Category Archives: Office 365

Upgrading DirSync to AADSync for Office 365 and Azure environments

As of 11/11/2014, Microsoft has released their next generation tool for providing synchronization between an on-premise Active Directory environment and Microsoft based cloud service (Azure, Office 365 Suite (Lync Online, CRM, SharePoint, Exchange, etc.)).  The utility is now referenced as Microsoft Azure Active Directory Sync Services (AADSync).

In this tutorial, we will go over the process to ensure you are on the new generation of their synchronization tool.  The process is fairly straight forward, uninstall the old DirSync utility, install the new AADSync utility.  If you wish to install the utility on a new server, stop the DirSync service, install the AADSync utility on the new server, and then uinstall DirSync after you have verified synchronization is successful on the new machine.

Here is the uninstall DirSync and install AADSync process

  1. Download a copy of the AADSync utility from Microsoft’s website: http://www.microsoft.com/en-us/download/details.aspx?id=44225
  2. Login to the server currently running DirSync
  3. Open up Control Panel
    Server - Start Menu - Control Panel
  4. Select Programs and Features (notice I am in the View By Small icons view)
    Control Panel - Small Icons - Programs and Features
  5. Uninstall the Windows Azure Active Directory Sync tool
  6. Select Yes to uninstall when prompted
    Windows Azure Active Directory Sync - Another instance dialog - Uninstall
  7. Uninstall Forefront Identity Manager Synchronization Service if it wasn’t uninstalled already
    Uninstall - Forefront identity Manager Synchronization Service
  8. Run the MicrosoftAzureADConnectionTool.exe application you downloaded from Microsoft
    MicrosoftAzureADConnectionTool Installer
  9. Check I agree to the license terms and click Install
    Microsoft Azure Active Directory Sync Services - Install
  10. Once the install has finished, open up Computer Management and navigate to System Tools -> Local Users and Groups, Groups, and double click on ADSyncAdmins
    Computer Management - Local Users and groups - Groups - ADSyncAdmins
  11. Ensure your user account, user group, or local machine has been added to the security group
    ADSyncAdmins - Group Membership
  12. Log out of Windows
    Windows 8-Server 2012 - Sign Out

    1. Note: This step is needed to ensure you have proper user privileges when running the sync tool.  When running through the sync tool’s installer, your user account will automatically be placed in a local security group called ADSyncAdmins.  A logout is needed to update your session otherwise you may receive the following error message:
      Your account is not a member of the ADSyncAdmins security group.  If you have recently installed Azure AD Sync, sign out before running this installation guide again.
      Microsoft Azure Active Directory Sync Services - Your account is not a member of the ADSyncAdmins security group
  13. Upon login, open up the DirectorySyncTool application
    DirectorySyncTool
  14. Enter your Azure or Office 365 admin credentials and click Next
    Microsoft Azure Active Directory Sync Services - Azure AD Credentials
  15. Enter in your forest name, username (must be in domain\username format), and password (Active Directory on-premise credentials) and click Add Forest
    Microsoft Azure Active Directory Sync Services - AD DS Credentials

    1. Note: If you are unsure what your forest name is, login to your domain controller and execute the following powershell command to list all forests in your deployment:
       Get-AdForest | FT Name
  16. Click Next once your forest has been validated
    Microsoft Azure Active Directory Sync Services - AD DS Credentials - Forests Validated
  17. Click Next on User Matching
    Microsoft Azure Active Directory Sync Services - User Matching
  18. Check the boxes that are applicable to your deployment and click Next
    Microsoft Azure Active Directory Sync Services - Optional Features
  19. Click Configure
    Microsoft Azure Active Directory Sync Services - Configure
  20. Click Finish
    Microsoft Azure Active Directory Sync Services - Finish

 

Office 365 – Renew your certificates (on-premise ADFS) alert

Symptom: After you replace your SSL certificates on your ADFS servers you continue to receive the following alert inside of the Office 365 portal.

