How to sync local Active Directory to Office 365 with DirSync

Posted on October 22, 2014 by Adam the 32-bit Aardvark
[UPDATE] This article refers to the Directory Synchronization Tool (DirSync), which is now
deprecated and replaced by Azure AD Connect (AAD Connect). To see how to synchronize
directories using Azure AD Connect visit this blog post.

When moving to the Office 365 environment, the old on-premises structure quite commonly must
be preserved. Sometimes this is because the migration process can take quite a bit of time to finish,
sometimes because the company wants to follow a hybrid scenario, in which both environments
are used.

No matter the reason, one of the important aspects of a coexistence setup is synchronization of
Active Directory between the local and Cloud Exchange environments. The article below describes the steps
required to achieve such a sync.

Directory Synchronization Tool


To sync the local AD with the Office 365 service, the Directory Synchronization Tool (Dirsync)
must be installed. You can download the tool from Microsoft:
http://go.microsoft.com/fwlink/?LinkID=278924. Bear in mind that the tool is available only in a
64-bit version.

The program syncs all accounts, together with their passwords, to Office 365. However, it does
not provide Single Sign-On (SSO) capability. To achieve SSO, AD Federation Services (ADFS)
needs to be configured.

Microsoft recommends installing Dirsync on a server within a domain; however, it should not be
a domain controller. More specific system requirements are available on this Microsoft Technet
website: http://technet.microsoft.com/en-us/library/jj151831.aspx#BKMK_ComputerRequirements.

Installation
NOTE: all actions below are performed on a test Office 365 environment.

Steps are as follows:

1. Log in to Office 365 with administrative user credentials.
2. Go to Users, then Active Users.
3. Click the Active Directory synchronization Set up link visible above the
list of users.
4. In point "3" on the list, click the Activate button. A notification should
appear that the synchronization is active:

5. In point "4", click Download to get the Dirsync tool:

6. On the machine where you are installing the tool, make sure that the .NET
3.5 SP1 and .NET 4.0 libraries are installed. Otherwise the Dirsync tool
setup will return the following error:

In Windows Server 2008 R2 SP1 the .NET 3.5 SP1 library is available for
installation via the Server Manager program, in the Features tab, while
.NET 4.0 needs to be downloaded from the following location:
http://www.microsoft.com/en-US/download/details.aspx?id=17718. In
Windows Server 2012 and 2012 R2 both libraries can be installed using
the Server Manager console.
7. Follow the installation wizard until finish. The process might take a couple
of minutes.
8. Once the installation is complete select Start Configuration Wizard now
and click Finish.

9. In the configuration wizard, enter credentials of a user with administrative
privileges in Office 365. These credentials are stored within the tool – if
they change (e.g. the password is changed) the program needs to be
reconfigured.

10. In the next step enter administrative user credentials of the on-premises
AD. Unlike in step 9, these credentials are not stored, and there is no
need to reconfigure the program if e.g. the password changes.
11. Next step shows the Exchange settings for the hybrid deployment. Leave
them unchecked, as they are not covered in this article. Click Next.
12. In the following step, mark the Enable Password Sync checkbox. Click
the Next button.

13. Wait for the program to finish configuration. Once it’s done – click the
Finish button. Leave the Synchronize your directories now option
marked:

Synchronization monitoring
After Dirsync is installed, you need to verify that the process works as expected. To do so, use the
Synchronization Service Manager console:

1. Go to the following disk location: C:\Program Files\Windows Azure
Active Directory Sync\SYNCBUS\Synchronization Service\UIShell.
2. Launch the miisclient.exe program. The program might not start
right after the Dirsync installation. In that case, simply log out
and then log back on to the system.
3. Once the program is running you can check the sync progress:

In the upper part of the window, there is a list of all current sync cycles. In the lower left, all
current modifications to AD are listed.

4. Log on to the Office 365 portal again.
5. In the Users section, in the Active Users part, you can check which accounts
are already synced:

Dirsync post-installation tweaks


Changing time between sync cycles

By default, the sync cycles are launched in 3-hour intervals. To reduce the time between syncs
(e.g. for testing purposes) do the following:
1. On the server where the Dirsync tool is installed, go to the C:\Program
Files\Windows Azure Active Directory Sync folder.
2. Open the Microsoft.Online.DirSync.Scheduler.exe.Config file with
Notepad.
3. Locate the following string: <add key="SyncTimeInterval"
value="3:0:0" /> and change the "3:0:0" value to e.g. "0:5:0". This
changes the sync interval from 3 hours to 5 minutes.
4. Save changes in the file and restart the Windows Azure Active Directory
Sync Service in system services.

Limiting the number of synced objects

When the on-premises organization is large and only some users or groups are
using Office 365, it is useful to limit the sync to specific Organizational Units (OU) only.

