Introduction
In part 7 of this multi-part article series revolving around Exchange 2013 hybrid deployment based migrations to the new Office 365 or more precisely Exchange Online, we converted our custom managed domain to a federated domain, so that users will be able to authenticated against Office 365 using their UPN login.In this part 8, we will continue where we left off in part 7. That is we will install and configure the Windows Azure Active Directory (WAAD Sync tool on our Windows Server 2012 domain-member server and start object synchronization from our on-premises Active Directory to the Office 365 tenant.
Note:The WAAD Sync tool was formerly known as the Directory Synchronization tool (DirSync tool).
Let’s get going...
Activating Active Directory Synchronization
The first preparation step we want to complete before concentrating on installing and configuring the WAAD Sync tool on the respective domain member server in our on-premises environment is to activate directory synchronization for our Office 365 tenant. This can be done by logging on to the Office 365 portal followed by clicking on the “users and groups”. and from here click “Set up” to the right of “Active Directory synchronization” in the top of the page as shown in Figure 1 below.Figure 1: Users and groups page in the Office 365 portal
Under “Set up and manage Active Directory synchronization”, click on the “activate” button in “step 3”.
Figure 2: Clicking on the activate button
You will now be asked whether you really wish to activate directory synchronization from your on-premises environment to Office 365. Since this is exactly what we want to do, click “activate” once again.
Figure 3: Do we really wish to activate directory synchronization?
Although we just activated directory synchronization, this will not occur instantly. As you can see in Figure 4, we need to wait up to 24 hours before it’s activated.
Figure 4: Activation in progress
Creating the WAAD Sync Service Account
While we wait for directory synchronization to complete, let’s create the service account that should be used for configuring directory synchronization. We should create this account in the Office 365 tenant. To do so, click “users and groups” and then hit the “plus” sign as shown in Figure 5.Figure 5: Clicking “plus” sign
Enter the name and UPN logon for the account and click “next”.
Figure 6: Naming the account and giving it a UPN logon name
On the “settings” page, make sure to assign the account “Global Administrator” permissions. Also, specify the email address that should be used if there’s a need to someday reset the password for this account.
Click “next”.
Figure 7: Assigning the account Global Administrator permissions
Since the account should not be used to access any Office 365 services, leave all of them unticked and click “next”.
Figure 8: No need for any licenses
Now specify the email address to which the temporary password should be sent and click “create”.
Figure 9: Send results in email
On the “results” page, click “finish”.
Figure 10: Results page
Now log off the portal and log on again using the new accounts credentials.
Figure 11: Logging on to the portal with the new account
You will be asked to specify a new password for the account. Do so and click “save”.
Figure 12: Specifying a new password for the new account
Now you need to decide whether the new account, which can be considered a service account should follow the Office 365 password expiration policy meaning you need to change the password for the account every 90 days or if you rather want to set the password to never expire.
I’ll do the latter.
Since this can’t be done via the Office 365 portal, we need to connect to the Office 365 tenant using Windows PowerShell.
When connected to the Office 365 tenant, we can check the “PasswordNeverExpires” value with the following command:
Get-MsolUser –UserPrincipalName “svc-dirsync@clouduserdk.onmicrosoft.com” | fl
Figure 13: Value of the “PasswordNeverExpires” attribute for the new service account
To change this value to “True”, we can use the following command:
Set-MsolUser –UserPrincipalName “svc-dirsync@clouduserdk.onmicrosoft.com” –PasswordNeverExpires “true”
Figure 14: Changing the password never expires attribute to “true”
Ok let's see whether active directory synchronization has been activated. As you can see in Figure 15, this is the case so we can move on to the next action, which is to install and configure the WAAD Sync tool.
Figure 15: Active directory synchronization is now activated
Installing and Configuring the WAAD Sync Tool
When directory synchronization has been activated, let’s switch back to the server on which we wish to install the WAAD Sync tool. You can download the latest version of the WAAD Sync tool from the Office 365 portal. More specifically under “users and groups” > “Set up” and here click the “download” button under “step 4”.Figure 16: Downloading the WAAD Sync tool
From there launch the WAAD Sync tool setup wizard. On the “Welcome” page, click “Next”.
