When moving to Office 365, it is quite common that the old on-premises structure must be preserved, sometimes because the migration itself takes a long time to finish, sometimes because the company wants a hybrid scenario in which both environments are used.
Whatever the reason, one of the important aspects of the coexistence setup is the synchronization of Active Directory between the local and cloud Exchange environments. This article describes the steps required to achieve such a sync.
Directory Synchronization Tool
To sync the local AD with Office 365, you need to install the Directory Synchronization Tool (Dirsync), which you can download from Microsoft.
The tool syncs all accounts, together with their passwords, up to Office 365. It does not, however, provide Single Sign-On (SSO); to achieve SSO, Active Directory Federation Services (ADFS) must be configured.
Microsoft recommends installing Dirsync on a domain-joined server that is not a domain controller. More specific system requirements are available on Microsoft's website.
Installation
NOTE: all actions below were performed in a test Office 365 environment.
The steps are as follows:
- Log in to Office 365 with administrative user credentials.
- Go to Users, then Active Users.
- Click the Active Directory synchronization Set up link visible above the list of users.
- In point "3" on the list, click the Activate button. A notification should appear that synchronization is active:
- In point "4", click Download to get the Dirsync tool:
- On the machine where you are installing the tool, make sure that the .NET 3.5 SP1 and .NET 4.0 libraries are installed. Otherwise the Dirsync setup returns the following error:
In Windows Server 2008 R2 SP1, .NET 3.5 SP1 is available for installation via Server Manager, in the Features tab, while .NET 4.0 needs to be downloaded from Microsoft's website. In Windows Server 2012 and 2012 R2, both libraries can be installed using the Server Manager console.
- Follow the installation wizard until it finishes. The process might take a couple of minutes.
- Once the installation is complete, select Start Configuration Wizard now and click Finish.
- In the configuration wizard, enter the credentials of a user with administrative privileges in Office 365. These credentials are stored within the tool; if they change (e.g. the password is changed), the program needs to be reconfigured.
- In the next step, enter administrative user credentials for the on-premises AD. Unlike the Office 365 credentials from the previous step, these are not stored, so there is no need to reconfigure the program if, e.g., the password changes.
- The next step shows the Exchange settings for a hybrid deployment. Leave them unchecked, as hybrid deployment is not covered in this article. Click Next.
- In the following step, check the Enable Password Sync checkbox. Click Next.
- Wait for the program to finish the configuration. Once it's done, click Finish. Leave the Synchronize your directories now option checked:
Synchronization monitoring
After Dirsync is installed, you need to verify that the process works as expected. To do so, use the Synchronization Service Manager console:
- Go to the following location on disk: C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell.
- Launch the miisclient.exe program. It may happen that the program does not start right after the Dirsync installation. In that case, simply log off and then log back on to the system.
- Once the program is running, you can check the sync progress:
In the upper part of the window there is a list of all current sync cycles; in the lower left, all current modifications to AD are listed.
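The console above shows what the sync engine is doing locally. As an added example (not part of the original article), the following PowerShell function checks the same thing from the Office 365 side with the MSOnline module: whether directory and password sync are enabled, when the last cycle reported in, and how many cloud users are flagged as synchronized. It assumes Connect-MsolService has already been run; the property names on the company-information object and the 6-hour staleness threshold (two default 3-hour cycles) are assumptions made here.

```powershell
# Added example: verify from the cloud side that directory sync is enabled and recent.
# Assumes the MSOnline module is installed and Connect-MsolService has been run.
# Property names (DirectorySynchronizationEnabled, LastDirSyncTime, ...) are taken
# from the MSOnline module as the author of this example knows it.
function Test-DirSyncHealth {
    param(
        # Assumption: two missed default cycles (2 x 3 h) is treated as "stale".
        [int]$MaxAgeHours = 6
    )

    $info = Get-MsolCompanyInformation

    $result = [ordered]@{
        SyncEnabled         = $info.DirectorySynchronizationEnabled
        PasswordSyncEnabled = $info.PasswordSynchronizationEnabled
        LastSyncUtc         = $info.LastDirSyncTime
        LastPasswordSyncUtc = $info.LastPasswordSyncTime
        Stale               = $false
        SyncedUserCount     = (Get-MsolUser -Synchronized -All | Measure-Object).Count
    }

    # A sync that is enabled but has not reported for too long is the condition
    # worth alerting on: password changes on-premises stop reaching the cloud.
    if ($info.DirectorySynchronizationEnabled -and $info.LastDirSyncTime) {
        $age = (Get-Date).ToUniversalTime() - $info.LastDirSyncTime
        $result.Stale = $age.TotalHours -gt $MaxAgeHours
    }

    [pscustomobject]$result
}

Test-DirSyncHealth | Format-List
```

If Stale comes back True while SyncEnabled is True, check the Synchronization Service Manager and the Windows Azure Active Directory Sync Service on the Dirsync server before looking anywhere else.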
Dirsync post-installation tweaks
Changing time between sync cycles
By default, sync cycles are launched at 3-hour intervals. To reduce the time between syncs (e.g. for testing purposes), do the following:
- On the server where the Dirsync tool is installed, go to the C:\Program Files\Windows Azure Active Directory Sync folder.
- Open the Microsoft.Online.DirSync.Scheduler.exe.Config file in Notepad.
- Locate the following string: <add key="SyncTimeInterval" value="3:0:0" /> and change the "3:0:0" value to e.g. "0:5:0". This changes the sync interval from 3 hours to 5 minutes.
- Save the file and restart the Windows Azure Active Directory Sync Service in system services.
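The same change can be made from PowerShell, which is handy when you want to shorten the interval for a test and reliably put the default back afterwards. The function below is an added example, not part of the original article or the Dirsync tool: it validates the value as a TimeSpan, backs up the config file, rewrites the SyncTimeInterval key and restarts the service. The file path and key name are the ones given above; addressing the service by its display name is an assumption.

```powershell
# Added example: change the Dirsync scheduler interval from a script.
# Path and key name are as given in the article; the service is located by the
# display name the article uses (assumption). A 5-minute cycle is for lab use;
# restore the 3:0:0 default when testing is done.
function Set-DirSyncInterval {
    param(
        [Parameter(Mandatory)][string]$Interval,   # h:m:s, e.g. "0:5:0"
        [string]$ConfigPath = 'C:\Program Files\Windows Azure Active Directory Sync\Microsoft.Online.DirSync.Scheduler.exe.Config'
    )

    # Refuse values the scheduler would not parse before touching the file.
    $null = [TimeSpan]::Parse($Interval)

    # Keep a timestamped backup so the previous setting can be restored.
    $backup = "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
    Copy-Item -LiteralPath $ConfigPath -Destination $backup

    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    $node = $cfg.SelectSingleNode("//add[@key='SyncTimeInterval']")
    if (-not $node) { throw "SyncTimeInterval key not found in $ConfigPath" }

    $old = $node.GetAttribute('value')
    $node.SetAttribute('value', $Interval)
    $cfg.Save($ConfigPath)

    # The scheduler reads the config at start, so restart the service.
    Get-Service -DisplayName 'Windows Azure Active Directory Sync Service' |
        Restart-Service -Force

    [pscustomobject]@{ OldInterval = $old; NewInterval = $Interval; Backup = $backup }
}

# Shorten to 5 minutes for a test run, then put the default back when done:
Set-DirSyncInterval -Interval '0:5:0'
# Set-DirSyncInterval -Interval '3:0:0'
```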
Limiting the number of synced objects
When the on-premises organization is large and only some users or groups use Office 365, it is useful to limit the sync to specific Organizational Units (OUs) only.
- On the Dirsync server open the C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell location.
- Open the Synchronization Service Manager console by launching miisclient.exe.
- Open the Management Agents tab:
- Right-click Active Directory Connector and select Properties.
- Navigate to Configure Directory Partitions and click the Containers button:
- In the next window, enter the credentials of the AD administrative user:
- Select the OU container of your choice and click OK:
- Click OK again to return to the main window (Management Agents tab).
- Right-click the Active Directory Connector agent and click Run:
- Select Full Import Full Sync and click OK:
- You should already see the effect of the above settings in the main program window, in the Operations tab:
That's it – you now have AD fully synced with Office 365. Every change to any Active Directory object is now synchronized to the cloud.
The next step is usually the mailbox migration. To perform it you can use a third party tool, such as CodeTwo Office 365 Migration.
Dears,
I have a question: how can I sync the attributes of users in Active Directory (such as mobile and job description) with the Office 365 emails,
and make this information appear after any employee clicks on any O365 email?
You can sync your on-prem AD with AAD using AAD Connect. To make AAD information visible in your emails, you can use the method mentioned in this article.
Hi, if i configure dirsync, and would like to enable MFA for M365, will it require additional license in M365?
Hi,
M365 MFA requires a license, but whether you require an additional license depends on what you already have. Here are some MFA requirements details
By the way, DirSync has been deprecated for some time now, here is an article about its replacement – AAD Connect.
Hi there, I just joined a company which already has a lot of O365 mailboxes, but it's not synced with the local AD servers. On the other hand, not all those O365 mailboxes will exist in AD (it's a school)… so just a few AD accounts will be synced to O365, but all the others in O365 will keep their password management in O365… If I set up the sync, will those mailboxes (student MBs) face any kind of issue?
Thanks
The situation you’re facing and the suggested resolution is available in this article.
In short – they *shouldn’t* face any issues, as this is one of the supported scenarios. If you don’t run SMTP matching, they won’t be able to, for example, access local public folders.
Hello,
I have a question: is it possible to change the password in Office 365 and have it synced with my local AD? I have a tablet user who needs to change his password via Outlook or O365, but I get a message every time telling me that my AD blocks the password change. Apparently I can change the password via AD and have it synced with Office 365, but I can't do it the other way around.
Thank you in advance.
Ziad
Hello,
You can set it up to work this way with Azure AD password writeback. There are some prerequisites, though. You can learn more at this Microsoft’s page.
Inspirational content, have achieved a good knowledge from the above content on Windows Azure training useful for all the aspirants of Windows Azure training.
Hi Adam, great article. Question: if I have a NEW server and my O365 tenant is already synced via DirSync to an old server (which I will replace with the new one), can I simply install DirSync on the new server and sync up? Will that overwrite my empty/new Active Directory with Office 365? I guess my question is, can I use DirSync to pull in all of my O365 users and populate my new Active Directory?
Hi Jason,
Unfortunately, at the current moment, populating the on-premises directory with Office 365 users is not possible. The directory synchronization (currently handled by AAD Connect) is one-way only. The way to go would be to recreate users in the new server and use SMTP matching to re-sync them. The following article includes some guidelines on what you can do: How to merge an Office 365 account with an on-premises AD account after hybrid configuration?
Thank you in advance for your help and everything you are doing. We appreciate all your suggestions. In a few words: if I want to rename the Active Directory to another name, should I first uninstall the sync tool, rename the AD (we want to get rid of the .local name) and then, after the rename, reinstall the sync tool, right? The problem is not just a server name, but the whole forest will be changed. And the main ones affected will be the users that we actually have. After it resyncs, can we have all the users as before with the new AD qualified domain name, or will they be duplicated, with old-AD-name users and new-AD-name users?
If you are only trying to get rid of the “.local” name, you should be able to handle the situation without duplicates by configuring SMTP matching. Take a look at the following article, as it explains the scenario you will face after renaming the server:
How to merge an Office 365 account with an on-premises AD account after hybrid configuration?
Hi Adam, first of all thank you for this helpful page. I have an important question. We want to rename the Domain Controller, and of course this will affect even the sync of the users on the DC related to Office 365. If we change the name and then resync with the Azure tool, will we have all the users again in Office 365? What are your suggestions regarding this case?
Thank you in advance
In short, according to Microsoft: AAD Sync does not support renaming a server. If you have to do it, it is recommended to uninstall AAD Sync, rename the server and then – reinstall AAD Sync.
Can you please recommend me a tool to sync AAD with SPO user profiles. It will be great help. Thanks
Is there any helpful tool to sync AAD with SPO User Profiles? If there is please let me know.
Hi Abhi,
AAD to SPO Sync is done by a native tool and as far as I know, there are no tools to substitute it. Neither there is a true need for them. You can learn more about the SPO sync in this TechNet article.
By the way, as Dir Sync is deprecated, you might want to take a look at the following article for the most up-to-date information on local AD sync to Office 365: How to sync on-premises Active Directory to Azure Active Directory with Azure AD Connect?
Hello,
I need your help on the below mail:
I have a client that wants to move mails & documents to O365.
They want to have their mails, documents in the cloud and also want single sign on with the solution.
Also, they want to be able to login with their domain credentials on their laptops.
Note that the customer does not have any IT Infrastructure and they don’t have any plan to buy.
How can we join each of their computers to the domain while they don’t have AD on site and they want to use the same domain account on their O365 for this.
Kindly recommend end to end solution or product to meet this need.
Thanks.
Hello Martins,
First, What is the source of the migration if the customer has no infrastructure? Where are the emails/documents? This is crucial information in deciding on how to migrate.
It is possible to join computers to the domain with the Azure AD Join. The problem is, it seems to require Windows 10 Pro or Enterprise.
Hello,
Below are the answers requested:
First, What is the source of the migration if the customer has no infrastructure?
The customer signed up for a web hosting service with Planet Web Online, which hosts their website and gave them space to create user mailboxes.
Where are the emails/documents? This is crucial information in deciding on how to migrate.
Emails are hosted with Planet Web Online, which they access through a control panel.
Documents are presently saved on individuals' computers.
It is possible to join computers to the domain with the Azure AD Join.
What are the requirements to deploy this, and will it work directly with Office 365? Also, can we join all OSes from Windows 7 upward to the domain?
What is the cost of the service?
If all the mailboxes are in an online service, you can perform an IMAP migration or migrate by exporting mailboxes to PST and then importing them to Office 365.
If documents are stored on individual computers, then there is no way to make it easy – all documents need to be uploaded to SharePoint Online manually.
The requirements for Azure AD Join is a paid Office 365 subscription and, like I mentioned before, Windows 10 Pro/Enterprise. Since you mention Windows 7, you either need to upgrade the OS or persuade the customer not to join computers to the domain.
When it comes to the cost of the service, I suggest you head to Office 365 plans pages, analyze different plans and find the one which suits the customer’s needs (e.g. It should include SharePoint if they want to have their organization’s documents in the cloud). You can find their pricing there.
Either way, prepare for a lot of manual work and creating an Office 365 organization pretty much from scratch.
Hello,
I came across the BitTitan migration tool on O365. Can it be applied in this scenario to resolve this problem? I need your assistance.
Thanks
If you want to use a migration tool to make your transition easier, I recommend you go with CodeTwo Office 365 Migration.
Mind that although this migration software will make your job easier, it will not fix the problem concerning the Azure AD Join requirements (Windows 10, mentioned before), as this issue is not migration-related.
Dear Adam,
Currently our company email has already used Office 365 for 1 year; it has been working fine and all are cloud users. We are creating Office 365 mailboxes from the portal directly.
However, I am currently being asked by the company whether it is feasible to sync the Windows domain login password with Office 365. In my previous company, when we were using a hybrid configuration, we created our mailboxes in the on-premises Exchange and then they were synced to Office 365 via the AAD Connect server. After the sync, we assigned a license in the Office 365 portal. However, in my past company the Windows login domain was the same as the Office 365 domain, as we were using company.com for both the Windows login and the Office 365 domain. No UPN suffixes were required at all.
Now my current situation is: my new company has already completed the migration and currently all are cloud users. Is it feasible to sync the Windows login password and the Office 365 mailbox password when we are on different domains for Windows login and Office 365? Windows login is using the cpy.net domain, whereas Office 365 is using company.com.
May I know whether it is feasible to do this task?
In my mind, it looks like there are some consequences:
1. The password can't be changed from OWA.
2. Windows profiles may need to be created again?
3. How will the mapping be between the AD users and their Office 365 mailboxes?
4. How are the mailboxes created, since there is no more on-premises Exchange?
5. Are there any risks associated with this task?
Many thanks
Regards,
H
Hello
I want to sync the AD with Office 365.
There are more than 1000 users in AD, and they have in-house Exchange accounts.
When I sync with the Azure sync tool, kindly confirm that all users of the local AD sync with Office 365?
Hi Mohamed,
If I understand correctly, you want to know if Azure AD Connect syncs over 1000 users? By default, Azure AD tenant allows 50k objects, so it should not be a problem. Still, I will advise you to try it in a test environment before syncing on the production server.
Hi!
I've a problem: when creating new users, they default to the .onmicrosoft.com address, even though they are specified differently on-prem.
They have to use PowerShell to change this each time; however, I would like a way to do this by default.
Any suggestions?
Thanks in advance
Hi Amena,
I am sorry, but I have not come across this problem before. You could try asking the tech community at spiceworks.com, or at Microsoft’s TechNet. I wonder myself what solution will work in this situation.
Nice article. How does it help a developer in terms of balancing day-to-day life?
I have a question.
I want to sync the AD with Office 365, but in Office 365 my domain name is different and these users are premium.
When I sync with the Azure sync tool, kindly confirm that all users of the local AD sync with Office 365 AD; in this case, do we need to pay extra money for the users that are used in the local AD or not?
Thanks
Hi abrar ahmad,
As far as I know, you need to assign an Office 365 license only to a user that exists in Office 365, not local AD.
Once you have synchronized users from on-premises Active Directory to Azure Active Directory with Azure AD Connect tool, you need to manually assign them licenses before they can use Office 365 applications.
If you have two different domains for Exchange and Office 365 environments, make sure to set an Alternative UPN Suffix in the Active Domain and Trust to avoid creating double user accounts in Office 365. See this Technet post for more details: https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_dirservices/after-setting-up-ad-connect-i-now-have-two-users/833628ec-b8e7-4e58-87b3-687a31d7162f.
All the best,
Adam
Hello Adam, this is great stuff. I have a question. We have multiple forests and domains and have already migrated all our email mailboxes to the O365 tenant. The users in the on-prem AD and in the tenant have different UPNs. We want to have the passwords synced by using DirSync, but a lot of what I'm reading says we should use AAD Connect. We will also implement ADFS afterwards. From what I've been told, once we turn on DirSync or AAD Connect, it will create a new user in the tenant with the same UPN as in on-prem AD, and then we have to remap that new user in the tenant back to their mailbox. Is this correct? Your advice is greatly appreciated. Thank you.
Hi Boardman Meade,
When you run AAD Connect, new users are created in Office 365. To make sure the user is created correctly, you should configure on-premises UPN suffix as a verified domain in Azure AD or set your Office 365 verified domain as an Alternative UPN Suffix in Active Domain and Trust.
If a verified domain and user’s UPN do not match, then a user will be created in Azure AD with the .onmicrosoft.com domain.
Once new users are created in Office 365, you need to assign them Office 365 licenses so that the users can start using their accounts.
All the best,
Adam
Hello,
I have recently moved from on-premises Exchange to O365. I have also created users in the O365 account. Now I have my AD, which is still on-premises, and I need to connect it to O365. If I use DirSync, will the users be mapped automatically, or will I need to do this manually? I have not yet tried to use DirSync.
Hello Amish,
As DirSync is deprecated now, use Azure AD Connect tool for directory synchronization.
In Azure AD Connect, as far as I know, users are matched automatically when using Express settings installation (if you have a single forest AD): https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-express.
When using Custom settings installation, you can choose how the tool should identify users (when you have multiple forests): https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-custom (see section: Uniquely identifying your users).
If you have any differences between on-premises AD and Azure AD, refer to this article to avoid data overwriting in Cloud accounts: https://oddytee.wordpress.com/2016/03/14/sync-new-active-directory-with-existing-office-365-tenant/.
It is also a good practice to test the synchronization settings before going into production.
All the best,
Adam
Good article. I want to ask: I've been using Office 365 and have already made a lot of users and groups. Now I have just set up Active Directory on Windows Server 2012. Will the users and groups sync directly with Active Directory, and delete the user accounts and groups that I created in Active Directory?
Hi Andi,
DirSync, AAD sync and AAD Connect, sync from on-premises AD to the Cloud. So if you set up a sync between AD and Office 365, it will feed the on-premises objects to the Cloud. There is a risk of duplicating ones that were identical in both locations. E.g. say you had [email protected] in AD and the same [email protected] in Office365, you might end up with a user.abc and user.abc2 in the Cloud. But if you set matching correctly (it’s very easy to do) you should be fine.
Best regards,
Adam
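The duplicate risk described in the reply above (user.abc next to user.abc2) can be checked for before the first sync runs. The following PowerShell function is an added example, not part of the original article: it indexes every cloud user by UPN and by each SMTP proxy address, then walks the on-premises OU you intend to sync and reports whether each user's primary SMTP address would match an existing cloud user or would be created as a new object. It assumes the ActiveDirectory and MSOnline modules are loaded, Connect-MsolService has been run, and the OU distinguished name used in the call is a placeholder.

```powershell
# Added example: pre-sync check for on-premises users that would NOT match an existing
# cloud user by SMTP address and so would be created as new (duplicate) objects.
# Assumes ActiveDirectory + MSOnline modules and an existing Connect-MsolService session.
function Find-SoftMatchGaps {
    param(
        # Assumption: the OU you plan to put in the Dirsync container scope.
        [Parameter(Mandatory)][string]$SearchBase
    )

    # Index cloud users by every SMTP address they carry, lower-cased for comparison.
    $cloud = @{}
    foreach ($u in Get-MsolUser -All) {
        $cloud[$u.UserPrincipalName.ToLower()] = $u
        foreach ($p in @($u.ProxyAddresses)) {
            if ($p -match '^smtp:(.+)$') { $cloud[$matches[1].ToLower()] = $u }
        }
    }

    Get-ADUser -Filter * -SearchBase $SearchBase -Properties proxyAddresses, mail |
        ForEach-Object {
            # The upper-case "SMTP:" entry is the primary address; fall back to the mail attribute.
            $primary = (@($_.proxyAddresses) | Where-Object { $_ -cmatch '^SMTP:' } |
                        Select-Object -First 1) -replace '^SMTP:', ''
            if (-not $primary) { $primary = $_.mail }

            $status = if (-not $primary)                         { 'NoPrimarySmtp' }
                      elseif ($cloud.ContainsKey($primary.ToLower())) { 'WillMatch' }
                      else                                         { 'WillCreateNew' }

            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                UPN            = $_.UserPrincipalName
                PrimarySmtp    = $primary
                Status         = $status
            }
        }
}

# Placeholder OU; list only the users that need attention before sync is enabled.
Find-SoftMatchGaps -SearchBase 'OU=Office365Users,DC=example,DC=local' |
    Where-Object { $_.Status -ne 'WillMatch' } | Format-Table -AutoSize
```

Anything reported as WillCreateNew or NoPrimarySmtp is a candidate for fixing the on-premises address before the first sync, rather than cleaning up duplicates in the cloud afterwards.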
Good
Hi Adam
Thank you for this great post, I have a query.
We have migrated 150 users over to 365 and NOW need DirSync installed so passwords can sync to 365.
How can I test this with ONE or TWO users only?
I believe I need to enable AD sync on 365 first, BUT will this impact all users? Can I filter only a few users to try this on?
Look forward to your reply
Thanks
brian
Hi Brian,
Azure AD Sync has 4 filtering options: Group-based, Domain-based, Organizational-Unit–based and Attribute–based. To test a sync on 2 users I would use either group or attribute-based filtering (add the 2 users to a test group or give them a test attribute).
-Adam
Great write up!
Hi Adam
Great article and explains a lot of how the process works.
My problem is that I have two accounts that have been deleted from on-prem AD but keep coming back as errors in the DirSync log even though I use PowerShell to remove the accounts from O365. What can I do to remove the two entries once and for all?
Thanks
Phil
Hi Phil,
Please try applying the solution from these Microsoft KB articles: https://support.microsoft.com/en-us/kb/2619062 and https://support.microsoft.com/en-us/kb/2709902.
Hope this helps!
Adam
Hi Adam,
I had to turn off Active Directory Synchronization, so all users are in the cloud. I'm reinstalling Windows Azure on the VM server again. I'm getting the following warning when I go to do this:
Do you want to activate Active Directory synchronization?
When you activate and configure directory synchronization, objects in your on-premises Active Directory may overwrite existing objects in the Microsoft Office 365 directory. Specifically, if a user, group, or contact object in the Microsoft Office 365 directory matches an object that is being synchronized from an on-premises object, the Microsoft Office 365 object will be overwritten.
This can result in data loss. The risk of data loss is much greater for organizations that have activated, deactivated, and then reactivated directory synchronization.
We strongly recommend that you back up user data before you reactivate directory synchronization.
Regards,
RD
Hello – all my users were manually created in Office 365. I need to enable directory sync and sync my users from a local AD server to Office 365. Will doing so merge the two accounts together and only change the password? I will be running Azure AD connect on a local domain server.
Please let me know.
Thanks,
Jaime
Hi Jamie,
If you match the users correctly then they should be merged just as you wrote, but I recommend testing on single accounts first. I haven’t really gotten into AAD Connect yet – however, I will be writing an article on it some time in the near future.
Best regards,
Adam
Please uninstall “Microsoft Online Services Sign-In Assistant” from control panel before installing the Dirsync tool, otherwise you will get error “Generic Failure” on Starting the Configuration Wizard.
My organization is an entity of a larger company that is currently on O365 but does not use the DirSync functionality. We are on completely separate operational domains and email hosts. We are getting ready to start the process of rolling out O365 to our users under the one main admin account established by the parent company, but the IT manager wants to use DirSync and is afraid of overwriting the cloud accounts that already exist.
Is this possible, or will DirSync only sync up the domain accounts from the AD it has access to?
Hi Adam,
I have read your article and Q&A which covered almost all of my questions thanks.
My bosses asked me to work on an Office 365 migration (email & file server).
1. Our email is hosted with Rackspace, which we need to migrate to O365, and day by day the pressure is building up, as we are currently paying both Rackspace and O365. 98% of users don't have personal mailboxes, and the 2% of personal mailboxes are located on their PC/laptop. We need to migrate all our emails to O365. Our AD server is local (Server 2008) and there is no link between Rackspace and our local AD. Just for your information, we are on the E3 package.
What's the best way to migrate emails from Rackspace to O365?
2. We need to migrate our file server to SharePoint. I have no experience with SharePoint at all. Is it possible to maintain the same security level while migrating files into SharePoint O365? For example, we have an Accounts drive and only accounts staff can access it; can we maintain the same with O365, or once the migration is done do we have to restructure security in SharePoint? Any advice would be appreciated.
Hi Umer,
I’m not familiar with Rackspace, but my research shows that your best options are a PST export/import or a 3rd party app: https://community.spiceworks.com/topic/239798-challenges-migrating-from-rackspace-to-office-365
As to migrating file shares to Sharepoint, even Microsoft suggests 3rd party apps: http://blogs.technet.com/b/ptsblog/archive/2013/11/04/migrating-file-shares-to-sharepoint-online.aspx
Hope this helps,
Adam
Hi,
Could I, or how could I, create password synchronization to current O365 accounts and the domain? We have used O365 for over a year and now we want the password sync option.
Hi Rep3FIN,
If you only want to synchronize only passwords from on-premises AD to Office 365, you should use AAD Connect: https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/. When setting up the synchronization, you would have to match your on-premises users with Office 365 (e.g. based on UPNs) and then configure AAD Connect to sync only the password attribute.
However, if your goal was to enable single sign-on, you would have to use ADFS: http://blogs.technet.com/b/canitpro/archive/2015/09/11/step-by-step-setting-up-ad-fs-and-enabling-single-sign-on-to-office-365.aspx
All the best,
Adam
I am having the same problem with the msExchMailboxGUID attribute. I read the steps:
Moving to another OU will not work. You need to sync these users from scratch with a modified sync job. In short – you need to stop the sync for already synced users, reconfigure it and sync again:
– Remove all already synced users from the sync scope and wait for the change to be replicated up to Office 365.
– Purge deleted users in Office 365 by running the following PowerShell commands (while connected to the Office 365 PowerShell console):
1. Get-MsolUser -ReturnDeletedUsers
2. Get-MsolUser -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin -Force
– Next, modify your sync job properties. Navigate to Configure Attribute Flow in the left pane, then locate msExchMailboxGUID on the list. Highlight it and, at the bottom of the window, locate the Delete button and click it.
– Include all the users you want to recreate in Office 365 in the sync scope, and then run the sync.
I am having issues removing them from the Office 365 portal. Can you give me some assistance on how you do that?
We're having issues syncing one of our client's on-prem Active Directory instances with Office 365.
Any thoughts? Troubleshooting steps?
Hi James,
Apologies for the late reply.
If you still need help with this, please let me know, on which step from my article does the procedure fail in your case. Also, are there any error messages?
All the best,
Adam
Hi Adam,
Very helpful guide!
We have a hybrid configuration and everything works fine, except for every new email address created after the migration. Those email addresses are associated with our public folders (on-premises).
The problem is that those addresses do not appear in the Outlook address book for all users on O365.
Got any ideas for me!?
Thank you,
—
Pat
Hi Pat,
Apologies for the late reply.
Please try applying the solution from this MSDN article: http://blogs.msdn.com/b/ashour/archive/2015/01/13/mail-enabled-public-folders-a-hybrid-deployment-myth.aspx
All the best,
Adam
Hi Adam,
Great guide! I've followed it and managed to migrate the users I wanted to Office 365. I wanted to proceed and migrate the mailboxes with your CodeTwo Office 365 Migration. My problem is that only 3 out of 11 got assigned an Office 365 license, and if I try to assign one manually to the rest I get this error: "This user's on-premises mailbox hasn't been migrated to Exchange Online. The Exchange Online mailbox will be available after migration is completed." Got any ideas what I can do?
Best regards,
Daniel
Hi Dan,
My guess is that the problem is caused by the msExchMailboxGUID attribute. See my comment from April for the solution: https://www.codetwo.com/admins-blog/sync-premises-ad-office-365/#comment-613
Let me know if this helps,
Adam
Hi,
Great article. I have a question around DirSync and the intervals.
I understand it's a default of 3 hours per sync. This is only a delta sync and can be changed by modifying a config file, as per your article. A delta sync doesn't take into consideration when users move to new OUs. This can only be performed by a full sync. A full sync in a large AD environment can take many hours.
What best practices would you recommend implementing based on your experience? Would you perform a daily full sync, followed by hourly delta syncs?
Hi Mark,
Are you moving the users between two OUs that are both being synced or is only one of the OUs synced?
Best regards,
Adam
Hi Adam,
I am preparing my AD for use with DirSync. I plan to modify several attributes for most users using a bulk modify application. I need to change the UPN and ProxyAddress for each user from domain.loca to @domain.edu.au and am worried that this will break user accounts. Should I be worried?
Also…
Is it possible to configure DirSync to only sync certain OUs prior to activating it? (e.g. do I just untick the sync now box, then use miisclient.exe to set the filter and start the sync?) …surely it's not that simple?
Thank you
Regards
Peter
Hi Peter,
I recommend changing the attributes before the first sync – no cause for worry. You can simplify this using AD Modify: http://admodify.codeplex.com/
@miisclient.exe
I’m happy to tell you that it is that simple :)
Hope this helps,
Adam
I synced our local AD with Office 365 successfully using this guide. I can assign an Office 365 license to these synced users, but it shows a message:
"This user's on-premises mailbox hasn't been migrated to Exchange Online. The Exchange Online mailbox will be available after migration is completed. Learn more about email migration"
I installed and set up the CodeTwo Exchange to Office 365 migration software. When I want to match a mailbox on my local Exchange server with one of these Office 365 user accounts/mailboxes, they are not showing in the target mailbox list of users. It only shows the admin email account I set up in Office 365, and all the AD-synced accounts are not showing up.
Any suggestions what the problem could be and how to fix it?
I have a question. I'm wanting to set up DirSync, but do I have to set up an Azure server, or can I set it up on-premises?
Ray
Hi Ray,
You can set up DirSync on-premises – just follow the steps in my article.
It’s also possible to set it up in Azure on a virtual machine (https://technet.microsoft.com/en-us/library/dn635310.aspx). But, if I understand correctly, that’s not your goal.
Hope this helps,
Adam
Exact error is
“error
The operation on mailbox “User” failed because it’s out of the current user’s write scope. The action ‘Set-Mailbox’, ‘EmailAddresses’, can’t be performed on the object ‘user’ because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.”
I am having an issue where the primary address is still showing “[email protected]” although it shows “domain.com” as my main domain. When I try to go into the user to change the SMTP address it won’t let me save it; it says that I need to make the change in local AD then sync, but I already have the correct email in the email field in AD for the users. I also tried adding a new UPN name for the correct domain, as the local domain is different, and changed it in the account in AD and resynced, but same issue. Any ideas?
Hi Brian,
Changing the proxyAddress attribute to the new [email protected] address e.g. via AD Users and Computers (Advanced Features switched on, Attribute Editor tab) should do the trick. The record that starts with SMTP contains users’ default reply-to address. The same address is the default SMTP address for users.
All the best,
Adam
I ran DirSync on one domain, contoso.com, but it appears that we need to change the local DC name from contoso.com to corpnet.contoso.com, which means I need to install another DC with the corpnet.contoso.com domain name. Can I run DirSync again on this new domain corpnet.contoso.com, adding the UPN of contoso.com in trust relationships, so users in O365 have the same UPNs, and will it synchronize again with the new domain and new domain controller?
Hi Peter,
Sounds like your solution should work. In case of problems try adding corpnet.contoso.com addresses as primary for your Office 365 users.
All the best,
Adam
@Hani
The synchronization of AD won’t set up your email in the Cloud automatically. You need to configure user mailboxes, assign Office 365 licenses and switch the MX records to your Office 365 tenant manually.
@Mitch
Great to hear that. I keep my fingers crossed for you!
Hi
I am trying to roll out AD in my company and manage it all on my local DC.
Currently I have my email on office 365 (cloud).
I am trying to move my email accounts from the cloud Office 365 to the local DC and then back to the cloud, but every time I do that it creates a new email account for my users that I can’t link to the original email addresses. I would prefer not to have 2 accounts for each user and be able to have just the current email accounts.
Can someone help or send me a link on where to find help?
Thanks
Just wanted to say that I really admire your article and the excellent help you provide folks! It’s pretty remarkable how available you have been!!
I’ll be using this article in a couple of weeks to help me through my own synch. I’m setting up a new AD environment (one Azure server as secondary AD and a local server as primary AD controller with a VPN between them) and synch users to O365 from there.
While I look forward to a smooth setup thanks to your help, I’ll probably come crying for assistance!! ;)
Keep up the great work!
Hi Adam! That’s Great and Helpful article.
I plan to change from Google Apps to O365. I prepared AD and the O365 portal. My question: if I sync with AD, will it activate mail directly and stop Google mail?
Hello, is there a PS command to find out what AD containers are selected for Syncing? Something that would allow me to send to our AD admins instead of Dirsync screenshots. Many thanks!
Hi John!
Unfortunately I am not aware of such a command. There are cmdlets available that check if the sync is enabled (or not), but I haven’t seen one that returns the names of synced AD containers.
I have also seen this script by Mike Crowley (MVP) that generates a quite detailed report about the DirSync status, however without listing the information you need.
Hi Again
Well, I’ve got it to $%#$@ work and it is syncing correctly. I just wanted to follow up on your statement to MAD below regarding the creation of mailboxes:
“– Next modify your sync job properties. Navigate to the Configure Attribute Flow in the left pane, then locate the msExchMailboxGUID on the list. Highlight it and on the bottom of the window locate the Delete button”
Does this need to be performed on all the data streams or just for User? And does it affect the on-premises Exchange connectivity in any way that you are aware of?
You are a legend, by the way, got me out of a tight jam :)
Hi Michael,
Sorry for the long wait, May Day took its toll:)
Answering your questions – you only need to perform this for User. Also, it should not affect your on prem Exchange connectivity in any way.
Good to hear I could help!
Michael,
Yes, that is correct – if your sync task transfers data from that particular OU, and you remove users (previously synced to the Cloud) from this OU, then the change will be replicated, and users visible in Office 365 should disappear. Just remember to remove licenses for these users in Office 365.
Regarding forced sync – try the following:
– In PowerShell, go to
C:\Program Files\Windows Azure Active Directory Sync\
– Enter the following command
.\DirSyncConfShell.psc1
– Next run
Start-OnlineCoexistenceSync
command.
Thanks so much for getting back to me – Unfortunately there is no Bin folder under Windows Azure Active Directory Sync, which is the one I have. Basically I have to move the users away from the original synced OU and allow it to sync again without them in there, is that correct?
The default 3 hour is approaching – will the selected users simply move to the recycle bin or will they be available for deleting?
To complement your solution I found this here:
http://blogs.technet.com/b/hot/archive/2011/12/01/how-to-remove-synced-users-from-cloud-side.aspx
But it is dated..
Hello Michael,
Try to run the following command in the CMD console, in the
C:\Program Files\Microsoft Azure AD Sync\Bin
folder:
DirectorySyncClientCmd
This forces a full data sync and replicates any changes up to your Office 365.
HELP! – I hope you see this tonight
I have the same problem as MAD, where I DirSynced with an onsite Exchange, not realising cloud mailboxes would not be created. I followed the steps you gave to MAD, but it doesn’t release or remove the users from the cloud. I can't delete them there either. Even though I followed your instructions and reset the sync intervals to 10 minutes, the portal shows last sync as four hours. I need to clean out the users and start again but I can't delete them – can you offer any more info? I’m pretty desperate…
Excellent post!! I have a question. I already have it working, but sometimes when I'm creating a new user it takes too long to synchronize with the cloud. So, is there any command in Windows Azure to synchronize the AD with the cloud whenever I want to?
Hi Ginger Saltos!
Yes, there is such a command.
First, launch the CMD console with elevated admin rights. Then navigate to the following location:
C:\Program Files\Microsoft Azure AD Sync\Bin
Next run this command to sync immediately:
DirectorySyncClientCmd
Hi Adam,
Did just what you said. Everything seems working good.
I Guess I’d let the users know we’re changing their passwords and set AD to force them to change it in the next login (will it do it on the 365 portal also?)
When I finish syncing passwords, does that mean SSO is now on, or should I do something else?
The Exchange mailboxes are meant to remain online. Are they safe, or could the sync process compromise them?
Thanks again
Hi Hernan,
Unfortunately the “User must change password at next login” option will not work in the Office 365 portal, and it might even cause problems: https://support.microsoft.com/en-us/kb/2855271
I think the best approach would be to turn that option off and ask your users to log into their domain workstations, and then change the password to the one of their choice. Then, after a couple of minutes that new password should be synced up to your Office 365.
Regarding mailboxes – the sync process will not compromise them, I asked just to clarify the scenario.
Hello!
We currently have the opposite situation: there’s an Office 365 cloud with 100 users, and we want to set up a new AD infrastructure on premises. I’ve already installed two 2012 R2 servers, one of them promoted to be the DC (and one will hold DirSync). I’ve managed to export/import users from 365 to AD, so now they’re equal (not including passwords, which are now generic for all on-premises users). All 365 users hold active Exchange mailboxes, and I’m trying to find the right way of continuing from this point, without compromising existing users & mailboxes, and without interrupting users’ work.
Thanks
Hello Hernan,
In your scenario it would be best to test the setup with only one user by moving him to a special test OU. Next, during the sync configuration you can select a specific Organizational Unit to be synced up to Office 365. This way you can check if everything is working OK with only one test user.
You said that your local users’ passwords are now generic – if you turn on the password sync it’ll overwrite your Office 365 passwords. Therefore, you need to decide between turning the password sync off and asking users to remember two passwords, or turning the password sync on after setting local passwords to be identical to the ones in the Cloud.
Additionally – you mentioned that all 365 users hold active exchange mailboxes. Does that mean that you moved these mailboxes down to your on-prem Exchange?
Hello! We allow our users to update their photos within 365. We use Active Directory photos for some of our other apps and services. Is there any way to configure dir sync to sync the O365 photo with the Photo Attribute in AD?
Hello Keith,
Unfortunately, syncing photos from Office 365 back to your local AD is not possible. As a workaround you can ask your users to send you their photos, and then you can use our free tool, CodeTwo Active Directory Photos, to load them into the on-prem AD.
Hi Ilianj,
Unfortunately there is no official way to perform such sync. DirSync works only one way, from on-prem to Cloud.
You would need to deploy local AD, create all users there and then establish the sync.
I think it is possible to export user data from Exchange Online via PowerShell (the Get-MsolUser command) into CSV and then use that CSV to create users in local AD so their information matches what’s already in Office 365.
Hi Adam,
Our organization is using the O365 Enterprise plan; however, there is an incoming project to create an on-premises AD and to leave only the Exchange functionality to O365. Is it possible to synchronize users, folders, etc. from O365 to the newly built AD, and how? Your advice is highly appreciated.
Hi Adam,
Thanks for your answering through my questions.
As far as I know, to set up the Hybrid deployment the user must subscribe to an Office 365 Enterprise plan. However, we have many users already using Office 365 Business Premium. So, is there any way we can do this?
My point is: leave existing users on the on-premises server and sign up only new users on Office 365 (using the same email domain name). Also, both existing (on-premises) and new users (on Office 365) can send emails, share calendars and use public folders together.
Hi Weerawat,
You are correct – you need Enterprise, Government, Academic or Midsize plan to deploy hybrid. I am afraid that the scenario you’ve described cannot be achieved, especially if it comes to public folders. You can share data to some degree between your on-prem and 365 deployments, however not public folders. Complete migration OR your 365 plan upgrade (to the one supporting hybrid) are IMHO possible solutions to this problem.
How long does an AD change take to show up in the 365 cloud? I made a change before I left one evening and the next morning it was there. I made a change this morning and it has been an hour and still no change in the cloud.
Hello Louis!
Normally the default sync interval is three hours. Let me know if the change is still not replicated, even after 3 hrs. Also – you can force-sync the process by running these commands in PowerShell:
Import-Module DirSync
and then
Start-OnlineCoexistenceSync
Hi Adam! That’s a great and helpful article. I think I would need your guidance on my next steps.
I am new to Office 365 and I now have a project coming from my boss: to manage the connection for our new users on Office 365 and the existing users on the local network, which is now an on-premises Exchange server.
– Currently we use On-Premises Exchange Server 2013, with approx. 70 user accounts. All users have their old email address and using shared data from the Server which is in same office/network.
However, from now on we plan to focus on cloud services. So, we will stop signing up new users on this Exchange Server. But we will subscribe all of them to Office 365 using the same domain.
My question is:
– In the same domain, can we have multiple locations for the email server? Some users on the on-premises Exchange Server and some users on Office 365?
If so, can you advise draft steps or an idea of how to set this up?
– Since users are in the same organization, how can they communicate with each other, between users on the on-premises server and users on Office 365?
– We want Office 365 users to be able to use shared files in the same network too, with the same username and password as they use to sign in to Office 365. Do we need to set up anything more, or does it require any license?
Hello Weerawat,
Answering your questions:
– Yes, it is absolutely possible to have such environment – it is called Hybrid Deployment:
– If you are talking about email communication it really depends on how you configure your Hybrid. Various options are available – centralized mail transport (or not-centralized), on-prem Exchange as a central mailflow point (or Office 365 as a central one) etc. No matter the option, once a hybrid is deployed your users will be able to communicate.
– If you are talking about simple network sharing – you do not have to do anything (maybe only setting up a VPN for those, who are not working in your local network). Let me know if I am missing the point.
What attribute do I need to remove from users in AD if I don’t want them synced with O365?
Say I have 10 users in an OU; 5 of them have the email address (mail) specified as [email protected] and userPrincipalName as [email protected], and the last 5 users have nothing in the ‘mail’ attribute (they don’t require a mailbox) and userPrincipalName set as [email protected] (note @companydomain.com is different from the mail domain name).
When I sync the whole OU, I get 5 users with correct email address and 5 with [email protected].
I need to remove an attribute from these users, but which one? Or is there a better way to manage that? Moving users to diff OUs is out of the question.
Thank you.
Hello Martin,
You can exclude specific users from the sync scope by adding the e.g. “nosync” string in the custom attribute field for each of these users. Once you enter this custom value for each user you do not want to sync, open Sync Service Manager, click Management Agents and then double-click SourceAD. Next go to Configure Connection Filter, highlight the User position on the list and then click the New button below. In the next window select extensionAttribute1 from the list – make sure to choose the one that you populated with the “nosync” phrase in users’ properties (if you entered “nosync” in e.g. Custom Attribute 5, then you need to select extensionAttribute5 from the list). Then select the Equals operator and in the Value field enter “nosync”. Click Add Condition, then OK. Lastly on the Management Agent tab, right-click SourceAD, click Run, then click Full Import Full Sync and then OK;
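The attribute-based exclusion described in this answer, as an added PowerShell example (not from the original post or CodeTwo): it covers only the AD side (stamping the marker on mailbox-less users and reporting who will sync), while the connection filter in Sync Service Manager is still configured as described above; the OU DN, the attribute number and the marker string are constructed placeholders, and the ActiveDirectory module is assumed.

```powershell
# Added example (not from the original post or CodeTwo). Tags every user in one OU that
# has an empty 'mail' attribute with extensionAttribute1 = 'nosync', the value the
# SourceAD connection filter described above matches on, so they stay out of the sync
# scope without being moved to another OU. Constructed placeholders: OU DN, attribute
# number and marker string. The filter itself is still set in Sync Service Manager.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'OU=Users,DC=companydomain,DC=com',  # constructed placeholder
    [string]$Attribute  = 'extensionAttribute1',               # "Custom Attribute 1"
    [string]$Marker     = 'nosync'
)
Import-Module ActiveDirectory

$users = Get-ADUser -Filter * -SearchBase $SearchBase `
            -Properties mail, userPrincipalName, $Attribute

$report = foreach ($u in $users) {
    $hasMail  = -not [string]::IsNullOrWhiteSpace($u.mail)
    $isTagged = ($u.$Attribute -ieq $Marker)
    $action   = 'none'

    if (-not $hasMail -and -not $isTagged) {
        # No mailbox needed: stamp the marker so the connection filter drops the user.
        $action = "set $Attribute=$Marker"
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, $action)) {
            Set-ADUser -Identity $u -Replace @{ $Attribute = $Marker }
        }
    } elseif ($hasMail -and $isTagged) {
        # Tagged but now has a mail address: do not change it silently, flag it for review
        # so a user who later needs a mailbox is not left excluded by accident.
        $action = "review: has mail but is tagged $Marker"
    }

    [pscustomobject]@{
        User     = $u.SamAccountName
        UPN      = $u.UserPrincipalName
        Mail     = $u.mail
        WillSync = ($hasMail -and -not $isTagged)
        Action   = $action
    }
}

# Review list: who will and who will not flow to Office 365 once the filter is in place.
$report | Sort-Object WillSync, User | Format-Table -AutoSize
```

Run it with -WhatIf first to see the planned changes without writing to AD; the final table is what you would hand to the AD admins as the intended sync scope.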
Hi. Great article, thanks. I recently moved a small organization to Office 365. I imported their accounts from AD (SBS 2011) using a CSV. I then ran Migration Wizard to migrate their Exchange accounts. All is working well, but the last piece is setting up DirSync so that the users can use their domain passwords to log in to O365. I’m not interested in SSO, just password sync. They do not have another domain-joined machine so I’m going to take a chance and try DirSync on the domain controller (yes, I know it's not recommended, but I kinda don’t have a choice as the client only has the one server).
My question is: Do I need to be concerned that the existing O365 accounts might be corrupted when the sync kicks off? Better yet..can I test a sync with just one user once I get it installed?
Thanks
Hi Mike,
Firstly – yes, you can sync just one user for testing purposes. As described in the article you can select a particular OU for the sync task. So it is a matter of moving one user to a different OU and then performing a sync of that OU. Regarding your account corruption concern – since you’ve created users using your actual AD data, there should be no problem. Bear in mind that all users' AD properties present in the local environment will be synced up to Office 365 (e.g. phone numbers, personal info etc.).
Lastly – be aware that passwords synced from your on-prem server will never expire on Office 365. Even if they expire and stop working locally, they’ll be still useful in Office 365 portal.
Moving to another OU will not work. You need to sync these users from scratch with a modified sync job. In short – you need to stop the sync for already synced users, reconfigure it and sync again:
– Remove all already synced users from the sync scope and wait for the change to be replicated up to the Office 365.
– Purge deleted users in Office 365 by running the following PowerShell commands (while connected to Office 365 PS console):
1. Get-MsolUser -ReturnDeletedUsers
2. Get-MsolUser -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin -Force
– Next modify your sync job properties. Navigate to the Configure Attribute Flow in the left pane, then locate the msExchMailboxGUID on the list. Highlight it and on the bottom of the window locate the Delete button, then click it.
– Include all the users you want to recreate in Office 365 in the sync scope, and then run the sync.
Once it’s done you should be able to create mailboxes in Office 365 for the replicated users.
Let me know how it went, Mad!
Awesome. Thank you Adam. They disappeared within a couple of hours.
Another issue – I set up DirSync per this article first and replicated users to o365. Now I can’t create mailboxes as the users have the on prem msExchMailboxGUID in their profile.
How can I remove this attribute so I can run CodeTwo without mucking with my local Exchange?
If I move the users to another OU (or just don’t replicate them via DirSync) they are still “there” in O365 with all attributes.
Try to remove the license for this particular user in Office 365, next remove him/her from the syncing scope in DirSync, lastly – wait for the sync to occur.
Let me know if that helped.
How would one “if you remove a user from the syncing task, you need to remove this particular account directly in the Office 365 administration panel”
The Delete button is grayed out…
Hi Frank,
That is correct – as long as you are syncing data from your local AD you need to manage aliases there. When you disable sync and decommission your Exchange you can manage users’ aliases directly in 365 administration console:
https://support.office.com/en-NZ/Article/Add-an-email-alias-to-a-user-account
Hi,
great article.
I have 10 users already present in the Office 365 portal; local clients already use the new profile in Outlook. Now I want to activate Azure AD Sync – the UPN matches the local users – synchronisation works fine. The only thing that bothers me: I can only add aliases to users in my on-premises environment?? What if I uninstall my current Exchange??
Thanks!
Hello Liam,
DirSync won’t do that – if you remove a user from the syncing task, you need to remove this particular account directly in the Office 365 administration panel.
So the answer is – log into your Office 365 administration panel and remove manually all unwanted users, that were synced from your local AD.
I have a question. We have DirSync setup and we allowed it to sync all directories at initial set-up, we have now realised this is/was a bad idea as it’s pulled a LOT of users up that won’t be using O365. So my question is now I have set-up OU specific syncing, what happens to the unwanted users that are already in O365 but are no longer set to be synced? Also what happens to their assigned licenses? Are the users deleted and licenses revoked?
Thanks in advance!
Hi!
@Jaco Nel – check step 12 of the guide above – you simply mark the Enable Password Sync checkbox in the Configuration Wizard to activate that service.
@lunchroom – If you enable password sync, it’ll overwrite existing Office 365 passwords. All users will still be able to work, as this action does not log them out from the Office 365 service, however they would need to provide the new (synced from AD) passwords as soon as the cloud service requires them to re-authenticate.
Regarding the user that does not exist in AD – you would need to manage his/her password directly in Office 365 or create a corresponding user in local AD.
@Michael – Passwords are synced every two minutes so they are overwritten in Office 365 quite fast. However, as mentioned above, password sync does not impact currently logged on users. New password is required next time they try to log on.
I have the same question as above. If I enable this now with users that are already using Office 365, what will the users experience? Will it impact their passwords right away? What am I about to break? :)
I’ve been using O365 in my organization for 3 years now and have about 130 users. I’d like to setup and start using AD Sync so that users have one password instead of two. How do I go about initiating sync now, making sure it doesn’t “break” my existing 130 users? And, can a user exist in O365 that doesn’t exist in AD (I have a service account just for automated sending of emails)? Thanks in advance for your knowledge.
Very helpful. I feel confident on the way forward. How do you activate the service to check for password changes on your domain? That is to update the changed password to Office 365.
Not all my users are located in the same place and most of them don't have access to the AD, so they will probably need to change their passwords through Office 365. So is there a way to sync only from O365 to AD? Thanks in advance.
Hello Mohamed,
The sync is one way only, from AD to 365. The bigger question is – why would you want to allow the user to reset his/her own password? Correct me if I am missing the point, however it seems normal for the end user to have no direct access to the AD and to leave all these duties to the Administrator.
Thanks for this article, very helpful! Is it possible to sync based on security group OR to sync a few people in an OU without having to sync the entire OU? We are still in the testing phase of migrating to Office 365, so just want to activate a few people at a time.
Hello Marques!
Yes, it is possible to filter out specific users based on their AD attributes. Check out this article for details: https://technet.microsoft.com/en-us/library/jj710171.aspx
Great article, thanks very much. I did have one important question. I currently have the same naming structure for my local AD and for the Office 365. I want to sync so I can enable single sign on but I’m afraid once I sync it will overwrite the users that are currently in Office 365. Will this overwrite my Office 365 users? I’m hoping it will merge them together so I don’t have to reconfigure every users in Office 365.
Thanks!
Hello Tim,
I could not find specific information on this. Even MS is quite vague: “Before you reactivate directory synchronization, it’s a best practice to back up your cloud user object data. You should make a backup even if you have made minimal changes to user objects since you last deactivated directory synchronization.”
I would assume that since dirsync is a one-way operation it would overwrite your Cloud information with the on-prem data. Hence Microsoft’s advice to backup.
You can find more details on this here:
http://msdn.microsoft.com/en-us/library/azure/jj863117.aspx
http://support.microsoft.com/kb/2641663
Hello JB!
As mentioned before – the direction of the synchronization of passwords is from the local AD to Office 365. In other words contents of AD will be replicated to the Cloud.
Hi Marcello,
This is a very nice and helpful article.
Just a question please :
Our Office 365 and AD usernames are different as we are using Google Apps for mail. Will this password sync work for Office 365 and AD? Or will the contents of AD be replicated/exported to the Office 365 cloud?
Hi Marcello,
The sync is one way – from local to cloud. Same rule applies to passwords, as they are pulled from the local AD and applied in Office 365. So if you change your password in Office 365 it’ll be overwritten with the value from your AD shortly.
Hi, I have a question. If I change password in Office365 the change is also replicated in my on-premises AD or not? I mean sync is only one way or two way?
Thanks
Hi Dan!
Unfortunately there is no other way than PowerShell or logging directly into the DirSync server. There is no GUI tool.
Good article, thanks. Quick question about these tools.
I’ve been able to install and configure my DirSync server successfully. However, is there a console (UI) that I can use on Windows 7 or 8, or some way to see the current DirSync status, history, etc. w/o having to log on to the DirSync server to do it (UI, not PowerShell)?
Thanks
Many thanks for the article Adam it helps a lot…Cheers!