Troubleshooting 101: AD Synchronization to Office 365

Rick Vanover steps through setting up a user account mailbox in Office 365.

For those of you who have moved or are considering moving to Microsoft Office 365, there's one area that will take some understanding and preparation: Directory Synchronization. Many organizations have set up a lab environment with an Active Directory domain to get a good handle on how accounts are made and services added. This is a good idea before making the change in a production domain. I've gone through a few steps related to new account provisioning and had to troubleshoot a few issues that I learned about along the way -- chances are, you may encounter some of these situations as well.

Make an Account and a Mailbox (Now!)
Probably my biggest learning curve in leveraging Microsoft Office 365 services is that not everything is instant. I'm used to making AD accounts on-premises (many times with PowerShell scripts that also create Exchange mailboxes) -- and it's effectively an instant process. But when it comes to leveraging Office 365, a few things need to be checked to get the account working right away.

For most use cases (on-premises AD and Office 365 services), an AD account would be created on-premises first and then the Office 365 service added. Creating the account is a traditional step that most administrators can do quite easily. The interesting part comes when Office 365 services are to be added. Before the new account can be added, a synchronization with the on-premises AD has to occur, which you can see with DirSync Status on the main panel where Office 365 is administered (Figure 1).

Figure 1. The last synchronization needs to have happened before a new account can have services added.

After the synchronization has occurred, services can be added to accounts that are visible in the Admin center of Office 365. The services can be added as shown in Figure 2.

Figure 2. You can assign a user a mailbox and other services in this area.

At this point, I had a few things not go as expected. The account was fully functional on-premises, and was visible with Office 365 services assigned. However, the account wasn't able to receive e-mail and use the services. As it turns out, Office 365 is still working to prepare the services for the account, and this is not instantaneous. While it is quick (just a few minutes), it's a bit different than the pure on-premises experience. The user will not be able to log into Office 365 e-mail services just yet (though on-premises would work fine). To quickly check that the services are ready, go to the user account Mail Settings, as shown in Figure 3.

Figure 3. The account Mail Settings shows the status of the services being activated.

While everything was working, it just wasn't instantaneous. The user will likely be able to log in and select his country and language, but will not be able to access the actual mailbox. After the user's status for the Mail Settings is done preparing, the user can log in as normal.
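The same checks (last DirSync time, whether the account is visible in Office 365, and whether its services are still being prepared) can be read from PowerShell instead of the admin pages. This is an added example, not code from the original article; it assumes the ActiveDirectory and MSOnline modules with an existing Connect-MsolService session, and the function name Get-O365ProvisioningState is hypothetical.

```powershell
# Added example: read-only readiness check for a new directory-synchronized account.
# Assumes: Import-Module ActiveDirectory, MSOnline; Connect-MsolService already run.
function Get-O365ProvisioningState {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,     # on-premises logon name
        [Parameter(Mandatory)] [string] $UserPrincipalName   # sign-in name in Office 365
    )

    # 1. When was the account created in the on-premises AD?
    $adUser     = Get-ADUser -Identity $SamAccountName -Properties whenCreated
    $createdUtc = $adUser.whenCreated.ToUniversalTime()

    # 2. When did the tenant last complete a directory synchronization?
    #    (treated here as UTC; may be $null if DirSync has never run)
    $lastSync = (Get-MsolCompanyInformation).LastDirSyncTime
    $synced   = [bool]($lastSync -and ($lastSync -gt $createdUtc))

    # 3. Is the account visible in the tenant yet? ($null until a sync has carried it over)
    $cloudUser = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue

    # 4. Per-service provisioning status of every assigned license
    $services = @()
    if ($cloudUser -and $cloudUser.IsLicensed) {
        $services = @($cloudUser.Licenses.ServiceStatus | ForEach-Object {
            [pscustomobject]@{
                Service = $_.ServicePlan.ServiceName
                Status  = $_.ProvisioningStatus
            }
        })
    }
    $exchange = $services | Where-Object { $_.Service -like 'EXCHANGE*' }

    # 5. Summarize which stage the account is waiting on
    $stage = if (-not $synced)        { 'Waiting for next directory synchronization' }
             elseif (-not $cloudUser) { 'Synchronized, but account not visible in Office 365' }
             elseif (-not $exchange)  { 'Visible, but no mailbox service assigned' }
             elseif ($exchange.Status -contains 'Success') { 'Mailbox service ready' }
             else                     { 'Mailbox service still being prepared' }

    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        CreatedOnPremUtc  = $createdUtc
        LastDirSyncUtc    = $lastSync
        SyncedSinceCreate = $synced
        VisibleInTenant   = [bool]$cloudUser
        Services          = $services
        Stage             = $stage
    }
}
```

The function only reads state, so it can be polled safely; a call such as `Get-O365ProvisioningState -SamAccountName jdoe -UserPrincipalName jdoe@example.com` uses constructed sample names.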

Similar logic applies for removing an account. The removal has to happen in the on-premises AD and then synchronization must occur. At that point, the account can be removed from the Office 365 services. Having AD extended to Microsoft Office 365 introduces a few differences from a complete on-premises experience. What have you learned about account synchronization with Microsoft Office 365? Share your comments below.

About the Author

Rick Vanover (Cisco Champion, Microsoft MVP, VMware vExpert) is based in Columbus, Ohio. Vanover's experience includes systems administration and IT management, with virtualization, cloud and storage technologies being the central theme of his career recently. Follow him on Twitter @RickVanover.
