DirSync – Filtering down to a single tree-domain

DirSync in general is a great tool, but sometimes there is a requirement to split replication across different Azure/Office 365 tenants.  This might be the case when you have a single forest with tree-domains in different regions, or when you need security separation between them.

In this scenario we have a single forest with two tree domains configured.

Figure: AD forest view

The requirement is to synchronise only the users within DomainA to a separate Azure Active Directory.

Now there is a gotcha here: you need to create a service account in DomainA that is also a member of “Enterprise Admins” at the forest root level.  Without this permission you’re on a hiding to nowhere.

In my testing I also added the same service account to the Domain Admins within DomainA.  At this time I’ve not had a chance to test whether DirSync will work OK without this permission set; common sense says it shouldn’t need it, because you’ve added the user to “Enterprise Admins”, which is by default a member of each tree domain’s “Domain Admins”, but we all know how quirky Windows permissions can be sometimes.  So, belt and braces, I’ve added the user to this security group.

You also need to create a Global administrator account in the Azure Active Directory.

Armed with these two service accounts you can now install DirSync.  Nice and easy; it’s a “Next, Next, OK” affair.

The DirSync configuration stage is where you will hit an error.  If you see any access denied messages, the likelihood is that one of the service accounts you’ve used hasn’t got the right permissions set.

Because we are doing this from a tree-domain level you will also get a “constraint violation”.  This is because the account created in AD by the DirSync installation hasn’t got the right permissions on the AD objects.  Open the “Users and Computers” MMC and look for the service account created by DirSync; it is usually named in the format “MSOL_xxxx” and found in the Users container.  Once you have located the user, make a note of the name.  You now need to give this account “Replication Permissions” on DomainA.
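The same step scripted, as an added example that is not part of the original post. It locates the MSOL_ account in DomainA, grants it the “Replicating Directory Changes” extended right on the DomainA naming context, and then lists every principal that holds a replication right there, which is the check worth running afterwards anyway: anything in that list beyond the domain controllers, the admin groups and the MSOL_ account should be explained. The domain name “domaina.local”, the use of the ActiveDirectory module’s AD: drive (so run it from a box joined to DomainA), and the extra “Replicating Directory Changes All” right (only needed if password hash sync is in use) are assumptions, not something the post states.

```powershell
# Added example, not from the original post. Assumes: DomainA is "domaina.local",
# the ActiveDirectory module is installed and the AD: drive maps to DomainA,
# and the session runs as the Enterprise Admin service account.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain -Server 'domaina.local').DistinguishedName   # assumed domain
$msolUser = Get-ADUser -Server 'domaina.local' -Filter 'SamAccountName -like "MSOL_*"' |
            Select-Object -First 1
if (-not $msolUser) { throw 'No MSOL_* account found; run the DirSync configuration wizard first.' }

# Well-known schema GUIDs for the two replication extended rights.
# "Get-Changes-All" is only required for password hash synchronisation (assumption).
$rights = @{
    'Replicating Directory Changes'     = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes All' = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}

$path = "AD:\$domainDn"
$acl  = Get-Acl -Path $path
foreach ($guid in $rights.Values) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $msolUser.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $guid)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $path -AclObject $acl

# Verification: who can replicate DomainA now? Review anything unexpected.
(Get-Acl -Path $path).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -in $rights.Values } |
    ForEach-Object {
        $name = ($rights.GetEnumerator() | Where-Object { $_.Value -eq $_.ObjectType }).Key
        [pscustomobject]@{ Principal = $_.IdentityReference; Right = $name }
    } |
    Sort-Object Principal, Right -Unique |
    Format-Table -AutoSize
```

Re-running the DirSync configuration wizard after this is what clears the “constraint violation”; the ACL listing at the end is also a useful thing to keep in a change record, since replication rights are the permission you least want to find granted to an account nobody remembers creating.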

Run the DirSync configuration again and this time it should go through without any problem.

At this point you’ll be prompted to perform a full sync.  Don’t: if you do, you will populate the AAD with every user from the whole forest, which is not what you want.

So we now need to fire up the DirSync FIM Synchronization Service client.  This can be found at “C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe”.

In here, open the “Active Directory Connector” under Management Agents.  Select “Configure Connector Filter” -> “User”.

Add two new filters on “UserPrincipalName” with a “Contains” operator, one for each of the two domains I don’t need (DomainB and the forest root).

Figure: DirSync FIM Synchronization Service connector filter

Now perform a full sync.  A handy bit of PowerShell to do this is:

# Load the DirSync cmdlets and start a full synchronisation run
Import-Module -Name DirSync
Start-OnlineCoexistenceSync -FullSync

Once the full sync has completed (check the Event Viewer for confirmation), go into your AAD.  If you’ve got it right you’ll only see the users for DomainA (plus the DirSync service accounts).
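The full sync, the Event Viewer check and the tenant check from the last few steps, scripted end to end as an added example (not from the original post). It starts the sync, pulls the DirSync entries written to the Application log since the run began, then connects to the tenant and groups its users by UPN suffix so that a DomainB or forest-root user that slipped past the connector filter shows up immediately. The UPN suffixes “domaina.local”, “domainb.local” and “forest.local”, the MSOnline module, and the event source name “Directory Synchronization” are assumptions.

```powershell
# Added example, not from the original post. Assumes the DirSync and MSOnline
# modules are installed on the DirSync server and the UPN suffixes below.
Import-Module -Name DirSync
Import-Module -Name MSOnline

$wanted   = 'domaina.local'                      # assumed: the tree-domain we keep
$excluded = @('domainb.local', 'forest.local')   # assumed: the two we filtered out

$started = Get-Date
Start-OnlineCoexistenceSync -FullSync             # returns straight away; the sync runs in the background

# Equivalent of "check the Event Viewer": DirSync writes to the Application log
# under the source "Directory Synchronization" (assumed name). Re-run until the
# completion entry appears.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'
    StartTime    = $started
} -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap

# Now confirm what actually landed in the tenant. Connect-MsolService prompts
# for the AAD Global administrator credential created earlier.
Connect-MsolService
'Last DirSync time reported by the tenant: ' + (Get-MsolCompanyInformation).LastDirSyncTime

$bySuffix = Get-MsolUser -All |
    Group-Object { ($_.UserPrincipalName -split '@')[-1].ToLower() }
$bySuffix | Select-Object Name, Count | Format-Table -AutoSize

$leaked = $bySuffix | Where-Object { $_.Name -in $excluded }
if ($leaked) {
    Write-Warning ("Connector filter missed something: users from {0} are in the tenant" -f ($leaked.Name -join ', '))
} else {
    Write-Host "Only $wanted users (and the service accounts) were synchronised."
}
```

The suffix grouping is deliberately coarse: it is the quickest way to prove the filter did its job, and it is also a reasonable thing to run periodically, because a filter that is edited later in the FIM client will silently start pulling the other domains in on the next delta sync.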

Figure: Synchronisation successful

Cool eh!
