Microsoft Online Services Partner Deployment Training for Office 365

1 Microsoft Online Services Partner Deployment Training for Office 365
Directory Synchronization Module 5

2 Agenda
Purpose
Coexistence – What is it?
Coexistence – Mail Routing
Installation
Configuration
How Synchronization Works
Identity Management
Roadmap

3 Purpose

4 Purpose
Enables “simple” and “hybrid” (formerly known as “rich”) coexistence scenarios
Provisions Microsoft Online identities
Performs Global Address List synchronization
Enables application coexistence for Microsoft Lync 2010
Enables hybrid coexistence for Microsoft Exchange 2010 SP1+
Notes: Application coexistence for Lync means that the Lync client can share presence information with Outlook and SharePoint.
4 | Microsoft Confidential

5 Purpose
Enables Single Sign-On (a.k.a. Identity Federation)
Enables ongoing identity management and provisioning
Synchronizes adds/deletes/modifications of users, groups, and contacts from on-premise to Office 365
Not intended as a single-use bulk upload tool
Currently, DirSync cannot be disabled
Prevents the removal of sync’d objects (perform all AD cleanup work before the first sync!)
Notes: Emphasize that DirSync cannot be disabled at this time.

6 Coexistence – What is it?

7 Coexistence Defined
MX record points to on-premise server or message filtering service provider
Domain is configured as “Shared” in Office 365
Some users are provisioned in Office 365 while the remaining users are still using the on-premise infrastructure
Office 365 users see the same objects in the Global Address List as the on-premise users
Messages are routed seamlessly from Office 365 users to on-premise users, and vice versa
Notes: Basic definition of coexistence. DirSync enables coexistence by providing the same GAL experience in the cloud that users have in the on-premises environment (affirmation of the purpose). As a result of synchronizing the GAL, messages are routed from on-premises to Office 365 and vice versa. Requires that the domain is set up as “shared” in Office 365.

8 Coexistence – Simple Coexistence
Uses DirSync for GAL synchronization
Uses standard Microsoft Online identities
Does not require an on-premise Exchange 2010 SP1+ CAS server
Notes: Simple coexistence high-level overview. Simple coexistence is discussed in more detail in the respective module.

9 Coexistence – Hybrid Coexistence
Uses DirSync for GAL synchronization
Requires Exchange 2010 SP1+ CAS server
Enables free/busy sharing between on-premise Exchange organization and Office 365 Exchange organization
Enables migration of on-premise mailboxes to Office 365 via on-premise Exchange 2010 Management Console or Exchange Management Shell
Notes: Hybrid coexistence high-level overview. Hybrid coexistence is discussed in more detail in the respective module.

10 Coexistence – Hybrid Coexistence
Preserves Outlook profile after migration (no OST re-sync)
DirSync “Write Back”
Easily move mailboxes back to on-premise (off-boarding)
Enables filtering coexistence
Enables cloud archive
Does not require Identity Federation
Notes: Hybrid coexistence high-level overview. Hybrid coexistence is discussed in more detail in the respective module.

11 Coexistence – “Write Back”
Exchange “Full Fidelity” feature / attribute written back:
Filtering Coexistence – provides on-premise filtering with cloud safe/blocked sender data: SafeSendersHash, BlockedSendersHash, SafeRecipientHash
Cloud Archive – allows customers to archive mail in the Microsoft Online cloud: msExchArchiveStatus
Enable Mailbox – offboards a cloud mailbox back to on-premises: ProxyAddresses (LegacyExchangeDN (cloud LegDn) as X500)
Enable UM/cloud voice mail – this new attribute is only used for Exchange Unified Messaging–Microsoft Lync Server 2010 integration, to indicate to Lync Server 2010 on-premises that the user has voice mail in the cloud: msExchUCVoiceMailSettings

12 Coexistence – Mail Routing

13 Mail Routing: Pre-Coexistence
[Diagram: MX record for contoso.com → message filtering → on-premise Exchange Server; Active Directory with DirSync; user object: mailbox-enabled, ProxyAddresses: SMTP:]
Notes: Mail routing before deploying Office 365. Could apply to Notes, GroupWise, Exchange, etc.
Animation walk-through: “Joe Internet User” sends a message to “John Doe”. The message follows the MX record to the on-premises server and is delivered to the mailbox. Everyone is, most likely, very familiar with this scenario.

14 Mail Routing: On-premises to Office 365
[Diagram: on-premise side – MX record for contoso.com, message filtering, Exchange Server, Active Directory, DirSync; Microsoft Online Services side – MX record for contoso.onmicrosoft.com, FOPE, AWS, Online Directory, Exchange Online. On-premise user object: mail-enabled, ProxyAddresses: SMTP:, TargetAddress: SMTP:. Office 365 user: logon enabled, mailbox-enabled, ProxyAddresses: SMTP:, smtp:]
Notes: Message routing from on-premise to Office 365. Does not illustrate hybrid coexistence using a service domain (e.g. service.contoso.com), but the principle of coexistence mail routing would still apply to hybrid coexistence. Starts out with the same on-premises mail platform, design, and message flow. Customer subscribed to Office 365 and has already implemented DirSync. Assumption behind the slide is that “John Doe” has been migrated to Office 365 and already has mail forwarding set up in the on-premises environment.
First animation walk-through: “Joe Internet User” sends a message to “John Doe”. The message follows the MX record for contoso.com. Exchange performs a query for a matching SMTP address, finds the object with the matching SMTP address and sees that there is also a target address. The message is then delivered to the on-premises mailbox (assumes deliverAndRedirect is set to true) and a copy is forwarded to the target address. The copy follows the MX record for contoso.onmicrosoft.com and is delivered to the mailbox.
Second animation walk-through: “Jane Doe” (who has not been migrated and still exists on-premises) sends a message to “John Doe”.

15 Mail Routing: Office 365 to On-premise
[Diagram: on-premise side – MX record for contoso.com, message filtering, Exchange Server, Active Directory, DirSync; Microsoft Online Services side – MX record for contoso.onmicrosoft.com, FOPE, AWS, Online Directory, Exchange Online. Office 365 user: logon enabled, mailbox-enabled, ProxyAddresses: SMTP:. Synchronized object for the on-premises user: logon disabled, mail-enabled user (not mailbox-enabled), ProxyAddresses: SMTP:, smtp:, TargetAddress:]
Notes: Mail routing from Office 365 to on-premises. Applies to simple coexistence and/or hybrid coexistence scenarios. Starts out with the same on-premises mail platform, design, and message flow. Customer subscribed to Office 365 and has already implemented DirSync. Assumption behind the slide is that “Jane Doe” has not been migrated to Office 365 – her mailbox still resides on-premises.
Animation walk-through: “John Doe” sends a message to “Jane Doe”. Exchange performs a query for a matching SMTP address, finds the object with the matching SMTP address and sees that there is also a target address. The targetAddress is the same as the primary SMTP address, but Exchange will route the message out of the Exchange organization simply because the targetAddress has a value (default Exchange behavior). As long as the contoso.com domain was configured as a “shared” domain, the message follows the MX record back to on-premises and is delivered to the mailbox.

16 Installation

17 Installation – Software Requirements
Windows Installer 4.5 or later
Windows PowerShell version 2.0
Microsoft .NET Framework version 3.5 or later
Windows Server 2003/R2 x86 with Service Pack 2 or later, or Windows Server 2008 x86 with the latest service pack installed
Installation onto an x64 operating system is not supported

18 Installation – Hardware Requirements
At least 600MB of available hard drive space for a complete installation of all Directory Synchronization Tool components
An additional 400MB of hard drive space is checked before creating the initial SQL Server 2008 Express Edition database file
Additional space may be required for the DirSync database for mid-size or larger companies
8GB max file size for SQL Server 2008 Express Edition; the database file may max out at ~50,000 objects
Use full SQL Server if syncing 50,000 objects or more
Server hardware should meet the minimum requirements for SQL Server 2008 Express Edition and Identity Lifecycle Manager 2007 Feature Pack 1

19 Installation – Network Requirements
The computer on which DirSync is installed must be able to communicate with any/all domain controllers forest-wide. Communication with Office 365 occurs over SSL.

Service                    Protocol   Port
LDAP                       TCP/UDP    389
Kerberos                   TCP/UDP    88
DNS                        TCP/UDP    53
Kerberos Change Password   TCP/UDP    464
RPC                        TCP        135
RPC                        TCP        randomly allocated high TCP ports (1)
SMB                        TCP        445
SSL                        TCP        443
SQL                        TCP        1433

(1) This is the range in Windows Server 2008 and in Windows Vista.

20 Installation – Permission Requirements
The account used to install DirSync must have local administrator permissions on the computer on which DirSync is to be installed
If using a full installation of SQL Server 2005/2008, the account performing the installation must have rights within SQL to create the DirSync database, and to set up the SQL service account with the role of db_owner

21 Installation – Computer Requirements
The computer on which DirSync is installed must be joined to an Active Directory domain within the same forest that you plan to synchronize with Office 365
Installation onto an Active Directory domain controller is not supported
If using a full installation of SQL Server 2005/2008, a domain account is required for use as a service account for the following Windows services: Microsoft Identity Integration Server; Microsoft Online Directory Services Synchronization Service

22 Configuration

23 Configuration – Permission Requirements
Administrator permission in the Office 365 subscription is required
Enterprise Administrator permission in the on-premise Active Directory is required
The credential is not saved by the configuration wizard
It is used to create the “MSOL_AD_Sync” domain account in the “CN=Users” container of the root domain of the forest
It is used to delegate the following permissions to that account on each domain partition in the forest: Replicating Directory Changes; Replicating Directory Changes All; Replication Synchronization

24 How Synchronization Works

25 How Synchronization Works
[Diagram: on-premise – Active Directory, Exchange Server, DirSync (client side); Microsoft Online Services – AWS (DirSync Web Service), Live ID, Online Directory, Exchange Online, SharePoint Online, Lync Online, other online services. On-premise user object: mailbox-enabled, ProxyAddresses: SMTP:. Synchronized object: logon disabled, mail-enabled user (not mailbox-enabled), ProxyAddresses: SMTP:, smtp:, TargetAddress:]
Sync Cycle Step 1: Import Users, Groups, and Contacts from the source Active Directory forest
Sync Cycle Step 2: Import Users, Groups, and Contacts from Microsoft Online Services via AWS
Sync Cycle Step 3: Export Users, Groups, and Contacts that do not already exist in Microsoft Online Services

26 Identity Management

27 Identity Management – User Objects
Mail-enabled/mailbox-enabled users are synchronized as mail-enabled users (not mailbox-enabled users)
Visible in the Office 365 GAL (unless explicitly hidden from the GAL)
Logon disabled
Target address is synchronized for mail-enabled users
Regular NT users are synchronized as regular NT users
Not automatically provisioned as mail-enabled in Office 365
Resource mailboxes are synchronized as resource mailboxes
Synchronized users are not automatically assigned a license

28 Identity Management – Group Objects
Mail-enabled groups and security groups are synchronized
Contact Objects
Only mail-enabled contacts are synchronized
On-premise target address is synchronized to Office 365

29 Identity Management
New user, group, and contact objects that are created on-premise are added to Office 365
Existing user, group, and contact objects that are deleted from on-premise are deleted from Office 365
Existing user objects that are disabled on-premise are disabled in Office 365
Existing user, group, or contact objects that are modified on-premise are modified in Office 365

30 Identity Management
Entire Active Directory forest is scoped for synchronization to Office 365
Passwords are not synchronized
Synchronization is from on-premise to Office 365 only unless “write-back” is enabled
When DirSync is enabled, synchronized objects are managed entirely on-premise – not via the Microsoft Online Portal
Synchronization occurs every 3 hours
Use the “Start-OnlineCoexistenceSync” cmdlet to force a sync

31 Identity Management
First synchronization cycle after installation is a full synchronization
Can be a time-consuming process, proportional to the number of objects synchronized: ~5,000 objects per hour
Subsequent synchronization cycles are deltas only
Authorization and synchronization occur via SSL
10GB SQL Express Edition R2 database file size is estimated to max out at ~50,000 objects
50K+ total objects requires full SQL Server
By default, only the first 10,000 objects are synchronized; the limit can be increased by contacting technical support

32 Identity Management – Provision Tenant with appropriate tenant SKU type
SKU type determines whether SharePoint Online service is available
SKU type is based on total user objects; group and/or contact objects do not count

Total # User Objects   SKU Type   SharePoint Online?
<20,000                Normal     Yes. Customer will have SharePoint Online service.
20,000 – 99,999        “XL”       No. Customer will not have SharePoint Online service to start, but will get it later (TBD).
100,000+               “XXL”      No. Customer will not have SharePoint Online service now or later.

Notes: Scenario-based question: if a company/subsidiary has 5000 users and 100K+ groups and/or contacts, which SKU should be used? Answer: Normal SKU. There is no solution in place to transition from one SKU to another, so it is important to select the correct SKU from the start to minimize impact to the customer.

33 Identity Management
Not all on-premise attributes are synchronized for each object type
On-premise userPrincipalName must have a public DNS suffix to be synchronized; the default Office 365 domain is used in place of a non-public DNS suffix
Common GAL attributes are synchronized: FirstName, LastName, DisplayName, etc.
msExchHideFromAddressLists and targetAddress values are synchronized
Verify that targetAddress contains a publicly routable DNS suffix to prevent NDRs
100+ attributes are synchronized

34 Identity Management
Synchronization errors are e-mailed to the Technical Contact for the subscription
Recommend using a distribution group as the Technical Contact address
Example errors include:
Synchronization health status – sent once a day if a synchronization cycle has not registered 24 hours after the last successful synchronization
Objects whose attributes contain invalid characters
Objects with duplicate/conflicting addresses
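Slide 5 asks for all AD cleanup to be done before the first sync, slide 33 requires public DNS suffixes on userPrincipalName and targetAddress, and slide 34 lists invalid characters and duplicate addresses as the typical errors. The following added PowerShell pre-check (example code, not from the deck and not a Microsoft tool) runs those checks over a set of user objects before DirSync ever touches them. The users and the verified-domain list are constructed sample data, and the character rule for the local part of an address is an assumption, because the deck does not state which characters are invalid; against a real forest the function would take Get-ADUser output as noted in the comments.

```powershell
# Added example (not from the training deck): pre-synchronization hygiene
# checks for the conditions the deck says cause sync errors or NDRs.
# The user list is constructed sample data. For a real forest, replace it with:
#   Get-ADUser -Filter * -Properties userPrincipalName,proxyAddresses,targetAddress
# (ActiveDirectory module) and pass the result as -Users.

# Domains verified in the Office 365 subscription (constructed assumption).
$VerifiedDomains = @('contoso.com', 'contoso.onmicrosoft.com')

# Constructed sample users; each after the first exhibits one condition to flag.
$SampleUsers = @(
    New-Object PSObject -Property @{
        SamAccountName    = 'jdoe'
        UserPrincipalName = 'jdoe@contoso.com'
        ProxyAddresses    = @('SMTP:john.doe@contoso.com')
        TargetAddress     = 'SMTP:john.doe@contoso.onmicrosoft.com'
    },
    New-Object PSObject -Property @{
        SamAccountName    = 'jane'
        UserPrincipalName = 'jane@contoso.local'                 # non-public UPN suffix
        ProxyAddresses    = @('SMTP:jane.doe@contoso.com')
        TargetAddress     = $null
    },
    New-Object PSObject -Property @{
        SamAccountName    = 'bsmith'
        UserPrincipalName = 'bsmith@contoso.com'
        ProxyAddresses    = @('SMTP:john.doe@contoso.com')       # duplicates jdoe's address
        TargetAddress     = 'SMTP:bsmith@mail.contoso.local'     # not publicly routable
    },
    New-Object PSObject -Property @{
        SamAccountName    = 'ops'
        UserPrincipalName = 'ops@contoso.com'
        ProxyAddresses    = @('SMTP:ops team@contoso.com')       # space in local part
        TargetAddress     = $null
    }
)

function Test-PublicSuffix {
    # True when the address suffix is one of the verified public domains.
    param([string]$Address, [string[]]$Domains)
    if (-not $Address) { return $true }
    $suffix = ($Address -replace '^smtp:', '').Split('@')[-1]
    return ($Domains -contains $suffix.ToLower())
}

function Get-DirSyncPrecheckIssues {
    param([object[]]$Users, [string[]]$VerifiedDomains)
    $issues = @()
    $seen = @{}    # lower-cased smtp address -> first account that used it
    foreach ($u in $Users) {
        if (-not (Test-PublicSuffix $u.UserPrincipalName $VerifiedDomains)) {
            $issues += New-Object PSObject -Property @{
                Account = $u.SamAccountName; Check = 'UPN suffix is not a verified public domain'; Value = $u.UserPrincipalName }
        }
        if ($u.TargetAddress -and -not (Test-PublicSuffix $u.TargetAddress $VerifiedDomains)) {
            $issues += New-Object PSObject -Property @{
                Account = $u.SamAccountName; Check = 'targetAddress suffix is not publicly routable'; Value = $u.TargetAddress }
        }
        foreach ($pa in $u.ProxyAddresses) {
            $addr = ($pa -replace '^smtp:', '').ToLower()
            # Assumed character rule for the local part (the deck does not list the invalid set).
            if ($addr.Split('@')[0] -notmatch '^[a-z0-9._%+-]+$') {
                $issues += New-Object PSObject -Property @{
                    Account = $u.SamAccountName; Check = 'proxyAddress contains invalid characters'; Value = $pa }
            }
            if ($seen.ContainsKey($addr)) {
                $issues += New-Object PSObject -Property @{
                    Account = $u.SamAccountName; Check = "proxyAddress duplicates address of $($seen[$addr])"; Value = $pa }
            } else {
                $seen[$addr] = $u.SamAccountName
            }
        }
    }
    return $issues
}

Get-DirSyncPrecheckIssues -Users $SampleUsers -VerifiedDomains $VerifiedDomains |
    Format-Table Account, Check, Value -AutoSize
```

On the constructed data this reports four rows: jane's UPN suffix, bsmith's targetAddress suffix, bsmith's duplicate of john.doe@contoso.com, and the space in ops's address. The UPN finding is worth fixing even though the deck says the default Office 365 domain is substituted for a non-public suffix, because the substituted name is what users would then have to sign in with.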

35 Roadmap Features Coming Soon…

36 Roadmap
Increase default sync quota from 10K to 20K
64-bit DirSync client – replaces current 32-bit client
Documented guidance for scoping and/or filtering: by domain, by OU, by attribute
Available after “soft delete” feature is implemented
Self-service PowerShell cmdlets: enable/disable DirSync, remove synchronized objects
Multi-forest support: sync multiple on-premises forests into one tenant

37 Roadmap
DirSync appliance
Microsoft Online Management Agent
Notes: Overview of multi-forest support in the form of a custom management agent for existing FIM deployments.

38 Additional Resources

39 Additional Resources
Prepare for Directory Synchronization
Attributes Synchronized

40 Questions?

41 © 2010 Microsoft Corporation.