Figure 17: WAAD Sync tool setup wizard – Welcome page
Accept the license terms and click “Next”.
Figure 18: Accepting the license terms
On the “Select Installation Folder” page, click “Next”.
Figure 19: Select installation folder page
Let the installation finish. This can take a few minutes.
Figure 20: WAAD Sync tool is being installed
When installation has completed, click “Next”.
Figure 21: Installation complete
On the “Finished” page, make sure “Start Configuration wizard now” is ticked then click “Finish”.
Figure 22: Finish page
The WAAD Sync tool Configuration wizard will now launch. On the “Welcome” page, click “Next”.
Figure 23: WAAD Sync tool Configuration wizard
On the “Windows Azure Active Directory Credentials” page, enter the credentials for the service account we created in the previous section and click “Next”.
Figure 24: Entering the credentials for the WAAD Sync service account
On the “Active Directory Credentials” page, enter the credentials of an account with domain administrator permissions in the on-premises Active Directory.
Note:
This does not need to be a dedicated service account as these credentials aren’t saved.
Click “Next”.
Figure 25: Entering the credentials of a domain administrator
We’re now taken to the Exchange hybrid deployment page. If the DirSync Configuration setup wizard detects Exchange 2010 SP1 (or later) servers in the on-premises Active Directory we will be able to tick “Enable Exchange hybrid deployment”.
Note:
If the setup wizard doesn’t detect any Exchange 2010 SP1 (or later) servers, the tick box will be greyed out. Since we, in this article series, are dealing with an Exchange hybrid deployment based configuration based on Exchange 2013 servers, we wish to tick this option.
When ticking the “Enable Exchange hybrid deployment” box, we allow the WAAD Sync tool to perform write-back from Office 365 to the on-premises Active Directory for specific attributes. This is in order to allow support for features such as archive on-premises mailboxes in the cloud, off-board mailboxes from the cloud to on-premises Exchange servers, have on-premises filtering software take advantage of user made safe and blocked senders in the cloud and UM online voice mail.
With Exchange hybrid deployment enabled, write-back will be performed for the following attributes:
Write-Back attribute |
Exchange "full fidelity" feature |
SafeSendersHash BlockedSendersHash SafeRecipientHash |
Filtering Coexistence: Writes back on-premises filtering and online safe and blocked sender data from clients. |
msExchArchiveStatus |
Online Archive: Enables customers to archive mail in Microsoft Online. |
ProxyAddresses (LegacyExchangeDN |
Enable Mailbox: Off-boards an online mailbox back to on-premises Exchange. |
msExchUCVoiceMailSettings |
Enable Unified Messaging (UM) - Online voice mail: This new attribute
is used only for UM-Microsoft Lync Server 2010 or later integration to
indicate to Lync Server 2010 or later on-premises that the user has
voice mail in online services. |
When you have ticked “Enable Exchange hybrid deployment”, click “Next”.
Figure 26: Ticking enable “Hybrid Deployment”
Now we reach the new “Password Synchronization” page, where we have the option to enable password synchronization from the on-premises Active Directory users to the user objects in the Office 365 tenant. With password synchronization we can achieve SSO as in “same sign-on” not SSO as in “single sign-on”, which is possible with ADFS based federation between the on-premises environment and the Office 365 tenant.
Since we use ADFS based federation in this article series, make sure “Enable Password Sync” is unticked and click “Next”.
Figure 27: Password synchronization page
Wait for the WAAD Sync tool configuration wizard to complete the configuration.
Figure 28: Completing configuration
When configuration has completed, click “Finish”.
Figure 29: Configuration complete
Now make sure “Synchronize directories now" is selected and then click “Finish”. This will initiate the first synchronization from the on-premise Active Directory to the metaverse and the export from the metaverse to the Office 365 tenant.
Figure 30: Finished page
You will receive the warning shown in Figure 31, which includes a link to a TechNet page that explains how you can verify synchronization works properly. Click “OK”.