Renew your certificates
One of your on-premises Federation Service certificates is expiring.  Failure to renew the certificate and update trust properties within XX days will result in a loss of access to all Office 365 services for all users.  Update now

Office 365 - Alert - Renew your certificates

Solution: This error can be caused if any of the three primary SSL Certificates that are required to federate to an external identity are nearing their experation date (Service Communications, Token-decrpting, and Token-signing).

Verify which SSL certificate is about to expire

  1. Login to your primary ADFS server
  2. Open up Server Manager
    Server 2012 R2 - Server Manager
  3. Select Tools -> AD FS Management
    Server Manager - Tools - AD FS Management
  4. Under AD FS expand Service and select Certificates
    AD FS Management Console - AD FS - Service - Certificates
  5. Verify if any certificates are set to expire
    1. Note: In this case, you can see the Token-decrypting and Token-signing certificates are set to expire soon

Replace the expir(ed)(ing) certificates

Unfortunately, I don’t currently have a tutorial on the processes behind replacing each certificate.  The process for replacing each certificate is a tad different.  Here are a few articles that might help you:

Replacing the Service Communication certificate: http://blogs.technet.com/b/tune_in_to_windows_intune/archive/2013/11/13/replace-certificates-on-adfs-3-0.aspx

Replacing the token-signing and token-decrypting certificates can be found here: http://social.technet.microsoft.com/wiki/contents/articles/2554.ad-fs-2-0-how-to-replace-the-ssl-service-communications-token-signing-and-token-decrypting-certificates.aspx#Replacing_the_Token-Signing_certificate

Update the federated trust with Office 365

  1. Once your certificates are not nearing their experation date, open up the Windows Azure Active Direcotry Module for Windows PowerShell as an administrator
    1. Note: Installation instructions and the download for this can be found here: http://technet.microsoft.com/en-us/library/jj151815.aspx
      Windows Azure Active Directory Module for Windows PowerShell
  2. Execute the following command
    1.  Connect-MsolService
      Windows Azure Active Directory Module for Windows PowerShell - Connect-MsolService

      1. Note: Enter in your Office 365 administrator credentials on this step
  3. Execute the following command
    1. Update-MsolFederatedDomain -DomainName mydomain.com -SupportMultiDomain
      Windows Azure Active Directory Module for Windows PowerShell - Connect-msolservice - update-msolfederateddomain

      1. Note: Replace mydomain.com with your federated domain.  If you have multiple domains you are federating with Office 365, add the optional -SupportMultiDomain paramter as well

DirSync (Directory Synchronization) (Windows Azure Active Directory Sync Tool) attributes federated to Office 365

Here is a complete listing of the attributes that are federated to Office 365 by your on-premise Active Directory environment.

An official listing of these attributes can be found on the following technet article: http://social.technet.microsoft.com/wiki/contents/articles/19901.dirsync-list-of-attributes-that-are-synced-by-the-windows-azure-active-directory-sync-tool.aspx

