Directory Sync and Password Sync Cookbook – part 2 – Preparation

Hi, Andrzej (KAZM) again 😉 … with the 2nd part of the Directory Sync and Password Sync cookbook.

  1. Directory Sync and Password Sync Cookbook – part 1 – Overview and SSO Decisions
  2. Directory Sync and Password Sync Cookbook – part 2 – Preparation
  3. Directory Sync and Password Sync Cookbook – part 3 – UPN Sync Scenarios
  4. Directory Sync and Password Sync Cookbook – part 4 – Installation
  5. Directory Sync and Password Sync Cookbook – part 5 – Configuration and Operations
  6. Directory Sync and Password Sync Cookbook – part 6 – Troubleshooting
  7. Directory Sync and Password Sync Cookbook – part 7 – Important FAQ

If you decided to go for DirSync with the Password Sync option, you need to do some preparation first:

  1. Check and verify your environment
    1. AD Forest: Windows Server 2003 forest functional level or higher,
    2. Domain controller: 32-bit or 64-bit Windows Server 2003 Standard Edition or Enterprise Edition with Service Pack 1 (SP1) or higher,
    3. Important! If your forest has multiple child domains, please refer to the Troubleshooting part of this article.
    4. Important! DirSync doesn't support synchronizing across an AD forest trust between different forests; that is a Microsoft Forefront Identity Manager (FIM) scenario. So: one DirSync per forest.
  2. DirSync Server
    1. Windows Server 2008 R2 SP1 or higher; Windows Server 2012 R2 is recommended at the time of writing this article,
    2. Domain joined,
    3. .NET 3.5 SP1 and .NET 4.0 installed,
    4. Microsoft originally did not support installing DirSync on a Domain Controller, but since the 6553.0002 release of DirSync it is possible.
    5. Important! You must be running version 6382.0000 or greater of the Directory Sync tool to enable the Password Sync feature.
  3. Add alternative UPN suffixes to the domain (depending on whether your organization's business policies allow that)
    1. As the current recommendation, the UPN suffix of users in AD should be public (publicly resolvable) and the same as the public domain you have verified in Office 365 (e.g. user@fabrikam.com.pl),
    2. Important! If UPNs don't have a public suffix, users will be created in Office 365 with the @yourcompany.onmicrosoft.com UPN suffix. Please read the UPN Sync Scenarios part of this article to better understand this situation,
    3. Please refer to the Important FAQ part of this article to see how to set alternative UPN suffixes in AD.
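The checks in steps 1 to 3 are easy to get wrong by eye, so here is a pre-flight script that reports them from the intended DirSync server. It is an added example, not part of the original article: it assumes the ActiveDirectory PowerShell module (RSAT) is installed on that server, and the $VerifiedDomains list is a placeholder you replace with the domains already verified in your Office 365 tenant.

```powershell
# Added example (not from the original article): pre-flight checks for steps 1-3.
# Assumes the ActiveDirectory module (RSAT) is available on the planned DirSync server.
Import-Module ActiveDirectory

# Placeholder: the public domains you have verified in Office 365.
$VerifiedDomains = @('fabrikam.com.pl')

function Test-DirSyncPrerequisites {
    $forest = Get-ADForest
    $os     = Get-WmiObject Win32_OperatingSystem
    $cs     = Get-WmiObject Win32_ComputerSystem

    # Step 1.1: forest functional level Windows Server 2003 or higher.
    # Only the two older modes fail the requirement.
    $tooOld   = @('Windows2000Forest', 'Windows2003InterimForest')
    $forestOk = $tooOld -notcontains [string]$forest.ForestMode

    # Step 1.3: more than one domain in the forest -> read the Troubleshooting part first.
    $multiDomain = ($forest.Domains.Count -gt 1)

    # Step 2.1: Windows Server 2008 R2 SP1 (6.1 + SP1) or higher.
    $v    = [version]$os.Version          # e.g. 6.3.9600 on Windows Server 2012 R2
    $osOk = ($v.Major -gt 6) -or
            ($v.Major -eq 6 -and $v.Minor -gt 1) -or
            ($v.Major -eq 6 -and $v.Minor -eq 1 -and $os.ServicePackMajorVersion -ge 1)

    # Step 2.2: domain joined.
    $domainJoined = [bool]$cs.PartOfDomain

    # Step 2.3: .NET 3.5 SP1 and .NET 4.0 are both recorded under the NDP registry key.
    $ndp   = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
    $net35 = Get-ItemProperty "$ndp\v3.5"   -ErrorAction SilentlyContinue
    $net4  = Get-ItemProperty "$ndp\v4\Full" -ErrorAction SilentlyContinue
    $net35Ok = ($net35.Install -eq 1) -and ($net35.SP -ge 1)
    $net4Ok  = ($net4.Install  -eq 1)

    # Step 3: which UPN suffixes are in use, and how many users would end up with
    # the @tenant.onmicrosoft.com suffix because theirs is not verified in Office 365.
    $suffixUsage = Get-ADUser -Filter * |
        Where-Object { $_.UserPrincipalName } |
        ForEach-Object { ($_.UserPrincipalName -split '@')[1].ToLower() } |
        Group-Object |
        Select-Object Name, Count
    $unverified = $suffixUsage | Where-Object { $VerifiedDomains -notcontains $_.Name }

    New-Object PSObject -Property @{
        ForestMode            = [string]$forest.ForestMode
        ForestLevelOk         = $forestOk
        MultipleDomains       = $multiDomain
        ServerOsVersion       = "$($os.Caption) SP$($os.ServicePackMajorVersion)"
        ServerOsOk            = $osOk
        DomainJoined          = $domainJoined
        DotNet35Sp1Installed  = $net35Ok
        DotNet4Installed      = $net4Ok
        UpnSuffixesInUse      = ($suffixUsage | ForEach-Object { "$($_.Name) ($($_.Count))" }) -join ', '
        UnverifiedUpnSuffixes = ($unverified  | ForEach-Object { "$($_.Name) ($($_.Count))" }) -join ', '
    }
}

Test-DirSyncPrerequisites | Format-List
```

Any False in the output, or a non-empty UnverifiedUpnSuffixes line, points at the step above that still needs work before you install DirSync.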
  4. Prepare the O365 service account that will be used for synchronization
    1. Log in to the Microsoft Office 365 Portal (MOP) as an administrator,
    2. Create a new user (e.g. DirSyncSvcAcct) and do not assign any Office 365 license to that account,
    3. Assign Global Administrator rights to the DirSyncSvcAcct account,
    4. Log in to MOP using that account with the temporary password that was generated,
    5. Change the password to a new, strong password,
    6. Log off and log on again to make sure the new password works,
    7. Set the PasswordNeverExpires attribute on that account
      1. Run PowerShell and connect to Office 365 (how-to described in the Important FAQ part of this article),
      2. Execute the command Set-MsolUser -UserPrincipalName DirSyncSvcAcct@yourdomain.onmicrosoft.com -PasswordNeverExpires $true,
      3. Execute the command Get-MsolUser -UserPrincipalName DirSyncSvcAcct@yourdomain.onmicrosoft.com | fl,
      4. Make sure that the account's PasswordNeverExpires attribute is set to True.
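The same service account can be prepared entirely from PowerShell with the MSOnline module, which also lets you verify the three properties that matter (no license, Global Administrator, password never expires) in one place. This is an added example, not code from the original article: the UPN is a placeholder, and because the final password is set at creation with -ForceChangePassword $false, the portal's temporary-password steps 4.4 to 4.6 are not needed on this path.

```powershell
# Added example (not from the original article): steps 4.1-4.7 from PowerShell.
# Assumes the MSOnline module; 'yourdomain' is a placeholder for your tenant name.
Import-Module MSOnline
Connect-MsolService   # prompts for the tenant administrator's credentials

$Upn = 'DirSyncSvcAcct@yourdomain.onmicrosoft.com'

function New-DirSyncServiceAccount {
    param([string]$UserPrincipalName)

    # The password is typed once and never echoed; store it in your password vault,
    # because the DirSync wizard will ask for it later.
    $secure = Read-Host -Prompt 'New strong password for the service account' -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

    # Step 4.2: no -LicenseAssignment, so no Office 365 license is consumed.
    # Step 4.7: -PasswordNeverExpires is set at creation time.
    New-MsolUser -UserPrincipalName $UserPrincipalName `
                 -DisplayName 'DirSync Service Account' `
                 -Password $plain `
                 -ForceChangePassword $false `
                 -PasswordNeverExpires $true | Out-Null

    # Step 4.3: Global Administrator is exposed as the "Company Administrator" role.
    Add-MsolRoleMember -RoleName 'Company Administrator' -RoleMemberEmailAddress $UserPrincipalName

    # Steps 4.7.3-4.7.4: read everything back instead of trusting the calls above.
    $user   = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $role   = Get-MsolRole -RoleName 'Company Administrator'
    $member = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
              Where-Object { $_.EmailAddress -eq $UserPrincipalName }

    New-Object PSObject -Property @{
        UserPrincipalName    = $user.UserPrincipalName
        IsLicensed           = $user.IsLicensed            # expected: False
        IsGlobalAdmin        = ($member -ne $null)         # expected: True
        PasswordNeverExpires = $user.PasswordNeverExpires  # expected: True
    }
}

New-DirSyncServiceAccount -UserPrincipalName $Upn | Format-List
```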
  5. You need to know the credentials for
    1. an Active Directory Enterprise Administrator,
    2. the Office 365 service account with Global Administrator permissions, the one you created in the previous steps.
  6. If your O365 domain is already federated and uses ADFS SSO, you need to switch it back to a standard (managed) domain
    1. Important! Be careful with this. Plan some downtime carefully: users will be converted and will get new passwords generated automatically, which means they cannot log in until Password Sync has synchronized passwords for the first time.
    2. Use the "AAD Sync: How To Switch From Single Sign-On To Password Sync" Microsoft TechNet article.
      1. In short: execute the Convert-MsolDomainToStandard -DomainName <federated domain name> -SkipUserConversion $false -PasswordFile c:\user_passwords.txt command.
    3. If you run into any problems, try re-running the above command. Alternatively, you can use the "Sample script to manually convert all users in a domain" from the "AAD Sync: How To Switch From Single Sign-On To Password Sync" site to convert users manually.
  7. Use the AD remediation tool IdFix, which simulates the DirSync sync process and displays errors requiring remediation within your AD
    1. Use the "IdFix DirSync Error Remediation Tool" site for system requirements and download,
    2. Use the "Office 365 – IdFix DirSync Error Remediation Tool" article by Benoit HAMET on how to install and use IdFix,
    3. If you find issues, please refer to the Troubleshooting part of my article.
  8. Activate directory synchronization in Office 365 through either
    1. Web
      1. Log in to O365 as an administrator,
      2. Go to Users and groups,
      3. Click Setup next to Active Directory synchronization,
      4. Under Activate Active Directory synchronization click Activate,
      5. Click Activate once again in the popup window,
      6. It should be activated in a matter of a few minutes; check the status on the Office 365 portal (Users and groups).
    2. PowerShell
      1. Execute the Set-MsolDirSyncEnabled -EnableDirSync $true command.
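Steps 6 and 8 are the two cloud-side changes of this preparation, and both deserve a check before and after rather than a bare command. The script below is an added example, not code from the original article or from the TechNet article it cites: it assumes the MSOnline module, uses 'fabrikam.com.pl' as a placeholder domain, and only runs Convert-MsolDomainToStandard when the domain really is federated and you have confirmed the downtime.

```powershell
# Added example (not from the original article): steps 6 and 8 from PowerShell.
# Assumes the MSOnline module; the domain name and file path are placeholders.
Import-Module MSOnline
Connect-MsolService

$DomainName   = 'fabrikam.com.pl'
$PasswordFile = 'C:\user_passwords.txt'

function Convert-FederatedDomainToManaged {
    param([string]$DomainName, [string]$PasswordFile)

    # A Managed domain needs no conversion; only Federated ones do.
    $domain = Get-MsolDomain -DomainName $DomainName
    if ($domain.Authentication -ne 'Federated') {
        return "$DomainName is already $($domain.Authentication); nothing to convert."
    }

    # Step 6.1: users cannot sign in between this call and the first password sync.
    $answer = Read-Host "Convert $DomainName and reset its users' passwords now? (yes/no)"
    if ($answer -ne 'yes') { return 'Conversion cancelled.' }

    # Step 6.2: -SkipUserConversion $false converts the users immediately, and
    # -PasswordFile receives their generated passwords in plain text. Keep that file
    # off shared storage and delete it once the first password sync has completed.
    Convert-MsolDomainToStandard -DomainName $DomainName `
                                 -SkipUserConversion $false `
                                 -PasswordFile $PasswordFile

    # Step 6.3: if the authentication type is still Federated, re-run the command.
    $after = Get-MsolDomain -DomainName $DomainName
    return "$DomainName is now $($after.Authentication)."
}

function Enable-DirSyncAndVerify {
    # Step 8.2: activate, then poll the tenant flag, since activation takes a few minutes.
    Set-MsolDirSyncEnabled -EnableDirSync $true -Force
    for ($i = 0; $i -lt 10; $i++) {
        if ((Get-MsolCompanyInformation).DirectorySynchronizationEnabled) { return $true }
        Start-Sleep -Seconds 30
    }
    return $false   # still not active after 5 minutes; check the portal before continuing
}

Convert-FederatedDomainToManaged -DomainName $DomainName -PasswordFile $PasswordFile
Enable-DirSyncAndVerify
```

Run the conversion for every federated domain you want on Password Sync before activating directory synchronization, so the first sync cycle already works against managed domains.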
Category: Knowledge Base