Directory Synchronization: V1 versus V2 and How Identities are Managed


  •   Directory Synchronization V1 leverages an on-premises user's Primary SMTP address to create the online user's login User Principal Name (UPN) during activation by an Online Administrator within the Microsoft Online Admin Center (MOAC). Directory Synchronization V2 with Office 365 uses a different process when crafting an online user's login UPN: it uses the on-premises user's UPN, providing a 1:1 mapping between the on-premises and online attribute value. The below attempts to explain the high-level differences, the reasons why an Online Admin will need to understand these differences, and how a post-Transition Directory Synchronization operation could change an online user's login UPN:

    Directory Synchronization V1

    DirSync queries on-premises users' attributes in the following order to determine what attribute and value to use when synchronizing into the cloud; this value is used during Activation:

    1. proxyAddresses – If found, the Primary (i.e. SMTP) email address is used to stamp the online user's login UPN and Primary email address.
      1. Notes:
        1. The user's Primary Email address domain MUST be created and verified, otherwise the user's online login UPN will use the default online domain, such as contoso.microsoftonline.com
        2. Additional email addresses that are associated with on-premises users will also be synchronized into the cloud; however, ONLY the email addresses whose domain namespaces match online domains that have been created and verified will be displayed and available for use. Any email addresses using a domain namespace that is not created and/or verified will not be displayed and cannot be used until the domain is created and verified!
    2. MAIL – If users do not have a proxyAddresses attribute and value, DirSync determines if users have a MAIL attribute and, if YES, it follows the above methodology for stamping the online user's login UPN.
    3. samAccountName – If neither email attribute/value is populated, DirSync will fall back to the user's samAccountName (alias) and use the online tenant's default domain, such as contoso.microsoftonline.com, as the user's login UPN


    Directory Synchronization V2

    Directory Synchronization V2 has made some changes in how an online user's login UPN is calculated and set during Activation, using the following methodology:

    1. UPN – An on-premises user's UPN is synchronized instead of the Primary SMTP address that was used in DirSync V1, using the same logic as V1
      1. Does the on-premises user's UPN domain namespace match an online domain namespace which has been created and verified?
    2. samAccountName – Used if an on-premises user's UPN is not populated, as some companies populate First/Last/Display Name and down-level login information (Redmond\ryanph) and do not set the UPN. Note that you can DirSync without a UPN; however, if you ever want to use ADFS for Single Sign-On (SSO), users MUST have a UPN value, as ADFS keys off this AD attribute and value


    With all of this in play, you may find yourself in a scenario where your BPOS tenant is moved into Office 365 and users find they are not able to login as they did in BPOS-S. This may be due to the fact that an on-premises user's UPN and Primary Email Address are DIFFERENT, so as DirSync V2 runs, the Office 365 user's login has changed from Primary Email Address to on-premises UPN, without anyone ever understanding what has happened.

    To address this issue, administrators should perform the following review of their Active Directory BEFORE moving forward with their Transition and Directory Synchronization V2 in a post-Transition scenario:

    1. Review all users' Primary Email Address (i.e. SMTP:ryanph@microsoft.com) and determine if this aligns with the AD user's Login UPN value
      1. If not, the administrator should communicate with this user, explaining that their domain login will now be the same as their Primary Email Address


    Note – By performing the above step, when the administrator runs DirSync V2, the online user's login UPN may change from email to their on-premises login UPN and now be consistent!


    Transitions Community Lead ...Ryan J. Phillips
    Wednesday, February 1, 2012 11:44 PM

All replies

  • This is concerning to me as I was told just the opposite from the MS transition team. I have a situation with a customer that is using DirSync V1 for BPOS-S right now but their UPN prefix is not the same as the primary SMTP address and neither is the suffix.

    The transition team has stated that I should not worry about this as users will still be able to log on with their primary email addresses once they are migrated.

    Can someone clarify this?

    Wednesday, March 14, 2012 7:35 PM
  • Hi Sean!  So BPOS has a Directory Synchronization Management Agent (MA) that is synchronizing your BPOS tenant's users, contacts, groups and custom domains into Office 365.  This means that all your BPOS objects are in 365, as a pre-transition process to make sure 365 can support the movement of mailboxes, SharePoint sites, etc.  This also means that you will access your O365 environment after Transition using your BPOS credentials as they are the same (BPOS & O365) by way of synchronizing the users and passwords from BPOS to 365!

    Now, with all this being said, if you are running BPOS DirSync V1 into BPOS, DirSync V1 DOES use an on-premises user's Primary SMTP address to stamp the BPOS user's UPN login and primary SMTP address.  So whatever is being synchronized into BPOS will get synchronized into Office 365.  This means that after Transition users will login to Office 365 with the SAME credentials they used for Office 365, nothing will change.

    I would HIGHLY RECOMMEND that users have the same UPN/IM/Email address, as this will minimize confusion of end-users and makes it easier to manage.  I understand that this is not always possible though.

    DirSync V2

    Directory Synchronization V2 running against Office 365 works a little differently than DirSync V1 against BPOS.  DirSync V2 no longer uses the on-premises proxyAddress, then Mail and finally samAccountName as AD attributes to check and use when stamping online user UPNs.  DirSync V2 uses the on-premises AD user's UPN as the online user's UPN.  DirSync V2 uses the on-premises proxyAddress as the online user's Primary SMTP address, and if there are other email addresses listed in proxyAddress (i.e. smtp:user.lastName@contoso.com; smtp:lastName.firstName@contoso.com), as long as contoso.com is a created and verified domain in O365, these additional email addresses are synchronized and available for use.

    Net-Net:  If the company is looking to run DirSync V2 against Office 365 then they need to review the AD user's UPN settings and MAKE SURE that it is using an Internet Routable namespace, such as contoso.com, contoso.net, contoso.info, etc.  UPN namespaces using .tld, .whatever that are NOT Internet routable will NOT work when going through the domain verification process.  Because you cannot verify the domain, running DirSync against this O365 online company will NOT stamp the correct online user UPN settings and the users will end up with user@contoso.onmicrosoft.com as a UPN and Email address.  So again, very important that whatever UPN namespace is being used in the on-premises AD, that domain must be created and verified BEFORE running DirSync V2.  If you are using different email namespaces from the UPN namespace, such as (UPN=contoso.com | SMTP=Fabrikam.com) BOTH of these domains MUST be created and verified in the O365 company, otherwise the user will end up with an @contoso.onmicrosoft.com namespace!

    HTH


    Transitions Community Lead ...Ryan J. Phillips

    Monday, March 19, 2012 9:39 PM
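A worked PowerShell example, added here and not code from the thread or from Microsoft, that models the login-UPN selection rules described in the opening post (V1: proxyAddresses, then mail, then samAccountName; V2: on-premises UPN, then samAccountName) and the domain-verification requirement from the reply above, and applies them to a few constructed sample users so an admin can see which logins would change before running DirSync V2. The function names, the verified-domain list, the tenant default domain contoso.onmicrosoft.com and the sample users are all assumptions made for the demo; the "prefix@default-domain" fall-back follows the thread's description, with the prefix taken from the rejected address or, failing that, the samAccountName (an assumption).

```powershell
# Added example, not code from the thread. Models the DirSync V1/V2 login-UPN
# rules from the posts above and audits constructed sample users offline.

function Get-PrimarySmtp {
    # Primary SMTP address: the proxyAddresses entry with an upper-case "SMTP:" prefix,
    # falling back to the mail attribute; $null if neither is populated.
    param([object]$User)
    if ($User.proxyAddresses) {
        $primary = @($User.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })[0]
        if ($primary) { return $primary.Substring(5) }
    }
    if ($User.mail) { return $User.mail }
    return $null
}

function Get-ExpectedOnlineUpn {
    # Returns the login UPN the thread says DirSync would stamp for this user.
    param(
        [object]$User,
        [ValidateSet('V1', 'V2')][string]$Version,
        [string[]]$VerifiedDomains,      # domains created AND verified in the tenant
        [string]$TenantDefaultDomain     # e.g. contoso.onmicrosoft.com (assumed)
    )
    $candidate = if ($Version -eq 'V1') { Get-PrimarySmtp $User } else { $User.userPrincipalName }
    $prefix = $User.sAMAccountName
    if ($candidate) {
        $at = $candidate.IndexOf('@')
        if ($at -gt 0) {
            $prefix = $candidate.Substring(0, $at)
            $suffix = $candidate.Substring($at + 1)
            if ($VerifiedDomains -contains $suffix) { return $candidate }
        }
    }
    # No usable attribute, or a suffix that is not created/verified (domain.local etc.):
    # the user lands on the tenant default domain. (Prefix choice is an assumption.)
    return "$prefix@$TenantDefaultDomain"
}

function Test-UpnAlignment {
    # One audit row per user: what V1 and V2 would stamp and whether the login changes.
    param([object[]]$Users, [string[]]$VerifiedDomains, [string]$TenantDefaultDomain)
    foreach ($u in $Users) {
        $v1 = Get-ExpectedOnlineUpn -User $u -Version V1 -VerifiedDomains $VerifiedDomains -TenantDefaultDomain $TenantDefaultDomain
        $v2 = Get-ExpectedOnlineUpn -User $u -Version V2 -VerifiedDomains $VerifiedDomains -TenantDefaultDomain $TenantDefaultDomain
        $upnSuffix = if ($u.userPrincipalName -and $u.userPrincipalName.Contains('@')) { $u.userPrincipalName.Split('@')[-1] } else { $null }
        [pscustomobject]@{
            SamAccountName    = $u.sAMAccountName
            OnPremUpn         = $u.userPrincipalName
            PrimarySmtp       = Get-PrimarySmtp $u
            LoginUpnV1        = $v1
            LoginUpnV2        = $v2
            LoginChanges      = ($v1 -ne $v2)
            UpnDomainVerified = [bool]($upnSuffix -and ($VerifiedDomains -contains $upnSuffix))
        }
    }
}

# Constructed sample users (same shape as Get-ADUser -Properties userPrincipalName,mail,proxyAddresses).
$SampleUsers = @(
    [pscustomobject]@{ sAMAccountName = 'ryanph';    userPrincipalName = 'ryanph@contoso.com'
                       mail = 'ryan.phillips@contoso.com'
                       proxyAddresses = @('SMTP:ryan.phillips@contoso.com', 'smtp:rphillips@contoso.com') }
    [pscustomobject]@{ sAMAccountName = 'jim';       userPrincipalName = 'jim@corp.contoso.local'
                       mail = 'jim@contoso.com';      proxyAddresses = @() }
    [pscustomobject]@{ sAMAccountName = 'svcbackup'; userPrincipalName = $null
                       mail = $null;                  proxyAddresses = @() }
)

Test-UpnAlignment -Users $SampleUsers -VerifiedDomains @('contoso.com') -TenantDefaultDomain 'contoso.onmicrosoft.com' |
    Format-Table -AutoSize
```

With the sample data, ryanph keeps a verified suffix but his login moves from ryan.phillips@contoso.com (V1) to ryanph@contoso.com (V2); jim's .local suffix is not verifiable, so V2 would drop him to jim@contoso.onmicrosoft.com; the service account with no UPN or mail lands on the default domain under both versions. Against a real forest, replace $SampleUsers with the output of `Get-ADUser -Filter * -Properties userPrincipalName, mail, proxyAddresses` from the ActiveDirectory module and pass the tenant's actual verified domains: rows where LoginChanges is True are the users the review step says to contact before the transition, and rows where UpnDomainVerified is False are the suffixes that need a verified, routable domain before DirSync V2 runs.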
  • Thank you for the reply, that is useful information.

    Before you had sent the reply, I contacted the transition team and they instructed me that DirSync V1 will break during the migration.  OK..that makes sense.

    They then told me that when I fire up DirSync V2 that the matching of the current AD objects and the O365 objects will be done by the Primary SMTP address.  They then told me I do not need to make any changes to my current UPNs if I didn't want to.  This would be a big undertaking to complete in less than two weeks.

    They pointed me to the following document...

    http://support.microsoft.com/kb/2641663

    I'm getting conflicting answers here. I need to know what I need to do ASAP as the migration is in a week and a half.  The current UPN prefix is different than the primary SMTP prefix and the current UPN suffix is domain.local.  Changing the suffix will be easy.  It's the changing of the prefix that will require a lot of work. The customer would prefer not to change this if they don't have to.

    Tuesday, March 20, 2012 5:42 PM
  • First thing NEVER hit the backspace button unless you are absolutely certain you are inside the dialog box typing a message.  I lost 30 minutes worth of response by hitting backspace and going backwards out of this post.....ARRRGH!

    OK, so you need to change your UPN Suffix to something routable, .com, .net, etc.  You get that and will be done!  Next it does NOT matter that your UPN and Email Address are different, such as UPN=ryanph@contoso.com | SMTP=Ryan.Phillips@contoso.com.  When DirSync V2 first runs, it will query the AD Forest and also query the online environment and it will look for an SMTP match between the two environments in the Metaverse.  If you have not made any SMTP changes between the Transition then it WILL find a soft-match based on email and take over management of the online object.  Next it will look at the users on-premises UPN setting and update the online user's UPN, so if the users BPOS had a different UPN and Email address, in O365 your users on-premises UPN will NOW be their online UPN, their on-premises SMTP address is now their Online SMTP Address.  So there will be a difference in how users will login using their UPN, as O365 DirSync now uses on-premises UPN for online UPN.

    Note:  Lync Online uses UPN to stamp the Lync Online Instant Messaging address.  So your users could end up with:

    User:  UPN=ryanph@contoso.com | SMTP=ryan.phillips@contoso.com | SIP=ryanph@contoso.com

    This is why aligning UPN, SMTP and SIP as the same makes it easier to manage and easier for end users, although I know this is not always possible!


    Transitions Community Lead ...Ryan J. Phillips

    Wednesday, March 21, 2012 6:19 PM
  • Ryan's information is spot on and was a huge problem for one of my transitioning customers.  The outcome of not changing the UPNs will be that, when you create new users on-premises, they will be created with UPNs of domain.onmicrosoft.com and you will need to update them manually via the portal or PowerShell.


    www.insecurityinc.info


    Wednesday, March 21, 2012 11:36 PM
  • Ryan,

    Our UPN Suffix is example@corp.xxxxx.com, but the user logs in to AD with just "example" (Pre-Windows 2000 logon Name) versus example@corp.xxxxx.com. I guess from what you are saying we are going to have a major problem if we install DirSync 2. Namely, if a user now logs on with their email address it will only work with "corp" appended to it if we start using DirSync 2.

    Is there any way to have DirSync 2 mimic DirSync 1? (My guess is no, but it can't hurt to ask :) )

    If we disable DirSync in the portal, does all our previous DirSync 1 data remain in place? I have to assume yes, but I'd hate to be wrong.

    What if I add a UPN suffix without the corp and go to DirSync 2? Is there any way to prevent it from changing existing objects? My thought is then when we create new users in AD we can specify the suffix that matches the email address.

    Jim

    Sunday, July 1, 2012 2:40 PM
  • So, good and bad news here, but at least it will clear some things up.

    A) UPNs are not changed by DirSync for existing users.  It is the UPN that matters to O365, not necessarily the login the users are utilizing on-premises.  Users only have to worry about the UPN when logging into O365 (local login only applies for local login and for ADFS, but not the O365 Live ID).

    B)  The answer is 'no' in that DirSync v2 behaves differently and the backend is a lot less forgiving.  Where v1 created the UPN based on the mail or SMTP address, v2 takes the UPN and sets it as the UPN and, if there is no proxyAddresses or mail attribute, it will set the O365 primary SMTP as user@domain.onmicrosoft.com.

    C)  If you disable v2, the attributes will remain the same as the last v2 sync.  If you have not run the v2 DirSync, you will have whatever attributes were carried over from BPOS.

    D)  In O365, once a UPN is set, it won't be changed by DirSync.  You would have to change it via PowerShell using set-msoluserprincipalname.  If the UPN has NOT been set (newly-created user via DirSync), it will create the UPN as whatever is on-premises IF the domain name associated with it is verified in O365.

    Have a great day,

    Dan


    www.insecurityinc.info

    Tuesday, July 3, 2012 7:23 PM
  • Dan,

    Thanks for your reply. I think I’m getting it based on your description. If you could entertain my example below and other questions I would greatly appreciate it.

    Example (New User)

    UPN = dude@corp.company.com

    Mail = dude@company.com

    Proxy Addresses = null

    Question

    1. On the above example, what would be the user's logon to Office 365?
    2. When we transitioned last week we didn't turn off DirSync 1 in the portal. We just disabled the process from locally running by disabling the two services on the internal server. Until we get a handle on this we were going to leave it this way. Problem is we can add or modify a user since we are technically still set up for DirSync 1. Can we deactivate it in the portal with no ill effect so we can make a change if need be before we set up DirSync 2 on the server internally?
    3. We notice that of the 250 or so users we have, some since transition get pops for their password that checking "remember my password" simply does not work for; it continually asks each day. We have not figured out the common theme or a fix for these users. We end up redoing their Outlook profile, which for some users, ones who have 15 GB+ mailboxes, is a real problem. What we notice is that when we re-do the profile the username\password prompt has the username in the format of user@CORP.company.com versus the email pre-populated. This makes me wonder if the answer to question 1 is that the user's logon to Office 365 would be their UPN if we were to turn on DirSync 2 today versus their email address.

    Thanks for your time.

    Jim

    Thursday, July 5, 2012 10:14 AM
  • 1.  The UPN for existing users will remain the same (assuming they are user@company.com).  New users will be created as user@corp.company.com (if you DO NOT have corp.company.com verified in BPOS/O365, they will be created as user@company.onmicrosoft.com).  You can change these with set-msoluserprincipalname in powershell once they are created and DirSync will not revert them.

    2.  Since DirSync v1 is connected to BPOS, you can uninstall it without any problem.  Disabling DirSync in O365 will not affect your objects, but is not required.  It is, actually, waiting for you to install and run DirSync v2.  Part of the transition process is disassociating your objects from the BPOS to O365 DirSync which also removes any connection to the DirSync v1 that you had running.

    3.  You are correct and can refer to my response for Q1.  If you continue to have issues with credential prompts, I would recommend opening a case with the support teams to investigate further.

    Have a great day,

    Dan


    www.insecurityinc.info

    Monday, July 9, 2012 11:24 PM
  • Dan,

    Thank you, you have been very helpful.

    jim

    Tuesday, July 10, 2012 6:56 PM