This post will explain how to setup the DirSync tool that will synchronise your internal AD accounts across to the Windows Azure AD platform for usage by Intune and other online services such as Office 365. It's important to note that if you already have this setup for an O365 subscription you don't need to do this again just for Intune and vice versa for a new O365 if you already have Intune.
Just as a bit of background, you may want to read this link to see just what is Windows Azure AD Tenant?
This link will give you some idea around what preparing for AD Sync
This link will allow you to download the DirSync Prep Tool which will perform a series of checks across your domain to find any potential problems.
- Running the Prep Tool will start the analysis for Office 365, but 99% of the rules apply to Intune in terms of Directory Synchronisation.
- When it's complete, review the report and correct anything that might cause a problem.
- Once your happy that you're ready to go, Login to the Intune account portal at https://account.manage.microsoft.com and Click on the Users link on the left under the Management grouping.
- Look for the Active Directory synchronisation wording above the users and Click Setup
- A 6 step guide page will open, Click the Activate button at step 3
- On step 4, Choose the relevant OS platform, in this example I've chosen 64 bit as I'm installing it on Windows Server 2012
- Click Download to get the DirSync tool
- Back on the main users page, the Setup link next to the Active Directory synchronisation text should now say Deactivate. If not it may still be setting up in the background.
- To allow your users to logon to the Company Portal later on, they will need an account that matches the Universal Principal Name (UPN) of the accounts that ConfigMgr knows about.
This requires you to add a domain to the Intune portal and then verify it to ensure that you do indeed own the domain name.
- Click on the Domains link under the Management heading on the left hand side of the account management portal
- Click Add a domain
- Enter the name of your domain and Click Next
- You'll then be presented with some methods of verifying your domain, usually by adding a TXT entry to the DNS records or by changing your MX record.
- Walk through the instructions to complete this and when ready click verify next to your domain name back on the Domain page
- All things being good, you should then see your domain as verified.
- However, sometimes things never go smoothly. Certain domain registrars such as 1&1 don't accept the MX record method as it's not a registered TLD. They also don't allow you to add TXT records to your DNS.
Thankfully Todd Douglas across on the O365 forums posted an alternative method.
- Using this method you basically you create a subdomain within the 1&1 control panel using the ID ringed as shown in the screenshot as the subdomain name. You then add to this subdomain a CNAME that points to ps.microsoftonline.com and when done, you can verify your domain fine.
- Once your domain is verified, it's time to install the DirSync tool.
- This tool has some specific requirements for the account running it.
- The account installing it must be a local admin on the server (obviously)
- The account installing it must be in the Enterprise Admins group.
The Enterprise Admins group membership is temporary only and is just used during setup to create a service account in AD to be used by the sync tool going forwards to read AD.
- Another thing to watch out for is even if the account you are logged onto the server with has local admin rights, you may get told by the installer that it doesn't
- This is because you must right click the installer and choose Run as administrator.
- Step through the installer, there's nothing really in the way of configuration options to worry about.
- When the installer completes, either leave the option to Start Configuration Wizard now ticked or untick it and then find the Configuration Wizard on your Start Screen/Menu
- Review the Welcome screen and then Click Next.
- Supply the credentials for an account in Intune that has permissions to create accounts.N.B. I would advise manually creating a dedicated account for this in the Intune accounts management portal. Don't be tempted to use your account or the one created when you first setup the service.
- If at this point you get a Configuration error message, check in the account management portal that AD Synchronisation has finished setting up and then retry.
- Supply the credentials for the account in your AD that has admin rights. The documentation says it needs Enterprise admins rights, but you might get away with just domain admin rights.
- This step allows you to start setting up an Exchange hybrid deployment. I'm only interested in getting Intune working at the moment, so I'll skip this bit.
- Configuration doesn't take long, Click Next when it completes.
- Leave the option to Synchronise directories now ticked (unless you're aware of the advanced PowerShell options to scope the synchronisations down) and Click Next
- A message box will pop up with a link to some online information regarding verifying the sync is working. Click OK.
- To quickly check if the Sync Tool is working, browse in explorer to: C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell
- Find the miisclient.exe file and right click and Run as Administrator
- This will open a console (look familiar?) and you can easily check the status of the sync.
- After a little while, depending on the size of your AD, spec of the sync server and speed of your Internet connection, you should see some accounts start to appear.
- That should complete the setup of users within Intune. Users that are allowed to enrol mobile devices is controlled within ConfigMgr by the properties of the Intune Subscription and selecting a collection.
Troubleshooting a lab environment scenario
One of the first problems I ran into when setting this up in a lab environment that I hadn't hit elsewhere, was the fact that my internal domain name didn't relate to anything externally verifiable.
So while I do own an external domain name, my lab is using trustlab.local as it's domain name which bears no relevance to my external name. This also mean my user accounts Universal Principal Names (UPNs) didn't match the accounts created in Windows Azure AD.
This meant that after setting up my Subscription and the DirSync, none of my test users could access the company portal on a mobile device (https://m.manage.microsoft.com), just getting a message than an error had occurred.
Checking the cloudusersync.log file in the ConfigMgr logs directory showed this:
That's because my UPN's for those accounts don't match with the accounts within Intune.
Consider the account for Mark.Harrison
- Without a verified domain in Intune, the DirSync tool will create this as email@example.com
- With a verified domain in intune, but no matching UPN, the dirsync tool will do the same as above.
This would then create the account as firstname.lastname@example.org
If you've already setup the sync tool, then you won't be able to delete the account from Intune and you will either need to deactivate the AD Sync and then manually remove the accounts from Intune and then re-activate the sync or delete the account in AD, let it sync and remove it, then re-add the account with the matching UPN.
In short, your domain UPN MUST match a verified domain that has been added to Intune.
Thanks must also go to Craig Morris at Microsoft for confirming my thought process on the UPN mismatch issue on this one. Keep an eye out for some blog posts from him also coming soon on this subject.