Synced Object Attribute User Group Contact (Src) Description
assistant Read Read The name of the assistant for an account.
authOrig Read Read Read Relationship that indicates that the mailbox for the target object is authorized to send mail to the source object.
C Read Two-letter ISO 3166 [ISO3166] country code.
cn Read Read Read The common name of the object.
co Read Read The country/region in which the person (user or contact) or company is located.
company Read Read The person’s (user or contact) company name.
countryCode Read Read The country code for person’s (user or contact) language of choice.
department Read Read The name of the person’s (user or contact) department.
description Read Read Read Human-readable descriptive phrases about the object.
displayName Read Read Read The display name for an object, usually the combination of the person’s first name, middle initial, and last name.
dLMemRejectPerms Read Read Read Relationship that indicates that members of the target object are not authorized to send mail to the source object.
dLMemSubmitPerms Read Read Read Relationship that indicates that members of the target object are authorized to send mail to the source object.
ExtensionAttribute1 Read Read Read Custom attribute that is defined in the customer on-premises directory.
ExtensionAttribute10 Read Read Read Custom attribute that is defined in the customer on-premises directory.
ExtensionAttribute11 Read Read Read Custom attribute that is defined in the customer on-premises directory.
ExtensionAttribute12 Read Read Read Custom attribute that is defined in the customer on-premises directory.
ExtensionAttribute13 Read Read Read Custom attribute that is defined in the customer on-premises directory.
ExtensionAttribute14 Read Read Read Custom attribute that is defined in the customer on-premises directory.
ExtensionAttribute15 Read Read Read Custom attribute that is defined in the customer on-premises directory.
ExtensionAttribute2 Read Read Read Custom attribute that is defined in the customer on-premises directory.
ExtensionAttribute3 Read Read Read Custom attribute that is defined in the customer on-premises directory.
ExtensionAttribute4 Read Read Read Custom attribute that is defined in the customer on-premises directory.
ExtensionAttribute5 Read Read Read Custom attribute that is defined in the customer on-premises directory.
ExtensionAttribute6 Read Read Read Custom attribute that is defined in the customer on-premises directory.
ExtensionAttribute7 Read Read Read Custom attribute that is defined in the customer on-premises directory.
ExtensionAttribute8 Read Read Read Custom attribute that is defined in the customer on-premises directory.
ExtensionAttribute9 Read Read Read Custom attribute that is defined in the customer on-premises directory.
facsimiletelephonenumber Read Read Telephone numbers (and, optionally, the parameters) for facsimile terminals.
givenName Read Read Name strings that are the part of a person’s (user or contact) name that is not their surname.
GroupType Read Flag attribute indicating the type of group (security, global, etc.)
hideDLMembership Read Hide the membership list on a distribution list from senders.
homephone Read Read The person’s (user or contact) main home telephone number.
info Read Read Read “Notes” field on “Telephone” tab of ADUC.
Initials Read Read Strings of initials of some or all of an individual’s names, except the surname(s).
ipPhone Read Read The TCP/IP address for the telephone.
l Read Read Names of a locality or place, such as a city, county, or other geographic region.
legacyExchangeDN Read Read Read
mail Read Read Read The list of email addresses for a person (user or contact).
mailnickname Read Read Read
managedBy Read Resource/owner relationship, where the source object (a group) is the resource, and the target object is the owner.
manager Read Read Manager/direct report relationship between two individuals, where the source object is the direct report, and the target object is the manager.
member Read Membership of the target object (of class User, Contact, or Group) in the group that is identified as the source object.
middleName Read Read Additional names for a person (user or contact), for example, middle name, patronymic, matronymic, or other names.
mobile Read Read The primary mobile phone number for a person (user or contact).
msDS-HABSeniorityIndex Read Read Read
msDS-PhoneticDisplayName Read Read Read
MsExchArchiveGUID Read
MsExchArchiveName Read
msExchArchiveStatus Read/Write Created in the Exchange cloud for “write back” to on-premises when the customer has a cloud archive.
msExchAssistantName Read Read The name of the assistant for an account.
msExchAuditAdmin Read
msExchAuditDelegate Read
msExchAuditDelegateAdmin Read
msExchAuditOwner Read
MsExchBlockedSendersHash Read/Write Read Populated through an upgrade from Business Productivity Online Standard Suite. Not synced from on-premises.
msExchBypassAudit Read
MsExchBypassModerationFromDLMembersLink Read Read Read
MsExchBypassModerationLink Read Read Read
msExchCoManagedByLink Read
msExchDelegateListLink Read
msExchELCExpirySuspensionEnd Read
msExchELCExpirySuspensionStart Read
msExchELCMailboxFlags Read
MsExchEnableModeration Read Read
msExchExtensionCustomAttribute1 Read Read Read
msExchExtensionCustomAttribute2 Read Read Read
msExchExtensionCustomAttribute3 Read Read Read
msExchExtensionCustomAttribute4 Read Read Read
msExchExtensionCustomAttribute5 Read Read Read
MsExchGroupDepartRestriction Read
MsExchGroupJoinRestriction Read
msExchHideFromAddressLists Read Read Read Indicator to control the visibility of a mail recipient for name resolution.
MsExchImmutableID Read
msExchLitigationHoldDate Read Read Read
msExchLitigationHoldOwner Read Read Read
MsExchMailboxGuid Read The GUID of the user’s mailbox.
msExchMailboxAuditEnable Read
msExchMailboxAuditLogAgeLimit Read
MsExchModeratedByLink Read Read Read
MsExchModerationFlags Read Read Read
MsExchRecipientDisplayType Read Read Read
msExchRecipientTypeDetails Read Read Read
MsExchRemoteRecipientType Read
msExchRequireAuthToSendTo Read Read Read When enabled for a distribution list (DL), unauthenticated users are rejected.
MsExchResourceCapacity Read
MsExchResourceDisplay Read
MsExchResourceMetaData Read
MsExchResourceSearchProperties Read
msExchRetentionComment Read Read Read
msExchRetentionURL Read Read Read
MsExchSafeRecipientsHash Read/Write Read Populated through an upgrade from Business Productivity Online Standard Suite. Not synced from on-premises.
MsExchSafeSendersHash Read/Write Read Populated through an upgrade from Business Productivity Online Standard Suite. Not synced from on premises.
MsExchSenderHintTranslations Read Read Read
msExchTeamMailboxExpiration Read
msExchTeamMailboxOwners Read
msExchTeamMailboxSharePointLinkedBy Read
msExchTeamMailboxSharePointUrl Read
msExchUCVoiceMailSettings Read/Write
msExchUsageLocation Read
msExchUserHoldPolicies Read/Write Litigation Hold allows cloud services to determine which users are under Litigation Hold
msOrg-IsOrganizational Read
msRTCSIP-ApplicationOptions Read
msRTCSIP-DeploymentLocator Read Read Fully qualified DNS name of the Microsoft Lync Server 2010 deployment, as specified in the authoritative (customer, on-premises) directory.
msRTCSIP-Line Read Read The device ID (either the Session Initiation Protocol (SIP) uniform resource identifier (URI) or the TEL URI) of the telephone that the user controls.
msRTCSIP-OwnerUrn Read
msRTCSIP-PrimaryUserAddress Read Read SIP URI for instant messaging, as specified in the authoritative (customer, on-premise) directory.
msRTCSIP-UserEnabled Read Read Indicates whether the user is currently enabled for SIP instant messaging, as specified in the authoritative (customer, on-premises) directory.
msRTCSIP-OptionFlags Read Read
objectGUID Read Read Read Key for the object: this key is immutable, even if the object moves from one context to another, for example, as a result of a company merge or split.
oOFReplyToOriginator Read Governs whether out-of-office notifications should be sent to a sender of a message to this distribution list (DL).
otherFacsimileTelephone Read Read A list of alternative facsimile numbers.
otherHomePhone Read Read A list of alternative home telephone numbers.
otherIpPhone Read Read A list of alternative TCP/IP addresses for the telephone.
otherMobile Read Read A list of alternative mobile phone numbers.
otherPager Read Read A list of alternative pager numbers.
otherTelephone Read Read A list of alternative office telephone numbers.
pager Read Read The primary pager number.
photo Read
physicalDeliveryOfficeName Read Read Names that a postal service uses to identify a post office.
postalCode Read Read Codes that a postal service uses to identify postal service zones.
postOfficeBox Read Read Postal box identifiers that a postal service uses when a customer arranges to receive mail at a box on the premises of the postal service.
PreferredLanguage Read The preferred written or spoken language for a user.
proxyAddresses Read/Write Read/Write Read/Write The address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system.
PublicDelegates Read/Write Read Read Cross-premises public delegation: allows users to specify delegates for their mailbox.
reportToOriginator Read Governs whether to send delivery reports to the message originator when a message that is sent to a group is not delivered. The delivery report lets the group owner know that the message was not delivered.
ReportToOwner Read
samAccountName Read
sn Read Read Name strings for the family names of a person (user or contact).
st Read Read The full names of states or provinces.
streetAddress Read Read The person’s (user or contact) address.
targetAddress Read Read The destination address for the person (user or contact).
TelephoneAssistant Read Read
telephoneNumber Read Read Telephone numbers that comply with the ITU Recommendation E.123.
thumbnailphoto Read Read Persons Photo – 10kb maximum size limit
title Read Read The title of a person (user or contact) in the person’s organizational context.
unauthOrig Read Read Read Relationship that indicates that the mailbox for the target object is not authorized to send mail to the source object.
url Read Read The list of alternative web pages.
userAccountControl Read Flag attribute to indicate settings.
userCertificate Read Read Contains certificates used as part of the Exchange SMIME feature set.
UserPrincipalName Read The user principal name (UPN) that is an Internet-style logon name for a user, as specified in RFC 822.
userSMIMECertificate Read Read Contains certificates used as part of the Exchange SMIME feature set.
wWWHomePage Read Read The primary web page.

