• What type of hardware do I need for a Dirsync server?

     

    This was a question asked by a community college customer deploying Office 365 for Education near Seattle. 

     


    The Dirsync server syncs AD user objects, groups, and contacts to Office 365. User objects are synced as MSO IDs and all mail-enabled objects are synced to Exchange Online.

     

    What server hardware do I need for Dirsync?

    Sizing your Dirsync server is based on the number of objects in your Active Directory. The deployment guide provides a sizing matrix.

    It also has to be hosted on a 32-bit Windows Server for now. Future Dirsync for Office 365 is more than likely slated for 64-bit. Update 11-28-11: 64-bit Dirsync version available here for download.

     

    Can I run this on a virtual server?

    Yes, Dirsync is supported on a virtual server.

     

    How can I prepare my AD Forest prior to setting up Dirsync?

    Run the Office 365 readiness tool to analyze your AD Forest and remediate any objects the tool identifies prior to running Dirsync. Running this tool first will save you a lot of headaches. Grab the tool here.

     

    Do I set up Dirsync first or ADFS (SSO) first?

    Set up ADFS and federation first and then set up Dirsync. Logically you would think it would be the other way around; however, this is the order of operations.

     

    What if I have more than 300,000 Active Directory objects to sync to the cloud?

    If you have more than 300,000 Active Directory objects (the limit used to be 20,000 objects), you need to open a ticket with support before you enable Dirsync. Additionally, your AD user object size will determine which type of tenant you will be hosted on, so be sure you are provisioned on the correct tenant prior to enabling Dirsync as well. Check with support to ensure you are on the correct tenant when going beyond 300,000 AD user objects.

    To determine the total number of AD objects, you can run the Office 365 readiness tool to get a ballpark count of objects. Grab the tool here.

     

    How do I size the SQL database for Dirsync?

    If you have more than 50,000 AD objects to sync with Dirsync, it is recommended to move to full-blown SQL Server 2008 to handle the database size. If you have fewer than 50,000 AD objects, you can continue to use the default SQL Server 2008 Express database.

     

    Can I run Dirsync on the same server as the ADFS 2.0 server?

    No, it is not recommended to run them on the same hardware.

     

    Do I need to make the Dirsync server highly available?

    No, if your Dirsync server fails you will not be out of commission nor will objects get deleted. You can stand up a new Dirsync server and the objects will get into sync again.

     

    How often does Dirsync sync with Office 365? Can I force a Dirsync?

    It syncs by default every 3 hours or you can manually force a dirsync process via PowerShell with ‘Start-OnlineCoexistenceSync’ cmdlet. See a reference in Greg’s Dirsync step by step below.

     

    Is there a good place to read about deploying Dirsync server?

    Yes, the Office 365 deployment guide here and the setup accelerator here are great sources of information on configuring Dirsync. Additionally, Greg Katz posted a step by step here on our blog.

  • How do YOU pronounce FOPE? Sign in for the first time

    If you are an Exchange Online or Outlook Live tenant administrator, then you can access the Forefront Online Protection for Exchange (FOPE) Administration Center via a hyperlink in the Exchange Control Panel. And with a few additional steps, you can log in directly to the FOPE Admin Center.

    Accessing the FOPE Admin Center from the Exchange Control Panel

    1. Sign in to the Exchange Control Panel as an Administrator
    2. Click Mail Control (left side) then click the hyperlink underneath Forefront Online Protection for Exchange (right side), e.g. “Configure IP safelisting, perimeter message tracing, and e-mail policies.”

     


     

    After about 30 minutes of inactivity, the FOPE Admin Center will time out.

    When you click the “Configure IP safelisting, perimeter message tracing, and e-mail policies” hyperlink in the Exchange Control Panel, you may receive an error saying, “We are sorry but your session has expired.”

     


     

    So, how do you log in again to the FOPE Admin Center?

    You could sign out of the Exchange Control Panel and sign in again. Then, click Mail Control and click “Configure IP safelisting, perimeter message tracing, and e-mail policies.” But, you may need to close all of your browser windows.

    If you have as many open browser windows and tabs as I do, then this could become a major interruption. “Should I save this tab or that tab? What’s the password for the firewall’s web GUI? Should I save a Draft in OWA or send this email before closing all the browser windows?”

    I’ve gone on too long…you get the idea.

    Instead, why not sign in directly to the FOPE Admin Center? You can stay logged in to the Exchange Control Panel, leave open your browser windows and tabs, and simply sign in again with your user name and password.

     

    Sign in directly to the FOPE Admin Center for the first time

    1. Browse to https://admin.messaging.microsoft.com/
    2. On the “Sign in” page, click the “Need your password?” link
    3. Enter your Administrator’s User Principal Name (UPN) or Windows Live ID, e.g. admin@fabrikam.onmicrosoft.com (Office 365) or admin@live.contoso.edu (Live@edu), and click Send
    4. Log in to your Administrator’s Inbox, open the Password Change Confirmation email and follow the link in the body of the message
    5. On the “Set your new password” page, enter User Name, New Password and Confirm new Password
    6. Go to https://admin.messaging.microsoft.com/ and log in with User Name and new Password
              
    [Screenshots of Steps 1 through 6 and of the Forefront Online Protection for Exchange – Administration Center]

    At this point, you can go directly to the FOPE Administration Center at https://admin.messaging.microsoft.com/

    So, how do you pronounce FOPE?

    In my previous article, How do YOU pronounce FOPE? An Introduction, I discussed some of the key features of Forefront Online Protection for Exchange (FOPE) and invited you to explore additional resources:

    And, hopefully, you’ve had an opportunity to sign in to the FOPE Administration Center via the hyperlink in the Exchange Control Panel or by entering your user name and password at https://admin.messaging.microsoft.com/.

    Okay, I didn’t spell it out. The truth is that there isn’t a right or wrong answer.

    Please leave a comment to tell us how YOU pronounce FOPE. There are bonus points for using the International Phonetic Alphabet (IPA) or Pronunciation Respelling Key!

    ______________________________

    Thanks for joining us today!

    Zion Brewer

    ______________________________

  • Useful PowerShell Command Builder tool to help you design PowerShell scripts for your Office 365 tenant

     

    If you are new to PowerShell or the Office 365 specific tenant cmdlets in PowerShell, here is a nice tool called the PowerShell Command Builder. It allows you to visually build your Office 365 tenant PowerShell scripts.  It doesn’t have Exchange Online PowerShell but is a great start to learning tenant scripts.

     

    Pick “Office 365” from the Products list to show you all the Office 365 tenant “verbs” and “nouns”


    To build a script, just drag your “Verb” and drag a “Noun” over to the design surface and it will autogenerate a PowerShell script for you which you can quickly copy.

     


    It even allows you to put in your actual domains to leverage in your script.

     

    Visit the PowerShell Command Builder tool here.

    To learn more on how to actually use these scripts with Office 365 via remote PowerShell visit my other post here.

  • What are all the Office 365 for Education PowerShell command options?

     

    This was a question from a university in New Orleans looking to move to Office 365 for Education. 

    There are two PowerShell scenarios applicable to Office 365 for Education. The first scenario is leveraging PowerShell for overall management of your Office 365 tenant and the other PowerShell scenario is for leveraging PowerShell to manage Exchange Online. You can combine them into one PowerShell session or separate them into two different administrative streams if you have different Office 365 tenant administrators and Exchange Online tenant administrators. I broke them out into two distinct roles but you can certainly combine them into a single session.

    What types of things can I do with Office 365 Remote PowerShell?

    · Manage users
    · Manage group and role membership
    · Manage Office 365 domains
    · Manage Single Sign-on
    · Manage subscriptions and licenses
    · Manage company information and service
    · Manage Exchange Online

    Setting up Office 365 Remote PowerShell to manage the tenant:

    Step 1: On the administration workstation – the MS Online Services Sign-In Assistant is required as a prerequisite to leverage O365 PowerShell.

     

    Step 2:  Install the Office 365 Services module OR leverage PowerShell (if you don’t have Windows 7 or Windows Server 2008+)


    OR

    Leverage existing Windows 7/Windows Server 2008+ PowerShell or grab Windows PowerShell here for older workstations.

    I chose to leverage the stock PowerShell for all of my Office 365 for Education management but you could also use the Online Services module.

     

    Step 3: Launch PowerShell – you can launch either ‘Online Services PowerShell’ or ‘Windows PowerShell’ – I launched ‘Windows PowerShell’

    In either ‘Online Services PowerShell’ or ‘Windows PowerShell’ type in:

    Import-Module msonline

    $cloudcred = Get-Credential    # Note: this can be any variable name; I just used 'cloudcred'

    Connect-MsolService -Credential $cloudcred

    You are now connected to Office 365 via remote PowerShell.

    If you want to see all your cmdlets available type:

    Get-Command -Module msonline

     

    Step 4: optional – to manage Exchange Online in the same PowerShell session skip to Step 2 in the Exchange Online steps

    You can manage the Office 365 tenant and Exchange Online in a single session from either native PowerShell or the Online Services Module.

    How to connect to Exchange Online using PowerShell:

    Step 1:  You need to configure your workstation to support Remote PowerShell

    Start PowerShell or start the Online Services Module (from above) – I used the native 64-bit version but you can use either (native with Win7 or Win Server 2008+) or grab it here.

    You need to set a variable to equal Get-Credential. You can set it to any variable you want as long as you are consistent:

    $CloudCred = Get-Credential

    Type in your O365 credentials with PowerShell administrator permissions in the dialog – check your PowerShell permissions for O365 here.

     

     

    Step 2: connect to Exchange Online by typing in:

    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $CloudCred -Authentication Basic -AllowRedirection

    to connect to the Exchange Online service remotely via PowerShell

    Finally type in:

    Import-PSSession $Session

    to grab the Exchange Online specific cmdlets

     


    For more information visit here.

     

    You can list all the available Exchange Online cmdlets with:

    Get-Command | more

    This will be a subset of cmdlets; not all on-premises Exchange 2010 cmdlets are available to you, for example. The good news is that you can leverage some of your on-prem Exchange 2010 scripts against Office 365.

     

    Step 3: Disconnect when finished

    Be sure to disconnect from the service when you are done, because you are limited to 3 concurrent PowerShell sessions per tenant (15 min timeout after disconnect). Disconnect by using:

    Remove-PSSession $Session

     

    Where can I find a list of all the Office 365 PowerShell cmdlets?

    You can find a list of all your Office 365 cmdlets here.

     

    What are the differences between Exchange 2010 on prem cmdlets vs. Exchange Online cmdlets?

    You can find a list of all the Exchange Online cmdlets here.

     

    Can I manage SharePoint Online or Lync Online with PowerShell?

    As of today’s post, it is not possible to manage these with remote PowerShell.

     

    Do I have to go through entering the above every time I want to manage Office 365 via remote PowerShell?

    No, you can write a PS1 script to automate the typing above. Here is a sample you can use:

    Step 1:

    Create your PS1 file in Notepad or PowerShell ISE such as this (note: all the code is there even though it doesn’t appear that way; just copy and paste the lines below)

    # Connect to the Office 365 tenant
    Import-Module msonline
    $cloudcred = Get-Credential
    Connect-MsolService -Credential $cloudcred
    # Connect to Exchange Online and import its cmdlets
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $cloudcred -Authentication Basic -AllowRedirection
    Import-PSSession $Session

    Step 2:

    Save the file with a .PS1 extension in your c:\users\username folder – this is key to making it easy to execute in PowerShell

    Step 3:

    Open up PowerShell or the Online Services Module, type the first two letters of the PS1 file name, press “Tab” to autocomplete, and then press “Enter” to launch the script

    Step 4:

    Type in valid tenant administrator credentials


    You are now connected to Office 365 via PS1 script file so you don’t have to remember all of this each time.
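
    The connect script above, extended so that the disconnect step (Remove-PSSession) always runs, even when a command fails, which keeps a failed run from holding one of the 3 concurrent sessions. This is an added example, not the author's script; the file name, the $Work and $ConnectionUri parameters, and the Get-Mailbox placeholder workload are assumptions.

    ```powershell
    # Connect-O365.ps1 (hypothetical file name): added example, not the original post's script.
    param(
        # Commands to run while connected; the default is only a placeholder workload.
        [scriptblock]$Work = { Get-Mailbox -ResultSize 5 | Select-Object DisplayName },
        [string]$ConnectionUri = 'https://ps.outlook.com/powershell/'
    )

    # -Authentication Basic puts the password in the request, so accept HTTPS endpoints only.
    if (([uri]$ConnectionUri).Scheme -ne 'https') {
        throw "Refusing non-HTTPS endpoint: $ConnectionUri"
    }

    # Sessions left open earlier in this PowerShell window still count toward the
    # 3-session limit, so remove them before opening a new one.
    Get-PSSession |
        Where-Object { $_.ConfigurationName -eq 'Microsoft.Exchange' } |
        Remove-PSSession

    # Prompt for the password at run time rather than storing it in the .ps1 file.
    $cloudCred = Get-Credential

    $session = $null
    try {
        Import-Module MSOnline -ErrorAction Stop
        Connect-MsolService -Credential $cloudCred -ErrorAction Stop

        $session = New-PSSession -ConfigurationName Microsoft.Exchange `
            -ConnectionUri $ConnectionUri -Credential $cloudCred `
            -Authentication Basic -AllowRedirection -ErrorAction Stop
        Import-PSSession $session -ErrorAction Stop | Out-Null

        & $Work
    }
    finally {
        # Runs on success, on error and on Ctrl+C, so the session is always released.
        if ($session) { Remove-PSSession $session }
        $cloudCred = $null
    }
    ```

    Sessions opened from other PowerShell windows are not visible to Get-PSSession here; those are released only by closing them there or by the timeout.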

  • How can I troubleshoot ADFS issues with Office 365?

     

    This was asked by a university in Southern California.

    Here are some new tools to help you troubleshoot your ADFS and your Office 365 setup:

    ADFS Connectivity Analyzer tool

    You can also use the Remote Connectivity Analyzer to help you troubleshoot your ADFS configuration or other coexistence settings.


    I provided my on-prem AD creds and the analyzer provided successful results of an Office 365 ADFS test.

    Visit the Remote Connectivity Analyzer tool here.

    Another advanced ADFS diagnostic tool: MOSDAL 3.2

    This is an Office 365 diagnostics tool used by Microsoft Online support folks, but it now has the ability to check your ADFS configuration:

    • Identity Federation/ADFS Diagnostics – Identity federation tool built by the ADFS product team into MOSDAL to help us with O365 Identity and ADFS related issues troubleshooting

    You can select what tests you want it to run if you are having issues with just one area.


    It generates many diagnostic files you can send to Microsoft Support or review on your own. One of them is the ADFS diagnostic test, which you can review on your own.

     

    Grab the MOSDAL diagnostic tool here:

    · Download

    · MOSDAL KB Article

    · Using MOSDAL 3.2 to Troubleshoot Identity Federation – has nice steps to remediate errors found in the ADFS log above

    · Training