Installing Azure Active Directory Connect (formerly AADSync and DirSync)

What you need to know about AADConnect - our experiences with AADConnect and Office 365, by David Parizek and Henry Verlander.

AADConnect can help simplify Active Directory users’ experiences with Office 365, and eliminate the need for multiple passwords without adding major infrastructure. However, we found that the setup process was somewhat difficult to navigate and that there was much more to the program than first met the eye. In this article, we attempt to provide a brief, concise step-by-step guide for using AADConnect with Office 365 for email purposes.

Introduction

InfoStream does a lot of Office 365 email migrations, so when we heard about Microsoft’s Azure Active Directory Connect tool, previously known as DirSync, it definitely sounded like something we’d want to use. After migrating a client to Office 365, end users would often have problems with usernames and passwords in the two environments. It was relatively easy for users to get confused. The number one feature that drew InfoStream to AADConnect is “Password Synchronization”. That feature can definitely simplify the experience for end users. We dove into the deep end of the pool and are now using AADConnect at a number of our clients. Our usage of AADConnect has been confined exclusively to syncing between local Active Directory environments and Office 365.

As with all Microsoft products there is more than one version. It gets confusing with this product, because Microsoft changed names with each new version. Directory Sync (DirSync) was released and tied to Office 365, becoming the default name everybody uses. Azure Active Directory Sync (AADSync) was rolled out with the Azure Cloud platform, and has several additional capabilities as well as the password sync. Azure Active Directory Connect is the newest version, and is linked below. As a newer version that still does what we want, AADConnect is the version this paper will focus on. If you are working with DirSync or AADSync, the theory and the steps will be similar, but some of the command-line syntax may differ.

Locations of critical files

Windows Management Framework 4.0 (required before installing AADConnect)

Microsoft Azure Active Directory Sync Services can be downloaded from the following location:

MIIS Client for Azure Active Directory (for configuration) is at

  • “C:\Program Files\Microsoft Azure AD Sync\UIShell”

Microsoft Azure Directory Sync Client Command

  • “C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe”

Scenarios

When your organization decides to implement AADConnect, it is critical to know which of the following scenarios you are in. We have grouped our own experiences into three distinct scenarios. Each scenario is designed to be a complete series of steps to implement AADConnect. The scenarios vary depending on the status of in-house Exchange and Office 365 at the time you start implementation. We suggest that you read the headings of each of the following scenarios carefully and decide which one applies to your organization. Then, follow the steps that apply to you in that section.


SCENARIO 1 – In-house Exchange is active with a planned migration to Office 365 not yet underway

One of the hardest parts of using AADConnect is matching local users to cloud users. In this scenario, it is easy. The Office 365 environment is empty, so when AADConnect doesn’t find a matching user to sync with, it creates a new user and automatically links the two together.

The sequence of steps is as follows:

  1. In local ADUC, move all local users, groups and contacts to a new OU named Office365.
    1. You can have sub-OUs, but there should be a parent OU which defines the objects which will be syncing to Office 365.
  2. Change all users’ UPN to match their email address.
    1. Example: contoso.com, NOT contoso.local in ADUC properties.
    2. Here’s how to do that https://technet.microsoft.com/en-us/library/cc772007.aspx
    3. After creating the new Suffix, you must apply it to all users in ADUC.
  3. Make sure that each user has their default email address filled in under the GENERAL PROPERTIES tab in ADUC.
  4. Enable Directory Synchronization in Office 365
    1. Go to Office 365 Admin Center
    2. Click on Users, then Active users
    3. Click on “Set up” next to Active Directory Synchronization
  5. Install AADConnect, but do not SYNC. Configure OU FILTERING and MAILBOX GUID exclusion first.
    1. OU filtering
    2. Excluding mailbox GUID.
    3. Although this may appear obvious, we highly recommend that you do not include the O365 account used to authenticate the directory sync as a directory sync account. If necessary you can create an extra Global Admin account without a license to be used as the directory sync administrator account.
  6. Perform Sync. Upon initial Sync, if Office 365 is empty, DirSync will create all the new users and link them to their counterpart in local Active Directory.
    1. Several syncs are required to update both Office 365 and Active Directory. Microsoft recommends that for future manual DirSync runs you use the Directory Sync Client Command. It performs all of the Full and Delta syncs for both connectors that would occur during a scheduled, automated sync.
    2. The recommended sync tool is NOT listed in the Start menu. It is located at:
      i. “C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe”
    3. Adding a shortcut to the desktop for this command is also recommended. If you do, fill in the “Start In” field with:
      i. “C:\Program Files\Microsoft Azure AD Sync\Bin”
  7. NOTE: The first sync often fails to update passwords. The website will show that the account is Synced with Active Directory, but the passwords will still be different. Changing the password in Active Directory will force another sync and the passwords will be matched.
  8. Optional: Uninstall Exchange (See Wrap up)
    1. Uninstalling Exchange will remove all users’ email addresses from Active Directory and you must be prepared for that before allowing synchronization to occur.
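Steps 2 and 3 above (UPN suffix and default email address) are easy to get wrong for a large OU, so here is an added PowerShell audit-and-fix script, not part of the original article, that checks the suffix is registered on the forest, flags users with an empty E-mail field, and sets each user’s UPN equal to their mail attribute. It assumes the ActiveDirectory RSAT module; the OU distinguished name and the contoso.com suffix are placeholders.

```powershell
# Added example (not from the original article): align users' UPNs with their
# e-mail addresses inside the Office365 OU before the first AADConnect sync.
# Assumes the ActiveDirectory RSAT module; the DN and suffix are placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'OU=Office365,DC=contoso,DC=local',  # placeholder DN
    [string]$UpnSuffix  = 'contoso.com'                        # routable suffix
)
Import-Module ActiveDirectory

# Step 2: the suffix must exist on the forest before it can be applied to users.
# Stop early rather than produce UPNs Office 365 cannot route.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $UpnSuffix) {
    throw "UPN suffix '$UpnSuffix' is not registered on the forest; add it in AD Domains and Trusts first."
}

$users = Get-ADUser -SearchBase $SearchBase -Filter * -Properties mail, userPrincipalName
foreach ($u in $users) {
    if ([string]::IsNullOrWhiteSpace($u.mail)) {
        # Step 3: with no default address there is nothing for Office 365 to match on.
        Write-Warning "$($u.SamAccountName): 'mail' is empty; fill the E-mail field in ADUC before syncing"
        continue
    }
    $domain = ($u.mail -split '@')[-1]
    if ($domain -ne $UpnSuffix) {
        Write-Warning "$($u.SamAccountName): mail domain '$domain' differs from '$UpnSuffix'; skipping"
        continue
    }
    if ($u.UserPrincipalName -eq $u.mail) { continue }   # already aligned

    # The UPN becomes the Office 365 sign-in name, so it must equal the mailbox address.
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "set UPN '$($u.UserPrincipalName)' -> '$($u.mail)'")) {
        Set-ADUser -Identity $u -UserPrincipalName $u.mail
    }
}
```

Run it with -WhatIf first to see the planned changes without writing to Active Directory.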

After the migration is completed, and Exchange is disabled, most of the management of users and groups is done locally. For example, Distribution Group memberships are managed locally, with the changes syncing to Office365.


SCENARIO 2 – The Organization has already migrated to Office 365, and Exchange is still installed

In this scenario, the Office 365 mailboxes were created manually with no SYNC to local Active Directory. Exchange has been disabled but not uninstalled from Active Directory. All mailbox management is being performed in the Office 365 portal. Users are forced to manage 2 usernames and 2 passwords.

Here are the steps if you are a scenario 2 organization.

  1. Move all local users, groups and contacts to a new ADUC OU structure named Office365.
    1. You can have sub-OUs, but there should be a parent OU which defines the objects which will be syncing to Office 365.
    2. Do not change the users’ UPN. Leave all users with the existing .local suffix.
  2. Enable Directory Synchronization in Office 365
    1. Go to Office 365 Admin Center
    2. Click on Users, then Active users
    3. Click on “Set up” next to Active Directory Synchronization
  3. Install AADConnect and configure the OU filter before performing a Sync.
    1. If the filter is not set, AADConnect will find all the users in the entire Active Directory and try to sync them. Here is a good step-by-step guide for configuring “Organizational Units Based Filtering”.
    2. http://msexchangeguru.com/2012/08/10/office-365-2/
    3. Although this may appear obvious, we highly recommend that you do not include the O365 account used to authenticate the directory sync as a directory sync account. If necessary you can create an extra Global Admin account without a license to be used as the directory sync administrator account.
  4. Configure Mailbox GUID filtering, before performing the first Sync.
    1. http://www.cheddon.co.uk/msexchmailboxguid-office-365/
  5. Perform the procedures in “SMTP MATCHING” from the article below
    1. https://support.microsoft.com/en-us/kb/2641663/en-us
  6. Perform initial sync.
    1. Run AADConnect wizard
    2. Several syncs are required to update both Office 365 and Active Directory. Microsoft recommends that for future manual AADConnect runs you use the Directory Sync Client Command. It performs all of the Full and Delta syncs for both connectors that would occur during a scheduled, automated sync.
    3. The recommended sync tool is NOT listed in the Start menu. It is located at:
        i. “C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe”
    4. Adding a shortcut to the desktop for this command is also recommended. If you do, fill in the “Start In” field with:
        i. “C:\Program Files\Microsoft Azure AD Sync\Bin”
  7. NOTE: The first sync often fails to update passwords. The website will show that the account is Synced with Active Directory, but the passwords will still be different. Changing the password in Active Directory will force another sync and the passwords will be matched.
  8. Optional: Uninstall Exchange (See Wrap up)
    1. Uninstalling Exchange will remove all users’ email addresses from local Active Directory. You must be prepared for that before allowing synchronization to occur.

With a little luck at this step, users will be matched via default SMTP address and then linked with their “immutable ID”. If things go wrong, you might see duplicate users appear in Office 365. In that case, use PowerShell to permanently delete the duplicates from Office 365 and try again. From this point forward, you must manage many of the users’ Office 365 attributes from local Active Directory.
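Because SMTP matching links each cloud mailbox to a local object by its primary SMTP address, the duplicates mentioned above usually trace back to objects with no mail value, no (or more than one) upper-case “SMTP:” entry, or an address claimed by two objects. The following audit script is an added example, not part of the original article; it assumes the ActiveDirectory RSAT module and uses a placeholder OU distinguished name, and exits non-zero if anything needs fixing before the first sync.

```powershell
# Added example (not from the original article): audit the Office365 OU before
# the first sync. Assumes the ActiveDirectory RSAT module; the DN is a placeholder.
param([string]$SearchBase = 'OU=Office365,DC=contoso,DC=local')
Import-Module ActiveDirectory

# objectCategory=person covers users and contacts (not computers); groups are added explicitly.
$objects = Get-ADObject -SearchBase $SearchBase -Properties mail, proxyAddresses `
    -LDAPFilter '(|(objectCategory=person)(objectClass=group))'

$findings = New-Object System.Collections.Generic.List[object]
foreach ($o in $objects) {
    # -clike is case-sensitive: only the upper-case "SMTP:" entry is the primary address.
    $primaries = @($o.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
    $problem = $null
    if (-not $o.mail) {
        $problem = "no 'mail' attribute; a synced match would lose its existing addresses"
    } elseif ($primaries.Count -ne 1) {
        $problem = "$($primaries.Count) primary 'SMTP:' entries; exactly one is required"
    } elseif ($primaries[0].Substring(5) -ne $o.mail) {
        $problem = "primary '$($primaries[0])' does not match mail '$($o.mail)'"
    }
    if ($problem) {
        $findings.Add([pscustomobject]@{ Object = $o.Name; Class = $o.ObjectClass; Problem = $problem })
    }
}

# An address claimed by two objects fails on export and can surface as a duplicate user in Office 365.
$dupes = $objects | ForEach-Object { $_.proxyAddresses } | Where-Object { $_ -like 'smtp:*' } |
    Group-Object { $_.ToLowerInvariant() } | Where-Object Count -gt 1
foreach ($d in $dupes) {
    $findings.Add([pscustomobject]@{ Object = '(multiple)'; Class = '-'; Problem = "address '$($d.Name)' appears $($d.Count) times" })
}

$findings | Format-Table -AutoSize
if ($findings.Count -gt 0) { exit 1 }   # non-zero exit: fix these before running the sync
```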


SCENARIO 3 – The Organization has already migrated to Office 365 and Exchange never was installed locally or is completely removed

When Exchange does not exist in the local Active Directory, the users do not have email addresses included in their ADUC properties. In this scenario, technicians must use the ADUC Advanced Attribute “PROXY ADDRESSES” field to manage the data that is synced to Office 365. The most critical part of implementing AADConnect in Scenario 3 is to perform the steps in the proper sequence. Here is our advice.

  1. Move all local users, groups and contacts to a new OU named Office365.
    1. You can have sub-OUs, but there should be a parent OU which defines the objects which will be syncing to Office 365.
  2. Enable Directory Synchronization in Office 365
    1. Go to Office 365 Admin Center
    2. Click on Users, then Active users
    3. Click on “Set up” next to Active Directory Synchronization
  3. Change all users’ UPN to match their email address.
    1. Example: contoso.com, NOT contoso.local in ADUC properties.
    2. Here’s how to do that https://technet.microsoft.com/en-us/library/cc772007.aspx
    3. After creating the new Suffix, you must apply it to all users in ADUC.
  4. Edit users’ proxy addresses:
    1. Enter the default email address in the “GENERAL” properties tab for each user or group in ADUC.
    2. Open each user and group in ADUC Advanced Properties:
      i. Go to the Attribute Editor tab.
      ii. Scroll down to PROXY ADDRESSES.
      iii. Enter all of the email addresses for that user or group.
        1. The default address must be formatted as SMTP:[email protected]
        2. Alternate addresses must be added with the “smtp” in lower case.
        3. Do the same for all users and groups.

    NOTE: If a user is matched and synced to Office 365 when they do not have a local email address, DirSync will REMOVE ALL EXISTING EMAIL ADDRESSES and replace them with [email protected]

  5. Install AADConnect and configure the OU filter before performing a Sync.
    1. If the filter is not set, then AADConnect will find all the users in the entire Active Directory and try to sync them.
    2. Article for configuring “Organizational Units Based Filtering”.
  6. Although this may appear obvious, we highly recommend that you do not include the O365 account used to authenticate the directory sync as a directory sync account. If necessary you can create an extra Global Admin account without a license to be used as the directory sync administrator account.
  7. Perform the procedures in “SMTP MATCHING” from the article below
    1. https://support.microsoft.com/en-us/kb/2641663/en-us
  8. Perform SYNC. Run the AADSync wizard.
    1. Several syncs are required to update both Office 365 and Active Directory. Microsoft recommends that for future manual DirSync runs you use the Directory Sync Client Command. It performs all of the Full and Delta syncs for both connectors that would occur during a scheduled, automated sync.
    2. The recommended sync tool is NOT listed in the Start menu. It is located at:
      i. “C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe”
    3. Adding a shortcut to the desktop for this command is also recommended. If you do, fill in the “Start In” field with:
      i. “C:\Program Files\Microsoft Azure AD Sync\Bin”
  9. NOTE: The first sync often fails to update passwords. The website will show that the account is Synced with Active Directory, but the passwords will still be different. Changing the password in Active Directory will force another sync and the passwords will be matched.
  10. With a little luck here, users will be matched via initial SMTP address, then permanently linked with their “immutable ID”, and there will be no duplicates created. From this point forward, you must manage many of the users’ Office 365 attributes from local Active Directory.

Optional Wrap up (Uninstall Exchange)

  1. Temporarily stop the synchronization schedule from running while completing the remaining steps.
    1. To stop DirSync, go to the C:\Program Files\Windows Azure Active Directory Sync folder.
    2. Open the Microsoft.Online.DirSync.Scheduler.exe.Config file with Notepad. Edit the “SyncTimeInterval” value to a higher number of hours.
    3. For AADConnect (or AADSync), go to “TASK SCHEDULER” in Administrative Tools and edit the timing of the task there.
  2. Manually add email addresses to Active Directory objects (users and groups).
    1. Open each user or group in the ADUC Advanced Properties view.
    2. Go to the Attribute Editor tab.
    3. Scroll down to PROXY ADDRESSES.
    4. Enter all of the email addresses for the user.
      i. The default address must be formatted as SMTP:[email protected]
      ii. Alternate addresses must be added with the “smtp” in lower case.
      iii. Do the same for users and groups.
      iv. Additionally, enter the default email address under the “GENERAL” properties tab for each user or group in ADUC.
  3. Uninstall Exchange
    www.infostream.cc/2011/10/04/removing-exchange-2007-from-small-business-server-2008
  4. Reinitiate the normal AADConnect synchronization interval by reversing step 1.
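Both Scenario 3 (step 4) and step 2 of this wrap-up require hand-editing PROXY ADDRESSES with exactly one upper-case “SMTP:” primary and lower-case “smtp:” aliases, which is error-prone across many objects. The script below is an added example, not part of the original article, that writes proxyAddresses and the General-tab E-mail (mail) for users and groups in one pass from a mapping; the mapping shown is constructed sample data, and it assumes the ActiveDirectory RSAT module.

```powershell
# Added example (not from the original article): set proxyAddresses and 'mail'
# for users and groups with the casing the article requires. Assumes the
# ActiveDirectory RSAT module; the mapping is constructed sample data.
[CmdletBinding(SupportsShouldProcess = $true)]
param()
Import-Module ActiveDirectory

# Constructed sample mapping: sAMAccountName -> primary address first, then aliases.
# In practice load this from a CSV exported from the old mail system.
$mapping = @{
    'jsmith' = @('john.smith@contoso.com', 'jsmith@contoso.com')
    'sales'  = @('sales@contoso.com')
}

function Build-ProxyAddresses {
    param([string[]]$Addresses)
    # First entry is the primary; reject malformed input before touching AD.
    $primary, $aliases = $Addresses
    if (-not $primary -or $primary -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') { throw "invalid primary '$primary'" }
    $out = @("SMTP:$primary")                     # upper-case SMTP: marks the default address
    foreach ($a in @($aliases)) {
        if ($a -and $a -ne $primary) { $out += "smtp:$a" }   # lower-case smtp: for aliases, no second primary
    }
    return $out
}

foreach ($sam in $mapping.Keys) {
    # Users and groups both live in the OU; resolve whichever object carries this name.
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$sam)" -Properties proxyAddresses
    if (-not $obj) { Write-Warning "$sam not found"; continue }
    $proxies = Build-ProxyAddresses $mapping[$sam]
    # -Replace (not -Add) so stale or wrongly-cased entries do not survive the edit.
    if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, "set proxyAddresses to $($proxies -join ', ')")) {
        Set-ADObject -Identity $obj -Replace @{ proxyAddresses = $proxies; mail = $mapping[$sam][0] }
    }
}
```

Run with -WhatIf to preview; step 1 of the wrap-up (pausing the schedule) should already be in place so a half-finished edit is not exported.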

GENERAL TIPS:

  1. There are several different versions of AADSync and DirSync. Make sure you get the latest version. The official name of the new version is Azure Active Directory Sync. Here is a good Microsoft article about the differences between the versions.
    https://msdn.microsoft.com/en-us/library/azure/dn757582.aspx
  2. AADSync will attempt to sync every user in the entire ADUC if you don’t stop it. Make sure users are organized into OUs and configure OU FILTERING immediately after installing DirSync. We suggest starting with a “TEST OU” with only 1 or 2 test users in it. When you have gotten a feel for it, change the OU filter or add more users. Synchronization mistakes and errors can be very difficult to fix.
  3. If local users have User Logon Names which differ from their email addresses, it can be confusing for them. If the user logs on to their computer as JSmith, but their email address starts with JohnS, you will need to be careful when setting up User Logon Name in ADUC. Make sure the local AD User Logon Name field matches the default email address.

CONCLUSION

AADConnect is a great tool for connecting two powerful systems, Active Directory and Office 365. In a world where everything needs a password and every password should be changed regularly, limiting the number of those passwords is a great benefit for end users. After being configured, AADConnect does not require a lot of changes or maintenance, so after the initial setup, its simplifying features become more and more valuable as time goes on.