Office 365 – Change the Alias attribute of an Exchange mailbox for a federated user

Scenario: A federated Office 365 user’s Alias is incorrect.  You wish to change it, but changing the proxyAddress or Mail attribute in Active Directory does not update the Alias.

Before this tutorial, you can see the Alias has a typo in it (the m and o are out of place)

Office 365 - User Mailbox - Alias - TypoAfter completing this tutorial, we will update the Alias to look correct

Office 365 - User Mailbox - Alias - Typo Fixed

Solution: Complete the following steps below to update the Alias

  1. Login to one of your Domain Controllers and open up Active Directory Users and Computers
    Server Manager - Active Directory Users and Computers
  2. Find the user that owns the mailbox, right click on them, and select Properties
    Active Directory Users and Computers - User - Properties
  3. Select the Attribute Editor Tab and find the mailNickname attribute
    Active Directory Users and Computers - User - Properties - Attribute Editor - mailNickname

    1. Note: You will need to Enable Advanced Features on Active Directory Users and Computers to see this tab
      Active Directory Users and Computers - View - Advanced Features
  4. Type in the desired value you wish to show up in the Alias field on the Office 365 Exchange Portal and click OK
    Active Directory Users and Computers - User - Properties - Attribute Editor - mailNickname - String Attribute Editor
  5. Click Apply on the Active Directory Users and Computers dialog
    Active Directory Users and Computers - User - Properties - Attribute Editor - mailNickname - Apply
  6. Wait for the Office 365 Directory Synchronization tool runs and updates the users online
    1. Note: Tutorial on how to do this can be found here: http://jackstromberg.com/2012/08/force-directory-synchronization-with-office-365/
  7. Ensure that the Alias field has updated in the Exchange Administrative portal
    Office 365 - User Mailbox - Alias - Typo Fixed

 

Office 365 – Call us overprotective, but we need to verify your account again before opening this document.

Symptom:

When trying to open a document in Office 2013 ProPlus from Office 365’s SharePoint environment, you are periodically prompted for credentials to SharePoint Online, OneDrive, and Lync Onlinet (using your email address and password).  Additionally, the affected users are those that have been synchronized from an on-premise Active Directory environment via ADFS.

Side Note: Not sure if this is relevent or not, but we noticed this started to happen after upgrading our ADFS Proxy Servers to Server 2012 R2 (ADFS v3).

You are prompted with the following Sign In box:

Call us overprotective, but we need to verify your account again before opening this document.
Sign In

Once you try signing in, you receive the following error:

We are unable to connect right now. Please check your network and try again later.

Sign In 2

Inside of the Lync 2013 client, you might see the following dialog as well:

Credentials are required

Lync needs your user name and password to connect for retrieving calendar data from Outlook

Sign In 3

Solution:

This error is caused by a variety of different issues.  Please try all of the following below.

