Module 17: Office 365 Active Directory Synchronization

Upload: beto

Post on 09-Jul-2016

Page 1: M17_O365_AADConnect_v1.4

Module 17: Office 365 Active Directory Synchronization

Presenter Name
Presenter Role

Page 2: M17_O365_AADConnect_v1.4

Conditions and Terms of Use

Microsoft Confidential

This training package is proprietary and confidential, and is intended only for uses described in the training materials. Content and software is provided to you under a Non-Disclosure Agreement and cannot be distributed. Copying or disclosing all or any portion of the content and/or software included in such packages is strictly prohibited.

The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.

Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft must respond to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Copyright and Trademarks © 2014 Microsoft Corporation. All rights reserved.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in a written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

For more information, see Use of Microsoft Copyrighted Content at http://www.microsoft.com/about/legal/permissions/

Microsoft®, Internet Explorer®, Outlook®, SkyDrive®, Windows Vista®, Zune®, Xbox 360®, DirectX®, Windows Server® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Page 3: M17_O365_AADConnect_v1.4


Overview

This module covers the integration of an on-premises Active Directory with the Azure Active Directory through the use of the Azure AD Connect tool, including:
• Purpose – What does it do?
• Requirements
• Permissions
• Understanding Synchronization
• Key Deployment Considerations

Page 4: M17_O365_AADConnect_v1.4


Objectives

This module will cover:
• Directory synchronization overview
• The Azure AD Connect tool
• Preparing the on-premises Active Directory for directory synchronization
• Password synchronization

Page 5: M17_O365_AADConnect_v1.4


What is the Azure AD Connect Tool?

• Azure AD Connect is the single tool and experience for connecting and synchronizing your on-premises directories to Azure Active Directory
• Designed as a software-based appliance
  • Set it and forget it
  • Relies on Forefront Identity Manager 2010 R2 (aka FIM)
  • Bundled with SQL Server 2012 Express LocalDB
• Enables a unified Global Address List (GAL) experience between your on-premises organization and Office 365, as well as:
  • The ability to manage all Active Directory user accounts on-premises
  • The ability to synchronize on-premises Active Directory password hashes
  • All account changes replicate automatically to Office 365
  • Required for single sign-on (ADFS)
  • Required for Exchange Hybrid Deployment or Staged Migration

Page 6: M17_O365_AADConnect_v1.4


Synchronization Direction

• Directory synchronization is mostly one way, to Azure Active Directory
• Hybrid requires 7 attributes to be written back to the on-premises user objects for coexistence purposes
• Password write-back capability (requires Azure AD Premium license)
• The on-premises AD is the authoritative source for all changes
  • Delete a user on-premises and directory synchronization will delete the corresponding user in Office 365

Page 7: M17_O365_AADConnect_v1.4


Software Requirements

System requirements:
• Windows 2008, 2008 R2, 2012 and 2012 R2 supported
• Microsoft .NET Framework 4.5
• Windows PowerShell 3.0 or newer

Additional requirements:
• Standalone, member server or a domain controller
• Local Administrator to install AADSync
• Azure AD account with the "Global Administrator" role

The following components are installed automatically:
• Forefront Identity Manager 2010 R2
• Microsoft SQL Server Express 2012 LocalDB (a light version of SQL Server Express)
• Microsoft Online Services Sign-in Assistant

Page 8: M17_O365_AADConnect_v1.4


Network Requirements

• Synchronization with Office 365 occurs securely over HTTPS port 443

• Internal network communication will use typical Active Directory related ports

Page 9: M17_O365_AADConnect_v1.4


Hardware Recommendations and Directory Service Quota

• SQL Server Express has a 10 GB size limit that enables you to manage approximately 100,000 objects

Number of objects in Active Directory   CPU       Memory   Hard disk size
Fewer than 10,000                       1.6 GHz   4 GB     70 GB
10,000–50,000                           1.6 GHz   4 GB     70 GB
50,000–100,000                          1.6 GHz   16 GB    100 GB
100,000–300,000                         1.6 GHz   32 GB    300 GB
300,000–600,000                         1.6 GHz   32 GB    450 GB
More than 600,000                       1.6 GHz   32 GB    500 GB

Page 10: M17_O365_AADConnect_v1.4


Directory Service Object Quota

The default directory service quota is calculated according to the following guidelines:
• If you don't have any verified domains, the current directory service quota in Windows Azure AD is 50,000 objects
• If you have at least one verified domain, the default directory service quota in Windows Azure AD is 300,000 objects

What happens when the quota is exceeded?
016: Synchronization has been stopped. This company has exceeded the number of objects that can be synchronized. Contact Microsoft Online Services Support.

Page 11: M17_O365_AADConnect_v1.4


Azure AD Connect credentials and permissions

• Express Setup: requires more privileges, so that setup is easier and you do not have to create users or configure permissions separately
• Credentials collected during Express Setup: see the table below
• Custom Setup: offers more choices and options, but has situations where you need to ensure you have the correct permissions yourself

Wizard page: Connect to Azure AD
  Credentials collected: Azure AD directory credentials
  Permissions required: Global administrator role in Azure AD
  Used for: Enabling sync in the Azure AD directory; creation of the Azure AD account that will be used for on-going sync operations in Azure AD

Wizard page: Connect to AD DS
  Credentials collected: On-premises Active Directory credentials
  Permissions required: Member of the Enterprise Admins (EA) group in Active Directory
  Used for: Used as the local AD Connector account, that is, the account that reads and writes the directory information for synchronization

Wizard page: N/A
  Credentials collected: Logon credentials of the user running the wizard
  Permissions required: Administrator of the local server
  Used for: The wizard creates the AD account that will be used as the sync service logon account on the local machine

Page 12: M17_O365_AADConnect_v1.4


Summary of the accounts that are created by Azure AD Connect

Account created: Azure AD account for sync
  Permissions assigned: Dedicated Directory Synchronization Role
  Used for: On-going sync operations (Azure AD MA account)

Account created: Express Settings: AD account used for sync
  Permissions assigned: Read/write permissions on the directory as required for sync + password sync
  Used for: On-going sync operations (Azure AD MA account)

Account created: Express Settings: sync service logon account
  Permissions assigned: Logon credentials of the user running the wizard
  Used for: Sync service logon account

Account created: Custom Settings: sync service logon account
  Permissions assigned: NA
  Used for: Sync service logon account

Account created: AD FS: GMSA account (aadcsvc$)
  Permissions assigned: Domain user
  Used for: FS service logon account

Page 13: M17_O365_AADConnect_v1.4


Objects that Synchronize

The Azure AD Connect tool synchronizes the following objects:
• All Active Directory users
  • Synchronized as logon-enabled, though with no license assigned
  • Mailbox-enabled users are synchronized as mail-enabled users
• Mail-enabled contacts
• Mail-enabled groups

The Azure AD Connect tool does not synchronize:
• Built-in administrative user accounts
• Built-in administrative groups
• Exchange System Mailbox accounts
• Dynamic distribution groups
• Mail-enabled public folder objects

Page 14: M17_O365_AADConnect_v1.4


Objects that Do Not Synchronize

Contact objects:
• DisplayName contains "MSOL" AND msExchHideFromAddressLists = TRUE
• mailNickName starts with "CAS_" AND mailNickName contains "{"

SecurityEnabledGroup objects:
• isCriticalSystemObject = TRUE
• mail is present AND displayName is not present
• Group has more than 15,000 immediate members

MailEnabledGroup objects:
• DisplayName is empty
• (ProxyAddress doesn't have a primary SMTP address) AND (mail attribute isn't present/invalid, i.e. indexOf('@') <= 0)
• Group has more than 15,000 immediate members

Page 15: M17_O365_AADConnect_v1.4


Objects that Do Not Synchronize (continued)

Object is a conflict object (DN contains \0CNF:)

User objects:
• mailNickName starts with "SystemMailbox{"
• mailNickName starts with "CAS_" AND mailNickName contains "{"
• sAMAccountName starts with "CAS_" AND sAMAccountName contains "}"
• sAMAccountName equals "SUPPORT_388945a0"
• sAMAccountName equals "MSOL_AD_Sync"
• sAMAccountName is not present
• isCriticalSystemObject is not present
• msExchRecipientTypeDetails == 0x1000 OR 0x2000 OR 0x4000 OR 0x400000 OR 0x800000 OR 0x1000000 OR 0x20000000

Page 16: M17_O365_AADConnect_v1.4


Mandatory Attributes

• Objects must contain values in the following core attributes to be considered for synchronization to Office 365 by Azure AD Connect:
  • cn
  • member (applies only to groups)
  • samAccountName (applies only to users)
  • alias (applies only to groups and contacts)
  • displayName (for groups with a mail or proxyAddresses attribute populated)
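As an added pre-sync check (example code, not part of the module), the user-object exclusion rules on the two preceding slides and the mandatory attributes above can be evaluated against on-premises objects before the first sync cycle; the contoso.com verified domain, the sample accounts and their UPNs are constructed for the example.

```powershell
# Added example, not from the training module: evaluates an on-premises user object against the
# user exclusion rules and mandatory attributes listed on the slides, plus the UPN suffix
# guidance from the deployment considerations. Property names mirror the AD attribute names.

function Test-AadSyncUser {
    param(
        [Parameter(Mandatory = $true)] [psobject] $User,
        # Domains verified in the tenant; 'contoso.com' is a constructed example value
        [string[]] $VerifiedDomains = @('contoso.com')
    )
    $excluded = New-Object System.Collections.Generic.List[string]
    $warnings = New-Object System.Collections.Generic.List[string]

    # Conflict objects are never synchronized
    if ($User.distinguishedName -like '*\0CNF:*') { $excluded.Add('conflict object (\0CNF: in DN)') }

    # Exchange system mailboxes and CAS objects
    if ($User.mailNickname -like 'SystemMailbox{*') { $excluded.Add('mailNickName starts with SystemMailbox{') }
    if ($User.mailNickname -like 'CAS_*' -and $User.mailNickname -like '*{*') { $excluded.Add('CAS_ mailNickName') }
    if ($User.sAMAccountName -like 'CAS_*' -and $User.sAMAccountName -like '*}*') { $excluded.Add('CAS_ sAMAccountName') }

    # Well-known accounts named on the slide
    if ($User.sAMAccountName -in 'SUPPORT_388945a0', 'MSOL_AD_Sync') { $excluded.Add("well-known account $($User.sAMAccountName)") }

    # Mandatory attributes: sAMAccountName and cn need values, isCriticalSystemObject must be present
    if ([string]::IsNullOrEmpty($User.sAMAccountName)) { $excluded.Add('sAMAccountName not present') }
    if ([string]::IsNullOrEmpty($User.cn)) { $excluded.Add('cn not present') }
    if ($null -eq $User.isCriticalSystemObject) { $excluded.Add('isCriticalSystemObject not present') }

    # Excluded Exchange recipient types (the msExchRecipientTypeDetails values from the slide)
    $excludedTypes = 0x1000, 0x2000, 0x4000, 0x400000, 0x800000, 0x1000000, 0x20000000
    if ($null -ne $User.msExchRecipientTypeDetails -and ([int64]$User.msExchRecipientTypeDetails -in $excludedTypes)) {
        $excluded.Add('msExchRecipientTypeDetails 0x{0:X}' -f [int64]$User.msExchRecipientTypeDetails)
    }

    # Not an exclusion, but a deployment consideration: an unverified or non-routable UPN suffix
    # means the cloud UPN falls back to sAMAccountName@<tenant>.onmicrosoft.com
    $upnSuffix = if ($User.userPrincipalName) { ($User.userPrincipalName -split '@')[-1] } else { '' }
    if ($upnSuffix -notin $VerifiedDomains) {
        $warnings.Add("UPN suffix '$upnSuffix' is not a verified domain; the cloud UPN will use the default routing domain")
    }

    [pscustomobject]@{
        sAMAccountName = $User.sAMAccountName
        WillSync       = ($excluded.Count -eq 0)
        Excluded       = $excluded.ToArray()
        Warnings       = $warnings.ToArray()
    }
}

# Constructed sample objects shaped like Get-ADUser -Properties output (the first DN is the one
# used on the module's event-log slide; the accounts and UPNs are constructed)
$samples = @(
    [pscustomobject]@{ sAMAccountName = 'vhanson'; cn = 'Viola Hanson'; mailNickname = 'vhanson'
                       isCriticalSystemObject = $false; msExchRecipientTypeDetails = 1
                       userPrincipalName = 'vhanson@contoso.com'
                       distinguishedName = 'CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local' },
    [pscustomobject]@{ sAMAccountName = 'MSOL_AD_Sync'; cn = 'MSOL_AD_Sync'; mailNickname = $null
                       isCriticalSystemObject = $false; msExchRecipientTypeDetails = $null
                       userPrincipalName = 'MSOL_AD_Sync@contoso.local'
                       distinguishedName = 'CN=MSOL_AD_Sync,CN=Users,DC=contoso,DC=local' },
    [pscustomobject]@{ sAMAccountName = 'SM_constructed'; cn = 'SystemMailbox{constructed}'; mailNickname = 'SystemMailbox{constructed}'
                       isCriticalSystemObject = $false; msExchRecipientTypeDetails = 0x1000
                       userPrincipalName = 'SM_constructed@contoso.local'
                       distinguishedName = 'CN=SystemMailbox{constructed},CN=Users,DC=contoso,DC=local' }
)
$samples | ForEach-Object { Test-AadSyncUser -User $_ } | Format-List

# Against a live directory the extra attributes must be requested explicitly, otherwise the
# "not present" checks fire for every object:
# Get-ADUser -Filter * -Properties cn, mailNickname, isCriticalSystemObject, msExchRecipientTypeDetails |
#     ForEach-Object { Test-AadSyncUser -User $_ -VerifiedDomains 'contoso.com' } |
#     Where-Object { -not $_.WillSync -or $_.Warnings.Count -gt 0 }
```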

Page 17: M17_O365_AADConnect_v1.4


DirSync and Account Status

Active Directory: Mailbox-enabled account
  DirSync action: Create account
  Office 365: Creates a mail-enabled user. *Assigning a license will not create a mailbox, as the msExchMailboxGUID attribute is populated on-premises

Active Directory: Non-mail-enabled account
  DirSync action: Create account
  Office 365: Creates a user. *Assigning a license will create a mailbox

Active Directory: Modify account
  DirSync action: Make changes to an existing account
  Office 365: Update changes

Active Directory: Delete account
  DirSync action: Delete account
  Office 365: Account and mailbox deleted and license removed

Active Directory: Disabled account
  DirSync action: Disable account
  Office 365: Sign-in blocked, but the account still retains a license and mailbox

Page 18: M17_O365_AADConnect_v1.4


High Level Architecture Overview

[Architecture diagram. On-prem identity bridge: Identity Manager, AD DS, HR and other apps, connected to the cloud by AAD Sync, or AAD Connect, or DirSync, or FIM w/ Connector, or MIM 2016. Microsoft cloud: Admin Web Service (AWS), Cloud Sync Fabric, Azure Active Directory (AAD), and tenant forests for EXO, LYO, SPO, etc. SaaS apps: Google, Box, Salesforce, others.]

Page 19: M17_O365_AADConnect_v1.4


Core AAD Connect Concepts

UserPrincipalName:
• Used to sign in to the cloud services
• Recommended to be the same as the user's primary SMTP address
• Needs to use a domain suffix that is registered and verified in the tenant
• Critical for successful single sign-on using AD FS
• If missing, is constructed as: sAMAccountName + "@" + Microsoft Online Default Domain (i.e. [email protected])

SourceAnchor:
• Used as the immutable identifier for any given object that is synchronized between on-premises and Office 365
• Base64-encoded value generated from the AD object's on-premises ObjectGUID
• Providing the AD object is never deleted, the ObjectGUID will never change
• SourceAnchor is the DirSync term and ImmutableID is the ADFS term

Page 20: M17_O365_AADConnect_v1.4


Source of Authority

• Refers to the location where Active Directory objects are mastered (on-premises or Office 365)

• Activating directory synchronization and installing Azure AD Connect makes the on-premises Active Directory the source of authority

• Once enabled, changes to objects replicated to Office 365 can only be made on-premises

• Deactivating directory synchronization transfers the source of authority back to the Azure AD

Page 21: M17_O365_AADConnect_v1.4


Hard Match vs. Soft Match

For attribute updates, the Admin Web Service must identify which Azure AD object to act upon:
• Hard match is attempted first:
  • Checks whether an object already exists with the same SourceAnchor value (ObjectGUID) as the on-premises AD object
• Soft match if no hard match is found:
  • Authoritatively matches an object in Office 365 with the on-premises object through a matching ProxyAddresses value
  • If a match exists, stamps the ObjectGUID from on-premises as the base64-encoded SourceAnchor attribute in the Azure AD Connect database
  • SourceAnchor flows into the Azure Active Directory object's ImmutableID, allowing Source of Authority transfer from Office 365 to on-premises
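The ObjectGUID-to-SourceAnchor mapping from the Core AAD Connect Concepts slide and the hard-match comparison above, as an added example (not the module's or Microsoft's code); the GUIDs and the contoso.com user are constructed, and the anchor decoded at the end is the one quoted in the module's Event ID 656 example.

```powershell
# Added example, not from the training module: derive the SourceAnchor/ImmutableID from an
# on-premises ObjectGUID, reverse it, and perform the hard-match comparison.

function ConvertTo-SourceAnchor {
    param([Parameter(Mandatory = $true)] [guid] $ObjectGuid)
    # The 16 raw GUID bytes, base64-encoded: this is what DirSync stamps as SourceAnchor and
    # what Azure AD stores as ImmutableID (always 24 characters ending in '==')
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-SourceAnchor {
    param([Parameter(Mandatory = $true)] [string] $SourceAnchor)
    $bytes = [Convert]::FromBase64String($SourceAnchor)
    if ($bytes.Length -ne 16) { throw "Not an ObjectGUID-based anchor: $SourceAnchor" }
    New-Object -TypeName System.Guid -ArgumentList (,$bytes)
}

function Test-HardMatch {
    # True when the cloud object's ImmutableID equals the anchor derived from the on-premises ObjectGUID
    param(
        [Parameter(Mandatory = $true)] [guid]   $OnPremObjectGuid,
        [Parameter(Mandatory = $true)] [string] $CloudImmutableId
    )
    (ConvertTo-SourceAnchor -ObjectGuid $OnPremObjectGuid) -ceq $CloudImmutableId
}

# Constructed on-premises object and the ImmutableID its cloud counterpart would carry
$originalGuid = [guid]'6f4c5c1a-2d3e-4f50-9a6b-7c8d9e0f1a2b'
$immutableId  = ConvertTo-SourceAnchor -ObjectGuid $originalGuid
"ImmutableID for $originalGuid is $immutableId"

# Hard match for the original object
Test-HardMatch -OnPremObjectGuid $originalGuid -CloudImmutableId $immutableId

# The accidental-delete scenario from the later slides: a user re-created on-premises (instead of
# restored from the AD Recycle Bin) gets a new ObjectGUID, so the hard match fails and the next
# sync cycle creates a second cloud user instead of recovering the original one
$recreatedGuid = [guid]::NewGuid()
Test-HardMatch -OnPremObjectGuid $recreatedGuid -CloudImmutableId $immutableId

# Round trip of the anchor quoted in the module's Event ID 656 example
ConvertFrom-SourceAnchor -SourceAnchor 'H552hI9GwEykZwof74JeOQ=='

# Live comparison (MSOnline module connected; Get-MsolUser exposes ImmutableId):
# $cloud = Get-MsolUser -UserPrincipalName 'vhanson@contoso.com'
# $ad    = Get-ADUser -Identity vhanson
# Test-HardMatch -OnPremObjectGuid $ad.ObjectGUID -CloudImmutableId $cloud.ImmutableId
```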

Page 22: M17_O365_AADConnect_v1.4


Sync Overview: On-Premises

AAD Connect uses two management agents:
• "Active Directory Connector" management agent
• "Azure Active Directory" management agent

AAD Connect stores information in two places:
• Connector Space
• Metaverse

Connector Space:
• Replica of the managed objects in the Active Directory
• Each management agent or connector has its own connector space

Metaverse:
• Aggregate information about a managed object (i.e. user, group, etc.)

Synchronization data flow:
• User is imported from AD into the Active Directory Connector connector space
• User is projected to the Metaverse
• User is provisioned to the Azure Active Directory Connector space
• User is exported to the Office 365 Admin Web Service

Page 23: M17_O365_AADConnect_v1.4


Sync Overview: On-Premises (continued)

Synchronization data flow:


[Diagram: AD DS → CONNECTOR → CONNECTOR SPACE → INBOUND SYNC RULE → METAVERSE → OUTBOUND SYNC RULE → CONNECTOR SPACE → CONNECTOR → Azure AD, with each connector having its own connector space. Run profiles and steps: Full Import, Delta Import, Full Synchronization, Delta Synchronization, Export.]

Page 24: M17_O365_AADConnect_v1.4


Sync Overview: Office 365

The Office 365 Admin Web Service receives the object data from AAD Connect:
• Import from AAD Connect:
  • Only specific attributes defined in FIM are synchronized for each object
• Validate that changed data is not corrupted at the attribute level:
  • Data is normalized using "_" for UPN and SamAccountName
  • Otherwise, when an update is invalid for an attribute, a rejection email is sent to the tenant contact
• If an update is a user account creation event:
  • Admin Web Service attempts to create an account for the user
  • Failure causes a reject email to be sent to the tenant contact

Page 25: M17_O365_AADConnect_v1.4


Sync Overview: Office 365 (continued)

• If an update is an attribute change event:
  • Hard-match process to verify the object already exists in Azure AD
  • Hard-match failure causes a reject email to the AAD Connect administrator
• Ships data to the Azure Active Directory:
  • Object creations and hard-matched object updates are pushed at the attribute level

Page 26: M17_O365_AADConnect_v1.4


Forward and Back Sync

Forward-sync from Azure Active Directory to individual services:
• Each online application in Office 365 has its own directory service
• Once an object is changed in Azure AD, constantly running synchronization daemons parse the relevant changes and ship them to these services' directory partitions
• Can cause delay in applications becoming available to newly commissioned accounts/users

Page 27: M17_O365_AADConnect_v1.4


Forward and Back Sync (continued)

Back-Sync/Write-Back:
• There are certain attributes for the Exchange Online (ExO) service that require reverse propagation to the on-premises environment for Exchange co-existence features to work
• Back-Sync: Data is changed in the ExO partition and then synced back to Azure AD using daemons similar to those used for forward-sync
• Write-back: Data is shipped from Azure AD, back through the Admin Web Service, to the AAD Connect service using bi-directional FIM functionality
• AAD Connect updates the local AD objects with these updated attributes

Page 28: M17_O365_AADConnect_v1.4


Write Back Attributes

Attributes that are written back to the on-premises Active Directory from Azure Active Directory in an Exchange Hybrid deployment scenario:

Write-back attribute: msExchArchiveStatus
  Exchange "full fidelity" feature: Online Archive: Enables customers to archive mail.

Write-back attribute: msExchUCVoiceMailSettings
  Exchange "full fidelity" feature: Enable Unified Messaging (UM) Online voice mail: This attribute is used only for UM-Microsoft Lync Server integration to indicate to Lync Server on-premises that the user has voice mail in online services.

Write-back attribute: msExchUserHoldPolicies
  Exchange "full fidelity" feature: Litigation Hold: Enables cloud services to determine which users are under Litigation Hold.

Write-back attribute: ProxyAddresses (LegacyExchangeDN as X500)
  Exchange "full fidelity" feature: Enable Mailbox: Offboards an online mailbox back to on-premises Exchange.

Write-back attributes: msExchSafeSendersHash, msExchBlockedSendersHash, msExchSafeRecipientsHash
  Exchange "full fidelity" feature: Filtering: Writes back on-premises filtering and online safe and blocked sender data from clients.

Page 29: M17_O365_AADConnect_v1.4


Microsoft Online Default Routing Domain

The Microsoft Online Default Routing Domain is constructed from the tenant name (contoso.onmicrosoft.com):
• All Office 365 users receive this domain as an email address in a non-hybrid scenario
• This special email address is inextricably linked to each Exchange Online recipient
• The domain cannot be managed, changed, or deleted
• The email address can be overridden as the primary SMTP address by using the attributes in the on-premises Active Directory user object, but will always remain as a user's secondary SMTP address

Page 30: M17_O365_AADConnect_v1.4


AAD Connect and SMTP Addresses

Active Directory Attribute Active Directory Value Office 365 Value

proxyAddresses SMTP:[email protected] SMTP:[email protected]:[email protected]

proxyAddresses smtp:[email protected] SMTP:[email protected]:[email protected]

proxyAddresses SMTP:[email protected]:[email protected]

SMTP:[email protected]:[email protected]:[email protected]

mail [email protected] SMTP:[email protected]:[email protected]

UserPrincipalName [email protected] SMTP:[email protected]:[email protected]

Page 31: M17_O365_AADConnect_v1.4


AAD Connect Process

1. Prepare the on-premises Active Directory
   • Account and attribute clean-up (IdFix)
   • UPN of users matches the federated domain (if using ADFS)
2. Create and verify your custom domain(s)
3. Set up identity federation (if applicable)
4. Enable directory synchronization in the portal or via PowerShell: Set-MSOLDirSyncEnabled -EnableDirSync $True
5. Download and run directory synchronization
6. Verify the synchronization was successful
7. Activate users by assigning them a license in the portal or via PowerShell

Page 32: M17_O365_AADConnect_v1.4


Estimating Synchronization Time

*Actual times may vary depending on activity and environmental factors such as available bandwidth, object count and throttling by the service

Page 33: M17_O365_AADConnect_v1.4


Password Sync Overview

• Password Synchronization is the process of copying a customer's on-premises password hash to Azure Active Directory
• Allows the customer to use their on-premises password to log into Office 365
• Password Synchronization does not replace Identity Federation
• Changes to on-premises passwords are synced to the cloud in minutes
• If a user who is currently logged into a cloud service with their old password then changes their password in the on-premises AD, their current cloud service session will continue uninterrupted

Page 34: M17_O365_AADConnect_v1.4


Are Passwords safe?

• The Password Sync tool, Azure AD, and all associated services never see or store the on-premises user's plain text password

• A digest of the Windows Active Directory Password Hash is used for transmission between the on-premises AD and Azure Active Directory

• To authenticate a user, the password presented by the user is hashed and compared with the stored hash

• The digest of the Password Hash cannot be used to access resources in the customer's on-premises environment.

Page 35: M17_O365_AADConnect_v1.4


Password Sync Limitations

Password Sync and Federated Identities:
• Customers cannot have both Password Synchronization and federated authentication configured for the same domain (namespace)
• The Password Sync feature will not synchronize passwords for users with federated identities
• Customers must manually remove/disable federation from individual accounts, making them managed accounts, before they can utilize Password Synchronization

Password Complexity Policy:
• Password Synchronization requires all on-premises synchronized users to follow the on-premises Active Directory password policy
• Users managed in the cloud remain with cloud-defined password policies
• Password Synchronization sets the cloud password for all on-premises synchronized users to "Never Expire"

Page 36: M17_O365_AADConnect_v1.4


How does Password Hash Sync work?

• Azure AD Connect monitors the pwdLastSet user attribute to identify password change events, such as resets

• It then extracts the user's password hash from the on-premises Active Directory and sends a digest of it to Azure AD

• The synchronization process is similar to that of objects, with the difference that passwords are synchronized in minutes, rather than the default three (3) hours for objects

• Password hashes are synced in batches of up to 50 users per batch

• Passwords are never sent to Azure AD nor stored in AAD in clear text

• Password hash sync can be used together with password write-back to enable self-service password reset (Azure AD Premium license needed)

Page 37: M17_O365_AADConnect_v1.4


Enable Password Hash Synchronization

• Select “Enable Password Synchronization” in the configuration wizard of AAD Connect

Page 38: M17_O365_AADConnect_v1.4


Password Hash Sync versus SSO

• Talking point A
• Talking point B
• Talking point C

Page 39: M17_O365_AADConnect_v1.4


Password write back

• Talking point A
• Talking point B
• Talking point C

Page 40: M17_O365_AADConnect_v1.4


Monitoring Password Synchronization using the event logs

Event logs

Event ID 650
  Description: Provision credentials batch start. Count: 1
  Cause: Password synchronization starts retrieving updated passwords from the on-premises AD DS.

Event ID 651
  Description: Provision credentials batch end. Count: 1
  Cause: Password synchronization finishes retrieving updated passwords from the on-premises AD DS.

Event ID 653
  Description: Provision credentials ping start.
  Cause: Password synchronization starts informing Azure AD that there are no passwords to be synced. This occurs every 30 minutes if no passwords have been updated in the on-premises AD DS.

Event ID 654
  Description: Provision credentials ping end.
  Cause: Password synchronization finishes informing Azure AD that there are no passwords to be synced. This occurs every 30 minutes if no passwords were updated in the on-premises AD DS.

Event ID 656
  Description: Password Change Request - Anchor : H552hI9GwEykZwof74JeOQ==, Dn : CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local, Change Date : 05/01/2013 16:34:08
  Cause: Password synchronization indicates that a password change was detected and tries to sync it to Azure AD. This identifies the user or users whose password changed and will be synced. Each batch contains at least one user and at most 50 users.

Event ID 657
  Description: Password Change Result - Anchor: eX5b50Rf+UizRIMe2CA/tg==, Dn : CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local, Result : Success.
  Cause: User or users whose password was successfully synced.
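An added example (not from the module) that parses the events listed above into findings a monitoring job can act on: a change request (656) with no matching result (657), a result other than Success, or no batch or ping activity inside the 30-minute window the slide describes. The event records are constructed from the message text on this slide; the second user and the "Failed" result are invented for the failure case.

```powershell
# Added example, not from the training module: parse Azure AD Connect password-sync events
# (IDs 650-657 in the Application log) and report anomalies.

$PasswordSyncEventIds = 650, 651, 653, 654, 656, 657

function ConvertFrom-PasswordSyncEvent {
    # Pulls Anchor, Dn and Result out of the 656/657 message text; other IDs pass through with nulls
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Event)
    process {
        $m = [string]$Event.Message
        $anchor = if ($m -match 'Anchor\s*:\s*(\S+?),')                         { $Matches[1] } else { $null }
        $dn     = if ($m -match 'Dn\s*:\s*(.+?),\s*(Change Date|Result)\s*:')   { $Matches[1] } else { $null }
        $result = if ($m -match 'Result\s*:\s*(\w+)')                           { $Matches[1] } else { $null }
        [pscustomobject]@{
            TimeCreated = $Event.TimeCreated
            Id          = $Event.Id
            Anchor      = $anchor
            Dn          = $dn
            Result      = $result
        }
    }
}

function Get-PasswordSyncFindings {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Events,
        [datetime] $Now = (Get-Date),
        # The idle ping (653/654) is expected every 30 minutes; allow a little slack
        [int] $MaxSilentMinutes = 35
    )
    $parsed   = @($Events | ConvertFrom-PasswordSyncEvent)
    $findings = New-Object System.Collections.Generic.List[string]

    # A result other than Success means the change did not reach Azure AD
    foreach ($e in $parsed | Where-Object { $_.Id -eq 657 -and $_.Result -ne 'Success' }) {
        $findings.Add("Password sync failed for $($e.Dn): result '$($e.Result)'")
    }

    # Every 656 request should be followed by a 657 result carrying the same anchor
    $resultAnchors = @($parsed | Where-Object { $_.Id -eq 657 } | ForEach-Object { $_.Anchor })
    foreach ($r in $parsed | Where-Object { $_.Id -eq 656 }) {
        if ($r.Anchor -notin $resultAnchors) { $findings.Add("No result event for change request $($r.Dn) (anchor $($r.Anchor))") }
    }

    # Neither a batch nor a ping inside the window: the password sync channel is stalled
    $last = $parsed | Sort-Object TimeCreated | Select-Object -Last 1
    if ($null -eq $last -or ($Now - $last.TimeCreated).TotalMinutes -gt $MaxSilentMinutes) {
        $findings.Add("No password sync activity in the last $MaxSilentMinutes minutes")
    }
    $findings.ToArray()
}

# Constructed sample events shaped like Get-WinEvent records (Id, TimeCreated, Message); the
# Viola Hanson messages are the slide's text, the second user and the Failed result are constructed
$t = Get-Date '2013-05-01 16:40:00'
$sampleEvents = @(
    [pscustomobject]@{ Id = 650; TimeCreated = $t.AddMinutes(-5); Message = 'Provision credentials batch start. Count: 1' },
    [pscustomobject]@{ Id = 656; TimeCreated = $t.AddMinutes(-5); Message = 'Password Change Request - Anchor : H552hI9GwEykZwof74JeOQ==, Dn : CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local, Change Date : 05/01/2013 16:34:08' },
    [pscustomobject]@{ Id = 657; TimeCreated = $t.AddMinutes(-4); Message = 'Password Change Result - Anchor: H552hI9GwEykZwof74JeOQ==, Dn : CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local, Result : Success.' },
    [pscustomobject]@{ Id = 656; TimeCreated = $t.AddMinutes(-4); Message = 'Password Change Request - Anchor : AAAAAAAAAAAAAAAAAAAAAA==, Dn : CN=Constructed User,OU=Cloud Objects,DC=contoso,DC=local, Change Date : 05/01/2013 16:35:10' },
    [pscustomobject]@{ Id = 657; TimeCreated = $t.AddMinutes(-3); Message = 'Password Change Result - Anchor: AAAAAAAAAAAAAAAAAAAAAA==, Dn : CN=Constructed User,OU=Cloud Objects,DC=contoso,DC=local, Result : Failed.' },
    [pscustomobject]@{ Id = 651; TimeCreated = $t.AddMinutes(-3); Message = 'Provision credentials batch end. Count: 1' }
)
# Run right after the batch, then again two hours later with no further batch or ping events
Get-PasswordSyncFindings -Events $sampleEvents -Now $t
Get-PasswordSyncFindings -Events $sampleEvents -Now $t.AddHours(2)

# On the Azure AD Connect server the same records come from the Application log:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = $PasswordSyncEventIds; StartTime = (Get-Date).AddHours(-1) }
# Get-PasswordSyncFindings -Events $live
```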

Page 41: M17_O365_AADConnect_v1.4


Forcing Full Password Sync

To trigger a full password sync to re-synchronize all user passwords:
• Import the PowerShell module by running Import-Module AdSync
• Run Get-ADSyncConnector | FL Name to get the connectors' names
• Disable password sync by running the cmdlet Set-ADSyncAADPasswordSyncConfiguration -SourceConnector <OnPremADDomain> -TargetConnector <AzureADDomain> -Enable $false
• Re-enable password sync by running the cmdlet Set-ADSyncAADPasswordSyncConfiguration -SourceConnector <OnPremADDomain> -TargetConnector <AzureADDomain> -Enable $true

Page 42: M17_O365_AADConnect_v1.4


Forcing Delta Objects Sync

DirSync is scheduled to perform delta syncs once every three hours:
• You can force an immediate synchronization rather than wait 3 hours
• For example, for employee terminations or bulk attribute changes

To force object synchronization:
• Open the Command Prompt
• Navigate to the folder C:\Program Files\Microsoft Azure AD Sync\Bin
• Then run DirectorySyncClientCmd.exe Delta to trigger a delta DirSync

Page 43: M17_O365_AADConnect_v1.4


Verifying and Monitoring DirSync

You can verify if DirSync has performed a successful sync by:
• Looking for Event ID 104 in the Application event log
• Running Get-MSOLCompanyInformation and checking the LastDirSyncTime value
• Checking the emails sent to the technical contact of the tenant
• Using miisclient.exe to view the status of the last sync cycle

Page 44: M17_O365_AADConnect_v1.4


Throttling Sync

• Throughput shared across tenants at Admin Web Service layer (throttled per directory partition)

• The DirSync client automatically handles throttling and retries

• Error Code 81 – Server Busy gets logged in the event logs when DirSync has been throttled

• Throttling can lead to variable sync times especially for a first full sync cycle after installation

Page 45: M17_O365_AADConnect_v1.4


DirSync and Deletes

• Objects owned by DirSync cannot be edited directly in the portal, but they can be deleted via PowerShell directly in the Office 365 tenant

• Remove-MSOLUser/Contact/Group will allow you to delete an object that is owned by DirSync

• Deleted objects get moved to a Recycle Bin in the tenant
  • To view its contents, run Get-MSOLUser -ReturnDeletedUsers
  • Purge the Recycle Bin using Remove-MSOLUser -RemoveFromRecycleBin
• If the object still exists on-premises, it will be recreated on the next sync cycle
• If deleted on-premises, the object needs to be restored from on-premises
  • Use the AD Recycle Bin (requires W2K8 R2 Forest Functional Level)
  • Or an AD authoritative restore of the deleted object(s)

Page 46: M17_O365_AADConnect_v1.4


Accidental Deletes

Scenario:
• On-premises AD admin accidentally deletes a user object in AD (Oops)
• DirSync propagates the delete to the cloud
• User object is deleted in the cloud (mailbox lost)

What do you do now?

Page 47: M17_O365_AADConnect_v1.4


Accidental Deletes (continued)

Manual recovery:
• Admin identifies the object to be recovered on-premises and uses the recycle bin feature or an authoritative restore of the object

Via AAD Connect:
• When the admin restores the user object in AD, the object is automatically recovered by AAD Connect; the mailbox is also recovered, etc.
• Recovery is dependent on keeping the same SourceAnchor value
• A new SourceAnchor value with the same attribute values will not recover the user object in Office 365 and will instead create a new user

Page 48: M17_O365_AADConnect_v1.4


Filtering What Objects Sync

DirSync filtering is now supported; tread carefully.
• You can filter what syncs based on:
  • Domain
  • OU
  • Attribute
• Useful for filtering out service accounts and protected objects
• Incorrect filtering can mass-delete objects (and their mailboxes) from the Azure Active Directory
• Filtering configuration is lost if you reinstall or upgrade the DirSync tool

Configure filtering for directory synchronization: http://technet.microsoft.com/en-us/library/jj710171.aspx

Page 49: M17_O365_AADConnect_v1.4


Attribute based filtering

Follow-along example of attribute-based filtering:
1) Open the Synchronization Rules Editor
2) Under Rule Types, choose Inbound and select "In from AD – User Join"
3) Click Edit
4) Go to Scoping Filter
5) Any users that match the query will sync

Page 50: M17_O365_AADConnect_v1.4


Troubleshooting

• Use the MIISClient UI to monitor export errors and track down objects
• Use the DirSync error mail notifications from Office 365
• Search for duplicate proxyAddresses against Exchange Online by running Get-Recipient <allegedduplicateaddress>
• Use the IdFix tool to identify and fix problem objects or attributes in the on-premises Active Directory
• The best approach is to make sure the AD objects are as clean as possible before implementing Azure AD Connect

Page 51: M17_O365_AADConnect_v1.4


Key Deployment Considerations

• Complete Active Directory cleanup work before implementing DirSync
• Understand how "soft match" works
• Consider Exchange schema extensions for non-Exchange AD environments
• Verify on-premises user objects have a value (not null) for the UPN suffix and that it is correct
• The default routing domain (e.g. contoso.onmicrosoft.com) is used for the Office 365 UPN suffix if the on-premises UPN suffix does not contain a publicly routable DNS domain (i.e. cannot use *.local)

Verified domains:
• Add all SMTP domains as verified domains before synchronizing

Page 52: M17_O365_AADConnect_v1.4

Lab: Activate, Install and Configure Azure AD Connect Tool


Page 53: M17_O365_AADConnect_v1.4


Module Review

• What objects does the Azure AD Connect tool synchronize?
• What port does Azure AD Connect use to synchronize with Office 365?
• How can you force directory synchronization to run?

Page 54: M17_O365_AADConnect_v1.4


Module Review (Answers)

• What objects does the Azure AD Connect tool synchronize?
  Answer: Users, contacts, and groups
• What port does Azure AD Connect use to synchronize with Office 365?
  Answer: HTTPS 443
• How can you force directory synchronization to run?
  Answer 1: Run DirectorySyncClientCmd.exe Delta from the Command Prompt.
  OR Answer 2: Open Task Scheduler, right-click the Azure AD Sync scheduled task and run it

Page 55: M17_O365_AADConnect_v1.4

Module Summary


In this lesson, you learned:
• The on-premises requirements and preparation required to run directory synchronization
• How the Azure AD Connect tool synchronizes objects and simplifies user provisioning and administration of objects

Page 56: M17_O365_AADConnect_v1.4

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION
