Posted on 04-Jan-2016
Microsoft Office 365: Directory Synchronization
Jono Luk, Program Manager II, Microsoft
OSP325
What we'll talk about
What is Directory Sync?
Who did we build Directory Sync for?
What does Directory Sync do for you & your users?
When to use Directory Sync
Using Directory Sync: Requirements, How Directory Sync works, Common asks, Coming features, Gotchas
Who did we build Directory Sync for
You!
Any customer that wants to use and unlock the power of Office 365
Office 365 Enterprise subscribers
From smallest (10 objects) to largest (1M objects) customers
What does Directory Sync do for you
Enables you to manage your company’s information in one central location for both on-premise intranet and Office 365
Runs as an appliance: install and forget
Proactively reports errors via email: "No news is good news"
What does Directory Synchronization do for users
Seamless user experience across on-premise and Office 365 services (Exchange, Lync, SharePoint)
Flavors of Co-Existence: Identity Co-Existence (aka Single Sign-On, Federated Identity, Federated Authentication) and Application Co-Existence
What does Directory Synchronization do for users: Identity Co-Existence
Facilitates “Single Sign-On” Experience
For users: Single set of credentials to manage
On-premise users, security groups, distribution lists, contacts are available in the cloud
Complete Address Books in Exchange Online; SharePoint Online ACLing via Security Groups
Users, contacts, groups can be created directly in Office 365, or sync’d from on-premise!
What does Directory Synchronization do for users: Application Co-Existence
2 types: Simple and Rich
Simple Co-Existence: full, consistent Address Book available across all O365 services
Exchange Online users can receive mail at any of their (valid) on-premise Proxy Addresses
Conf Room support (Outlook Room Finder)
What does Directory Synchronization do for users: Application Co-Existence
Rich Co-Existence: Hybrid Deployments
Staged migrations: keep data on-premise for various business or legal requirements
Free/Busy available to users on-premise and in cloud
What does Directory Synchronization do for users: Application Co-Existence
Rich Co-Existence (cont'd): Cross-Premise Services
Customers with an on-premise mailbox can have voicemail in the cloud
Cloud Archiving
Filtering Co-Existence (safe senders, blocked senders)
When to use Directory Synchronization
• Directory Synchronization is a long-term commitment
• Common scenarios (Scenario: Use Directory Synchronization?):
  Initial on-boarding/bulk provisioning of users only*: No
  Identity Federation: Yes
  Long-term migration/adoption of Office 365 Services: Yes
  Partial adoption/migration to Office 365 Services: Yes
Setting up Directory Sync - Requirements
3 types of requirements:
1. Host OS that runs Directory Sync: 32-bit ONLY
   Microsoft Windows Server® 2003 SP2 x86
   Microsoft Windows Server 2008 x86
   Cannot be a Domain Controller
2. Active Directory Forest functional level sync'd by Directory Sync: Microsoft Windows Server 2000, Microsoft Windows Server 2003, Microsoft Windows Server 2008, Microsoft Windows Server 2008 R2
   NOTE: known incompatibility with the Recycle Bin feature
Setting up Directory Sync - Requirements
3. Rich Co-Existence: for rich co-existence you need an Exchange 2010 SP1 Client Access Server (CAS) – free; it installs the schema extensions required to support Rich Co-Existence
Demo: Microsoft Online Directory Sync Setup
How Directory Synchronization works: Architecture
[Diagram: Customer Network (AD -> Directory Sync) -> Office 365 Datacenter (Office 365 FEs: Microsoft Online ID, Exchange, Office Sub, SharePoint, Lync; O365 Directory)]
How Directory Synchronization works: Architecture - Client
Uses Enterprise Admin credentials at configuration to create self-managed account for sync purposes:
Attribute-level write permissions for Rich Co-Existence
Uses a managed account with Global Administrator privileges for the tenant; authenticates to O365 via Microsoft Online ID
Syncs all users, contacts and groups from your (single) AD forest; queries the AD DirSync control for changes; filters out well-known objects and attribute patterns
Syncs every 3 hours
How Directory Synchronization works: Architecture - Client
First sync run is a "full sync": at start-up, syncs all objects
Subsequent runs are "delta sync": changes only
Time required depends on data size/complexity
How Directory Synchronization works: Architecture - Client
Microsoft Windows Server 2003 SP2 or higher (32-bit)
SQL Server 2008 R2 Express; larger customers should use full Microsoft SQL Server 2005 / 2008 (Express has a 10GB DB size limit)
Microsoft Online ID components for Authentication to Office 365
Available for download in 23 languages
How Directory Synchronization works: Architecture - Server
Syncs objects in "batches"
Users provisioned into Microsoft Online ID for login to Office 365
All objects provisioned into the Office 365 Directory Store; objects flow into services based on subscription (Exchange Online, Lync Online, SharePoint Online)
How Directory Synchronization works: Architecture – Sync Object Limits
All customers initially subject to a 10,000 object limit ("objects" = users, security groups, distribution lists, contacts); you will receive an email; contact support to increase the object limit
Larger customers (20,000+ users) sign-up for special subscription type
work with your MS account reps for more details!
How Directory Synchronization works: Attribute Validation
As batches of objects are processed by Office 365, the objects are validated
First-in-wins conflict resolution: if key attributes are duplicated, the second object receives the errors
How Directory Synchronization works: Attribute Validation
ProxyAddresses sanitization: proxy addresses with non-registered domains are stripped
UPN validation: if the UPN uses a non-registered domain, it will be replaced with:
mailNickName ‘@’ domain.onmicrosoft.com
(where domain is the primary domain the customer registered at sign-up)
How Directory Synchronization works: Attribute Validations
Attribute: most common issues
userPrincipalName:
  • cannot have a dot '.' immediately preceding '@'
  • cannot exceed 113 chars (64 for username, 48 for domain)
  • cannot contain ! # $ % & \ * + - / = ? ^ _ ` { | } ~ < > ( )
  • cannot have duplicate UPNs
sAMAccountName:
  • cannot contain " \ / [ ] : | < > + = ; ? ,
  • cannot end with a dot '.'
  • cannot be more than 20 chars
  • cannot be empty
proxyAddresses:
  • cannot contain smtp addresses with domains that are not registered for the tenant
  • cannot have duplicate proxy addresses
All errors are reported to Technical Notification Contact by email!
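The following is an added example, written for this transcript and not code from the deck or from the Directory Sync tool itself. It models the attribute validation the last three slides describe (first-in-wins conflict resolution, proxyAddresses sanitization, UPN fallback to mailNickName@domain.onmicrosoft.com, and the per-attribute rules above) so that an administrator can check a batch of on-premise objects for the most common sync errors before they are reported by email. The object layout, the registered-domain list, the tenant name, the sample batch and all function names are assumptions of this example.

```python
# Added example (mine, not from the OSP325 deck or the DirSync tool): a model of the
# attribute validation Office 365 applies to each batch, as the session describes it.
# Assumed: objects are dicts keyed by AD attribute name; the registered-domain list,
# tenant name and sample batch are constructed; function names are hypothetical.

# Character lists copied from the 'Attribute Validations' slide.
UPN_FORBIDDEN = set('!#$%&\\*+-/=?^_`{|}~<>()')
SAM_FORBIDDEN = set('"\\/[]:|<>+=;?,')


def validate_upn(upn):
    """Return the rule violations for a userPrincipalName (empty list = valid)."""
    errors = []
    if '@' not in upn:
        return ['UPN: missing @']
    user, domain = upn.rsplit('@', 1)
    if user.endswith('.'):
        errors.append("UPN: dot '.' immediately preceding '@'")
    if len(user) > 64 or len(domain) > 48:  # 113 total = 64 + '@' + 48
        errors.append('UPN: exceeds 64-char username / 48-char domain limit')
    bad = sorted(set(upn) & UPN_FORBIDDEN)
    if bad:
        errors.append('UPN: forbidden characters ' + ''.join(bad))
    return errors


def validate_sam(sam):
    """Return the rule violations for a sAMAccountName (empty list = valid)."""
    if not sam:
        return ['sAMAccountName: empty']
    errors = []
    if len(sam) > 20:
        errors.append('sAMAccountName: more than 20 chars')
    if sam.endswith('.'):
        errors.append("sAMAccountName: ends with dot '.'")
    bad = sorted(set(sam) & SAM_FORBIDDEN)
    if bad:
        errors.append('sAMAccountName: forbidden characters ' + ''.join(bad))
    return errors


def validate_batch(objects, registered_domains, tenant):
    """Validate a batch in order with first-in-wins conflict resolution.

    Returns {sAMAccountName: {'upn': final UPN, 'proxyAddresses': kept
    addresses, 'errors': [...]}}; the second object to claim a duplicated
    key attribute is the one that receives the error.
    """
    registered = {d.lower() for d in registered_domains}
    seen_upns, seen_proxies = set(), set()
    report = {}
    for obj in objects:
        errors = validate_sam(obj['sAMAccountName'])

        # UPN validation: a non-registered domain is replaced with
        # mailNickName@<tenant>.onmicrosoft.com before the other checks run.
        upn = obj['userPrincipalName']
        if '@' in upn and upn.rsplit('@', 1)[1].lower() not in registered:
            upn = '%s@%s.onmicrosoft.com' % (obj['mailNickName'], tenant)
        errors += validate_upn(upn)
        if upn.lower() in seen_upns:
            errors.append('UPN: duplicate (first-in-wins)')
        else:
            seen_upns.add(upn.lower())

        # proxyAddresses sanitization: smtp addresses on non-registered
        # domains are stripped; tenant-wide duplicates are errors.
        kept = []
        for addr in obj.get('proxyAddresses', []):
            prefix, sep, mail = addr.partition(':')
            if not sep:                      # bare address, treat as smtp
                prefix, mail = 'smtp', addr
            domain = mail.rsplit('@', 1)[-1].lower()
            if prefix.lower() == 'smtp' and domain not in registered:
                continue                     # stripped, as the deck describes
            if mail.lower() in seen_proxies:
                errors.append('proxyAddresses: duplicate ' + addr)
                continue
            seen_proxies.add(mail.lower())
            kept.append(addr)

        report[obj['sAMAccountName']] = {'upn': upn, 'proxyAddresses': kept,
                                         'errors': errors}
    return report


# Constructed sample batch (not real tenant data); contoso.com is the only registered domain.
SAMPLE_BATCH = [
    {'sAMAccountName': 'alice', 'mailNickName': 'alice',
     'userPrincipalName': 'alice@contoso.com',
     'proxyAddresses': ['SMTP:alice@contoso.com', 'smtp:alice@contoso.local']},
    {'sAMAccountName': 'bob.', 'mailNickName': 'bob',           # trailing dot
     'userPrincipalName': 'bob@contoso.local',                  # unregistered domain
     'proxyAddresses': ['SMTP:bob@contoso.com', 'smtp:alice@contoso.com']},
    {'sAMAccountName': 'carol', 'mailNickName': 'carol',
     'userPrincipalName': 'Alice@contoso.com',                  # duplicate UPN, loses to alice
     'proxyAddresses': ['SMTP:carol@contoso.com']},
]

if __name__ == '__main__':
    for sam, result in validate_batch(SAMPLE_BATCH, ['contoso.com'], 'contoso').items():
        print(sam, result)
```

Running it over the constructed batch shows the three behaviours side by side: alice passes cleanly and silently loses her contoso.local proxy address; bob's UPN is rewritten to bob@contoso.onmicrosoft.com and he is the one flagged for the duplicate alice@contoso.com address because alice was processed first; carol is flagged for the duplicate UPN for the same reason. Checking objects in the order they will be batched is the useful property here, since it tells you which object will carry the error.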
How Directory Synchronization works: Writing to On-Premise AD
If Rich Co-Existence disabled, Directory Sync will not modify customer’s on-prem AD
If Rich Co-Existence is enabled, Directory Sync will modify up to 6 attributes on users:
Attribute: Feature
SafeSendersHash, BlockedSendersHash, SafeRecipientHash: Filtering Coexistence (enables on-premise filtering using cloud safe/blocked sender info)
msExchArchiveStatus: Cloud Archive (allows users to archive mail to the Office 365 service)
ProxyAddresses (cloudLegDN): Mailbox off-boarding (enables off-boarding of mailboxes back to on-premise)
cloudmsExchUCVoiceMailSettings: Voicemail Co-Existence (enables on-premise mailbox users to have Lync in the cloud)
How Directory Synchronization works: Identifying on-premise and Cloud Objects
Objects in Office 365 are uniquely identified by sourceAnchor: a value derived from the ObjectGUID of on-premise objects, set on first sync
Customer can create objects in Office 365 before running Directory Sync
Objects may overlap with on-premise objects!
Sync tries to “map” objects being sync’d with objects already present in the cloud
Prevent duplicate objects!
How Directory Synchronization works: Matching on-premise and Cloud users
On sync, if no user object in the cloud has the sourceAnchor value, try to match based on SMTP addresses
If SMTP address match succeeds, sourceAnchor value stamped on object already in cloud, objects are “matched”
Subsequent sync runs will use sourceAnchor values
Matching for user objects only
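The following is an added example for the two slides above, written for this transcript and not code from the deck or from the Directory Sync tool. It models how on-premise objects are identified and matched against objects that were created in the cloud before Directory Sync was turned on: a hard match on sourceAnchor first, a soft match on SMTP address for user objects only (with the sourceAnchor stamped on the cloud object so later runs match on the anchor alone), and a new cloud object when neither succeeds. The encoding of sourceAnchor (base64 of the objectGUID bytes), the rule that a cloud object already stamped with another anchor is never soft-matched, the object layout and the two constructed directories are assumptions of this example.

```python
# Added example (mine, not from the OSP325 deck or the DirSync tool): a model of how
# on-premise objects are identified and matched against objects that already exist
# in the cloud. Assumed: sourceAnchor is the base64 of the objectGUID bytes, objects
# are dicts, the directories below are constructed, and all names are hypothetical.
import base64
import copy
import uuid


def source_anchor(object_guid):
    """Derive a sourceAnchor from an on-premise objectGUID (assumed: base64 of the 16 GUID bytes)."""
    return base64.b64encode(uuid.UUID(object_guid).bytes).decode('ascii')


def smtp_addresses(obj):
    """Lower-cased SMTP addresses from proxyAddresses ('SMTP:' primary and 'smtp:' secondary)."""
    return {a.split(':', 1)[1].lower()
            for a in obj.get('proxyAddresses', []) if a.lower().startswith('smtp:')}


def sync_object(onprem, cloud):
    """Sync one on-premise object into `cloud` (a list of dicts, mutated in place).

    Returns 'anchor' (matched on sourceAnchor), 'smtp' (matched on SMTP address
    and stamped), or 'new' (provisioned as a new cloud object).
    """
    anchor = source_anchor(onprem['objectGUID'])
    # 1. Hard match on sourceAnchor: what every run after the first relies on.
    for c in cloud:
        if c.get('sourceAnchor') == anchor:
            return 'anchor'
    # 2. Soft match on SMTP address, user objects only. Assumed: cloud objects
    #    already stamped with another anchor are skipped, so one cloud object
    #    cannot be claimed by two on-premise objects.
    if onprem['objectClass'] == 'user':
        mine = smtp_addresses(onprem)
        for c in cloud:
            if (c['objectClass'] == 'user' and not c.get('sourceAnchor')
                    and mine & smtp_addresses(c)):
                c['sourceAnchor'] = anchor     # stamped: the objects are now "matched"
                return 'smtp'
    # 3. No match: a new cloud object, even if a cloud-created one looks the same.
    cloud.append(dict(onprem, sourceAnchor=anchor))
    return 'new'


def simulate(onprem_objects, cloud_directory, runs=2):
    """Run `runs` sync passes on a copy of the cloud directory.

    Returns (list of {name: match kind} per run, final cloud object count).
    """
    cloud = copy.deepcopy(cloud_directory)
    results = [{o['name']: sync_object(o, cloud) for o in onprem_objects}
               for _ in range(runs)]
    return results, len(cloud)


# Constructed directories. The cloud objects were created in the portal before
# Directory Sync was turned on, so none of them carries a sourceAnchor yet.
CLOUD_DIRECTORY = [
    {'objectClass': 'user', 'name': 'alice', 'proxyAddresses': ['SMTP:alice@contoso.com']},
    {'objectClass': 'user', 'name': 'bob', 'proxyAddresses': ['SMTP:bob@contoso.com']},
    {'objectClass': 'group', 'name': 'sales', 'proxyAddresses': ['SMTP:sales@contoso.com']},
]
ONPREM_OBJECTS = [
    {'objectClass': 'user', 'name': 'alice',
     'objectGUID': '11111111-1111-1111-1111-111111111111',
     'proxyAddresses': ['SMTP:alice@contoso.com', 'smtp:alice@contoso.local']},
    {'objectClass': 'user', 'name': 'bob',
     'objectGUID': '22222222-2222-2222-2222-222222222222',
     'proxyAddresses': ['SMTP:robert@contoso.com']},   # no address in common: a duplicate user results
    {'objectClass': 'group', 'name': 'sales',
     'objectGUID': '33333333-3333-3333-3333-333333333333',
     'proxyAddresses': ['SMTP:sales@contoso.com']},    # groups are never soft-matched
]

if __name__ == '__main__':
    runs, count = simulate(ONPREM_OBJECTS, CLOUD_DIRECTORY)
    print(runs, count)
```

The first run matches alice on her SMTP address and stamps the anchor, but creates a second bob (no SMTP address in common) and a second sales group (matching is for user objects only), so three cloud objects become five; the second run matches everything on sourceAnchor and creates nothing. That is the duplicate-object problem the slide warns about: the time to align SMTP addresses between cloud-created users and on-premise users is before the first sync, because after it the anchors are set.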
How Directory Synchronization works: Synchronization Errors
Synchronization errors are communicated to the IT Generalist via email
The Technical Contact is very important to Microsoft Online Directory Sync for communication of sync health, errors, etc.
Administrators must address these errors through on-premise changes
Planning for Directory Synchronization
Things to think about:
1. Do you plan to enable Identity Federation? Register domains with Office 365; activate Federation
2. Do you plan to enable Rich Co-existence? Is an Exchange 2010 SP1 CAS deployed on-premise?
3. Is your Active Directory "ready"? Microsoft Online Deployment Guide (http://www.microsoft.com/online/deploy.aspx); Office 365 Best Practice Analyzer
Common Asks
Filtering: not supported; automated "scoping out" can lead to data loss (user mailboxes!); the filter file is no longer supported
Highly available Directory Sync: the Directory Sync tool is not configurable for high availability
NOTE: when the Directory Sync tool is down, Office 365 data goes "stale", but Federated Authentication, etc. still works!
Common Asks
Scale & large customers? Directory Sync is used for MSFT (~1M objects); customers with 50K+ objects should use a full SQL installation
Powershell-based configuration
Coming: 64-bit client
64-bit Directory Sync client releasing soon; provides W2K8 R2 Recycle Bin object re-animation (not supported in the 32-bit Directory Sync client)
Coming: Multi-Forest Support
Fact: Customers may have more than 1 AD Forest containing users, groups and contacts to sync to Office 365
Fact: Microsoft Online Directory Sync Appliance cannot be configured to sync from multiple Forests
Fact: customers of BPOS v1 have done work to “aggregate” multiple AD forests into one for sync to BPOS v1
Coming: Multi-Forest Support
Plan: provide prescriptive guidance for existing BPOS v1 customers to migrate to Office 365
Customers with specific, supported configurations can enable new Office 365 scenarios (Federated Identity, Rich Co-Existence)
BPOS v1 outside supported configurations, or new Office 365 Customers must wait until later in 2012 for a comprehensive Office 365 multi-forest solution
Gotchas
Sync'd objects are mastered on-premise: you need to update the on-premise object to update the cloud object
Stopping Directory Synchronization: cannot "de-activate" Directory Synchronization via the Microsoft Online Portal
Can “turn off” Directory Synchronization client
Can’t delete users that have been sync’d in unless removed from on-premise
Support coming post-General Availability
Gotchas
Removing domains: can't de-register a domain from Office 365 until all users that have attributes with that domain are removed
Demo: Back to Directory Sync
Other Sessions/Resources
SIM320 - Using Active Directory with Microsoft Office 365: breakout session about Identity Federation & Directory Synchronization
OSP381-INT - Microsoft Office 365: Identity and Access Solutions - Q&A Follow Up: customer-driven deep dive
Office 365 booth
Appendix – Directory Synchronization Features
Core DirSync features supported in V1:
Full shared GAL
Rich messaging (full format)
Meeting requests
Works over the Internet
Appliance-like setup
New DirSync V2 features (out of the box):
Identity coexistence: identities & security principals are mastered on-premises
Conf room synced as Conf room
Support for identity federation (ADFS)
Support for application coexistence (Mail, OC)
Syncs security groups (SharePoint security)
Syncs additional on-premise data (e.g., photos), enabling a richer experience
Proxies for contacts and mail-enabled users are respected (unchanged)
Support for Rich Coexistence features
New DirSync V2 features (optional):
Free/Busy coexistence (with an Exchange Server 2010 CAS server on premise)
Supports additional Rich Coexistence with Exchange Server 2010 (Cloud Archive, Filtering Coexistence, Delegation)
** DirSync does not require Exchange to exist on premises **
Resources
www.microsoft.com/teched: Sessions On-Demand & Community
www.microsoft.com/learning: Microsoft Certification & Training Resources
http://microsoft.com/technet: Resources for IT Professionals
http://microsoft.com/msdn: Resources for Developers
http://northamerica.msteched.com: Connect. Share. Discuss.
© 2011 Microsoft Corporation. All rights reserved.