram: several on-premises AD forests synchronized to Windows Azure Active Directory by DirSync on FIM; the on-premises identity (e.g. Domain\Alice) is federated using ADFS]

Non-AD Synchronization

• Preferred option for directory synchronization with non-AD sources
• Non-AD support with FIM is available through Microsoft-led deployments
• The FIM 2010 Office 365 connector supports complex multi-forest topologies

[Diagram: a non-AD (LDAP) directory synchronized to Windows Azure Active Directory by the Office 365 Connector on FIM; the on-premises identity (e.g. Domain\Alice) is federated using a non-ADFS STS]

Requirements


Prerequisite Remediation

• Run the Microsoft Office 365 Deployment Readiness Tool:
  http://community.office365.com/en-us/forums/183/p/2285/8155.aspx
• Analyse the on-premises environment:
  • Domains
  • User identity and account provisioning
  • Exchange Online
  • Lync Online
  • SharePoint Online
  • Client
  • Network

Dirsync: From the Field

• Dirsync (single forest) must be joined to a domain within the same forest that will be synchronized
• The Dirsync server should never be installed on a domain controller
• The Dirsync server should be Windows Server 2008 (x64)
• By default SQL Server 2008 R2 Express is installed
  • 10 GB database limit (approx. 50,000 objects)
  • Full SQL option available
• x64 single\multi-forest appliance available (O365 connector also available for complex scenarios)

When utilising the full SQL option you must ensure that the EA account has “sysadmin” rights on the SQL instance and that the Dirsync service account has “public” permissions on the Dirsync DB.

Scoping & Filtering for Synchronization

• Customers can exclude objects from synchronizing to Office 365
• Scoping can be done at the following levels:
  • AD domain-based
  • Organizational unit-based
  • User attribute-based
• Additional filtering capabilities will become available with the O365 Connector

From the Field: when installing Dirsync ensure that you use EA credentials and that all DCs are accessible from the Dirsync server.


Hardware Recommendations

Recommend a system that exceeds the minimum requirements.

Number of objects in Active Directory   CPU       Memory   Hard disk size
Fewer than 10,000                       1.6 GHz   4 GB     70 GB
10,000–50,000                           1.6 GHz   4 GB     70 GB
50,000–100,000                          1.6 GHz   16 GB    100 GB
100,000–300,000                         1.6 GHz   32 GB    300 GB
300,000–600,000                         1.6 GHz   32 GB    450 GB
More than 600,000                       1.6 GHz   32 GB    500 GB


Network Requirements

• Synchronization with Office 365 occurs over SSL
• Internal network communication will use typical Active Directory related ports
• The Dirsync server must be able to contact all DCs in the forest

Service                                 Protocol   Port
LDAP                                    TCP/UDP    389
Kerberos                                TCP/UDP    88
DNS                                     TCP/UDP    53
Kerberos Change Password                TCP/UDP    464
RPC                                     TCP        135
RPC randomly allocated high TCP ports   TCP        1024–65535 / 49152–65535 (1)
SMB                                     TCP        445
SSL                                     TCP        443
SQL                                     TCP        1433

(1) The lower range (1024–65535) is the dynamic RPC range on Windows Server 2003 domain controllers; Windows Server 2008 and later use 49152–65535.
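A first-pass check for the "must be able to contact all DCs" requirement, written for this page as an added example (it is not from the deck): from the prospective Dirsync server it tests TCP reachability of every domain controller in the forest on the AD ports from the table above. UDP and the dynamic RPC range are not exercised, so a clean result is necessary but not sufficient.

```powershell
# Added example, not part of the deck: TCP reachability of every DC in the forest
# on the AD ports listed in the network requirements table.
Import-Module ActiveDirectory

# Service name -> TCP port (from the table above; UDP-only checks omitted)
$ports = [ordered]@{ LDAP = 389; Kerberos = 88; DNS = 53; KerberosChangePassword = 464; RPC = 135; SMB = 445 }
$timeoutMs = 3000

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }  # timed out (filtered?)
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Walk every domain in the forest, then every DC in that domain; Dirsync needs all of them
$results = foreach ($domainName in (Get-ADForest).Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
        foreach ($svc in $ports.Keys) {
            [pscustomobject]@{
                Domain    = $domainName
                DC        = $dc.HostName
                Service   = $svc
                Port      = $ports[$svc]
                Reachable = Test-TcpPort -HostName $dc.HostName -Port $ports[$svc] -TimeoutMs $timeoutMs
            }
        }
    }
}

# Anything listed here will block installation or synchronization for that DC
$results | Where-Object { -not $_.Reachable } | Format-Table -AutoSize
```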


Permission Requirements

• The account used to install\configure DirSync must have:
  • Enterprise Administrator rights
  • Local machine administrator permissions
  • If using full SQL, rights within SQL to create the DirSync database and to set up the SQL service account with the db_owner role
• The account used to configure DirSync must reside in the local machine MIISAdmins group
  • The account used to install DirSync is automatically added
• Administrator permission in the Office 365 tenant
  • DirSync uses an administrator account in the tenant to provision and update/modify objects


Permission Requirements: Enterprise Administrator permission

• Enterprise Administrator permission in the on-premises Active Directory
  • The credential is not stored/saved by the configuration wizard
  • Used to create the MSOL_AD_Sync domain account in the CN=Users container of the root domain
  • Used to delegate the following permissions to MSOL_AD_Sync on each domain partition in the forest:
    • Replicating Directory Changes
    • Replicating Directory Changes All
    • Replication Synchronization


Permission Requirements: Enterprise Administrator permission (continued)

• Used to create the MSOL_AD_Sync_RichCoexistence group in the CN=Users container of the root domain if “Rich Coexistence” is selected during configuration
• Used to delegate write permissions to only the 6 attributes needed for a hybrid deployment scenario to the MSOL_AD_Sync_RichCoexistence group on each domain partition in the forest

Attribute                   Object Type
MSExchArchiveStatus         User
MSExchBlockedSendersHash    User
MSExchSafeRecipientsHash    User
MSExchSafeSendersHash       User
MSExchUCVoiceMailSettings   User
ProxyAddresses              User, Contact, Group
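The three replication permissions delegated to MSOL_AD_Sync are high-value rights, so it is worth confirming after installation who actually holds them on each domain partition. The following is an added example written for this page (not the deck's or the DirSync product's own code); it resolves the right GUIDs from the schema rather than hard-coding them and should be run once per domain in the forest.

```powershell
# Added example, not part of the deck: list every principal holding one of the
# replication extended rights on the domain naming context.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$rootDse = Get-ADRootDSE

# Resolve the rights GUIDs from the Extended-Rights container instead of hard-coding them
$wanted = 'DS-Replication-Get-Changes', 'DS-Replication-Get-Changes-All', 'DS-Replication-Synchronize'
$rightsByGuid = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
             -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid, displayName |
    Where-Object { $wanted -contains $_.Name } |
    ForEach-Object { $rightsByGuid[[string]$_.rightsGuid] = $_.displayName }

# Read the DACL of the domain partition, which is where the wizard delegates
$acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$holders = foreach ($ace in $acl.Access) {
    if (($ace.ActiveDirectoryRights -band $extendedRight) -eq 0) { continue }
    $guid = [string]$ace.ObjectType
    # An ExtendedRight ACE with an empty ObjectType grants *all* extended rights, these included
    if ($ace.ObjectType -eq [guid]::Empty) {
        $name = 'All extended rights'
    } elseif ($rightsByGuid.ContainsKey($guid)) {
        $name = $rightsByGuid[$guid]
    } else {
        continue
    }
    [pscustomobject]@{
        Identity  = $ace.IdentityReference
        Right     = $name
        Type      = $ace.AccessControlType
        Inherited = $ace.IsInherited
    }
}

# Expect MSOL_AD_Sync (created by the Dirsync wizard) plus the built-in holders
# such as domain controllers and administrators; anything else should be explained or removed.
$holders | Sort-Object Identity, Right | Format-Table -AutoSize
```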

Understanding Synchronization


Synchronization

• By default the entire Active Directory forest is scoped for synchronization
• What is synchronized?
  • All user objects
  • All group objects
  • Mail-enabled contact objects
• Passwords are not synchronized*

*Password Sync Early On-boarding program underway


List of attributes sync’d to WAAD

Synced object attribute   User   Group   Contact (Src)   Description
Company                   Read   -       Read            The person's (user or contact) company name.
Department                Read   -       Read            The name of the person's (user or contact) department.
Description               Read   Read    Read            Human-readable descriptive phrases about the object.
DisplayName               Read   Read    Read            The display name for an object, usually the combination of the person's first name, middle initial, and last name.

Full list of attributes that are synced to Windows Azure Active Directory and attributes that are written back to the on-premises Active Directory Domain Services:
http://support.microsoft.com/default.aspx?scid=kb;en-US;2256198


Synchronization

• Synchronization is from on-premises to Office 365 only, unless “write-back” is enabled
• Synchronization occurs every 3 hours
  • Use the “Start-OnlineCoexistenceSync” cmdlet to force a sync outside of the regular synchronization schedule
• New user, group, and contact objects that are added on-premises are added to Office 365
  • Licenses are not automatically assigned
• Existing user, group, or contact object attributes that are modified on-premises are modified in Office 365
  • Not all on-premises AD attributes are synchronized


Synchronization (continued)

• Existing user, group, and contact objects that are deleted on-premises are deleted from Office 365
• Existing user objects that are disabled on-premises are disabled in Office 365
  • The license is not automatically unassigned
• Objects are recoverable within 30 days of deletion


Synchronization (continued)

• The first synchronization cycle after installation is a full synchronization
  • May be a time-consuming process relative to the number of objects synchronized
  • Approximately 5000 objects every 45 to 60 minutes
  • Plan ahead if synchronizing tens or hundreds of thousands of objects
• Subsequent synchronization cycles are deltas only and much faster


Synchronization: the sync cycle

• Sync Cycle Step 1: Import users, groups, and contacts from the source Active Directory forest
• Sync Cycle Step 2: Import users, groups, and contacts from Microsoft Online Services via AWS
• Sync Cycle Step 3: Export users, groups, and contacts that do not already exist in Microsoft Online Services

[Diagram: on-premises Active Directory and Exchange Server on the left, DirSync in the middle, Microsoft Online Services on the right (DirSync Web Service, Online Directory, Live ID, Exchange Online, SharePoint Online, Lync Online). An on-premises mailbox-enabled user object with its primary SMTP proxy address is provisioned in the Online Directory as a logon-enabled, unlicensed, mail-enabled (not mailbox-enabled) user object carrying the same ProxyAddresses; only mail-enabled objects are shown. Example addresses in the original slide were not preserved by extraction.]

Understanding Coexistence


What is Coexistence?

• Some users are provisioned in Office 365 while the remaining users are provisioned in the on-premises environment
• Office 365 users see the same objects in the Global Address List as the on-premises users
• Email messages are routed seamlessly from Office 365 users to on-premises users, and vice versa


Simple Coexistence Deployment

• Uses Directory Synchronization for GAL synchronization
• Enables mail routing between on-premises and Office 365 using a shared DNS namespace
• Provides a unified GAL experience
• Can be used with cloud identities or federated identities
• Does not require an on-premises Hybrid server


Hybrid Deployment

• Uses Directory Synchronization for GAL synchronization
• Enables mail routing between on-premises and Office 365 using a shared DNS namespace
• Provides a unified GAL experience
• Can be used with cloud identities or federated identities

Key Deployment Considerations


Key Deployment Considerations

• Complete Active Directory cleanup work before implementing DirSync
  • Especially if importing data from a 3rd-party LDAP directory into Active Directory
• Plan ahead for the DirSync quota increase
  • Could become a deployment blocker; don’t wait until the 11th hour to request it
• Consider Exchange schema extensions for non-Exchange AD environments


Key Deployment Considerations (continued)

• UPN suffix
  • Verify on-premises user objects have a value (not null) for the UPN suffix and that it is correct
  • The default routing domain (e.g. contoso.onmicrosoft.com) is used for the Office 365 UPN suffix if the on-premises UPN suffix does not contain a publicly routable DNS domain (i.e. *.local cannot be used)
• Verified domains
  • Add all SMTP domains as verified domains before synchronizing
  • A domain cannot be removed until all synchronized objects are no longer using it as a proxy address or UPN
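The UPN-suffix and verified-domain checks above can be run against the on-premises directory before the first sync. The following is an added example written for this page (not from the deck): it reports enabled users whose UPN has no suffix, whose UPN suffix is not in the verified domain list (these would receive the onmicrosoft.com fallback), or whose SMTP proxy addresses use a domain that has not been verified. The verified domain list is a constructed placeholder.

```powershell
# Added example, not part of the deck: flag users whose UPN suffix or SMTP proxy
# address domains are not in the tenant's verified domain list.
Import-Module ActiveDirectory

# Constructed list for illustration; in practice take it from the tenant
# (e.g. Get-MsolDomain from the MSOnline module, keeping Status -eq 'Verified').
$verifiedDomains = @('contoso.com', 'sales.contoso.com')

function Get-SuspectUsers {
    param([string[]]$VerifiedDomains)
    $users = Get-ADUser -Filter 'Enabled -eq $true' -Properties userPrincipalName, proxyAddresses
    foreach ($u in $users) {
        $upn = $u.userPrincipalName
        if ([string]::IsNullOrEmpty($upn) -or $upn -notmatch '@') {
            [pscustomobject]@{ User = $u.SamAccountName; Issue = 'UPN null or has no suffix'; Value = $upn }
            continue
        }
        $suffix = $upn.Split('@')[1]
        # e.g. contoso.local: Office 365 would substitute the default routing domain
        if ($VerifiedDomains -notcontains $suffix) {
            [pscustomobject]@{ User = $u.SamAccountName; Issue = 'UPN suffix not a verified domain'; Value = $suffix }
        }
        # -like is case-insensitive, so both the primary SMTP: and secondary smtp: entries match
        foreach ($addr in @($u.proxyAddresses) | Where-Object { $_ -like 'smtp:*' }) {
            $dom = $addr.Split('@')[-1]
            if ($VerifiedDomains -notcontains $dom) {
                [pscustomobject]@{ User = $u.SamAccountName; Issue = 'Proxy address domain not verified'; Value = $addr }
            }
        }
    }
}

# Each row is an object that would sync with a substituted UPN or fail on an unverified domain
Get-SuspectUsers -VerifiedDomains $verifiedDomains | Sort-Object User | Format-Table -AutoSize
```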

Questions?