If you have a single client having issues

  • Clearing cache of Internet Explorer
  • Running an online repair of Office 365 ProPlus
  • Switching Accounts inside of Outlook (File->Office Account->Switch Account)
  • Deactiving office from Office 365 settings and reactivating

If this is a widespread issue on multiple machines in your environment

  • Verify all proxy servers are functioning
    • If you have multiple proxy servers, ensure your Network Load Balancer is functioning correctly
  • You might be hitting a known bug with the Office 2013 Suite.  See the following KB article on how to try a workaround (this was the fix for an environment I worked on using ADFS and Server 2012): http://support.microsoft.com/kb/2913639

Change Office 365 DirSync Synchronization Frequency/Schedule

By default, you have probably noticed it can take up to 3 hours for a change to be in your on-premise environment to be replicated to your Office 365 environment.  In organizations that have a smaller amount of users, you can change the frequency of the synchronization schedule to replicate the changes to Office 365 more quickly.

  1. Login to the server with the DirSync application (Windows Azure Active Directory Sync)
  2. Open up Notepad as an Administrator
    Notepad - Run as Administrator
  3. Open the folllowing file
    1. C:\Program Files\Windows Azure Active Directory Sync\Microsoft.Online.DirSync.Scheduler.exe.config
      Microsoft_Online_DirSync_Scheduler_exe_config
  4. Change the SyncTimeInterval to how often you want the tool to be run.  The time is in hh:mm:ss
    1. For example, to change a sync frequency to every 15 minutes
      1. Change <add key=”SyncTimeInterval” value=”3:0:0″ /> to <add key=”SyncTimeInterval” value=”0:15:0″ />
        Microsoft_Online_DirSync_Scheduler_exe_config - 15 minutes
  5. Save and Close Notepad
  6. Restart the Windows Azure Active Directory Sync Service
    Windows Azure Active Directory Sync Service - Restart

DirSync – Unable to establish a connection to the authentication service. Contact Technical Support.

Symptom: You receive the following errors when running the Windows Azure Active Directory Sync tool Configuration Wizard or the Microsoft Online Services Directory Synchronization Configuration Wizard.

Synchronization Service Manager shows stopped-server-down status.
stopped-server-down Synchronization Service Manager

You receive the following events inside of event viewer:

Log Name: Application
Source: Directory Synchronization
Date: %Date%
Event ID: 0
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: %ComputerName%
Description:
Unable to establish a connection to the authentication service. Contact Technical Support. GetAuthState() failed with -2147186688 state. HResult:0. Contact Technical Support. (0x80048862)
Log Name: Application
Source: Directory Synchronization
Date: %Date%
Event ID: 102
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: %ComputerName%
Description:
Unable to establish a connection to the authentication service. Contact Technical Support.

Log Name: Application
Source: FIMSynchronizationService
Date: %Date%
Event ID: 6803
Task Category: Management Agent Run Profile
Level: Error
Keywords: Classic
User: N/A
Computer: %ComputerName%
Description:
The management agent “TargetWebService” failed on run profile “Delta Confirming Import” because the server encountered errors.

The Windows Azure Active Directory Sync tool Configuration Wizard presents you the following error message:
Unable to establish a connection to the authentication service. Contact Technical Support.
Unable to establish a connection to the authentication service. Contact Technical Support

Solution: This turns out to be an issue with the provided credentials entered in the Windows Azure Active Directory Credentials step.  Please make sure you verify the following.

  1. Do not use a federated Global Administrator service account.  Federated service accounts are not allowed to be used with the synchronization tool.  You should have a non-federated Global Administrator account with an @mydomain.onmicrosoft.com UPN.
  2. Ensure your Office 365 Global Administrator service account’s password has not expired.

Office 365 – The phone number you entered has already been registered by someone else.

Symptom: You receive the following error when trying to enable someone for a Unified Messaging mailbox on Office 365 (Office 365 Admin Portal -> Exchange -> User Account -> Enable Unified Messaging -> Browse for UM mailbox policy).

error
The phone number you entered has already been registered by someone else.
The phone number you entered has already been registered by someone else

Resolution: This was caused by having a duplicate UM Voicemail box number.  You can run the following powershell commands to identify which user has the duplicate number assigned to them.

Set-ExecutionPolicy unrestricted
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $session
Get-Recipient -ResultSize Unlimited | where{$_.emailaddresses -like “*EUM:*PHONENUMBER*”} | fl displayname,emailaddresses