If you would like to read the other parts of this article series please go to:
In part 5 of this multi-part article series revolving around Exchange hybrid deployment based migrations to Office 365, or more precisely Exchange Online, we installed and configured Active Directory Federation Services (ADFS) 2.0 on the two ADFS Proxy servers in the perimeter network. After we configured the servers, we also verified that they worked as expected.
In this part 6, we will continue where we left off in part 5. That is, we will convert our Office 365 domain to a federated domain and install the Directory Synchronization (DirSync) tool.
Let’s get going…
Converting Domain to a Federated Domain
So during the last four articles in this series, we prepared for identity federation between the on-premise environment and Office 365. We did so by deploying and configuring two ADFS servers on the internal network and two ADFS Proxy servers in the perimeter network.
Despite creating the federation service farm, we have yet to configure the actual federation with our Office 365 tenant in order to enable single sign-on. We can do this using Windows PowerShell on a machine that has the Microsoft Online Services Module for Windows PowerShell installed. Personally, I like to install this PowerShell module on the primary ADFS server in a federation farm, as you then don’t have to set the ADFS context using the Set-MsolAdfscontext cmdlet prior to converting the domain that has been added to the Office 365 tenant.
Alright, let’s log on to the primary ADFS server and launch the Office 365 Portal. When logged on to the portal, click on the “Downloads” link on the right side of the page and then click “Setup” under step 3 as shown below.
Figure 1: Click Setup under step 3 on the downloads page
Figure 2: Click run
Now sign into Office 365 with your account.
Figure 3: Enter your Office 365 admin credentials
Make sure everything is de-selected, as at this point we only want to install the Microsoft Online Services Sign-in Assistant, which is required by the PowerShell module.
Then click “Continue”.
Figure 4: Make sure everything is de-selected
Click “I Accept”.
Figure 5: Accept the license agreement
When setup has completed, click “Finish”.
Figure 6: Click finish to exit the setup wizard
The Sign-in Assistant has now been installed and we can move on to installing the Microsoft Online Services Module for Windows PowerShell.
So in the Office 365 Portal, click “Users” and then “Manage”.
Figure 7: Clicking Users in the Office 365 Portal
You’re now at the page where you can download the Microsoft Online Services Module for Windows PowerShell. Do so and then install it.
Figure 8: Downloading the Microsoft Online Services Module for Windows PowerShell
When downloaded, launch setup and then on the “Welcome” page, click “Next”.
Figure 9: Welcome page for Microsoft Online Services Module for Windows PowerShell
On the “License Terms” page, accept the terms and click “Next”.
Figure 10: License agreement page
On the “Install Location” page, leave the defaults and click “Next”.
Figure 11: Install Location page
On the “Ready to Install” page, click “Install”.
Figure 12: Ready to Install page
When the module has been installed, click “Finish” to exit the setup wizard.
Figure 13: Completing the setup wizard
After installing the module, you will see the following shortcut appear on the desktop.
Figure 14: PowerShell Module shortcut
Launch the Microsoft Online Services Module for Windows PowerShell, and then create a credential variable containing your global tenant admin credentials using the following command:
Figure 15: Creating a variable storing the credential of the Office 365 global administrator
With the variable created, connect to the Office 365 tenant using the following command:
Connect-MsolService -Credential $Cred
Figure 16: Connecting to the Office 365 tenant using Powershell
Now convert the domain that you wish to use for federation. In this example, it’s office365lab.dk:
Convert-MsolDomainToFederated -DomainName "office365lab.dk"
Figure 17: Converting the domain to a federated domain
When the command has finished, let’s verify that the domain has been converted to a federated domain. We can do so using:
Get-MsolDomain | fl
Figure 18: Domain converted to a federated domain
Okay, the domain has now been converted successfully.
If you need to configure support for multiple UPN domains, check out this blog post I wrote on the topic.
Next up, let’s test whether the login.microsoftonline.com site detects the respective domain as a single sign-on domain. To do so, enter a fictive UPN with a domain matching the one you just configured federation for. When you have entered the UPN and pressed Tab, you should see the password field grey out as shown below. This means that Office 365 will redirect all authentication requests for the respective domain to our ADFS-based identity service.
Figure 19: Testing federation is detected by the Office 365 Login Page
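The conversion and verification steps above, collected into one script as an added example (this is not code from the article). It assumes the Microsoft Online Services Module and the Sign-in Assistant are installed, that office365lab.dk is a domain already verified in the tenant, and it adds two checks the article only does by eye: it refuses to convert a domain that is not verified or is already federated, and it reads the federation properties back from both sides of the trust afterwards. The $AdfsServer hostname is an assumed value and is only needed when the script is not run on the primary ADFS server.

```powershell
# Added example, not the article's own code: convert a verified Office 365 domain
# to federated authentication and verify the result. Assumes the MSOnline module
# and Sign-in Assistant are installed. $AdfsServer is an assumed hostname, only
# needed when this is NOT run on the primary ADFS server.
param(
    [string]$DomainName = "office365lab.dk",   # the verified, still-managed domain
    [string]$AdfsServer = ""                   # e.g. "adfs01.office365lab.local" (assumed name)
)

# Prompt once for the global administrator credential and reuse it.
$Cred = Get-Credential -Message "Office 365 global administrator"
Connect-MsolService -Credential $Cred

# Only required when not running on the primary ADFS server.
if ($AdfsServer) { Set-MsolADFSContext -Computer $AdfsServer }

# Refuse to proceed unless the domain exists, is verified and is still managed.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Status -ne "Verified") {
    throw "Domain $DomainName is not verified (status: $($domain.Status))."
}
if ($domain.Authentication -eq "Federated") {
    Write-Host "$DomainName is already federated; nothing to do."
    return
}

# Convert. From this point on, sign-ins for this UPN suffix are redirected to
# ADFS, so the internal farm and the proxies must already be reachable.
Convert-MsolDomainToFederated -DomainName $DomainName

# Verify: the tenant now reports the domain as Federated.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Authentication -ne "Federated") {
    throw "Conversion of $DomainName did not take effect."
}
Write-Host "$DomainName converted: Authentication = $($domain.Authentication)"

# Compare the trust as Office 365 recorded it with what the ADFS farm publishes.
# The two entries (Source = ADFS Server / Microsoft Office 365) should agree;
# a mismatch means the relying party trust and the tenant are out of sync.
Get-MsolFederationProperty -DomainName $DomainName | Format-List
```

Run it from the Microsoft Online Services Module for Windows PowerShell window on the primary ADFS server; the federation properties listed at the end are the quickest way to spot a trust that was set up against a different farm or an outdated token-signing certificate.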
Installing and Configuring Directory Synchronization (DirSync)
The very first preparation step we want to complete, before concentrating on installing and configuring the DirSync tool on the domain member server in our on-premise environment, is to activate DirSync for our Office 365 tenant. This can be done by logging on to the Office 365 portal, clicking “Users” and from there clicking “Set up” under “Directory Synchronization” at the top of the page.
Figure 20: Activating Active Directory Synchronization
The reason why I want you to get that done as the very first step is that once you click the “Activate” button, it can take several hours before the activation itself occurs! As you can see in Figure 21, the synchronization is in a “being activated” state. In the past this step didn’t take more than around 15 minutes, but the aggressiveness of the script that activates DirSync for Office 365 tenants has been lowered significantly, which makes sense in a multi-tenant environment like Office 365 hosting millions of users.
Figure 21: Are you sure you want to activate Directory Synchronization?
When DirSync has been activated, you can see the status message has changed as shown in Figure 22.
Figure 22: Directory Synchronization is being activated
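Rather than refreshing the portal for hours, the activation state can be polled from PowerShell. The following is an added example, not code from the article: it assumes the Microsoft Online Services Module is installed on the machine it runs on and reads the DirectorySynchronizationEnabled flag that Get-MsolCompanyInformation reports for the tenant. The timeout and polling interval are assumed values, not documented limits.

```powershell
# Added example, not the article's own code: wait until the tenant reports
# directory synchronization as enabled, so the DirSync Configuration Wizard is
# only started once activation has actually completed. Assumes the MSOnline
# module is installed. Timeout and interval are assumed values.
$Cred = Get-Credential -Message "Office 365 global administrator"
Connect-MsolService -Credential $Cred

$timeout  = (Get-Date).AddHours(4)   # activation can take hours; adjust as needed
$interval = 600                      # seconds between checks

do {
    $company = Get-MsolCompanyInformation
    if ($company.DirectorySynchronizationEnabled) {
        Write-Host ("{0:u}  DirSync is enabled for tenant '{1}'" -f (Get-Date), $company.DisplayName)
        break
    }
    Write-Host ("{0:u}  DirSync not enabled yet; next check in {1}s" -f (Get-Date), $interval)
    Start-Sleep -Seconds $interval
} while ((Get-Date) -lt $timeout)

if (-not $company.DirectorySynchronizationEnabled) {
    Write-Warning "Timed out waiting for DirSync activation; do not run the Configuration Wizard yet."
}
```

Once the loop reports the tenant as enabled, the Configuration Wizard left unticked at the end of the DirSync installation can safely be started.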
While we wait for DirSync to be activated for our Office 365 tenant, let’s log on to the domain member server on which we want to install the DirSync tool. From the server, open the Office 365 portal, click “Users” and then click “Set up” under Active Directory Synchronization. Under “Step 4”, download the relevant version of the DirSync tool.
If you have more than 50,000 Active Directory objects of the types user, service account, security group, distribution group and contact, you should use a dedicated SQL instance for DirSync instead of the Windows Internal Database (WID), which is used when you perform a default installation. For details on how to install DirSync with a dedicated SQL instance, see this link.
If you launch setup for the DirSync tool immediately, you will see an error message stating that the tool requires .NET Framework 3.5 SP1 to be installed on the respective server.
Figure 23: .NET Framework 3.5.1 SP1 must be installed on the server
We can install the framework using the “Add Features Wizard” in the “Server Manager” or by downloading the full .NET Framework 3.5.1 SP1 package here.
If you installed the .NET Framework 3.5.1 component using the Server Manager, also make sure you update the .NET Framework component with the cumulative .NET Framework 3.5.1 Service Pack 1 update, which can be downloaded here. In addition, no matter which method you use to install it, it’s important that you also install an SP1-specific update that fixes issues contained in SP1. You can grab that update here.
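Both of the prerequisites just described, the 50,000-object threshold for WID versus a dedicated SQL instance and the .NET Framework 3.5 SP1 requirement, can be checked on the DirSync server before setup is launched. The following script is an added example and not code from the article: it assumes the Active Directory module for Windows PowerShell is available on the domain member server, uses the threshold the article states, and reads the standard .NET 3.5 setup registry key.

```powershell
# Added example, not the article's own code: pre-installation checks run on the
# domain member server that will host DirSync. Assumes the ActiveDirectory
# PowerShell module (RSAT) is installed on that server. The 50,000 threshold is
# the one the article states; the registry path is the standard .NET 3.5 key.
Import-Module ActiveDirectory

# 1. Count the object types DirSync synchronizes: users and service accounts,
#    contacts (all objectCategory=person) and security/distribution groups.
$filter    = "(|(objectCategory=person)(objectCategory=group))"
$count     = (Get-ADObject -LDAPFilter $filter -ResultSetSize $null | Measure-Object).Count
$threshold = 50000

if ($count -gt $threshold) {
    Write-Warning ("{0} synchronizable objects found (> {1}): install DirSync with a dedicated SQL instance instead of WID." -f $count, $threshold)
} else {
    Write-Host ("{0} synchronizable objects found (<= {1}): the default WID installation is fine." -f $count, $threshold)
}

# 2. Confirm .NET Framework 3.5 SP1 is present before launching DirSync setup.
#    The setup key records Install=1 and SP=1 once the service pack is applied.
$ndp      = "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5"
$dotnet35 = Get-ItemProperty -Path $ndp -ErrorAction SilentlyContinue

if (-not $dotnet35 -or $dotnet35.Install -ne 1) {
    Write-Warning ".NET Framework 3.5 is not installed; add it via Server Manager or the full package first."
} elseif ($dotnet35.SP -lt 1) {
    Write-Warning (".NET Framework 3.5 (version {0}) is installed without SP1; apply SP1 before running DirSync setup." -f $dotnet35.Version)
} else {
    Write-Host (".NET Framework 3.5 SP{0} (version {1}) is present." -f $dotnet35.SP, $dotnet35.Version)
}
```

The object count deliberately excludes computer accounts (objectCategory=computer), since DirSync does not synchronize them and they would otherwise inflate the figure against the threshold.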
When you have installed .NET Framework 3.5.1 SP1 plus the important update, launch the DirSync setup file. On the “Welcome” page, click “Next”.
Figure 24: DirSync tool Installer – Welcome Page
Click “Next”, then accept the EULA and click “Next” again.
Figure 25: Accepting the license terms
On the “Select Installation Folder” page, leave the defaults and click “Next”.
Figure 26: Selecting the installation folder
The tool will now be installed, and this can take several minutes to complete.
Figure 27: DirSync tool is being installed
When the tool has been installed, click “Next”.
Figure 28: Installation complete
On the “Finish” page, untick “Start Configuration Wizard now” and click “Finish”. We will need to wait for DirSync support to be enabled in the Office 365 tenant before running the wizard.
Figure 29: Finishing the installation wizard
Okay, with this, part 6 of this article series ends, but fear not, there is still plenty coming your way.