Solved

Dirsync\Password Sync Scenario

Posted on 2014-03-18
4
1,037 Views
Last Modified: 2014-03-20
I have a shop which formerly had an Exchange 2010 server in-house but was moved to Office 365 some time ago.  The Exchange server was decommissioned and staff use Outlook 2010 configured for the o365 servers.  They're now interested in setting up dirsync, and more specifically, password sync to manage all the o365 accounts via in-house AD so users only need one password to keep track of.

First, note that their in-house domain is not internet routable (contoso.local) so I've added a UPM (contoso.com) which matches their email domain.  The in-house domain and the UPM\email domain, however, do not match each other, so it's more like contosox.com vs contoso.local.

The OnRamp for o365 where I test the environment before enabling synchronization only offers 3 scenarios:  fresh start, mailbox migration, and hybrid.  This isn't really any of those.  

I have several questions that I'm not finding clear answers for.

How does dirsync identify and match up the existing mailboxes in o365 with the corresponding user in AD?  Or can it only create new mailboxes based off the AD objects?

As an extension of the first question (if we're not full-stop from it), there are several service accounts which have o365 mailboxes but no AD object and vice versa.  Should I make AD objects\can I skip mailbox creations?

The first half of the user email address matches the AD login, but as noted, the in-house domain does not match their email domain (and I used the email domain as the alternate UPM).  Do I have to change each user's config in AD to the alternate UPM?  Is this how I can associate AD users with the existing mailboxes?  This has the downside of making their in-house login names become their full email address when the goal here is to simplify things.

Basically the documentation is incredibly iffy but there are warnings all over about how dirsync should be considered permanent while fixing things post-sync is extremely complicated so clean up AD first.  Not a very nice combo.  Can someone with more experience with this product comment?  I can provide whatever additional info you need.  Thanks!
0
Comment
Question by:GS-Help
  • 2
  • 2
4 Comments
 
LVL 38

Assisted Solution

by:Adam Brown
Adam Brown earned 500 total points
ID: 39938095
To get the local account and the cloud accounts working properly, the UPN for each user in the Local domain has to match the login name for the user accounts in Office 365. So if the user has a login name in Office 365 as bob@company.com, that user will have to have their AD UPN changed to @company.com instead of @company.local. If the two don't match, Dirsync will create a separate user in the cloud rather than matching the user's AD info up with their cloud account, so you have to change the UPN on all your users to do what you want. And you will want to make sure that's in place before you implement dirsync because Dirsync doesn't handle changes like that well at all.
0
 

Author Comment

by:GS-Help
ID: 39940130
Thanks much for the reply.  So the pre-existing mailboxes in o365 are not a problem, the sync won't overwrite them or anything so long as I've set the corresponding user's UPN to match?  They also have several users in AD who do not have email.  I assume sync will offer to create mailboxes for them but I can decline, since 1) they dont need them and 2) they don't have the licenses anyway?
0
 
LVL 38

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 39940919
As long as the UPNs match up, it will sync the info to the cloud account without issues. That's the primary key that Dirsync uses when exporting changes.

Also, Dirsync won't every create mailboxes for you. It will create account objects in Office 365, but those will not have mailboxes until you assign a license to the account objects that Dirsync creates.
0
 

Author Comment

by:GS-Help
ID: 39942374
Beautiful.  Thanks again, I think I'm ready to push the button over the weekend.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This article explains how to prepare an HTML email signature template file containing dynamic placeholders for users' Azure AD data. Furthermore, it explains how to use this file to remotely set up a department-wide email signature policy in Office …
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA. http://www.experts-exchange.com/videos/1478/Excel-Error-Handlin…
In this video I am going to show you how to back up and restore Office 365 mailboxes using CodeTwo Backup for Office 365. Learn more about the tool used in this video here: http://www.codetwo.com/backup-for-office-365/ (http://www.codetwo.com/ba…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now