

Microsoft Office 365: Directory


Jono Luk
Program Manager II
What we'll talk about
What is Directory Sync?
Who did we build Directory Sync for?
What does Directory Sync do for you & your users
When to use Directory Sync

Using Directory Sync

How Directory Sync works
Common asks
Coming features
Who did we build Directory Sync for

Any customer that wants to use and unlock power of Office

Office 365 Enterprise subscribers

From smallest (10 objects) to largest (1M objects)

What does Directory Sync do for you
Enables you to manage your company's information in one
central location for both on-premise intranet and Office 365

Runs as an appliance
Install and forget

Proactively reports errors via email

No news is good news
What does Directory Synchronization do for users

Seamless user experience across on-premise and Office 365 services (Exchange, Lync, SharePoint)

Flavors of Co-Existence
Identity Co-Existence (aka Single Sign-On, Federated Identity,
Federated Authentication)
Application Co-Existence
What does Directory Synchronization do for users
Identity Co-Existence
Facilitates Single Sign-On Experience

For users: Single set of credentials to manage

On-premise users, security groups, distribution lists, contacts are available in the cloud
Complete Address Books in Exchange Online
SharePoint Online ACLing via Security Groups

Users, contacts, groups can be created directly in Office 365, or sync'd from on-premise!
What does Directory Synchronization do for users
Application Co-Existence
2 types:

Simple Co-Existence:
Full, consistent Address Book available across all O365 services

Exchange Online users can receive mail at any of their (valid) on-premise Proxy Addresses

Conf Room support (Outlook Room Finder)

What does Directory Synchronization do for users
Application Co-Existence
Rich Co-Existence:
Hybrid Deployments
Staged migrations
Keep data on-premise for various business or legal requirements

Free/Busy available to users on-premise and in cloud

What does Directory Synchronization do for users
Application Co-Existence
Rich Co-Existence (cont)
Cross-Premise Services
Customers with on-premise mailbox can have voicemail in cloud
Cloud Archiving
Filtering Co-Existence (safe senders, blocked senders)
When to use Directory Synchronization
Directory Synchronization is a long-term commitment

Common Scenarios:
Scenario                                                 Use Directory Synchronization?
Initial on-boarding/bulk Provisioning of users only*     No
Identity Federation                                      Yes
Long-term migration/adoption of Office 365 Services      Yes
Partial adoption/migration to Office 365 Services        Yes
Setting up Directory Sync - Requirements
3 types of requirements:

1. Host OS that runs Directory Sync

32-bit ONLY
Microsoft Windows Server 2003 SP2 x86
Microsoft Windows Server 2008 x86

Cannot be Domain Controller

2. Active Directory Forest functional level sync'd by Directory Sync

Microsoft Windows Server 2000
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
NOTE: known incompatibility with Recycle Bin feature
Setting up Directory Sync - Requirements
3. Rich Co-Existence
Rich co-existence, need Exchange 2010 SP1 Client Access Server (CAS) Free
Installs schema extensions required to support Rich Co-
Demo: Microsoft Online Directory Sync Setup

How Directory Synchronization works

[Architecture diagram: Directory Sync in the Customer Network syncing to the Office 365 Datacenter (Microsoft Online ID, Office 365 FEs, O365 Directory, Office Sub)]

How Directory Synchronization works
Architecture - Client
Uses Enterprise Admin credentials at configuration to create self-managed account for sync purposes:
Attribute-level write permissions for Rich Co-Existence

Uses managed account with Global Administrator privileges for Tenant

Authenticates to O365 via Microsoft Online ID

Syncs all users, contacts and groups from your (single) AD forest
Queries AD DirSync control for changes
Filters out well-known objects and attributes patterns

Syncs every 3 hours

How Directory Synchronization works
Architecture - Client
First sync run: full sync (start-up, syncs all objects)

Subsequent runs: delta sync (changes only)

Time required depends on data size/complexity

How Directory Synchronization works
Architecture - Client
Microsoft Windows Server 2003 SP2 or higher (32-bit)

SQL Server 2008 R2 Express

Should use full Microsoft SQL Server 2005 / 2008 for larger customers
10GB DB size limit

Microsoft Online ID components for Authentication to Office 365

Available for download in 23 languages

How Directory Synchronization works
Architecture - Server
Syncs objects in batches

Users provisioned into Microsoft Online ID for login to Office 365

All objects provisioned into Office 365 Directory Store

Objects flow into services based on subscription (Exchange Online, Lync Online, SharePoint Online)
How Directory Synchronization works
Architecture - Sync Object Limits
All customers initially subject to 10,000 object limit
objects = users, security groups, distribution lists, contacts
Will receive email; contact support to increase object limit

Larger customers (20,000+ users) sign up for special subscription
Work with your MS account reps for more details!
How Directory Synchronization works
Attribute Validation
As batches of objects processed by Office 365, objects are

First-in-wins conflict-resolution
If key attributes are duplicated, second object receives errors
How Directory Synchronization works
Attribute Validation
ProxyAddresses sanitization
Proxy addresses with non-registered domains are stripped

UPN Validation
If UPN uses a non-registered domain, it will be replaced with:
mailNickName@domain.onmicrosoft.com
(where domain is the primary domain the customer registered at sign-up)

How Directory Synchronization works
Attribute Validations
Attribute            Most common issues
userPrincipalName    cannot have dot . immediately preceding @
                     cannot exceed 113 chars (64 for username, 48 for domain)
                     cannot contain ! # $ % & \ * + - / = ? ^ _ ` { | } ~ < > ( )
                     cannot have duplicate UPNs
sAMAccountName       cannot contain \ / [ ] : | < > + = ; ? ,
                     cannot end with dot .
                     cannot be more than 20 chars
                     cannot be empty
proxyAddresses       cannot contain smtp addresses with domains that are not registered for the tenant
                     cannot have duplicate proxy addresses

All errors are reported to Technical Notification Contact by email!
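An added pre-flight check, not code from this deck or from Microsoft, that applies the rules in the table above to on-premise records before they reach Directory Sync; the tenant's registered domains (contoso.com) and primary domain are constructed assumptions, as are the sample values:

```python
# Added example, not Microsoft's code: applies the attribute validation rules
# on this slide to on-premise objects before Directory Sync submits them.
# REGISTERED_DOMAINS and PRIMARY_DOMAIN describe a constructed sample tenant.
REGISTERED_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}
PRIMARY_DOMAIN = "contoso"  # fallback UPNs land in contoso.onmicrosoft.com
UPN_FORBIDDEN = set("!#$%&\\*+-/=?^_`{|}~<>()")
SAM_FORBIDDEN = set("\\/[]:|<>+=;?,")

def _bad_chars(value, forbidden):
    bad = "".join(sorted(set(value) & forbidden))
    return ["forbidden characters: " + bad] if bad else []

def validate_upn(upn):
    """Rule violations for one userPrincipalName (empty list means it passes)."""
    user, sep, domain = upn.partition("@")
    if not sep:
        return ["no @ in UPN"]
    errs = []
    if user.endswith("."):
        errs.append("dot immediately preceding @")
    if len(user) > 64 or len(domain) > 48 or len(upn) > 113:
        errs.append("exceeds 64 (user) / 48 (domain) / 113 (total) chars")
    # The slide lists the characters but not the part; checked on the user part here.
    return errs + _bad_chars(user, UPN_FORBIDDEN)

def validate_sam(sam):
    """Rule violations for one sAMAccountName."""
    if not sam:
        return ["empty"]
    errs = []
    if len(sam) > 20:
        errs.append("more than 20 chars")
    if sam.endswith("."):
        errs.append("ends with dot")
    return errs + _bad_chars(sam, SAM_FORBIDDEN)

def effective_upn(upn, mail_nickname):
    """UPN as the cloud stores it: unregistered domain -> mailNickName@<primary>.onmicrosoft.com."""
    if upn.rpartition("@")[2].lower() in REGISTERED_DOMAINS:
        return upn
    return f"{mail_nickname}@{PRIMARY_DOMAIN}.onmicrosoft.com"

def sanitize_proxies(proxies):
    """Strip smtp proxy addresses with unregistered domains; other address types pass through."""
    kept = []
    for proxy in proxies:
        kind, _, addr = proxy.partition(":")
        domain = addr.rpartition("@")[2].lower()
        if kind.lower() == "smtp" and domain not in REGISTERED_DOMAINS:
            continue
        kept.append(proxy)
    return kept
```

Running these checks over an export of the forest before the first full sync surfaces the errors that would otherwise arrive by email to the Technical Notification Contact.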

How Directory Synchronization works
Writing to On-Premise AD
If Rich Co-Existence disabled, Directory Sync will not modify customer's on-prem AD

If Rich Co-Existence enabled, Directory Sync will modify up to 6 attributes on

Attribute                        Feature
SafeSendersHash                  Filtering Coexistence: enables on-premise filtering using cloud
BlockedSendersHash               safe/blocked sender info
msExchArchiveStatus              Cloud Archive: allows users to archive mail to the Office 365 service
ProxyAddresses (cloudLegDN)      Mailbox off-boarding: enables off-boarding of mailboxes back to on-premise
cloudmsExchUCVoiceMailSettings   Voicemail Co-Existence: enables on-premise mailbox users to have Lync in the cloud
How Directory Synchronization works
Identifying on-premise and Cloud Objects

Objects in Office 365 uniquely identified by sourceAnchor
Value derived from the ObjectGUID of on-premise objects; set on first sync

Customer can create objects in Office 365 before running Directory Sync
Objects may overlap with on-premise objects!

Sync tries to map objects being sync'd with objects already present in the cloud
Prevent duplicate objects!
How Directory Synchronization works
Matching on-premise and Cloud users

On sync, if no user object in cloud has sourceAnchor value, try and match based on SMTP addresses

If SMTP address match succeeds, sourceAnchor value stamped on object already in cloud, objects are matched

Subsequent sync runs will use sourceAnchor values

Matching for user objects only
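An added model of the matching logic on this slide together with the first-in-wins conflict resolution from the Attribute Validation slide, not Microsoft's code; the cloud store and on-premise records are constructed, and encoding sourceAnchor as base64 of the objectGUID bytes is an assumption:

```python
# Added example, not Microsoft's code: models the sync-time matching this slide
# describes. Cloud store and on-premise records are constructed samples, and
# encoding the sourceAnchor as base64 of the objectGUID bytes is an assumption.
import base64
import uuid

def source_anchor(object_guid):
    """Derive the immutable sourceAnchor from an on-premise objectGUID string."""
    return base64.b64encode(uuid.UUID(object_guid).bytes).decode()

def match_and_provision(cloud, onprem):
    """Process one batch of on-premise objects against the cloud store.
    cloud: {cloud_id: {"smtp": [...], "sourceAnchor": optional}} (mutated in place).
    Returns {sAMAccountName: (outcome, detail)} for every on-premise object."""
    anchors = {c["sourceAnchor"]: cid for cid, c in cloud.items() if "sourceAnchor" in c}
    seen_upn, seen_smtp, outcome = {}, {}, {}
    for obj in onprem:
        errs = []
        # First-in-wins: the first object to claim a key attribute keeps it,
        # every later object carrying the same value is reported as an error.
        if obj["upn"] in seen_upn:
            errs.append(f"duplicate UPN with {seen_upn[obj['upn']]}")
        seen_upn.setdefault(obj["upn"], obj["sam"])
        for addr in obj["smtp"]:
            if addr in seen_smtp:
                errs.append(f"duplicate proxy {addr} with {seen_smtp[addr]}")
            seen_smtp.setdefault(addr, obj["sam"])
        if errs:
            outcome[obj["sam"]] = ("error", errs)
            continue
        anchor = source_anchor(obj["objectGUID"])
        if anchor in anchors:                       # delta runs: anchor already stamped
            outcome[obj["sam"]] = ("update", anchors[anchor])
            continue
        # Soft match, users only: a pre-created cloud user without an anchor that
        # shares an SMTP address is claimed by stamping the anchor on it.
        hit = None
        if obj["type"] == "user":
            hit = next((cid for cid, c in cloud.items() if "sourceAnchor" not in c
                        and set(c["smtp"]) & set(obj["smtp"])), None)
        if hit is None:
            hit = f"cloud:{obj['sam']}"
            cloud[hit] = {"smtp": list(obj["smtp"])}
            outcome[obj["sam"]] = ("created", hit)
        else:
            outcome[obj["sam"]] = ("matched", hit)
        cloud[hit]["sourceAnchor"] = anchor
        anchors[anchor] = hit
    return outcome
```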

How Directory Synchronization works
Synchronization Errors
Synchronization errors are communicated to the IT Generalist via email
Technical Contact is very important to Microsoft Online Directory Sync for communication of sync health, errors, etc.

Administrators must address these errors through on-premise changes
Planning for Directory Synchronization
Things to think about:
1. Do you plan to enable Identity Federation?
Register domains with Office 365
Activate Federation

2. Do you plan to enable Rich Co-existence?

Exchange 2010 SP1 CAS deployed on-premise?

3. Is your Active Directory ready?

Microsoft Online Deployment Guide (
Office 365 Best Practice Analyzer
Common Asks
Not supported
Automated scoping out can lead to data loss (user mailboxes!)
Filter file no longer supported

Highly available Directory Sync

Directory Sync tool not configurable for high availability

NOTE: when Directory Sync tool down, Office 365 data goes stale; Federated Authentication, etc. still works!
Common Asks
Scale & Large customers?
Directory Sync is used for MSFT! (~1M objects)
Customers with 50K+ objects - use full SQL installation
Powershell-based configuration
Coming: 64-bit client
64-bit Directory Sync client releasing soon
Provides W2K8 R2 Recycle Bin object re-animation (not supported in 32-bit Directory Sync client)
Coming: Multi-Forest Support
Fact: Customers may have more than 1 AD Forest containing users, groups and contacts to sync to Office

Fact: Microsoft Online Directory Sync Appliance cannot be configured to sync from multiple Forests

Fact: customers of BPOS v1 have done work to aggregate multiple AD forests into one for sync to BPOS
Coming: Multi-Forest Support
Plan: provide prescriptive guidance for existing BPOS v1
customers to migrate to Office 365

Customers with specific, supported configurations can enable new Office 365 scenarios (Federated Identity, Rich Co-

BPOS v1 outside supported configurations, or new Office 365

Customers must wait until later in 2012 for a comprehensive Office 365 multi-forest solution
Sync'd objects are mastered on-premise
Need to update on-premise object to update cloud object

Stopping Directory Synchronization

Cannot de-activate Directory Synchronization via Microsoft Online Portal
Can turn off Directory Synchronization client
Can't delete users that have been sync'd in unless removed from
Support coming post-General Availability
Removing domains
Can't de-register domain from Office 365 until all users that have attributes with that domain are removed
Demo: Back to Directory Sync
Other Sessions/Resources
SIM320 - Using Active Directory with Microsoft Office 365
Breakout session about Identity Federation & Directory

OSP381-INT - Microsoft Office 365: Identity and Access Solutions - Q&A Follow U
Customer-driven deep dive

Office 365 booth

Appendix Directory Synchronization Features
Core DirSync features supported in V1:
Full shared GAL
Rich messaging (Full format)
Meeting requests
Works over the Internet
Appliance-like setup

New DirSync V2 features (out of the box):

Identity coexistence: identities & security principals are mastered on-premises
Conf room synced as Conf room
Support for identity federation (ADFS)
Support for application coexistence (Mail, OC)
Syncs security groups (SharePoint security)
Syncs additional on-premise data (e.g., photos), enabling richer experience
Proxies for contacts and mail-enabled users are respected (unchanged)
Support for Rich Coexistence features

New DirSync V2 features (optional)

Free/Busy coexistence (w/ Exchange Server 2010 CAS server on premise)
Supports additional Rich Coexistence with Exchange Server 2010 (Cloud Archive, Filtering Coexistence, Delegation)
** DirSync does not require Exchange to exist on premises **

2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment
on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.