How to Sync an Existing Office365 Tenant into a New Active Directory Domain
Normally you would have a network setup in a domain and you need to migrate into Office365. Usually away from small business server or another type of email system but what do you need to do if there is no existing domain? What if you work in a workgroup and users use Office365 but now you need to setup a domain infrastructure and synchronise that local domain with Office365, what do we need to do?
Well no worries let’s see how you do it!
You can either watch the video here or scroll down to read the blog post 🙂
Part 1 – Add UPN Suffixes into Active Directory
Log in to the portal as a global administrator and navigate to settings then domains. Make a list of all of the custom domains you are using not including the default onmicrosoft.com. These will be added as UPN suffixes into active directory so that users can have the same username in the local AD as they do in Office 365
Log into a domain controller and open Active Directory Domains and Trusts. Right click on the root and click on properties. This will allow you to add the UPN suffixes. Add all of the custom domains you have listed in the domains section in Office 365 with exception of the onmicrosoft.com domain.
Here we add office365lab.co.uk and press OK.
Part 2 – Check all user accounts and groups have a logon domain
Check each user account has one of your custom domains included in the user name and not the onmicrosoft.com domain.
If any user accounts have a username which is not a custom domain then go into the account and update the username and save the changes. Its ok to have a cloud admin account with is cloud only and has the onmicrosoft.com. If you want to sync everything else into your active directory then ensure all accounts have a logon domain which matches one of your custom domains.
As well as all user accounts do the same to each group in the Office 365 tenant.
Part 3 – Create object in active directory
Now its time to go down your list of user accounts in the portal and recreate them in your local active directory. Pay special attention to the user names and primary email address and aliases.
On one of your domain controllers open up active directory users and computers and start creating new user objects.
Enter the details exactly as you see them in the Office365 portal and ensure you set the user logon name suffix so that it matches the office 365 logon name in the portal.
Set a password and press Next, its not too important what the password is here because it will need resetting after the initial sync before the user can logon.
Now ensure the primary address of the user in the portal is entered on the general tab in the e-mail field.
Next go to the Attribute editor and find the proxyAddresses attribute. Here is where you enter all of the email addresses assigned to the account so add any email alises which are listed on the account in the portal.
The primary email address must be prefixed with SMTP: in capitals and all other aliases should be added in lowercase smtp: This is important so pay attention when adding all of the addresses.
The primary address (aka the send as address) has SMTP: prefixed on it and all others have a lowercase smtp:
Part 4 – Install Azure Active Directory Connect (AAD Connect)
Download the latest version of the AAD Connect tool onto one of your domain controllers or a member server which will host the sync software.
Run the installer, agree to the terms and select Continue.
We are going to go for an express setup here but if you want to explore the advanced options go for it. Select Express if you want it to work using this guide.
Enter the logon credentials of a global administrator in the Office365 tenant. Just remember that if you update the password to this account you will need to rerun the AAD Connect configuration wizard to update the password.
Enter the a domain administrator account and the same applies as above, if you update the password then simply rerun the wizard.
The wizard will verify that your custom domains have been added as UPN suffixes. If you followed part 1 of this guide your good to go.
Press install and let the configuration complete which will take a few minutes.
Once AAD Connect has been installed it will kick off a sync. Leave the system for about 20 minutes to allow this initial sync to complete in the background.
You can test the sync is working correctly by adding a new email alias into one of your active directory user accounts and see if those changes sync into the office 365 portal. We can see all of the additional aliases we added earlier in this guide have synced into the 365 portal so we have success!
Every change you make from now on will sync with Office 365 every 30 minutes by default. You wont see the changes straight away so be patient or open Powershell on the domain controller and type the following command to force a sync
Start-ADSyncSyncCycle -PolicyType delta
Setting up a new AD when a client is already using Office365 involves a lot of manual work. Never fear because Power Shell can do all of this for us within a minute! sign up for the newsletter at the top of the page to be informed when I post that script.