1. On the Dirsync server open the C:\Program Files\Windows Azure Active
Directory Sync\SYNCBUS\Synchronization Service\UIShell location.
2. Open the Synchronization Service Manager console by launching
miisclient.exe.
3. Open the Management Agents tab:

4. Right-click Active Directory Connector and select Properties.
5. Navigate to Configure Directory Partitions and click the Containers
button:

6. In the next window enter credentials of the AD administrative user:

7. Select the OU container of your choice and click OK:

8. Click OK again to return to the main window (Management Agents tab).
9. Right-click the Active Directory Connector agent and click Run:
10. Select Full Import Full Sync and hit OK:

11. You should already notice the effect of above settings in the main program
window, in the Operations tab:

That’s it – you now have a fully synced AD with Office 365. Every change to any Active
Directory object is now synchronized to the Cloud.

The next step is usually the mailbox migration. To perform it you can use a third-party tool, such
as CodeTwo Office 365 Migration. What is even more interesting – you can get it completely
free of charge.

105 thoughts on “How to sync local Active Directory to Office 365 with DirSync”

1. henrie

October 31, 2017 at 7:18 pm

Dear Adam,

Currently our company email has already used Office 365 for 1 year and it has been
working fine and all are cloud users. We are creating Office 365 mailbox from the portal
directly.

However, currently I am being instructed by company whether it is feasible to sync
between Windows domain login password with Office 365. In my previous company
when we are using hybrid configuration, we are creating our mailbox from the on
premise Exchange and then it will be sync to Office 365 via AAD Connect server. Then
after sync, we will assign license in Office 365 portal. However, in my past company,
Windows login domain is same as Office 365 domain, as we are using company.com for
both Windows login and Office 365 domain. There is no UPN suffixes required at all.

Now my current situation is: my new company has already completed the migration and
currently all are cloud users. Is it feasible to do sync Windows login password and
Office 365 mailbox password and currently we are on different domain between Windows
login and Office 365. Windows login is using cpy.net domain whereby Office 365 is using
company.com.

May I know is it feasible to do this task?

In my mind, looks like there are some consequences:

1. password can’t be changed from OWA
2. Windows profile may need to be created again?
3. how will the mapping be between the AD users with their Office 365 mailboxes?
4. how is the mailboxes created since there are no more on premise Exchange.
5. is there any risks associated with this task

Many thanks

Regards,
H


2. Mohamed Faizal

April 25, 2017 at 12:22 pm

Hello
I want to sync the AD with Office 365

there are more than 1000 users in AD and they have in house Exchange account.

when I sync with Azure sync tool kindly confirm over all users of local AD sync with
Office 365?


o Adam the 32-bit Aardvark

April 25, 2017 at 4:06 pm

Hi Mohamed,
If I understand correctly, you want to know if Azure AD Connect syncs over 1000
users? By default, Azure AD tenant allows 50k objects, so it should not be a
problem. Still, I will advise you to try it in a test environment before syncing on
the production server.

3. Amena Abdrabo

April 18, 2017 at 5:37 pm

Hi!
I’ve a problem when creating new users they default to the .onmicrosoft.com address,
even though they are specified differently on prem.
They have to use PowerShell to change this each time, however, would like a way to do
this by default.

Any suggestions?

Thanks in advance


o Adam the 32-bit Aardvark

April 19, 2017 at 9:29 am

Hi Amena,
I am sorry, but I have not come across this problem before. You could try asking
the tech community at spiceworks.com, or at Microsoft’s TechNet. I wonder
myself what solution will work in this situation.

4. windows azure training

April 5, 2017 at 8:18 am

Nice Article. How it help to developer in terms of balance the day to day life.


5. abrar ahmad

December 26, 2016 at 10:24 am

I have a question.
I want to sync the AD with Office 365 but in Office 365 my domain name is different and
these user are premium.
when I sync with Azure sync tool kindly confirm over all users of local AD sync with
Office 365 AD so in this case we need to pay the extra money for the user that are using
in local AD or not.

thanks

o Adam the 32-bit Aardvark

January 19, 2017 at 10:56 am

Hi abrar ahmad,

As far as I know, you need to assign an Office 365 license only to a user that
exists in Office 365, not local AD.
Once you have synchronized users from on-premises Active Directory to Azure
Active Directory with Azure AD Connect tool, you need to manually assign them
licenses before they can use Office 365 applications.

If you have two different domains for Exchange and Office 365 environments,
make sure to set an Alternative UPN Suffix in the Active Domain and Trust to
avoid creating double user accounts in Office 365. See this Technet post for more
details: https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_dirservices/after-setting-up-ad-connect-i-now-have-two-users/833628ec-b8e7-4e58-87b3-687a31d7162f.
