o365Adm
asked on
Azure active directory sync connector to sync only one OU with xyz.com
We have hybrid Exchange environment (Exchange 2010 with local AD and Exchange online) .
All the local AD objects with mail enabled attributes( only abc.com) sync to azure.
We now have a requirement to sync another domain xyz.com oly from a particular OU.
Can some one guide me with the steps to achieve the requirement.
All the local AD objects with mail enabled attributes( only abc.com) sync to azure.
We now have a requirement to sync another domain xyz.com oly from a particular OU.
Can some one guide me with the steps to achieve the requirement.
Vasil Michev (MVP)
Just configure OU filtering on the associated connector. Steps can be found here: https://msdn.microsoft.com/en-us/library/azure/dn801051.aspx#BKMK_ConfigureOrganizationalUnitBasedFiltering
ASKER
Hi Vasil,
Thanks again for the quick and prompt response.
I will try these steps by creating a new connector.
Thanks again for the quick and prompt response.
I will try these steps by creating a new connector.
ASKER
Hi Vasil,
The article above states to modify an existing connector, select the required OU, run FULL import and Full sync. IN our case we already have connectors and we are supposed to create a new connector.
I will follow the same steps in the new connector and select the new test ou which contains only 5 objects with xyz.com smtp.
Do I still need to run Full import, Full sync and export so that these 5 objects are visible in GAL for all online users. Is there any risk that all the other objects will sync and duplicate the address list.
Please advise.
The article above states to modify an existing connector, select the required OU, run FULL import and Full sync. IN our case we already have connectors and we are supposed to create a new connector.
I will follow the same steps in the new connector and select the new test ou which contains only 5 objects with xyz.com smtp.
Do I still need to run Full import, Full sync and export so that these 5 objects are visible in GAL for all online users. Is there any risk that all the other objects will sync and duplicate the address list.
Please advise.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi Vasil,
Is there any impact or risk to the production if we create an additional connector just for testing purpose. We wanted to make sure the new domain smtp objects are synced to the cloud.
Please advise.
Is there any impact or risk to the production if we create an additional connector just for testing purpose. We wanted to make sure the new domain smtp objects are synced to the cloud.
Please advise.
ASKER
Hi Vasil,
we have an exclusion in the current connector not to sync xyz.com smtp addresses. If we add OU filtering to existing connector I am afraid if the exclusion will get away and all the xyz objects from other OU also will be synced.
we have an exclusion in the current connector not to sync xyz.com smtp addresses. If we add OU filtering to existing connector I am afraid if the exclusion will get away and all the xyz objects from other OU also will be synced.
Can you clarify what the exclusion is exactly? Initially I thought you have several domains in the forest and you have scoped the sync based on domain filtering. Now I'm wondering whether you meant that you have an attribute based filtering for the SMTP addresses or similar, instead of actual per-domain filter?
If my initial assumption is right, you can have both OU and domain filering configured with no problems. Each domain is listed as separate "partition" and the OU filtering applies only to said partition. Any additional rules (such as the attribute based filtering) will apply on top of that, so you can combine all 3 methods. But if you do have an existing rule in place it's best to double and triple check before making changes indeed...
If my initial assumption is right, you can have both OU and domain filering configured with no problems. Each domain is listed as separate "partition" and the OU filtering applies only to said partition. Any additional rules (such as the attribute based filtering) will apply on top of that, so you can combine all 3 methods. But if you do have an existing rule in place it's best to double and triple check before making changes indeed...
ASKER
Hi Vasil,
Sorry I should have been more clear.
We have a forest with DNS suffix abc.com and abcd.com. I have checked the configuration and cound we have only few OU's excluded and the current filtering is only OU based filtering. Any objects in the selected OU with abc.com or abcd.com are being synced to online address list.
However we have few objects in our active directory with xyz.com smtp in one of the OU which is already included in AD connector as a source and our team wants to sync these xyz.com addresses to the GAL.
The xyz.com is not added as a domain in O365 portal. Please suggest if we will be able to sync an external address which is not a registered domain to Exchange online address list.
Also can you share me how to achieve this task.
Looking forward for your valuable feedback.
Thank you in advance.
Sorry I should have been more clear.
We have a forest with DNS suffix abc.com and abcd.com. I have checked the configuration and cound we have only few OU's excluded and the current filtering is only OU based filtering. Any objects in the selected OU with abc.com or abcd.com are being synced to online address list.
However we have few objects in our active directory with xyz.com smtp in one of the OU which is already included in AD connector as a source and our team wants to sync these xyz.com addresses to the GAL.
The xyz.com is not added as a domain in O365 portal. Please suggest if we will be able to sync an external address which is not a registered domain to Exchange online address list.
Also can you share me how to achieve this task.
Looking forward for your valuable feedback.
Thank you in advance.
If the objects are mail users/contacts, you can sync any address to them. If the objects are mailbox-enabled in O365 however, you can only use verified domain.
In your case, wouldn't it be easier if you just move the objects in question to one of the OUs that are in the scope of dirsync? Or am I missing something?
In your case, wouldn't it be easier if you just move the objects in question to one of the OUs that are in the scope of dirsync? Or am I missing something?
ASKER
Hi Vasil,
All the objects with xyz.com are mail enabled users and contacts, but still I am not sure why the objects are not synced with online. Is there something we need to do?
All the objects with xyz.com are mail enabled users and contacts, but still I am not sure why the objects are not synced with online. Is there something we need to do?
Apart from filtering, that might be because they are missing some attribute needed for the sync. You can find the list here: http://social.technet.microsoft.com/wiki/contents/articles/19901.dirsync-list-of-attributes-that-are-synced-by-the-azure-active-directory-sync-tool.aspx#How_directory_synchronization_determines_what_isn_t_synced_from_the_on-premises_environment_to_Windows_Azure_AD
ASKER
Appreciate the excellent support from Vasil. I am interested to know your timezone, never mind as you always reply to my answers irrespective of your timezone.