  1. #1

    Office 365 user synchronization

    We have an internal (.local) domain that is different from the Office 365 domain. Looking at DirSync and ADFS, will this cause any problems with either?


    With DirSync we know we can schedule the sync down to half an hour, but we have 7000+ accounts that will be in Office 365, so would DirSync synchronize the whole lot, or is there some intelligence to sync only the differences since the last synchronization?

  2. #2
    themightymrp
    Our internal domain is also a .local whereas our Office 365 email domain is @schoolname.sch.uk - ADFS and DirSync are fine in this environment.

    In terms of the DirSync, from what I've observed in the Forefront manager part of ADFS, it seems to just sync changes. When ours runs it seems to only take less than 30 seconds to update everything, adding/removing users as needed.

  3. Thanks to themightymrp from:

    Davit2005 (24th April 2014)

  4. #3

    EduTech
    Hi,

    In terms of your .local domain name, that is not a problem at all; you just need to remember to add your External Vanity Domain [domain.sch.uk] as an additional UPN Suffix via domain.msc and then update your users' UPN accordingly.

    Upon the initial configuration, the tool will do a FULL IMPORT FULL SYNC Run Job; after this, DELTA Run Jobs will complete every 3 hours and only changes/updates will be made. You can also do OU Filtering, so when you implement Directory Sync, uncheck the box at the end of the wizard so that the initial sync does not complete, and then follow the instructions here to implement OU Filtering: Configure filtering for directory synchronization

    Then, wait your 3 hours and the FULL SYNC will run... or you can force this using the DirSyncConfig.psc1 > Start-OnlineCoexistenceSync file. :-)

    I hope that helps,

    James.

  5. Thanks to EduTech from:

    Davit2005 (24th April 2014)

  6. #4

    Originally posted by themightymrp:
    Our internal domain is also a .local whereas our Office 365 email domain is @schoolname.sch.uk - ADFS and DirSync are fine in this environment.

    In terms of the DirSync, from what I've observed in the Forefront manager part of ADFS, it seems to just sync changes. When ours runs it seems to only take less than 30 seconds to update everything, adding/removing users as needed.

    Thanks for this.

    Do you use both DirSync and ADFS, i.e. DirSync for uploading new users and then ADFS for authentication?

    Thanks again for the help, I'm glad the .local won't cause problems. Did you have to do anything for your internal users to get that to work, i.e. DNS?

  7. #5
    themightymrp
    Sorry, slow reply.

    As EduTech says above, you just need to add the second UPN suffix into your Active Directory and then update your users to use that. This is dead easy and you can highlight all users in an OU and do them in bulk. This won't affect their logons to the domain one bit.

    I use the DirSync for uploading/synchronising users and the ADFS for authentication and single sign-on.

    If you don't require single sign-on, you can use the newer Dirsync with PasswordSync which will synchronise their passwords into the cloud as well. This removes the need for ADFS altogether! But a password change will only take effect after the next timed sync

  8. Thanks to themightymrp from:

    Davit2005 (7th May 2014)
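
The UPN change described in posts #3 and #5 (add the routable suffix, then update users in bulk), as an added PowerShell example that is not part of any post in this thread. It uses the ActiveDirectory module; the old suffix and the OU path are assumed placeholders, and the new suffix is the one named in post #2.

```powershell
# Added example. Suffix and OU values below are placeholders (assumptions).
Import-Module ActiveDirectory

$OldSuffix  = 'school.local'                  # assumed internal AD domain
$NewSuffix  = 'schoolname.sch.uk'             # routable domain verified in Office 365
$SearchBase = 'OU=Staff,DC=school,DC=local'   # assumed OU holding the accounts
$Backup     = ".\upn-backup-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"

# 1. Register the suffix forest-wide (what domain.msc > UPN Suffixes does).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $NewSuffix }
}

# 2. Find users still on the old suffix; save current values for rollback.
$users = Get-ADUser -SearchBase $SearchBase -Properties UserPrincipalName `
    -Filter "UserPrincipalName -like '*@$OldSuffix'"
$users | Select-Object DistinguishedName, SamAccountName, UserPrincipalName |
    Export-Csv -Path $Backup -NoTypeInformation

# 3. Rewrite each UPN, refusing any value that another account already holds.
foreach ($u in $users) {
    $prefix = ($u.UserPrincipalName -split '@')[0]
    $newUpn = "$prefix@$NewSuffix"
    $quoted = $newUpn.Replace("'", "''")      # escape apostrophes (O'Brien) for -Filter
    $clash  = Get-ADUser -Filter "UserPrincipalName -eq '$quoted'"   # current domain only
    if ($clash) {
        Write-Warning "Skipped $($u.SamAccountName): $newUpn is already in use"
        continue
    }
    # -WhatIf prints the planned change without writing it; remove it to apply.
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
}
```

The script leaves sAMAccountName untouched, so DOMAIN\username logons continue to work as post #5 says; the CSV holds the previous UPN of every account it considered.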

  9. #6


    Originally posted by themightymrp:
    Sorry, slow reply.

    As EduTech says above, you just need to add the second UPN suffix into your Active Directory and then update your users to use that. This is dead easy and you can highlight all users in an OU and do them in bulk. This won't affect their logons to the domain one bit.

    I use the DirSync for uploading/synchronising users and the ADFS for authentication and single sign-on.

    If you don't require single sign-on, you can use the newer Dirsync with PasswordSync which will synchronise their passwords into the cloud as well. This removes the need for ADFS altogether! But a password change will only take effect after the next timed sync

    Can you set the sync schedule or is it fixed?

  10. #7
    themightymrp

  11. #8

    GrumbleDook
    Sorry to butt in here, but can I make reference to the use of .local for an internal domain.
    .local - Wikipedia, the free encyclopedia
    Probably too late for you to change it, but for anyone who finds this thread and is building a new domain and O365 into it, can people follow the standards?

  12. #9
    themightymrp
    Originally posted by GrumbleDook:
    Sorry to butt in here, but can I make reference to the use of .local for an internal domain.
    .local - Wikipedia, the free encyclopedia
    Probably too late for you to change it, but for anyone who finds this thread and is building a new domain and O365 into it, can people follow the standards?

    It is too late for us, without doing a big do-over for the whole domain. I assume from what I'm reading in this article that we should have the domain name set to what we are going to use in Office 365? Therefore leaving only one possible UPN suffix?

  13. #10
    Boredguy
    Generally using anything but .local is fine, but keeping it the same as, or as close as possible to, your FQDN is always a good idea.

  14. #11

    GrumbleDook
    You can use any domain really, just not one of the restricted domains (from RFC 6761 or RFC 6762).

    I know quite a number of people who use .internal or short names to do with their business (.shop, .car, etc.) ... but with domains being opened up by ICANN, people are finding things like .info, .name and so on being real domains ... I know one museum that is having fun and games over .info with the parish council, who run a local information service. At the moment there is not a clear internal domain for production environments; it is down to the Sysadmin to consider what the risks are.

    O365 doesn't really care, to be honest, and the guide from EduTech covers that side.

  15. #12
    jbailey
    Just to add, using the latest DirSync and password sync doesn't require you to wait for the cycle for a password to change; the password sync is a separate process you install to DC servers, and password changes are synced "instantly".

  16. Thanks to jbailey from:

    themightymrp (25th April 2014)

  17. #13

    EduTech
    Originally posted by jbailey:
    Just to add, using the latest DirSync and password sync doesn't require you to wait for the cycle for a password to change; the password sync is a separate process you install to DC servers, and password changes are synced "instantly".

    You do not install anything on your domain controller. The password sync configuration is actually contained within the binaries of the Directory Sync Tool, and the configuration, like most, is held within the DLLs etc. The passwords themselves are not synchronized instantly; there is an up to 2 minute window for this to take place.

    But yes, in terms of the 3 hour interval, this is purely for Directory Synchronization in terms of User Objects & Values. Password Sync is done continuously and you will see events being logged around every 2 min, and this cannot be forced.

    James.

  18. Thanks to EduTech from:

    themightymrp (25th April 2014)

  19. #14
    jbailey
    Originally posted by EduTech:
    You do not install anything on your domain controller. The password sync configuration is actually contained within the binaries of the Directory Sync Tool, and the configuration, like most, is held within the DLLs etc. The passwords themselves are not synchronized instantly; there is an up to 2 minute window for this to take place.

    But yes, in terms of the 3 hour interval, this is purely for Directory Synchronization in terms of User Objects & Values. Password Sync is done continuously and you will see events being logged around every 2 min, and this cannot be forced.

    James.

    Oh yeah, sorry, was thinking of the old live@edu password sync I had to remove.

    (cough) bedtime... (Cough)

  20. #15
    themightymrp
    Useful to know!
