Setup BPOS Active Directory synchronization

To synchronize your AD Domain with your BPOS environment, follow the steps below.

  • Log in to your Microsoft Online Services Administration Center, click the [Migration] tab and then click the [Configure] button in the “Directory Synchronization” section.
    BPOS Directory Synchronization
  • Read the “Plan for Directory Synchronization” document and check the checkbox, confirming that you have read it.
  • Press the [Enable] button in step 2, to enable BPOS for the synchronization.
  • Press the [download] button in step 3. This will open a page where you can download the synchronization tool.
  • Now you should install the synchronization tool, but mind the following restrictions:
    – Supported OS: Windows Server 2003 Service Pack 2; Windows Server 2008
    – Can’t be installed on a domain controller
    – Can’t be installed on x64
    – PowerShell v1.0 has to be installed
  • Execute the file you downloaded in the previous step (dirsync.exe).
    – do not interrupt the installer
  • The installation is a Next, Next, Finish installation. You will be staring at a progress bar for quite a long time.
  • After the initial install you can start the Configuration Wizard.
    Before you proceed, be sure you have the following:
    – A user account that is a BPOS Administrator (probably the one you used to log in with in step 1)
    – An Enterprise Administrator account
    If you have these, the configuration is again almost Next, Next, Finish.
  • At the end of the configuration, choose “Synchronize directories now”
    – do not create any user object in your BPOS environment during this sync.
  • Within a few minutes you can view your imported users in your BPOS environment. They are all imported under the “Disabled Users” view (tab [Users] > [User List], under view select “Disabled Users”).

From here you can enable the users. A bit annoying is the fact that the list doesn’t use paging: you can only go one step through the list or jump to the end (or is that because I only had 2 pages?)

Now some things that are useful to know:

  • The tool creates a service account named MSOL_AD_Sync. This will be a domain account with directory replication permissions on your AD.
  • A service will be installed on your “sync station”.
  • The time needed for a synchronization depends on how many objects you have:
    – 500 objects: about 5 min. for the first sync, about 30 sec. after that
    – 1000 objects: 10 min. the first time, 1 min. after that
    – 5000 objects: 45 min. the first time, 5 min. after that
    – 15000 objects: 2.5 h the first time, 10 min. after that
    All depending on your bandwidth, of course; for more than 20,000 objects contact Microsoft.
  • Uninstalling the tool will not delete the MSOL_AD_Sync account; you have to do this manually.
  • The tool syncs every user in your complete forest, so whenever you must delete a domain from your forest this will impact your BPOS environment. To delete the domain, you must complete some “in-between” steps.
  • Every 3 hours there will be a scheduled sync.

The error “049: LDAP injection characters were found in the user alias” will appear if you have used invalid characters such as & and ! in a user alias.
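Because the sync covers every user in the forest, it is worth finding such aliases before the first run. The following PowerShell script is an added example (not part of the original post and not Microsoft’s tool) that uses plain ADSI, which was available on PowerShell v1.0, to list users whose alias contains the characters named above. The attribute checked (mailNickname, falling back to sAMAccountName) and the character class in $suspect are assumptions; extend $suspect if your sync rejects further characters.

```powershell
# Added example, not from the original post or the DirSync tool.
# Lists AD users whose alias contains characters that the BPOS sync
# rejects with error 049, so they can be fixed before synchronizing.
# Assumptions: the alias is mailNickname (sAMAccountName when no
# mailNickname is set) and $suspect holds only the characters the post
# names (& and !). Uses ADSI/DirectorySearcher, so no AD module is needed.

$suspect = '[&!]'    # regex character class; extend it if more characters are rejected

# True when an alias contains a suspect character.
function Test-SuspectAlias([string]$alias) {
    return [bool]($alias -match $suspect)
}

# First value of an attribute from a search result, or $null when it is not set.
function Get-FirstValue($result, [string]$name) {
    $values = $result.Properties[$name]
    if ($values -ne $null -and $values.Count -gt 0) { return $values[0] }
    return $null
}

# Scans every user object in the forest through the Global Catalog, because
# DirSync synchronizes the whole forest and not just one domain.
function Find-SuspectAliases {
    $rootDn   = [string]([ADSI]'LDAP://RootDSE').rootDomainNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"GC://$rootDn"
    $searcher.Filter     = '(&(objectCategory=person)(objectClass=user))'
    $searcher.PageSize   = 1000          # paged search, so more than 1000 users are returned
    [void]$searcher.PropertiesToLoad.Add('mailNickname')
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    foreach ($r in $searcher.FindAll()) {
        $alias = Get-FirstValue $r 'mailnickname'
        if ($alias -eq $null) { $alias = Get-FirstValue $r 'samaccountname' }
        if ($alias -ne $null -and (Test-SuspectAlias $alias)) {
            # One tab-separated line per offending user: alias, then the object's DN.
            "{0}`t{1}" -f $alias, (Get-FirstValue $r 'distinguishedname')
        }
    }
}

Find-SuspectAliases
```

Run it on the sync station (or any domain-joined machine) as an account that can read the Global Catalog; an empty result means no alias matches $suspect.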