
Module 17

Office 365 Active Directory Synchronization

Presenter Name
Presenter Role

Conditions and Terms of Use


Microsoft Confidential

This training package is proprietary and confidential, and is intended only for uses described in the training materials. Content and software is provided
to you under a Non-Disclosure Agreement and cannot be distributed. Copying or disclosing all or any portion of the content and/or software included in
such packages is strictly prohibited.
The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether express or
implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.
Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft must respond
to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the
accuracy of any information presented after the date of publication. Unless otherwise noted, the companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product,
domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Copyright and Trademarks


© 2014 Microsoft Corporation. All rights reserved.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form
or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written
permission of Microsoft Corporation.
For more information, see Use of Microsoft Copyrighted Content at
http://www.microsoft.com/about/legal/permissions/
Microsoft, Internet Explorer, Outlook, SkyDrive, Windows Vista, Zune, Xbox 360, DirectX, Windows Server and
Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries. All other trademarks are property of their respective owners.

Overview

This module covers the integration of an on-premises Active Directory with Azure Active Directory through the use of the Azure AD Connect tool, including:
- Purpose: what does it do?
- Requirements
- Permissions
- Understanding synchronization
- Key deployment considerations

Objectives

This module will cover:
- Directory synchronization overview
- The Azure AD Connect tool
- Preparing on-premises Active Directory for directory synchronization
- Password synchronization

What is the Azure AD Connect Tool?

Azure AD Connect is the single tool and experience for connecting and synchronizing your on-premises directories to Azure Active Directory.
- Designed as a software-based appliance
- Set it and forget it
- Relies on Forefront Identity Manager 2010 R2 (aka FIM)
- Bundled with SQL Server 2012 Express LocalDB
- Enables a unified Global Address List (GAL) experience between your on-premises organization and Office 365, as well as:
  - The ability to manage all Active Directory user accounts on-premises
  - The ability to synchronize on-premises Active Directory password hashes
  - All account changes replicate automatically to Office 365
- Required for single sign-on (ADFS)
- Required for Exchange Hybrid Deployment or Staged Migration

Synchronization Direction

Directory synchronization is mostly one way, to Azure Active Directory:
- Hybrid requires 7 attributes to be written back to the on-premises user objects for coexistence purposes
- Password write-back capability (requires Azure AD Premium license)
- On-premises AD is the authoritative source for all changes

Delete a user on-premises and directory synchronization will delete the corresponding user in Office 365.

Software Requirements

System requirements:
- Windows 2008, 2008 R2, 2012 and 2012 R2 supported
- Microsoft .NET Framework 4.5
- Windows PowerShell 3.0 or newer
Additional requirements:
- Standalone, Member Server or a Domain Controller
- Local Administrator to install AADSync
- Azure AD account with the Global Administrator role
The following components are installed automatically:
- Forefront Identity Manager 2010 R2
- Microsoft SQL Server Express 2012 LocalDB (a light version of SQL Server Express)
- Microsoft Online Services Sign-in Assistant

Network Requirements

- Synchronization with Office 365 occurs securely over HTTPS, port 443
- Internal network communication will use typical Active Directory related ports

Hardware Recommendations and Directory Service Quota

Number of objects in Active Directory   CPU       Memory   Hard disk size
Fewer than 10,000                       1.6 GHz   4 GB     70 GB
10,000 - 50,000                         1.6 GHz   4 GB     70 GB
50,000 - 100,000                        1.6 GHz   16 GB    100 GB
100,000 - 300,000                       1.6 GHz   32 GB    300 GB
300,000 - 600,000                       1.6 GHz   32 GB    450 GB
More than 600,000                       1.6 GHz   32 GB    500 GB

Note: SQL Server Express has a 10 GB size limit that enables you to manage approximately 100,000 objects.

Directory Service Object Quota

The default directory service quota is calculated according to the following guidelines:
- If you don't have any verified domains, the current directory service quota in Windows Azure AD is 50,000 objects
- If you have at least one verified domain, the default directory service quota in Windows Azure AD is 300,000 objects
What happens when the quota is exceeded?
- 016: Synchronization has been stopped. This company has exceeded the number of objects that can be synchronized. Contact Microsoft Online Services Support.

Azure AD Connect Credentials and Permissions

Express Setup: requires more privileges in order to set up more easily, without requiring you to create users or configure permissions separately.

Credentials collected during Express Setup:

Wizard page: Connect to Azure AD
  Credentials collected: Azure AD directory credentials
  Permissions required: Global administrator role in Azure AD
  Used for:
    - Enabling sync in the Azure AD directory.
    - Creation of the Azure AD account that will be used for on-going sync operations in Azure AD.

Wizard page: Connect to AD DS
  Credentials collected: On-premises Active Directory credentials
  Permissions required: Member of the Enterprise Admins (EA) group in Active Directory
  Used for: Used as the local AD Connector account, that is, the account that reads and writes the directory information for synchronization.

Wizard page: N/A
  Credentials collected: Logon credentials of the user running the wizard
  Permissions required: Administrator of the local server
  Used for: The wizard creates the AD account that will be used as the sync service logon account on the local machine.

Custom setup: offers more choices and options, but has situations where you need to ensure you have the correct permissions yourself.

Summary of the Accounts that are Created by Azure AD Connect

Account created: Azure AD account for sync
  Permissions assigned: Dedicated Directory Synchronization Role
  Used for: On-going sync operations (Azure AD MA account)

Account created: Express Settings: AD account used for sync
  Permissions assigned: Read/write permissions on the directory as required for sync + password sync
  Used for: On-going sync operations (Azure AD MA account)

Account created: Express Settings: sync service logon account
  Permissions assigned: Logon credentials of the user running the wizard
  Used for: Sync service logon account

Account created: Custom Settings: sync service logon account
  Permissions assigned: NA
  Used for: Sync service logon account

Account created: AD FS: GMSA account (aadcsvc$)
  Permissions assigned: Domain user
  Used for: FS service logon account

Objects that Synchronize

The Azure AD Connect tool synchronizes the following objects:
- All Active Directory users
  - Synchronized as logon-enabled users, though with no license assigned
  - Mailbox-enabled users are synchronized as mail-enabled users
- Mail-enabled contacts
- Mail-enabled groups
The Azure AD Connect tool does not synchronize:
- Built-in administrative user accounts
- Built-in administrative groups
- Exchange System Mailbox accounts
- Dynamic Distribution Groups
- Mail-enabled Public Folder objects

Objects that Do Not Synchronize

Contact objects:
- DisplayName contains "MSOL" AND msExchHideFromAddressLists = TRUE
- mailNickName starts with "CAS_" AND mailNickName contains "{"

SecurityEnabledGroup objects:
- isCriticalSystemObject = TRUE
- mail is present AND displayName is not present
- Group has more than 15,000 immediate members

MailEnabledGroup objects:
- DisplayName is empty
- (ProxyAddress doesn't have a primary SMTP address) AND (mail attribute isn't present/invalid, i.e. indexof('@') <= 0)
- Group has more than 15,000 immediate members
- Object is a conflict object (DN contains \0CNF:)

User objects:
- mailNickName starts with "SystemMailbox{"
- mailNickName starts with "CAS_" AND mailNickName contains "{"
- sAMAccountName starts with "CAS_" AND sAMAccountName has "}"
- sAMAccountName equals "SUPPORT_388945a0"
- sAMAccountName equals "MSOL_AD_Sync"
- sAMAccountName is not present
- isCriticalSystemObject is not present
- msExchRecipientTypeDetails == 0x1000 OR 0x2000 OR 0x4000 OR 0x400000 OR 0x800000 OR 0x1000000 OR 0x20000000
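As an added illustration (this is not code from the training deck or from Azure AD Connect itself), the user-object exclusion rules above expressed as a checker that runs over exported AD attributes. The attribute names and rule values come from the slide; the dict layout of an exported object and the sample users are assumptions, and the sample data is constructed.

```python
# Values of msExchRecipientTypeDetails that exclude a user, as listed on the
# slide (the slide compares with ==, so a plain membership test is used).
EXCLUDED_RECIPIENT_TYPE_DETAILS = {
    0x1000, 0x2000, 0x4000, 0x400000, 0x800000, 0x1000000, 0x20000000,
}
# sAMAccountName values the slide excludes outright.
EXCLUDED_SAM_ACCOUNT_NAMES = {"SUPPORT_388945a0", "MSOL_AD_Sync"}


def _as_int(value):
    """Accept ints or strings such as '0x20000000' / '536870912' from an export."""
    if isinstance(value, str):
        return int(value, 0)
    return int(value)


def user_exclusion_reason(attrs):
    """Return the first slide rule that excludes this user from sync, or None.

    attrs: dict of AD attribute name -> value (assumed export layout);
    an attribute that is missing from the dict counts as 'not present'.
    """
    dn = attrs.get("distinguishedName") or ""
    nick = attrs.get("mailNickName") or ""
    sam = attrs.get("sAMAccountName")
    rtd = attrs.get("msExchRecipientTypeDetails")

    # Conflict marker string exactly as written on the slide.
    if "\\0CNF:" in dn:
        return "conflict object (DN contains \\0CNF:)"
    if nick.startswith("SystemMailbox{"):
        return 'mailNickName starts with "SystemMailbox{"'
    if nick.startswith("CAS_") and "{" in nick:
        return 'mailNickName starts with "CAS_" and contains "{"'
    if sam is not None and sam.startswith("CAS_") and "}" in sam:
        return 'sAMAccountName starts with "CAS_" and contains "}"'
    if sam in EXCLUDED_SAM_ACCOUNT_NAMES:
        return "sAMAccountName is %s" % sam
    if sam is None:
        return "sAMAccountName is not present"
    # The slide states the rule this way; keep it as stated.
    if attrs.get("isCriticalSystemObject") is None:
        return "isCriticalSystemObject is not present"
    if rtd is not None and _as_int(rtd) in EXCLUDED_RECIPIENT_TYPE_DETAILS:
        return "msExchRecipientTypeDetails is 0x%X" % _as_int(rtd)
    return None


def users_to_sync(users):
    """Return the sAMAccountNames that pass every rule, in input order."""
    return [u["sAMAccountName"] for u in users if user_exclusion_reason(u) is None]


# Constructed sample export: one normal user plus three objects the rules skip.
SAMPLE_USERS = [
    {"distinguishedName": "CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local",
     "sAMAccountName": "vhanson", "mailNickName": "vhanson",
     "isCriticalSystemObject": False, "msExchRecipientTypeDetails": 1},
    {"distinguishedName": "CN=MSOL_AD_Sync,CN=Users,DC=contoso,DC=local",
     "sAMAccountName": "MSOL_AD_Sync", "isCriticalSystemObject": False},
    {"distinguishedName": "CN=DiscoverySearchMailbox,CN=Users,DC=contoso,DC=local",
     "sAMAccountName": "discovery", "mailNickName": "DiscoverySearchMailbox",
     "isCriticalSystemObject": False, "msExchRecipientTypeDetails": "0x20000000"},
    {"distinguishedName": "CN=Old User\\0CNF:1234,OU=Cloud Objects,DC=contoso,DC=local",
     "sAMAccountName": "olduser", "isCriticalSystemObject": False},
]

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(user["sAMAccountName"], "->", user_exclusion_reason(user) or "will sync")
```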

Mandatory Attributes

Objects must contain values in the following core attributes to be considered for synchronization to Office 365 by Azure AD Connect:
- cn
- member (applies only to groups)
- samAccountName (applies only to users)
- alias (applies only to groups and contacts)
- displayName (for groups with a mail or proxyAddresses attribute populated)

DirSync and Account Status

Active Directory: Mailbox Enabled Account
  DirSync action: Create Account
  Office 365: Creates a mail-enabled user.
    * Assigning a license will not create a mailbox, as the msExchMailboxGUID attribute is populated on-premises

Active Directory: Non-Mail Enabled Account
  DirSync action: Create Account
  Office 365: Creates a user.
    * Assigning a license will create a mailbox

Active Directory: Modify Account
  DirSync action: Make changes to an existing account
  Office 365: Update changes

Active Directory: Delete Account
  DirSync action: Delete account
  Office 365: Delete account and mailbox, and license removed

Active Directory: Disabled account
  DirSync action: Disable account
  Office 365: Sign-in blocked but still retains a license and mailbox

High Level Architecture Overview

[Diagram: identity flow from on-premises, across the identity bridge, into the Microsoft cloud and on to SaaS apps]
- ON-PREM: AD DS, HR, Other Apps
- IDENTITY BRIDGE: AAD Sync, or AAD Connect, or DirSync, or FIM w/ Connector, or MIM 2016 (Identity Manager)
- MICROSOFT CLOUD: Azure Active Directory (AAD), Admin Web Service (AWS), Cloud Sync Fabric, Tenant forests for EXO, LYO, SPO, etc.
- SAAS APPS: Google, Box, Salesforce, Others

Core AAD Connect Concepts

UserPrincipalName:
- Used to sign in to the cloud services
- Recommended to be the same as the user's primary SMTP address
- Needs to use a domain suffix that is registered and verified in the tenant
- Critical for successful single sign-on using AD FS
- If missing, is constructed as: sAMAccountName + @ + Microsoft Online Default Domain (e.g. user@contoso.onmicrosoft.com)
SourceAnchor:
- Used as the immutable identifier for any given object that is synchronized between on-premises and Office 365
- Base64-encoded value generated from the on-premises AD object's ObjectGUID
- Providing the AD object is never deleted, the ObjectGUID will never change
- SourceAnchor is the DirSync term and ImmutableID is the ADFS term

Source of Authority

- Refers to the location where Active Directory objects are mastered (on-premises or Office 365)
- Activating directory synchronization and installing Azure AD Connect makes the on-premises Active Directory the source of authority
- Once enabled, changes to objects replicated to Office 365 can only be made on-premises
- Deactivating directory synchronization transfers the source of authority back to Azure AD

Hard Match vs. Soft Match

For attribute updates, the Admin Web Service must identify what Azure AD object to act upon:

Hard match attempted first:
- Checks to see if the object already exists with the same SourceAnchor value (ObjectGUID) from the on-premises AD

Soft match if no hard match found:
- Authoritatively matches an object in Office 365 with on-premises through a matching ProxyAddresses value
- If a match exists, stamp the ObjectGUID from on-premises as the base64-encoded SourceAnchor attribute in the Azure AD Connect database
- SourceAnchor flows into the Azure Active Directory object's ImmutableID, allowing Source of Authority transfer from Office 365 to on-premises
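An added example (not from the deck or from Azure AD Connect) covering both the SourceAnchor definition on the Core AAD Connect Concepts slide and the hard/soft match procedure above: the base64 encoding of an objectGUID in its on-disk byte order, the inverse used to read anchors out of event logs, and a matcher that tries the anchor first and falls back to a shared proxyAddresses value. The dict layouts of the cloud and on-premises objects, restricting soft match to cloud objects that have no ImmutableID yet, and the sample objects are assumptions.

```python
import base64
import uuid


def guid_to_immutable_id(object_guid):
    """Base64 of the objectGUID's 16 bytes in AD's little-endian (bytes_le) order.
    This is the SourceAnchor value that AAD Connect sets as ImmutableID in Azure AD."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def immutable_id_to_guid(immutable_id):
    """Inverse: recover the on-premises objectGUID from an ImmutableID / event-log anchor."""
    raw = base64.b64decode(immutable_id)
    if len(raw) != 16:
        raise ValueError("ImmutableID does not decode to a 16-byte GUID")
    return str(uuid.UUID(bytes_le=raw))


def _smtp_addresses(proxy_addresses):
    """Lower-cased set of SMTP addresses from a proxyAddresses list (SMTP:/smtp: entries)."""
    return {p[5:].lower() for p in proxy_addresses if p[:5].lower() == "smtp:"}


def find_match(cloud_objects, onprem_user):
    """Locate the Azure AD object an on-premises user maps to.

    cloud_objects: list of dicts with 'ImmutableID' (None for cloud-only objects)
    and 'proxyAddresses'. onprem_user: dict with 'objectGUID' and 'proxyAddresses'.
    Returns (kind, cloud_object) with kind 'hard', 'soft' or None. A soft match
    stamps the on-premises anchor onto the cloud object, as the slide describes,
    so that the next cycle hard-matches it.
    """
    anchor = guid_to_immutable_id(onprem_user["objectGUID"])
    # Hard match: an object already carries the same SourceAnchor / ImmutableID.
    for obj in cloud_objects:
        if obj.get("ImmutableID") == anchor:
            return "hard", obj
    # Soft match: a cloud-only object shares a proxyAddresses SMTP value.
    wanted = _smtp_addresses(onprem_user.get("proxyAddresses", []))
    for obj in cloud_objects:
        if obj.get("ImmutableID") is None and wanted & _smtp_addresses(obj.get("proxyAddresses", [])):
            obj["ImmutableID"] = anchor
            return "soft", obj
    return None, None


# Constructed sample data: one cloud-only user and one on-premises user.
SAMPLE_CLOUD = [
    {"UserPrincipalName": "viola@contoso.com", "ImmutableID": None,
     "proxyAddresses": ["SMTP:viola@contoso.com", "smtp:viola@contoso.onmicrosoft.com"]},
]
SAMPLE_ONPREM = {"objectGUID": "00112233-4455-6677-8899-aabbccddeeff",
                 "proxyAddresses": ["SMTP:Viola@contoso.com"]}

if __name__ == "__main__":
    print(find_match(SAMPLE_CLOUD, SAMPLE_ONPREM)[0])  # soft on the first run
    print(find_match(SAMPLE_CLOUD, SAMPLE_ONPREM)[0])  # hard once the anchor is stamped
```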

Sync Overview On-Premises

AAD Connect uses two management agents:
- Active Directory Connector management agent
- Azure Active Directory management agent
AAD Connect stores information in two places:
- Connector Space
- Metaverse
Connector Space:
- Replica of the managed objects in the Active Directory
- Each management agent or connector has its own connector space
Metaverse:
- Aggregate information about a managed object (i.e. User, Group, etc.)
Synchronization data flow:
- User is imported from AD into the Active Directory Connector connector space
- User is projected to the Metaverse
- User is provisioned to the Azure Active Directory Connector space
- User is exported to the Office 365 Admin Web Service

Sync Overview On-Premises (Continued)

Synchronization data flow:
[Diagram: one or more AD DS connector spaces, each fed by its connector, flow through an inbound sync rule into the Metaverse, and through an outbound sync rule into the Azure AD connector space and its connector]

Run Profiles and Steps:
- Full Import
- Delta Import
- Full Synchronization
- Delta Synchronization
- Export

Sync Overview Office 365

Office 365 Admin Web Service receives the object data from AAD Connect
Import from AAD Connect:
- Only specific attributes defined in FIM are synchronized for each object
Validate that changed data is not corrupted at the attribute level:
- Data is normalized using _ for UPN and SamAccountName
- Otherwise, when an update is invalid for an attribute, a rejection email is sent to the tenant contact
If an update is a user Account Creation event:
- Admin Web Service attempts to create an account for the user
- Failure causes a reject email to be sent to the tenant contact

Sync Overview Office 365 (continued)

If an update is an attribute change event:
- Hard-match process to verify the object already exists in Azure AD
- Hard-match failure causes a reject email to the AAD Connect administrator
Ships data to the Azure Active Directory:
- Object creations and hard-matched object updates pushed at the attribute level

Forward and Back Sync

Forward-sync from Azure Active Directory to individual services:
- Each online application in Office 365 has its own directory service
- Once an object is changed in Azure AD, further synchronization daemons that are constantly running parse relevant changes and ship them to these services' directory partitions
- Can cause delay in applications becoming available to newly commissioned accounts/users

Forward and Back Sync (continued)

Back-Sync/Write-Back:
- There are certain attributes for the Exchange Online (ExO) service that require reverse propagation to the on-premises environment for Exchange co-existence features to work
- Back-Sync: Data is changed in the ExO partition and then synced back to Azure AD using daemons similar to those used for Forward-sync
- Write-back: Data is shipped from Azure AD, back through Admin Web Service, to the AAD Connect service using bi-directional FIM functionality
- AAD Connect updates the local AD objects with these updated attributes

Write Back Attributes

Attributes that are written back to the on-premises Active Directory from Azure Active Directory in an Exchange Hybrid deployment scenario:

Write-back attribute: msExchArchiveStatus
  Exchange "full fidelity" feature: Online Archive: Enables customers to archive mail.

Write-back attribute: msExchUCVoiceMailSettings
  Exchange "full fidelity" feature: Enable Unified Messaging (UM) Online voice mail: This attribute is used only for UM-Microsoft Lync Server integration to indicate to Lync Server on-premises that the user has voice mail in online services.

Write-back attribute: msExchUserHoldPolicies
  Exchange "full fidelity" feature: Litigation Hold: Enables cloud services to determine which users are under Litigation Hold.

Write-back attribute: ProxyAddresses (LegacyExchangeDN as X500)
  Exchange "full fidelity" feature: Enable Mailbox: Offboards an online mailbox back to on-premises Exchange.

Write-back attributes: msExchSafeSendersHash, msExchBlockedSendersHash, msExchSafeRecipientsHash
  Exchange "full fidelity" feature: Filtering: Writes back on-premises filtering and online safe and blocked sender data from clients.

Microsoft Online Default Routing Domain

- The Microsoft Online Default Routing Domain is constructed from the tenant name (contoso.onmicrosoft.com)
- All Office 365 users receive this domain as an email address in a non-hybrid scenario
- This special email address is inextricably linked to each Exchange Online recipient
- The domain cannot be managed, changed, or deleted
- The email address can be overridden as the primary SMTP address by using the attributes in the on-premises Active Directory user object, but will always remain as a user's secondary SMTP address

AAD Connect and SMTP Addresses

Active Directory attribute   Active Directory value         Office 365 value
proxyAddresses               SMTP:john@contoso.com          SMTP:john@contoso.com
                                                            smtp:john@contoso.onmicrosoft.com
proxyAddresses               smtp:john@contoso.com          SMTP:john@contoso.onmicrosoft.com
                                                            smtp:john@contoso.com
proxyAddresses               SMTP:john@contoso.com          SMTP:john@contoso.com
                             smtp:john@apac.contoso.com     smtp:john@apac.contoso.com
                                                            smtp:john@contoso.onmicrosoft.com
mail                         john@contoso.com               SMTP:john@contoso.com
                                                            smtp:john@contoso.onmicrosoft.com
UserPrincipalName            john@contoso.com               SMTP:john@contoso.com
                                                            smtp:john@contoso.onmicrosoft.com
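An added example (not from the deck or from Azure AD Connect) that reproduces the table above as a function, with the checks a practitioner wants before a first sync: more than one "SMTP:" primary is rejected, and a second function reports SMTP addresses shared by more than one user, the duplicate-proxyAddresses problem the Troubleshooting slide later mentions. Taking the local part of the routing address from the first SMTP address, the tenant name contoso.onmicrosoft.com from the slides, and the sample users are assumptions.

```python
DEFAULT_ROUTING_DOMAIN = "contoso.onmicrosoft.com"  # tenant name used on the slides


def office365_proxy_addresses(attrs, routing_domain=DEFAULT_ROUTING_DOMAIN):
    """Derive the Office 365 proxyAddresses for a user from its AD attributes.

    Follows the table: proxyAddresses wins; otherwise mail, then
    userPrincipalName, is promoted to the primary SMTP address. The routing
    address is appended as secondary (lower-case smtp:), or becomes the primary
    (upper-case SMTP:) when AD has no primary. Its local part is taken from the
    first SMTP address (assumption; the deck does not say where it comes from).
    """
    proxies = list(attrs.get("proxyAddresses") or [])
    if not proxies:
        source = attrs.get("mail") or attrs.get("userPrincipalName")
        if not source:
            raise ValueError("no proxyAddresses, mail or userPrincipalName to derive from")
        proxies = ["SMTP:" + source]

    primaries = [p for p in proxies if p.startswith("SMTP:")]
    if len(primaries) > 1:
        raise ValueError("more than one primary SMTP address: %s" % primaries)
    smtp_entries = [p for p in proxies if p[:5].lower() == "smtp:"]
    if not smtp_entries:
        raise ValueError("proxyAddresses has no SMTP entries")

    local_part = (primaries or smtp_entries)[0][5:].split("@", 1)[0].lower()
    routing = "%s@%s" % (local_part, routing_domain)

    if any(p[5:].lower() == routing for p in smtp_entries):
        return proxies  # routing address already present, nothing to add
    if primaries:
        return proxies + ["smtp:" + routing]
    return ["SMTP:" + routing] + proxies


def duplicate_smtp_addresses(users):
    """Map each SMTP address (case-insensitive) carried by more than one user to
    the sAMAccountNames that carry it. A non-empty result means the export to
    Office 365 will reject objects until the duplicates are cleaned up."""
    owners = {}
    for user in users:
        for proxy in office365_proxy_addresses(user):
            if proxy[:5].lower() == "smtp:":
                owners.setdefault(proxy[5:].lower(), []).append(user["sAMAccountName"])
    return {addr: names for addr, names in owners.items() if len(names) > 1}


# Constructed sample users: the second one collides with the first.
SAMPLE_USERS = [
    {"sAMAccountName": "john", "proxyAddresses": ["SMTP:john@contoso.com"]},
    {"sAMAccountName": "john2", "mail": "john@contoso.com"},
    {"sAMAccountName": "jane", "userPrincipalName": "jane@contoso.com"},
]

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(user["sAMAccountName"], office365_proxy_addresses(user))
    print("duplicates:", duplicate_smtp_addresses(SAMPLE_USERS))
```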

AAD Connect Process

1. Prepare the on-premises Active Directory
   - Account and attribute clean-up (IdFix)
   - UPN of users matches the federated domain (if using ADFS)
2. Create and verify your custom domain(s)
3. Set up Identity Federation (if applicable)
4. Enable Directory Synchronization in the Portal or via PowerShell: Set-MSOLDirSyncEnabled -EnableDirSync $True
5. Download and run Directory Synchronization
6. Verify the synchronization was successful
7. Activate users by assigning them a license in the Portal or via PowerShell

Estimating Synchronization Time

* Actual times may vary depending on activity and environmental factors such as available bandwidth, object count and throttling by the service

Password Sync Overview

- Password Synchronization is the process of copying a customer's on-premises password hash to Azure Active Directory
- Allows the customer to use their on-premises password to sign in to Office 365
- Password Synchronization does not replace Identity Federation
- Changes to on-premises passwords are synced to the cloud in minutes
- If a user who is currently signed in to a cloud service with their old password changes their password in the on-premises AD, their current cloud service session will continue uninterrupted

Are Passwords Safe?

- The Password Sync tool, Azure AD, and all associated services never see or store the on-premises user's plain text password
- A digest of the Windows Active Directory password hash is used for transmission between the on-premises AD and Azure Active Directory
- To authenticate a user, the password presented by the user is hashed and compared with the stored hash
- The digest of the password hash cannot be used to access resources in the customer's on-premises environment

Password Sync Limitations

Password Sync and Federated Identities:
- Customers cannot have both Password Synchronization and Federated authentication configured for the same domain (namespace)
- The Password Sync feature will not synchronize passwords for users with Federated Identities
- Customers must manually remove/disable federation from individual accounts, making them managed accounts, before they can utilize Password Synchronization
Password Complexity Policy:
- Password Synchronization requires all on-premises synchronized users to follow the on-premises Active Directory password policy
- Users managed in the cloud remain with cloud-defined password policies
- Password Synchronization sets the cloud password for all on-premises synchronized users to Never Expire

How does Password Hash Sync work?

- Azure AD Connect monitors the pwdLastSet user attribute to identify password change events, such as resets
- It then extracts the user's password hash from the on-premises Active Directory, hashes it, and sends it to Azure AD
- The synchronization process is similar to that of objects, with the difference that passwords are synchronized in minutes, rather than the default three (3) hours for objects
- Password hashes are synced in batches of up to 50 users per batch
- Passwords are never sent to Azure AD nor stored in AAD in clear text
- Password hash sync can be used together with password write-back to enable self-service password reset (Azure AD Premium license needed)

Enable Password Hash Synchronization

Select Enable Password Synchronization in the configuration wizard of AAD Connect.

Password Hash Sync versus SSO

Password Write Back

Monitoring Password Synchronization Using the Event Logs

Event ID: 650
  Description: Provision credentials batch start. Count: 1
  Cause: Password synchronization starts retrieving updated passwords from the on-premises AD DS.

Event ID: 651
  Description: Provision credentials batch end. Count: 1
  Cause: Password synchronization finishes retrieving updated passwords from the on-premises AD DS.

Event ID: 653
  Description: Provision credentials ping start.
  Cause: Password synchronization starts informing Azure AD that there are no passwords to be synced. This occurs every 30 minutes if no passwords have been updated in the on-premises AD DS.

Event ID: 654
  Description: Provision credentials ping end.
  Cause: Password synchronization finishes informing Azure AD that there are no passwords to be synced. This occurs every 30 minutes if no passwords were updated in the on-premises AD DS.

Event ID: 656
  Description: Password Change Request - Anchor : H552hI9GwEykZwof74JeOQ==, Dn : CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local, Change Date : 05/01/2013 16:34:08
  Cause: Password synchronization indicates that a password change was detected and tries to sync it to Azure AD. This identifies the user or users whose password changed and will be synced. Each batch contains at least one user and at most 50 users.

Event ID: 657
  Description: Password Change Result - Anchor: eX5b50Rf+UizRIMe2CA/tg==, Dn : CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local, Result : Success.
  Cause: User or users whose password was successfully synced.
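An added monitoring example (not from the deck or from Azure AD Connect): a parser for the event messages above that pairs each 656 password change request with its 657 result by anchor, so that requests that never got a successful result stand out. The "EventID<TAB>Message" export format and the sample log are constructed assumptions; the field labels and the Viola Hanson anchor come from the slide.

```python
import re

# Field patterns for the 656 / 657 message formats shown on the slide.
_ANCHOR_RE = re.compile(r"Anchor\s*:\s*([A-Za-z0-9+/=]+)")
# A DN contains commas, so stop only at the ', Change Date :' / ', Result :' that follows it.
_DN_RE = re.compile(r"Dn\s*:\s*(.+?),\s*(?:Change Date|Result)\s*:")
_DATE_RE = re.compile(r"Change Date\s*:\s*(\S+ \S+)")
_RESULT_RE = re.compile(r"Result\s*:\s*([A-Za-z]+)")


def parse_event(line):
    """Split one exported line 'EventID<TAB>Message' into a dict of its fields."""
    event_id, _, message = line.partition("\t")
    event = {"id": int(event_id), "message": message}
    for key, pattern in (("anchor", _ANCHOR_RE), ("dn", _DN_RE),
                         ("change_date", _DATE_RE), ("result", _RESULT_RE)):
        match = pattern.search(message)
        if match:
            event[key] = match.group(1)
    return event


def summarize_password_sync(lines):
    """Count batches and pings and reconcile change requests against results.

    'unanswered' lists anchors with a 656 request but no 657 result, and
    'failed' lists (anchor, result) pairs whose result was not Success.
    """
    summary = {"batches_started": 0, "batches_finished": 0, "pings": 0,
               "requested": {}, "succeeded": [], "failed": [], "unanswered": []}
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        if event["id"] == 650:
            summary["batches_started"] += 1
        elif event["id"] == 651:
            summary["batches_finished"] += 1
        elif event["id"] == 653:  # ping start; 654 is the matching end
            summary["pings"] += 1
        elif event["id"] == 656:
            summary["requested"][event["anchor"]] = event.get("dn", "")
        elif event["id"] == 657:
            if event.get("result") == "Success":
                summary["succeeded"].append(event["anchor"])
            else:
                summary["failed"].append((event["anchor"], event.get("result")))
    answered = set(summary["succeeded"]) | {anchor for anchor, _ in summary["failed"]}
    summary["unanswered"] = [a for a in summary["requested"] if a not in answered]
    return summary


# Constructed sample export: one batch with two requests, only one of them answered.
SAMPLE_EVENTS = """\
650\tProvision credentials batch start. Count: 1
656\tPassword Change Request - Anchor : H552hI9GwEykZwof74JeOQ==, Dn : CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local, Change Date : 05/01/2013 16:34:08
657\tPassword Change Result - Anchor: H552hI9GwEykZwof74JeOQ==, Dn : CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local, Result : Success.
656\tPassword Change Request - Anchor : MyIRAFVEd2aImaq7zN3u/w==, Dn : CN=Test User,OU=Cloud Objects,DC=contoso,DC=local, Change Date : 05/01/2013 16:35:10
651\tProvision credentials batch end. Count: 1
653\tProvision credentials ping start.
654\tProvision credentials ping end.
"""

if __name__ == "__main__":
    result = summarize_password_sync(SAMPLE_EVENTS.splitlines())
    for anchor in result["unanswered"]:
        print("no result yet for", result["requested"][anchor])
```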

Forcing Full Password Sync

To trigger a full Password Sync to re-synchronize all user passwords:
- Import the PowerShell module by running Import-Module AdSync
- Run Get-ADSyncConnector | FL Name to get the connectors' names
- Disable password sync by running the cmdlet
  Set-ADSyncAADPasswordSyncConfiguration -SourceConnector <OnPremADDomain> -TargetConnector <AzureADDomain> -Enable $false
- Re-enable password sync by running the cmdlet
  Set-ADSyncAADPasswordSyncConfiguration -SourceConnector <OnPremADDomain> -TargetConnector <AzureADDomain> -Enable $true

Forcing Delta Objects Sync

DirSync is scheduled to perform delta syncs once every three hours:
- You can force an immediate synchronization rather than wait 3 hours
- For example, for employee terminations, or bulk attribute changes
To force object synchronization:
- Open the Command Prompt
- Navigate to the folder C:\Program Files\Microsoft Azure AD Sync\Bin
- Then run DirectorySyncClientCmd.exe Delta to trigger a delta DirSync

Verifying and Monitoring DirSync

You can verify if DirSync has performed a successful sync by:
- Looking for Event ID 104 in the Application event logs
- Running Get-MSOLCompanyInformation and checking the LastDirSyncTime value
- Checking the emails sent to the technical contact of the tenant
- Using miisclient.exe to view the status of the last sync cycle

Throttling Sync

- Throughput is shared across tenants at the Admin Web Service layer (throttled per directory partition)
- The DirSync client automatically handles throttling and retries again
- Error Code 81 Server Busy gets logged in the event logs when DirSync has been throttled
- Throttling can lead to variable sync times, especially for a first full sync cycle after installation

DirSync and Deletes

- Objects owned by DirSync cannot be edited directly in the portal, but they can be deleted via PowerShell directly in the Office 365 tenant
- Remove-MSOLUser/Contact/Group will allow you to delete an object that is owned by DirSync
- Deleted objects get moved to a Recycle Bin in the tenant
  - To view contents run Get-MSOLUser -ReturnDeletedUsers
  - Purge the Recycle Bin using Remove-MSOLUser -RemoveFromRecycleBin
- If the object still exists on-premises, it will be recreated on the next sync cycle
- If deleted on-premises, the object needs to be restored from on-premises
  - Use the AD Recycle Bin (requires W2K8 R2 Forest Functional Level)
  - Or AD authoritative restore of the deleted object(s)

Accidental Deletes

Scenario:
- On-premises AD Admin accidentally deletes a user object in AD (Oops)
- DirSync propagates the delete to the cloud
- User object is deleted in the cloud (mailbox lost)
- What do you do now?

Accidental Deletes (continued)

Manual recovery:
- Admin identifies the object to be recovered on-premises and uses the recycle bin feature or an authoritative restore of the object
Via AAD Connect:
- When the admin restores the user object in AD, the object is automatically recovered by AAD Connect, the mailbox is also recovered, etc.
- Recovery is dependent on keeping the same SourceAnchor value
- A new SourceAnchor value with the same attribute values will not recover the user object in Office 365 and instead will create a new user

Filtering What Objects Sync

DirSync filtering is now supported; tread carefully.
You can sync based on:
- Domain
- OU
- Attribute based
Useful for filtering out service accounts and protected objects
- Incorrect filtering can mass delete objects (and their mailboxes) from Azure Active Directory
- Filtering configuration is lost if you reinstall or upgrade the DirSync tool
Configure filtering for directory synchronization:
http://technet.microsoft.com/en-us/library/jj710171.aspx

Attribute Based Filtering

Follow-along example of attribute-based filtering:
1) Open Synchronization Rules Editor
2) Rule Types: Inbound; select "In from AD - User Join"
3) Click Edit
4) Go to Scoping Filter
5) Any users that match the query will sync

Troubleshooting

- Use the MIISClient UI to monitor export errors and track down objects
- Use the DirSync error mail notifications from Office 365
- Search for duplicate proxyAddresses against Exchange Online by running Get-Recipient <allegedduplicateaddress>
- Use the IdFix tool to identify and fix problem objects or attributes in the on-premises Active Directory
- The best approach is to make sure the AD objects are as clean as possible before implementing Azure AD Connect

Key Deployment Considerations

- Complete Active Directory cleanup work before implementing DirSync
- Understand how soft match works
- Consider Exchange schema extensions for non-Exchange AD environments
- Verify on-premises user objects have a value (not null) for the UPN suffix and that it is correct
  - The default routing domain (e.g. contoso.onmicrosoft.com) is used for the Office 365 UPN suffix if the on-premises UPN suffix does not contain a publicly routable DNS domain (i.e. cannot use *.local)
- Verified domains
  - Add all SMTP domains as verified domains before synchronizing

Lab: Activate, Install and Configure Azure AD Connect Tool

Module Review

- What objects does the Azure AD Connect tool synchronize?
- What port does Azure AD Connect use to synchronize with Office 365?
- How can you force directory synchronization to run?

Module Review (Answers)

- What objects does the Azure AD Connect tool synchronize?
  Answer: Users, contacts, and groups
- What port does Azure AD Connect use to synchronize with Office 365?
  Answer: HTTPS 443
- How can you force directory synchronization to run?
  Answer 1: Run DirectorySyncClientCmd.exe Delta from the Command Prompt. OR Answer 2: Open Task Scheduler, right-click the Azure AD Sync scheduled task and run it

Module Summary

In this lesson, you learned:
- The on-premises requirements and preparation required to run directory synchronization
- How the Azure AD Connect tool synchronizes objects and simplifies user provisioning and administration of objects

2013
2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks
in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of
this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and
Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR
STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
