As an administrator, you need to do some preparation before you synchronize your local Active Directory to Microsoft Office 365 for enterprises. First, you must decide whether you want to set up single sign-on, also known as identity federation, which enables your company’s users to sign in to Office 365 by using their corporate credentials.
Important: We strongly recommend that you set up single sign-on before you set up Active Directory synchronization.
After you’ve set up single sign-on, verify that the following statements are true:
- You have the required software.
- You have set up the correct permissions.
- You understand the performance considerations related to directory synchronization.
Only then should you activate directory synchronization for your Office 365 account.
Important: Activating directory synchronization should be considered a long-term commitment. After you have activated directory synchronization, you can edit synchronized objects only by using on-premises apps. To learn more about deactivating and reactivating directory synchronization, see Directory Synchronization and source of authority.
If you choose to set up single sign-on, your users can sign in to access the services in Office 365, such as Microsoft Exchange Online, using their corporate credentials. We strongly recommend that you set up single sign-on before setting up directory synchronization. To get started, see Prepare for single sign-on.
If you haven’t yet set up single sign-on when an account is synchronized from your local Active Directory, the account password is not synchronized with the account. Directory synchronization does not copy on-premises passwords to Office 365. When the administrator activates the synchronized account in Office 365, a new password is assigned to that account. If the password associated with a local Active Directory account is changed, that new password is not updated in your Office 365 directory. Users must manually change their Office 365 passwords.
If you set up single sign-on after you synchronize your directories instead of before you synchronize, it may take up to 24 hours for all your users to be able to use their corporate credentials to sign in to Office 365. In this situation, we recommend that you set up single sign-on during low-usage periods, such as at night or on the weekend.
If you decide not to set up single sign-on, you must add and verify your company’s domains. For more information, see Work with domain names and DNS records in Office 365.
The default installation of the Directory Synchronization tool (32-bit and 64-bit) includes a version of Microsoft SQL Server 2008 Express.
The directory synchronization computer must meet the following requirements:
- It must be running the right version of Windows Server. The Directory Synchronization tool can be run on the 32-bit or 64-bit versions of the following Windows Server operating systems:
  - 32-bit: Windows Server 2003 Standard or Windows Server 2008 Standard
  - 64-bit: Windows Server 2008 R2 Standard or Windows Server 2008 Standard
- It must be joined to Active Directory. The computer must be joined to the Active Directory forest that you plan to synchronize. The computer also must be able to connect to all the other domain controllers for all the domains in your forest. A forest is one or more Active Directory domains that share the same class and attribute definitions, site and replication information, and forest-wide search capabilities.
- It cannot be a domain controller. The Directory Synchronization tool cannot be installed on Active Directory domain controllers.
- It must run Microsoft .NET Framework 3.x. If you are running Windows Server 2008, the .NET Framework will already be installed; if not, you can download it from the following locations:
- It must run Windows PowerShell. If you are running Windows Server 2003, you need to download Windows PowerShell. If you are running Windows Server 2008, you need to enable Windows PowerShell. For more information, see Install Windows PowerShell for directory synchronization.
- It must be located in an access-controlled environment. Access to the computer that is running the Directory Synchronization tool should be limited to those users who have access to your Active Directory domain controllers and other sensitive network components. Only users or administrators that have the necessary permissions to make changes to domain controllers in Active Directory should have access to this computer.
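The following script, added here as an illustration and not part of the original article or the Directory Synchronization tool, reports whether a candidate computer meets the requirements above (supported Windows Server version, domain membership, not a domain controller, reachability of every domain controller in the forest, .NET Framework 3.x, Windows PowerShell). It assumes Windows PowerShell 2.0 on Windows Server 2003 or 2008 and only reads system state.

```powershell
# Added example (not part of the original article): reports whether this computer meets
# the directory synchronization requirements listed above. Assumes Windows PowerShell 2.0
# on Windows Server 2003 or 2008; it reads system state and changes nothing.

function New-Check($name, $pass, $detail) {
    New-Object PSObject -Property @{ Check = $name; Pass = [bool]$pass; Detail = "$detail" }
}

$os = Get-WmiObject Win32_OperatingSystem
$cs = Get-WmiObject Win32_ComputerSystem
$checks = @()

# Supported: 32-bit Server 2003/2008, 64-bit Server 2008/2008 R2. The 2003 caption reads
# "Microsoft(R) Windows(R) Server 2003, ...", hence the loose pattern.
$checks += New-Check "Supported Windows Server" ($os.Caption -match 'Server\D*(2003|2008)') $os.Caption

# Must be joined to the forest that will be synchronized.
$checks += New-Check "Domain joined" $cs.PartOfDomain $cs.Domain

# DomainRole 4 = backup DC, 5 = primary DC; the tool cannot be installed on either.
$checks += New-Check "Not a domain controller" ($cs.DomainRole -lt 4) "DomainRole=$($cs.DomainRole)"

# Must reach the domain controllers of every domain in the forest. ICMP ping is used
# here; a firewall that drops ICMP makes this check fail, never pass wrongly.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$unreachable = @()
foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        if (-not (Test-Connection -ComputerName $dc.Name -Count 1 -Quiet)) { $unreachable += $dc.Name }
    }
}
$checks += New-Check "All forest DCs reachable" ($unreachable.Count -eq 0) ($unreachable -join ", ")

# .NET Framework 3.x: 3.5 setup writes NDP\v3.5\Install=1, 3.0 writes NDP\v3.0\Setup\InstallSuccess=1.
$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
$net35 = (Get-ItemProperty "$ndp\v3.5" -ErrorAction SilentlyContinue).Install -eq 1
$net30 = (Get-ItemProperty "$ndp\v3.0\Setup" -ErrorAction SilentlyContinue).InstallSuccess -eq 1
$checks += New-Check ".NET Framework 3.x" ($net35 -or $net30) "v3.5=$net35 v3.0=$net30"

# Windows PowerShell is present if this script runs at all; record the version.
$checks += New-Check "Windows PowerShell" $true $Host.Version

$checks | Format-Table Check, Pass, Detail -AutoSize
```

The access-control requirement is organizational and is not checked by the script; review the local Administrators group of the computer separately.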
When you activate directory synchronization, you are turning on this feature for your Office 365 subscription. You must activate directory synchronization before you install the Directory Synchronization tool.
To activate directory synchronization, run the Microsoft Office 365 Deployment Readiness Tool. This tool inspects your Active Directory environment, and then provides a report that includes a prerequisite check and an attribute assessment that are specific to the directory synchronization tool requirements.
If your environment doesn’t meet these requirements, the tool lists the changes you have to make before you can begin directory synchronization. It’s much easier to make directory changes before you activate and install the directory synchronization tool than to troubleshoot configuration errors after you have activated directory synchronization.
An important statistic to consider in the report that is created by the Office 365 Deployment Readiness tool is the estimated total number of objects. This number is listed under Statistic in the Office 365 Deployment Readiness tool. You must follow the recommendations made by the tool if you exceed the default total number of objects that the directory synchronization installation allows.
If the total number of objects in your on-premises domain exceeds 20,000, you will need to contact Office 365 Support before you activate directory synchronization. If your object count exceeds 20,000 and you don’t contact Support to increase your licensing count, directory synchronization will not complete.
To activate directory synchronization, use the following steps:
1. Install and run the Microsoft Office 365 Deployment Readiness Tool.
2. In the Office 365 header, click Admin.
3. On the Admin page, in the left pane, click Users.
4. At the top of the page, click the link next to Active Directory synchronization.
5. On the Set up and manage Active Directory synchronization page, under Activate Active Directory synchronization, click Activate.
When you install the Directory Synchronization tool, the Directory Synchronization Configuration wizard creates a service account to read from your local Active Directory and write to the Office 365 synchronization database. The wizard creates this account using both your local Active Directory permissions and your Office 365 permissions, which you provide as part of setup.
To run the Directory Synchronization tool, you must have administrator permissions for the following:
- The computer running the Directory Synchronization tool.
- Your company’s local Active Directory; see Active Directory Credentials.
- Your company’s Office 365 account; see Microsoft Online Services Credentials.
The first time that the Directory Synchronization tool runs, it copies all the relevant objects (user accounts and security groups) to Office 365. Before performing this operation, you must know the number of objects that will be copied so that you can plan ahead for the effect this operation will have on your network response time and the computers that are running Microsoft Exchange Server.
Note: Office 365 supports synchronization of up to 20,000 objects. To synchronize more than 20,000 objects, contact Office 365 Support.
Objects that have been synchronized from your on-premises Active Directory service appear immediately in the Global Address List (GAL); however, these objects may take up to 24 hours to appear in the Offline Address Book (OAB) and in Microsoft Lync Online.
To set up Active Directory synchronization, you must designate one computer as your directory synchronization computer, and then install the Microsoft Online Services Directory Synchronization tool on that computer. The following table shows the minimum recommended hardware requirements for the directory synchronization computer (32-bit) in relation to how many objects you have in your on-premises Active Directory.
| Number of objects in Active Directory | CPU | Memory | Hard drive size |
|---|---|---|---|
| Fewer than 10,000 | 1.6 GHz | 4 GB | 70 GB |
| 10,000–50,000 | 1.6 GHz | 4 GB | 70 GB |
| 50,000–100,000 | 1.6 GHz | 16 GB | 100 GB |
| 100,000–300,000 | 1.6 GHz | 32 GB | 300 GB |
| 300,000–600,000 | 1.6 GHz | 32 GB | 450 GB |
| More than 600,000 | 1.6 GHz | 32 GB | 500 GB |
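The following script, added here as an illustration and not part of the original article, counts the objects the first synchronization would copy (user accounts and security groups) from the domain the computer is joined to, applies the 20,000-object support threshold stated above, and compares the machine against the sizing table. It assumes Windows PowerShell 2.0 on a domain-joined computer with read access to Active Directory; the tier values are taken from the table.

```powershell
# Added example (not part of the original article): counts the user accounts and security
# groups in the current domain, picks the sizing tier from the table above, and compares it
# with installed memory and system-drive size. Assumes Windows PowerShell 2.0 and AD read access.

# Sizing tiers from the table above (upper object bound, memory in GB, disk in GB).
# A count that lands exactly on a boundary is placed in the larger tier.
$tiers = @(
    @{ Max = 10000;           MemGB = 4;  DiskGB = 70  },
    @{ Max = 50000;           MemGB = 4;  DiskGB = 70  },
    @{ Max = 100000;          MemGB = 16; DiskGB = 100 },
    @{ Max = 300000;          MemGB = 32; DiskGB = 300 },
    @{ Max = 600000;          MemGB = 32; DiskGB = 450 },
    @{ Max = [int]::MaxValue; MemGB = 32; DiskGB = 500 }
)
$supportLimit = 20000   # above this, the article says to contact Office 365 Support first

# The first sync copies user accounts and security groups. Computer accounts carry
# objectCategory=computer and are excluded; the bitwise-AND matching rule on groupType
# (bit 0x80000000) keeps security groups and drops distribution groups.
$searcher = New-Object System.DirectoryServices.DirectorySearcher   # search root = current domain
$searcher.Filter = "(|(&(objectCategory=person)(objectClass=user))" +
                   "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648)))"
$searcher.PageSize = 1000                       # page past the server's default result limit
$searcher.PropertiesToLoad.Add("distinguishedName") | Out-Null
$results = $searcher.FindAll()
$objectCount = $results.Count
$results.Dispose()

$tier = $tiers | Where-Object { $objectCount -lt $_.Max } | Select-Object -First 1

# Installed memory and system-drive size, rounded to whole GB because WMI reports slightly
# less than the nominal value (e.g. 3.99 GB on a 4 GB machine). Put the tool's SQL
# database on another drive? Then measure that drive instead of $env:SystemDrive.
$cs   = Get-WmiObject Win32_ComputerSystem
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
$memGB  = [math]::Round($cs.TotalPhysicalMemory / 1GB)
$diskGB = [math]::Round($disk.Size / 1GB)

New-Object PSObject -Property @{
    ObjectCount       = $objectCount
    ContactSupport    = ($objectCount -gt $supportLimit)
    RequiredMemoryGB  = $tier.MemGB
    InstalledMemoryGB = $memGB
    MemoryOk          = ($memGB -ge $tier.MemGB)
    RequiredDiskGB    = $tier.DiskGB
    SystemDriveGB     = $diskGB
    DiskOk            = ($diskGB -ge $tier.DiskGB)
} | Format-List ObjectCount, ContactSupport, RequiredMemoryGB, InstalledMemoryGB, MemoryOk, RequiredDiskGB, SystemDriveGB, DiskOk
```

The count covers one domain; for a multi-domain forest, run it against each domain or set the searcher's SearchRoot to a global catalog entry and add the totals.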
After you have optionally set up single sign-on, prepared your computer, and have activated directory synchronization, you are ready to Install and Upgrade the Microsoft Online Services Directory Synchronization tool.