DirSync is required to support Single Sign On (SSO) and creates Mail Enabled Users (MEU) in the cloud tenant. Installing DirSync allows you to have a unified Global Address List (GAL) between on-premise and cloud (Office 365). It also allows you to on-board/off-board users to and from Office 365 (this requires a 2 way sync).
Note: When user accounts are first synced they are marked as non-activated (and therefore do not consume any licenses)
Here are the steps for installing DirSync and verifying it has completed. Also, to verify DirSync has completed, check the event logs for:-
Steps
Action
Activate directory synchronisation from the online portal
Sign in to the online portal https://portal.microsoftonline.com, under Admin (as per above steps) click users
Select ‘Activate’ Active directory Synchronization
Note: Notice that there are not yet any synchronized users from your on-premise AD
Select Step 3 ‘Active directory Synchronization’ and click ‘Activate’
Select ‘Yes’ to activate Directory Synchronization
Now we need to install the Directory Synchronization Tool
Launch the Directory Synchronization Tool by double clicking on DirSync.exe
Click next on the welcome screen
Accept the license agreement and default install location
The Directory Synchronization Tool will install; click Finish when it has completed
On the Directory Synchronization server launch ‘Directory Sync Configuration’ and click Next on the welcome screen
Specify your Office 365 administrator credentials
Specify Enterprise Admin credentials to create the service account
The credentials specified here are not saved or cached in memory.
Click Next on the configuration page
Verify that ‘Synchronize directories now’ is selected and click Finish
Review the wizard and click ok
Verify users have been synchronized
It might take a few minutes for the users to appear; if they don’t appear, refresh your browser
Sign into the online portal https://portal.microsoftonline.com
All changes to user accounts need to be managed on-premise; the changes will then be synchronised to Office 365 by the directory synchronization tool.
On the home page, select ‘Admin’, then under Management select ‘Users’
Directory synchronization will occur every 3 hours, but you can force a synchronization if required
Navigate to C:\Program Files\Microsoft Online Directory Sync and Double-click DirSyncConfigShell.psc1. Then run Start-OnlineCoexistenceSync
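As an added example (not part of the original post), the following PowerShell script forces the synchronization described above and then watches the Application event log for Directory Synchronization entries so that a failed export is not missed. It assumes it is run from the DirSyncConfigShell.psc1 console the post points at (or that the Coexistence-Configuration snap-in, an assumed name, can be loaded), and it matches the event source with a wildcard because the exact source name is not given on this page.

```powershell
# Added example, not from the original post. Forces a DirSync run and then
# polls the Application log for Directory Synchronization events.
$start = Get-Date

# DirSyncConfigShell.psc1 loads the DirSync cmdlets; from a plain console load the
# snap-in (name assumed here) so Start-OnlineCoexistenceSync is available
if (-not (Get-Command Start-OnlineCoexistenceSync -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Coexistence-Configuration -ErrorAction Stop
}

# Force a run now rather than waiting for the 3-hourly schedule
Start-OnlineCoexistenceSync

# Watch the Application log for up to 15 minutes. The source name is matched with
# a wildcard (assumption); stop early if the sync logs a warning or an error.
$deadline = $start.AddMinutes(15)
do {
    Start-Sleep -Seconds 30
    $events = @(Get-EventLog -LogName Application -After $start |
        Where-Object { $_.Source -like '*Directory Sync*' })
    $problems = @($events | Where-Object { $_.EntryType -eq 'Error' -or $_.EntryType -eq 'Warning' })
} until ($problems.Count -gt 0 -or (Get-Date) -gt $deadline)

# Show everything the sync logged in this run, oldest first
$events | Sort-Object TimeGenerated |
    Format-Table TimeGenerated, EntryType, EventID, Message -AutoSize -Wrap

if ($problems.Count -gt 0) {
    Write-Warning "DirSync logged $($problems.Count) warning/error event(s); resolve these before on-boarding users."
} elseif ($events.Count -eq 0) {
    Write-Warning "No Directory Sync events seen since $start; confirm the service is running."
}
```

The polling loop stops as soon as a warning or error appears, so problems surface without waiting for the full window; on a healthy run it simply lists the start/completion events for the sync you forced.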
Update your domain to a shared domain
On the home page, select Admin and then manage under Exchange Online (this takes you into the Exchange Control Panel (ECP))
In the ECP, select ‘Mail control’ then ‘domains and Protection’ and select company.com as a shared domain
Written by Daniel Kenyon-Smith
Launch Microsoft Online Services Identity Federation Management tool
At the PowerShell command prompt type
Type $cred = Get-Credential
In the pop up window specify the username used for online account management (your Office 365 administrator credentials)
Connect ADFS 2.0 and Office 365
Type Set-MSOLContextCredential -MSOLAdminCredentials $cred
Add a federated Domain
This creates a domain in Office 365 and marks it for federated authentication. You will need to verify domain ownership by performing the step indicated in the warning message.
For example:
WARNING: Please verify company.com domain ownership by adding a DNS ms123456789.company.com CNAME record targeting ps.microsoftonline.com at your domain registrar. More information can be found
http://technet.microsoft.com/en-us/library/cc742578.aspx
Add-MSOLFederatedDomain -DomainName Company.com
Verify a federated domain
Run the following command again
Add-MSOLFederatedDomain -DomainName Company.com. Because the domain has already been created (this command was run in the previous step), the link will now be created between the Microsoft Federation Gateway and your local ADFS 2.0 server. Office 365 will verify that the CNAME record you created matches the information you were given to verify ownership of the domain.
Then run Get-MSOLFederationProperty -DomainName Company.com
Sign into Office 365 using your corporate credentials (you need to have AD synchronisation running). If you are successfully logged in then federation has been successfully verified
View the Active Domain in the Microsoft Online Services portal.
Sign into https://portal.microsoftonline.com
On the home page, select Admin
Select domains
Select your federated domain and notice it says domain type ‘federated’
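As an added example (not part of the original post), here is the federation sequence above as one script, with the check a practitioner wants before the second Add-MSOLFederatedDomain call: confirm the ownership CNAME from the warning message is actually visible in public DNS and points at ps.microsoftonline.com. It assumes the Microsoft Online Services Identity Federation Management tool is loaded in the shell, that Resolve-DnsName (DnsClient module, Windows Server 2012 or later) is available, and that $DomainName and $VerificationHost are placeholders you replace with the values from the warning you received.

```powershell
# Added example, not from the original post. Runs the federation steps and
# verifies the ownership CNAME before the second Add-MSOLFederatedDomain call.
param(
    [string]$DomainName = 'company.com',                   # placeholder
    [string]$VerificationHost = 'ms123456789.company.com'  # placeholder taken from the WARNING text
)

$ExpectedTarget = 'ps.microsoftonline.com'

# 1. Prompt once for the Office 365 administrator credentials and set the context
$cred = Get-Credential -Message 'Office 365 administrator credentials'
Set-MSOLContextCredential -MSOLAdminCredentials $cred

# 2. First run: creates the domain in Office 365 and emits the CNAME warning
Add-MSOLFederatedDomain -DomainName $DomainName

# 3. Only re-run once the verification record is really in DNS (Resolve-DnsName assumed available)
function Test-VerificationCname {
    param([string]$Name, [string]$Target)
    try {
        $records = Resolve-DnsName -Name $Name -Type CNAME -ErrorAction Stop
    } catch {
        return $false
    }
    foreach ($r in $records) {
        if ($r.Type -eq 'CNAME' -and $r.NameHost.TrimEnd('.') -ieq $Target) { return $true }
    }
    return $false
}

if (-not (Test-VerificationCname -Name $VerificationHost -Target $ExpectedTarget)) {
    Write-Warning "CNAME $VerificationHost -> $ExpectedTarget is not visible yet; wait for DNS propagation and re-run this script."
    return
}

# 4. Second run: links the Microsoft Federation Gateway to the local ADFS 2.0 server
Add-MSOLFederatedDomain -DomainName $DomainName

# 5. Show the federation settings Office 365 now holds for the domain
Get-MSOLFederationProperty -DomainName $DomainName
```

Running the CNAME check first avoids a failed verification attempt while the registrar change is still propagating; the final Get-MSOLFederationProperty output is what you compare against the ADFS 2.0 server's own settings before testing a corporate sign-in.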
Here are the steps I followed for configuring ADFS for Office 365 (see my previous post for installing ADFS)
Click, Start, Admin Tools, ADFS 2.0 Management
Click ‘ADFS 2.0 Federation server Configuration Wizard’
Click ‘Create a new Federation Service’ unless you want to join your server to an existing federation server farm
Select ‘Create a new Federation Farm’
You create an Active Directory Federation Services (ADFS)-enabled Web server farm when you want to balance the load of incoming federated access requests that are made to one or more protected applications. The obvious benefits that can be obtained from a Web server farm are fault tolerance for the hosted applications and a possible increase in client-side browser performance. To client computers, the Web server farm performs like a single Web server servicing a highly scalable federated application.
For more details see – When to Create a Web Farm
Select the SSL certificate name and Federation name specified earlier when creating the SSL certificate
Review the results and close
Here are the steps I followed when installing ADFS 2.0
Start the ADFS installation
Launch AdfsSetup.exe
On the Welcome to the ADFS 2.0 Setup Wizard page, click Next
Accept the End-User License Agreement and click Next
Select the required role, in this case I’m using ‘Federated Server’
Click Next on the Prerequisites screen
Installation will begin
Restart once completed
Also note that you will need to create a certificate that matches the CN of the federation name (e.g. adfs.company.com) and assign it to the default website bindings in IIS
Please find a list of typical namespaces that are required when setting up and installing Active Directory Federation Services (ADFS) 2.0 and rich coexistence/hybrid with Office 365
Namespace                   Value                               Description
On-premise SMTP namespace   Company.com                         On-premise SMTP namespace
Online tenant namespace     Company.onmicrosoft.com             Name of the namespace given by Microsoft when the tenant is created
Service namespace           Office365.Company.com               SMTP mail routing namespace for determining where the mailbox is located
Delegation namespace        Exchangedelegation.Company.com      Federation delegation to the Microsoft Federation Gateway; allows sharing of free/busy between external organisations
Federation service name     Federation.Company.com              ADFS name that O365 will redirect clients to
Autodiscover                Autodiscover.Company.com            Autodiscover service for Outlook clients on-premise
Autodiscover                Autodiscover.Office365.Company.com  Autodiscover service for Outlook clients migrated to O365
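As an added example (not part of the original post), the script below is a pre-flight check over the namespace list above: it resolves each name in DNS and, for the federation service name, fetches the TLS certificate on port 443 and confirms the certificate's DNS name matches, which is the requirement stated in the ADFS 2.0 install notes. The hostnames are the table's placeholders (replace them with your own); it assumes the ADFS server is already bound to its certificate in IIS and uses .NET SslStream to read the certificate, so no extra modules are needed.

```powershell
# Added example, not from the original post. Resolves each namespace from the
# table and checks the federation endpoint's certificate name.
$Namespaces = @(
    @{ Role = 'On-premise SMTP';      Name = 'company.com' },
    @{ Role = 'Online tenant';        Name = 'company.onmicrosoft.com' },
    @{ Role = 'Service';              Name = 'office365.company.com' },
    @{ Role = 'Delegation';           Name = 'exchangedelegation.company.com' },
    @{ Role = 'Federation service';   Name = 'federation.company.com' },
    @{ Role = 'Autodiscover (on-prem)'; Name = 'autodiscover.company.com' },
    @{ Role = 'Autodiscover (O365)';  Name = 'autodiscover.office365.company.com' }
)
$FederationServiceName = 'federation.company.com'   # placeholder from the table

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback returns $true only so the handshake completes and the
        # certificate can be read; nothing here trusts or reuses the connection.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

# Basic resolution check for every namespace (A/AAAA only; MX for the SMTP namespace is not checked here)
foreach ($ns in $Namespaces) {
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($ns.Name) | ForEach-Object { $_.IPAddressToString }
        $status = "resolves to $($addresses -join ', ')"
    } catch {
        $status = 'DOES NOT RESOLVE'
    }
    Write-Output ("{0,-22} {1,-40} {2}" -f $ns.Role, $ns.Name, $status)
}

# The certificate presented by ADFS must carry the federation service name
$cert = Get-RemoteCertificate -HostName $FederationServiceName
$certName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($certName -ieq $FederationServiceName) {
    Write-Output "Federation certificate OK: '$certName' matches, expires $($cert.NotAfter)"
} else {
    Write-Warning "Federation certificate name '$certName' does not match '$FederationServiceName'; clients redirected by O365 will see certificate errors."
}
```

Run it from a client that uses the same DNS as your users will, since a name that only resolves on the ADFS server itself still leaves Office 365 redirects failing; the certificate check catches the common mistake of binding a certificate issued for a different host name to the default website.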