
OSP325

Microsoft Office 365: Directory Synchronization

Jono Luk
Program Manager II
Microsoft
What we'll talk about
What is Directory Sync?
Who did we build Directory Sync for?
What does Directory Sync do for you & your users
When to use Directory Sync
Using Directory Sync
  Requirements
  How Directory Sync works
  Common asks
  Coming features
  Gotchas
Who did we build Directory Sync for
You!
Any customer that wants to use and unlock the power of Office 365
Office 365 Enterprise subscribers
From the smallest (10 objects) to the largest (1M objects) customers
What does Directory Sync do for you
Enables you to manage your company's information in one central location for both the on-premise intranet and Office 365
Runs as an appliance
  Install and forget
Proactively reports errors via email
  No news is good news
What does Directory Synchronization do for users
Seamless user experience across on-premise and Office 365 services (Exchange, Lync, SharePoint)
Flavors of Co-Existence
  Identity Co-Existence (aka Single Sign-On, Federated Identity, Federated Authentication)
  Application Co-Existence
What does Directory Synchronization do for users
Identity Co-Existence
Facilitates the Single Sign-On experience
  For users: a single set of credentials to manage
On-premise users, security groups, distribution lists and contacts are available in the cloud
  Complete address books in Exchange Online
  SharePoint Online ACLing via security groups
Users, contacts and groups can be created directly in Office 365, or synced from on-premise!
What does Directory Synchronization do for users
Application Co-Existence
2 types:
  Simple
  Rich
Simple Co-Existence:
  Full, consistent Address Book available across all O365 services
  Exchange Online users can receive mail at any of their (valid) on-premise proxy addresses
  Conference room support (Outlook Room Finder)
What does Directory Synchronization do for users
Application Co-Existence
Rich Co-Existence:
  Hybrid deployments
    Staged migrations
    Keep data on-premise for various business or legal requirements
  Free/Busy available to users on-premise and in the cloud
What does Directory Synchronization do for users
Application Co-Existence
Rich Co-Existence (cont.)
  Cross-premise services
    Customers with an on-premise mailbox can have voicemail in the cloud
  Cloud Archiving
  Filtering Co-Existence (safe senders, blocked senders)
When to use Directory Synchronization
Directory Synchronization is a long-term commitment
Common Scenarios (scenario: use Directory Synchronization?):
  Initial on-boarding/bulk provisioning of users only*: No
  Identity Federation: Yes
  Long-term migration/adoption of Office 365 services: Yes
  Partial adoption/migration to Office 365 services: Yes
Setting up Directory Sync - Requirements
3 types of requirements:
1. Host OS that runs Directory Sync
  32-bit ONLY
    Microsoft Windows Server 2003 SP2 x86
    Microsoft Windows Server 2008 x86
  Cannot be a Domain Controller
2. Active Directory forest functional level synced by Directory Sync
  Microsoft Windows Server 2000
  Microsoft Windows Server 2003
  Microsoft Windows Server 2008
  Microsoft Windows Server 2008 R2
  NOTE: known incompatibility with the Recycle Bin feature
Setting up Directory Sync - Requirements
3. Rich Co-Existence
  Rich Co-Existence needs an Exchange 2010 SP1 Client Access Server (CAS) (free)
  Installs the schema extensions required to support Rich Co-Existence
Demo: Microsoft Online Directory Sync Setup
How Directory Synchronization works
Architecture
[Diagram: Customer Network (AD, Office 365 Directory Sync) syncing to the Office 365 Datacenter (Microsoft Online ID, O365 Directory, Exchange FEs, Lync FEs, SharePoint FEs, Office Sub)]
How Directory Synchronization works
Architecture - Client
Uses Enterprise Admin credentials at configuration to create a self-managed account for sync purposes:
  Attribute-level write permissions for Rich Co-Existence
Uses a managed account with Global Administrator privileges for the tenant
  Authenticates to O365 via Microsoft Online ID
Syncs all users, contacts and groups from your (single) AD forest
  Queries the AD DirSync control for changes
  Filters out well-known objects and attribute patterns
Syncs every 3 hours

How Directory Synchronization works
Architecture - Client
First sync run: full sync
  Start-up, syncs all objects
Subsequent runs: delta sync
  Changes only
Time required depends on data size/complexity

How Directory Synchronization works
Architecture - Client
Microsoft Windows Server 2003 SP2 or higher (32-bit)
SQL Server 2008 R2 Express
  Should use full Microsoft SQL Server 2005 / 2008 for larger customers
  10GB DB size limit
Microsoft Online ID components for authentication to Office 365
Available for download in 23 languages

How Directory Synchronization works
Architecture - Server
Syncs objects in batches
Users provisioned into Microsoft Online ID for login to Office 365
All objects provisioned into the Office 365 Directory Store
  Objects flow into services based on subscription (Exchange Online, Lync Online, SharePoint Online)
How Directory Synchronization works
Architecture - Sync Object Limits
All customers initially subject to a 10,000 object limit
  objects = users, security groups, distribution lists, contacts
  Will receive email
  Contact support to increase the object limit
Larger customers (20,000+ users) sign up for a special subscription type
  Work with your MS account reps for more details!
How Directory Synchronization works
Attribute Validation
As batches of objects are processed by Office 365, objects are validated
First-in-wins conflict resolution
  If key attributes are duplicated, the second object receives errors
How Directory Synchronization works
Attribute Validation
ProxyAddresses sanitization
  Proxy addresses with non-registered domains are stripped
UPN validation
  If the UPN uses a non-registered domain, it will be replaced with: mailNickName@domain.onmicrosoft.com
  (where domain is the primary domain the customer registered at sign-up)

How Directory Synchronization works
Attribute Validations
Attribute / Most common issues
userPrincipalName:
  cannot have dot . immediately preceding @
  cannot exceed 113 chars (64 for username, 48 for domain)
  cannot contain ! # $ % & \ * + - / = ? ^ _ ` { | } ~ < > ( )
  cannot have duplicate UPNs
sAMAccountName:
  cannot contain \ / [ ] : | < > + = ; ? ,
  cannot end with dot .
  cannot be more than 20 chars
  cannot be empty
proxyAddresses:
  cannot contain smtp addresses with domains that are not registered for the tenant
  cannot have duplicate proxy addresses
All errors are reported to the Technical Notification Contact by email!
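The rules above as a batch check that can run before objects ever reach Office 365; this is an added example written for this page, not the Directory Sync tool's own code, and the user records, registered-domain set and primary domain are constructed sample values:

```python
# Added example (not from the deck): a pre-sync check applying the attribute rules
# the slide lists. Users and the registered-domain set are constructed samples.
UPN_BAD_CHARS = set('!#$%&\\*+-/=?^_`{|}~<>()')   # invalid in a UPN per the slide
SAM_BAD_CHARS = set('\\/[]:|<>+=;?,')            # invalid in a sAMAccountName
def normalize_upn(upn, mail_nickname, registered, primary):
    """A UPN on a non-registered domain becomes mailNickName@<primary>.onmicrosoft.com."""
    domain = upn.rpartition('@')[2].lower()
    return upn if domain in registered else f"{mail_nickname}@{primary}.onmicrosoft.com"

def check_user(user, registered, seen_upns, seen_proxies):
    """Issues for one user; seen_* carry duplicate state across the batch (first-in wins)."""
    upn, sam = user.get('userPrincipalName', ''), user.get('sAMAccountName', '')
    local, _, domain = upn.rpartition('@')
    rules = [
        (local.endswith('.'), 'UPN: dot immediately before @'),
        (len(local) > 64 or len(domain) > 48, 'UPN: username > 64 or domain > 48 chars'),
        (set(local) & UPN_BAD_CHARS, 'UPN: invalid character'),
        (upn.lower() in seen_upns, 'UPN: duplicate (first-in wins)'),
        (not sam, 'sAMAccountName: empty'),
        (len(sam) > 20, 'sAMAccountName: more than 20 chars'),
        (sam.endswith('.'), 'sAMAccountName: ends with dot'),
        (set(sam) & SAM_BAD_CHARS, 'sAMAccountName: invalid character'),
    ]
    issues = [msg for cond, msg in rules if cond]
    seen_upns.add(upn.lower())
    for proxy in user.get('proxyAddresses', []):
        kind, _, address = proxy.partition(':')
        if kind.lower() == 'smtp' and address.rpartition('@')[2].lower() not in registered:
            issues.append(f'proxyAddresses: non-registered domain in {address} (would be stripped)')
        if proxy.lower() in seen_proxies:
            issues.append(f'proxyAddresses: duplicate {address}')
        seen_proxies.add(proxy.lower())
    return issues

def check_batch(users, registered):
    # Check a batch in order; return {sAMAccountName: issues} for flagged users only.
    seen_upns, seen_proxies, report = set(), set(), {}
    for user in users:
        if issues := check_user(user, registered, seen_upns, seen_proxies):
            report[user['sAMAccountName']] = issues
    return report

REGISTERED = {'contoso.com'}   # constructed: domains registered for the tenant
SAMPLE_USERS = [               # constructed on-premise user records
    {'sAMAccountName': 'alice', 'userPrincipalName': 'alice@contoso.com',
     'proxyAddresses': ['SMTP:alice@contoso.com']},
    {'sAMAccountName': 'bob.', 'userPrincipalName': 'bob.@contoso.com',
     'proxyAddresses': ['SMTP:bob@contoso.com', 'smtp:bob@contoso.local']},
    {'sAMAccountName': 'alice2', 'userPrincipalName': 'Alice@contoso.com',
     'proxyAddresses': ['smtp:alice@contoso.com']},
]
```

Running `check_batch(SAMPLE_USERS, REGISTERED)` flags `bob.` (trailing dot in both UPN and sAMAccountName, plus a proxy on an unregistered domain) and `alice2` (duplicate UPN and proxy address, losing to alice under first-in-wins), while alice passes clean.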


How Directory Synchronization works
Writing to On-Premise AD
If Rich Co-Existence is disabled, Directory Sync will not modify the customer's on-prem AD
If Rich Co-Existence is enabled, Directory Sync will modify up to 6 attributes on users:
Attribute / Feature
  SafeSendersHash, BlockedSendersHash, SafeRecipientHash: Filtering Coexistence
    Enables on-premise filtering using cloud safe/blocked sender info
  msExchArchiveStatus: Cloud Archive
    Allows users to archive mail to the Office 365 service
  ProxyAddresses (cloudLegDN): Mailbox off-boarding
    Enables off-boarding of mailboxes back to on-premise
  cloudmsExchUCVoiceMailSettings: Voicemail Co-Existence
    Enables on-premise mailbox users to have Lync in the cloud
How Directory Synchronization works
Identifying on-premise and Cloud Objects
Objects in Office 365 are uniquely identified by sourceAnchor
  Value derived from the ObjectGUID of on-premise objects
  Set on first sync
Customers can create objects in Office 365 before running Directory Sync
  Objects may overlap with on-premise objects!
Sync tries to map objects being synced with objects already present in the cloud
  Prevent duplicate objects!
How Directory Synchronization works
Matching on-premise and Cloud users
On sync, if no user object in the cloud has the sourceAnchor value, try to match based on SMTP addresses
If the SMTP address match succeeds, the sourceAnchor value is stamped on the object already in the cloud and the objects are matched
Subsequent sync runs will use sourceAnchor values
Matching for user objects only


How Directory Synchronization works
Synchronization Errors
Synchronization errors are communicated to the IT generalist via email
  The Technical Contact is very important to Microsoft Online Directory Sync for communication of sync health, errors, etc.
Administrators must address these errors through on-premise changes
Planning for Directory Synchronization
Things to think about:
1. Do you plan to enable Identity Federation?
  Register domains with Office 365
  Activate Federation
2. Do you plan to enable Rich Co-existence?
  Exchange 2010 SP1 CAS deployed on-premise?
3. Is your Active Directory ready?
  Microsoft Online Deployment Guide (http://www.microsoft.com/online/deploy.aspx)
  Office 365 Best Practice Analyzer
Common Asks
Filtering
  Not supported
  Automated scoping out can lead to data loss (user mailboxes!)
  Filter file no longer supported
Highly available Directory Sync
  Directory Sync tool not configurable for high availability
  NOTE: when the Directory Sync tool is down, Office 365 data goes stale; Federated Authentication, etc. still works!
Common Asks
Scale & large customers?
  Directory Sync is used for MSFT! (~1M objects)
  Customers with 50K+ objects: use a full SQL installation
  PowerShell-based configuration
Coming: 64-bit client
  64-bit Directory Sync client releasing soon
  Provides W2K8 R2 Recycle Bin object re-animation (not supported in the 32-bit Directory Sync client)
Coming: Multi-Forest Support
Fact: customers may have more than 1 AD forest containing users, groups and contacts to sync to Office 365
Fact: the Microsoft Online Directory Sync appliance cannot be configured to sync from multiple forests
Fact: customers of BPOS v1 have done work to aggregate multiple AD forests into one for sync to BPOS v1
Coming: Multi-Forest Support
Plan: provide prescriptive guidance for existing BPOS v1 customers to migrate to Office 365
  Customers with specific, supported configurations can enable new Office 365 scenarios (Federated Identity, Rich Co-Existence)
BPOS v1 customers outside supported configurations, or new Office 365 customers, must wait until later in 2012 for a comprehensive Office 365 multi-forest solution
Gotchas
Synced objects are mastered on-premise
  Need to update the on-premise object to update the cloud object
Stopping Directory Synchronization
  Cannot de-activate Directory Synchronization via the Microsoft Online Portal
  Can turn off the Directory Synchronization client
  Can't delete users that have been synced in unless removed from on-premise
  Support coming post-General Availability
Gotchas
Removing domains
  Can't de-register a domain from Office 365 until all users that have attributes with that domain are removed
Demo: Back to Directory Sync
Other Sessions/Resources
SIM320 - Using Active Directory with Microsoft Office 365
  Breakout session about Identity Federation & Directory Synchronization
OSP381-INT - Microsoft Office 365: Identity and Access Solutions - Q&A Follow Up
  Customer-driven deep dive
Office 365 booth
Appendix: Directory Synchronization Features
Core DirSync features supported in V1:
  Full shared GAL
  Rich messaging (full format)
  Meeting requests
  Works over the Internet
  Appliance-like setup
New DirSync V2 features (out of the box):
  Identity coexistence: identities & security principals are mastered on-premises
  Conf room synced as conf room
  Support for identity federation (ADFS)
  Support for application coexistence (Mail, OC)
  Syncs security groups (SharePoint security)
  Syncs additional on-premise data (e.g., photos), enabling a richer experience
  Proxies for contacts and mail-enabled users are respected (unchanged)
  Support for Rich Coexistence features
New DirSync V2 features (optional):
  Free/Busy coexistence (with an Exchange Server 2010 CAS server on premises)
  Supports additional Rich Coexistence with Exchange Server 2010 (Cloud Archive, Filtering Coexistence, Delegation)
** DirSync does not require Exchange to exist on premises **
Resources
Connect. Share. Discuss.
  http://northamerica.msteched.com
Learning
  Sessions On-Demand & Community: www.microsoft.com/teched
  Microsoft Certification & Training Resources: www.microsoft.com/learning
Resources for IT Professionals: http://microsoft.com/technet
Resources for Developers: http://microsoft.com/msdn
2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment
on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.