Welcome to the US SMB&D TS2 Team Blog

Helping partners understand the value of Microsoft solutions.

The Directory Sync tool can now be installed on a Domain Controller!

Todd Sweetser

Hi Cloud Sellers!

Some great news for those that are selling into the smaller SMB accounts that may be running a single Domain Controller and don’t have the resources to have a second server.  Historically you were required to install the Office 365 Directory Sync (DirSync) tool (now called Windows Azure Directory Sync Tool) on a MEMBER SERVER but it was not possible to install it on a Domain Controller directly.  That is no longer the case! 

Now customers with only one server that is a DC can also take advantage of this Directory Sync tool, which now also can do Password Sync as described in my colleague’s earlier blog post here.

The instructions on how to do this are posted on the Best Practices for Deploying and Managing the Windows Azure Active Directory Sync Tool Wiki site.  Note that you will need to download the newest version (version 6553.0002 and newer) to be able to accomplish this.

Thanks!  And good selling!


Comments
  • I have a Server 2012 DC with AD DS and ADFS installed. The federation trust has been established between Office 365 and the Server 2012 DC. Now I am trying to install DirSync on the same server, i.e. the DC, and am getting the error "DirSync cannot be installed on Domain Controller" while troubleshooting the issue.

    I am using the latest DirSync version. Any idea what I am missing here?

  • I have just found out that the download of the updated DirSync client that allows this was backed out to a previous release due to unrelated issues.  I will let you know when it is available again.

  • Any ETA on when the updated version might be available?

  • It is now available!  See social.technet.microsoft.com/.../18429.windows-azure-active-directory-sync-tool-version-release-history.aspx

  • Just grabbed the latest version and now I can't install because I'm not a local admin, and I can't be a local admin on a DC. What's the deal, guys? Make up your minds. >.

  • ITLee, if you're part of the domain admins then you have admin rights on a DC.

  • Todd, I'm really not sure where I could ask this. Do you have any plans to support SMTP matching for a new on-premises domain? We had to migrate our users to a new domain because

    a) we had a storage failure and due to other technical errors we only had one of the domain controllers backed up
    b) we had a .local TLD, which causes troubles on OS X, Linux and sometimes even on Windows

    So instead of trying an error-prone domain renaming procedure and adding another DC, we decided to start from scratch to make sure everything will be working flawlessly.

    Now everything's fine: user and computer accounts, group policy etc. are migrated, passwords are reset, all is good. Except DirSync won't work anymore. And I only now noticed that paragraph in the SMTP matching article (KB2641663):

    "SMTP matching can be used only one time for user accounts that were originally authored by using Office 365 management tools. After that, the Office 365 user account is bound to the on-premises user by an immutable identity value instead of a primary SMTP address."

    My only hope is that

    a) you might consider supporting this scenario in the future
    b) you might have any suggestion as to what other options we have to re-link our on-premises and 365 users, other than deleting the 365 users and recreating (re-syncing) them from scratch, which might be fine except we'd have to migrate several dozens of GBs of emails, which would be extremely tedious and time-taking

    Regards,

    Viktor

  • Never mind, I've found this guide:

    http://365lab.net/2014/01/26/office-365-migrating-dirsync-to-new-ad-domain/

    Basically, all you have to do is:

    Connect-MsolService
    Set-MsolUser -UserPrincipalName user@foo.bar -ImmutableId "$null"

    So if it's that simple, why isn't it mentioned anywhere in the official docs? Or even, why can't there be a button in the MS portal for such a basic task?
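A fuller version of the two-line procedure above, written as an added example rather than the commenter's or the linked guide's own code: it saves each user's current ImmutableId to a CSV before clearing it, skips users that Office 365 still reports as synced, and reads the value back to confirm the change. The MSOnline module and the UPN list are assumptions.

```powershell
# Added example (not from the original post or the linked guide). Assumes the
# MSOnline module is installed and that $upns (constructed for illustration)
# names users that still exist in Office 365.
Import-Module MSOnline
Connect-MsolService                      # prompts for a Global Admin credential

$upns       = @('user@foo.bar', 'second.user@foo.bar')     # constructed sample
$backupPath = ".\ImmutableId-backup-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"

# 1. Record the current ImmutableId of every user first, so the change can be
#    reverted with Set-MsolUser from the CSV if matching goes wrong.
$before = foreach ($upn in $upns) {
    $u = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    if (-not $u) { Write-Warning "Skipping $upn (not found in Office 365)"; continue }
    if ($u.LastDirSyncTime) {
        # Attributes mastered by directory sync cannot be edited in the cloud;
        # the object has to be cloud-only before its ImmutableId can be cleared.
        Write-Warning "Skipping $upn (still reported as synced from the old directory)"
        continue
    }
    $primary = ($u.ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1) -replace '^SMTP:'
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        OldImmutableId    = $u.ImmutableId
        PrimarySmtp       = $primary
    }
}
$before | Export-Csv -Path $backupPath -NoTypeInformation
Write-Host "Backed up $(@($before).Count) ImmutableId value(s) to $backupPath"

# 2. Clear the ImmutableId. "$null" in double quotes expands to an empty
#    string, which is the form the linked guide uses; once the value is gone
#    the next DirSync run falls back to matching on the primary SMTP address.
foreach ($row in $before) {
    Set-MsolUser -UserPrincipalName $row.UserPrincipalName -ImmutableId "$null"
}

# 3. Read each value back so a partially applied change is visible before the
#    next sync cycle, not after it has created duplicate users.
foreach ($row in $before) {
    $after = Get-MsolUser -UserPrincipalName $row.UserPrincipalName
    if ([string]::IsNullOrEmpty($after.ImmutableId)) {
        Write-Host ("cleared {0} (was {1}; will match on {2})" -f $row.UserPrincipalName, $row.OldImmutableId, $row.PrimarySmtp)
    } else {
        Write-Warning ("ImmutableId still set on {0}: {1}" -f $row.UserPrincipalName, $after.ImmutableId)
    }
}
```

The primary SMTP address recorded in the CSV is the value the on-premises user must carry in its proxyAddresses for the soft match to succeed, so it is worth comparing the two lists before running the first sync against the new domain.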

  • Yes I have admin rights but the installer very specifically wants you to be part of the local admin group, not just an admin in general and the local admin group doesn't exist on a domain controller. If this wasn't a problem, everything would have been fine when I installed using my admin account. It is a problem though, so the install didn't work and I ended up complaining here.

  • Ugh, that was me intending to post at PowerMonkey007.

  • Powder*
