
Active Directory: Active Directory Infrastructure.



Presentation on theme: "Active Directory: Active Directory Infrastructure." Presentation transcript:

1

2

3

4 Active Directory

5

6 Active Directory Infrastructure

7

8 Objects & Attributes

9

10 Objects & Attributes. Character / Name: (space) space character; ` apostrophe; ( opening parenthesis; )closing sign; ' single quotation mark; & ampersand; \pipe; = equal sign; ? question mark; / forward slash; % percent

11

12

13

14

15

16 Tools

17

18 DirSync

19

20 Error 016: Synchronization has been stopped. This company has exceeded the number of objects that can be synchronized. Contact Microsoft Online Services Support.

21 DirSync
A Directory Service quota is implemented by using Office 365 as a method to limit the maximum number of objects that can be created and owned by a single security principal. If an online company has a legitimate need to synchronize more than the Directory Service quota limit, the company must submit a Service Request with the Office 365 Technical Support.
Q. Do objects that were manually added through the Office 365 portal or the Office 365 API such as Exchange Online PowerShell count against my online company quota?
A. Yes.
Q. Do deleted objects count against my online company quota?
A. Yes. When an Office 365 customer deletes an object from his or her online company, the deleted object is put into a deleted objects container in the Office 365 Directory Service. The object remains in the deleted objects container until the tombstone lifetime expires. The expiration is currently set to 30 days for Microsoft Online Services. All objects in the deleted objects container continue to consume up to 25 percent of the AD DS quota for an online company.
For example, consider the following scenario. An online company is evaluating Office 365 by using a nonproduction on-premises AD DS environment. The company performs a bulk synchronization of 8,000 group objects and contact objects by using the Directory Synchronization Tool. Later, the online company decides to do the following:
1. Delete those group objects and contact objects from the company's on-premises nonproduction AD DS environment.
2. Add 8,000 user objects to its on-premises nonproduction AD DS environment.
3. Synchronize the updates to its online company.
The 8,000 group objects and contact objects are moved to the deleted objects container in the Office 365 Directory Service (DS). These objects continue to consume up to 25 percent of the online company quota (this percentage is equal to 2,000 objects, or 8,000 × 25 percent) until they are permanently removed after the 30-day tombstone period.
Therefore, after synchronizing the 5,000 new user objects, the online company will consume 10,000 objects of its available AD DS quota: 2,000 from deleted objects plus 8,000 from new user objects. During the 30-day tombstone period (and this period may coincide with the online company evaluation period), the online company may be unable to add any additional objects by using the Directory Synchronization. This condition occurs because the online company's Directory Service quota has been reached. In this scenario, the online company that is performing the evaluation of Office 365 must reduce the number of objects in its non-production on-premises AD DS environment to complete the product evaluation. However, if the online company cannot reduce the number of objects, the company must request an increase in its Office 365 Directory Service quota.
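The quota arithmetic of this scenario as an added PowerShell example (not part of the original presentation and not a Microsoft tool). It assumes the worst case of the "up to 25 percent" figure, the 10,000-object quota implied by the scenario, the 8,000 user objects from step 2, and constructed dates; the function name Get-DirSyncQuotaUsage is hypothetical.

```powershell
# Added example: projects Directory Service quota consumption while deleted
# objects still sit in the deleted objects container.
# Assumptions: deleted objects are charged at the full 25 percent, the
# tombstone lifetime is the 30 days stated on the slide, dates are constructed.

function Get-DirSyncQuotaUsage {
    param(
        [Parameter(Mandatory)] [int]      $LiveObjects,
        [Parameter(Mandatory)] [object[]] $DeletedBatches,   # objects with .Objects and .DeletedOn
        [Parameter(Mandatory)] [datetime] $AsOf,
        [int]    $QuotaLimit    = 10000,   # implied by the scenario, not a documented default
        [int]    $TombstoneDays = 30,
        [double] $DeletedWeight = 0.25
    )

    # Count only the deleted objects whose tombstone has not expired yet.
    $tombstoned = 0
    foreach ($batch in $DeletedBatches) {
        $deletedOn = [datetime] $batch.DeletedOn
        $expiresOn = $deletedOn.AddDays($TombstoneDays)
        if ($AsOf -ge $deletedOn -and $AsOf -lt $expiresOn) {
            $tombstoned += [int] $batch.Objects
        }
    }

    $charged = [int] [math]::Ceiling($tombstoned * $DeletedWeight)
    $used    = $LiveObjects + $charged

    [pscustomobject]@{
        AsOf              = $AsOf.ToString('yyyy-MM-dd')
        Live              = $LiveObjects
        Tombstoned        = $tombstoned
        ChargedForDeleted = $charged
        QuotaUsed         = $used
        Headroom          = $QuotaLimit - $used
        SyncBlocked       = ($used -ge $QuotaLimit)
    }
}

# Scenario from the slide: 8,000 groups/contacts deleted, 8,000 users added.
$deletedOn = [datetime] '2012-03-01'   # constructed date
$deleted   = @([pscustomobject]@{ Objects = 8000; DeletedOn = $deletedOn })

0, 15, 29, 30 | ForEach-Object {
    Get-DirSyncQuotaUsage -LiveObjects 8000 -DeletedBatches $deleted -AsOf ($deletedOn.AddDays($_))
} | Format-Table -AutoSize
```

The rows for days 0 to 29 show the quota fully consumed; on day 30 the tombstoned objects drop out and the headroom returns.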

22 DirSync

23

24

25

26

27

28

29

30 Number of objects in Active Directory | CPU | Memory | Hard disk
Less than | GHz | 4 GB | 70 GB
– | GHz | 4 GB | 70 GB
– | GHz | 16 GB | 100 GB
– | GHz | 32 GB | 300 GB
– | GHz | 32 GB | 450 GB
More than | GHz | 32 GB | 500 GB

31 DirSync

32

33

34

35 35 | Microsoft Confidential Synchronization result: shows exactly how many objects were synchronized. Time interval of each action: useful for identifying possible bottlenecks in the synchronization operation. Result of each activity: in the event of a failure, we can tell exactly where it occurred.

36 DirSync After the full synchronization completes, the value of this key returns to 0, which is the default value.

37 DirSync The value 3:0:0 means three hours, zero minutes and zero seconds. To change it to, for example, 1 hour and 30 minutes, the file would carry the value 1:30:0. Use sensible intervals.

38 DirSync Select the Metaverse Search option. Under "Scope by Object Type", select, for example, "person" and then select "Add Clause". With this option we can already run a search and check which accounts are synchronized. The filter can be narrowed further: for example, filtering on accounts in the "Contabilidade" department returns only one user. Dozens of other conditions can be added, which gives many search options through this tool.

39 DirSync Select the "Management Agents" option. Two Management Agents are available; select "SourceAD", then right-click and select "Search Connector Space". Several filters are possible; here we choose "Imported Since" and pick a date. The result shows all objects that were synchronized since that date. In our example, there were 141 objects.

40

41 ADFS

42

43

44

45

46

47 Hybrid Deployment

48 Get-MoveRequest -Identity | Get-MoveRequestStatistics -IncludeReport | Select *
14/3/2012 3:09:39 [O365ServerName] Failed to convert the source mailbox 'Primary (19c8b8ef-aea3-48b4-a1ef-a8ed282e81d0)' to mail-enabled user after the move. Attempt 19/21. Error: UpdateMovedMailboxPermanentException.
14/3/2012 3:09:39 [O365ServerName] Post-move cleanup failed. The operation will try again in 30 seconds (19/21).
14/3/2012 3:10:56 [O365ServerName] Unable to update Active Directory information for the source mailbox at the end of the move. Error: UpdateMovedMailboxPermanentException.
14/3/2012 3:10:56 [O365ServerName] Request is complete.

49

50 Start with the Basics

51 Challenge for the community!!
SCRIPT TO FIX EMPTY givenName AND surName: Many Active Directory environments have blank givenName and surName attributes; one way to correct this is to populate them from the displayName.
SCRIPT TO SET THE UPN EQUAL TO THE PRIMARY SMTP ADDRESS (proxyAddresses): A large share of customers aim to set the UPN to match the primary SMTP address, which is the value prefixed with "SMTP:" in the proxyAddresses attribute. This UPN change has no side effects on the users' day-to-day work.
MIGRATE MAILBOX: Develop a script for mailbox migration in a Hybrid environment. The script should set the user's location, assign a license and perform the migration itself. If the customer does not use ADFS, setting the passwords at this point is also an option.
PROVISION A MAILBOX FOR MIGRATION: Instead of creating a new-moverequest, it is also a good option to have a script that only prepares the move by running prepare-moverequest, after which running resume-moverequest is enough.
LIST MAILBOX PERMISSIONS: Create a script that lists the FullAccess, SendAs and SendOnBehalfOf permissions of the on-premises Exchange. This makes it easier to define migration batches and avoids access being "broken" during the migration. "Delegates" are replicated by DirSync to O365, unlike what happened with BPOS.
REMOVE ACCENTED CHARACTERS: It is very useful to have a script that removes accented characters and replaces them with plain characters, for example: á, à, ã, ä with a; ç with c; é, è, ë, ê with e; and so on.
RECONNECT PST FILES WHEN THE OUTLOOK PROFILE IS NOT KEPT: In migrations without Rich Coexistence (also known as Hybrid Deployment) where the Outlook profile is not kept, it helps end users if a script can record the PST files in use and reconnect them afterwards. This can be a "self-service" tool that the user runs before and after the migration.
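Three of these challenges (names from displayName, UPN from the primary SMTP address, accent removal) sketched as an added PowerShell example; it is not the presenter's script. The records are constructed stand-ins for directory users, the function names are hypothetical, and the "first token is givenName, remainder is surName" rule is an assumption.

```powershell
# Added example: pure functions run on constructed records, so nothing is
# written to Active Directory. Function names are hypothetical.

function Remove-Diacritics {
    param([string] $Text)
    # Decompose (for example "ã" becomes "a" plus a combining tilde),
    # then drop the combining marks and recompose.
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Text.Normalize([Text.NormalizationForm]::FormD).ToCharArray()) {
        $category = [Globalization.CharUnicodeInfo]::GetUnicodeCategory($ch)
        if ($category -ne [Globalization.UnicodeCategory]::NonSpacingMark) {
            [void] $sb.Append($ch)
        }
    }
    $sb.ToString().Normalize([Text.NormalizationForm]::FormC)
}

function Get-PrimarySmtpAddress {
    param([string[]] $ProxyAddresses)
    # Only the upper-case "SMTP:" prefix marks the primary address; "smtp:"
    # entries are secondary, so the match has to be case-sensitive.
    $primary = @($ProxyAddresses | Where-Object { $_ -cmatch '^SMTP:' })
    if ($primary.Count -ne 1) { return $null }   # none or ambiguous: do not guess
    $primary[0].Substring(5)
}

function Split-DisplayName {
    param([string] $DisplayName)
    # Assumption: first token is the given name, the remainder is the surname.
    $parts = @($DisplayName.Trim() -split '\s+' | Where-Object { $_ })
    if ($parts.Count -lt 2) { return $null }     # single word: leave for manual review
    [pscustomobject]@{
        GivenName = $parts[0]
        SurName   = $parts[1..($parts.Count - 1)] -join ' '
    }
}

# Constructed sample records (not real accounts).
$users = @(
    [pscustomobject]@{ SamAccountName = 'jsilva'; DisplayName = 'João da Silva'
        GivenName = ''; SurName = ''; UserPrincipalName = 'jsilva@corp.local'
        ProxyAddresses = @('smtp:jsilva@corp.example', 'SMTP:joao.silva@example.com') },
    [pscustomobject]@{ SamAccountName = 'mconceicao'; DisplayName = 'Mônica Conceição'
        GivenName = 'Mônica'; SurName = 'Conceição'; UserPrincipalName = 'monica@example.com'
        ProxyAddresses = @('SMTP:monica@example.com') },
    [pscustomobject]@{ SamAccountName = 'svc-scan'; DisplayName = 'Scanner'
        GivenName = ''; SurName = ''; UserPrincipalName = 'svc-scan@corp.local'
        ProxyAddresses = @('smtp:scan@example.com', 'smtp:scanner@example.com') }
)

# Build a change plan: empty cells mean "no change proposed".
$plan = foreach ($u in $users) {
    $smtp = Get-PrimarySmtpAddress $u.ProxyAddresses
    $name = if (-not $u.GivenName -and -not $u.SurName) { Split-DisplayName $u.DisplayName }
    [pscustomobject]@{
        Account   = $u.SamAccountName
        NewUpn    = if ($smtp -and $smtp -ne $u.UserPrincipalName) { $smtp }
        GivenName = if ($name) { $name.GivenName }
        SurName   = if ($name) { $name.SurName }
        AsciiName = Remove-Diacritics $u.DisplayName
    }
}
$plan | Format-Table -AutoSize
```

Against a real directory the same plan would be fed from Get-ADUser and applied with Set-ADUser, which accepts -WhatIf for a dry run; the UPN is the logon name, so review the plan before applying it.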

52 Thank you

53

54

55 DirSync

56 mikek.local\Administrator

57 DirSync Office 365 Directory Synchronization by default comes with SQL Server Express. Microsoft SQL Server Express editions have limitations, and you should consider these limitations if you are going to use an Express Edition.
SQL Express 2005 Limitations: By default, SQL Server Express 2005 has a maximum file-size limitation of 4 gigabytes (GB). As a general guideline, the 4 GB file-size limitation may prevent you from synchronizing more than 50,000 objects to Office 365. However, this depends on the data consumption, therefore you may be able to synchronize more or less than the guideline of 50,000 objects.
SQL Express 2008 Limitations: By default, SQL Server Express 2008 has a maximum file-size limitation of 10 gigabytes (GB). As a general guideline, the 10 GB file-size limitation may prevent you from synchronizing more than 125,000 objects to Office 365. However, this depends on the data consumption, therefore you may be able to synchronize more or less than the guideline of 125,000 objects.

58 DirSync
1. Open a command prompt running as an administrator, and then move to the folder in which you saved the installation program.
2. At the command prompt, type dirsync /fullsql.
3. If you receive a User Account Control prompt, click Continue, or type the user name and password of an administrator account, and then click OK.
4. On the Welcome page, click Next.
5. On the Microsoft Software License Terms page, read the license terms, select I accept the Microsoft Software License Terms, and then click Next.
6. On the Select Installation Folder page, select an installation folder location, and then click Next.
7. On the Installation page, wait for the installation to complete, and then click Next.
8. On the Finished page, click Finish.
9. On the computer on which the Directory Synchronization was installed, open Windows PowerShell.
10. At the Windows PowerShell prompt, type Add-PSSnapin Coexistence-Install

59 DirSync
11.
- To install the Directory Synchronization onto the same system as the SQL Server, type Install-OnlineCoexistenceTool -UseSQLServer -Verbose.
- To install the Directory Synchronization by using a remote installation of SQL Server, type Install-OnlineCoexistenceTool -UseSQLServer -SqlServer -ServiceCredential (Get-Credential) -Verbose.
- To install Directory Synchronization by specifying the SQL instance, add the "-SqlServerInstance" parameter. For example, run a command similar to the following: Install-OnlineCoexistenceTool -UseSQLServer -SqlServer -ServiceCredential (Get-Credential) -SqlServerInstance
12. At the Windows PowerShell Credential Request prompt, type the user name and password of the domain account that will be used to run the Microsoft Identity Integration Server service and the Office 365 Directory Synchronization service.
13. Run the Microsoft Online Services Directory Synchronization Configuration Wizard to complete the installation.

60 DirSync
Important: You must successfully complete the Microsoft Online Services Directory Synchronization Tool Configuration Wizard before synchronization can occur.
Parameter options for Install-OnlineCoexistenceTool
-ServiceCredential: Credential to be assigned to the Microsoft Identity Integration Server service. When this parameter is not specified, an MIIS_Service account will be created on the local machine. The credential is also used by the Microsoft Online Services Directory Synchronization Service.
-UseSQLServer: This flag causes the install to skip installation of SQL Express. Use this flag with one or both of the following parameters: SqlServer, SqlServerInstance.
-InstallPath: Optional parameter to specify the path to the folder that contains the files to be installed. These files include the SQL Express Setup program, SQLEXPR32_x86_ENU.exe, and the Microsoft Identity Integration Server.msi and DirectorySync.msi files.
-SqlServerInstance: The name of the SQL Instance that MIIS will use.
-SqlServer: The name of the server that is hosting SQL for MIIS.

61 DirSync
Error Name | Error Details | Source | Resolution
AdminRequired | Local Administrator permissions are required to install Directory Synchronization. | Event Viewer / Error Prompt |
DirSyncAlreadyInstalled | The Directory Synchronization tool is already installed. Version {0} | Event Viewer | Uninstall all previous versions of DirSync before attempting to install the latest version.
DirSyncInstallKeyNotRemoved | Windows Installer could not remove the uninstall registry key from the Microsoft Online Services Directory Synchronization MSI. Retry un-install or contact Microsoft Online Support. | Event Viewer | Manually remove the registry keys to complete the installation.
DirSyncNotInstalledError | A complete installation of the Microsoft Online Services Directory Synchronization tool was not detected on this machine. Please uninstall any versions of this tool and then reinstall the most recent version. | Event Viewer | Uninstall all previous versions of DirSync before attempting to install the latest version.
ErrorReRunConfigWizard | Unable to start synchronization due to configuration issues. To fix the issues, try running the Configuration Wizard. If you continue to see this error please contact Microsoft Online Support. | Event Viewer | Run the DirSync configuration wizard.
WindowsInstaller45Required | Microsoft Windows Installer 4.5 is required for installation. Please install Microsoft Windows Installer 4.5 and try again. | Event Viewer | Ensure that the server DirSync is being installed on meets the minimum requirements.
ErrorClearRunHistory | Could not clear the run history on the MIIS Server. Error returned is '{0}'. Contact Microsoft Online support. | Event Viewer |
InvalidUPNFormat | User Principal Name (UPN) is your logon name. This error is displayed when the user enters credentials for Microsoft Online that do not contain an character. | Event Viewer | Enter valid credentials for Microsoft Online Services to continue.
ADCredsNotValid | The Enterprise Administrator credentials that you supplied are not valid. Supply valid credentials and try again. | Event Viewer | The installation wizard was unable to verify that the user account being used to install (No Suggestions) is an Enterprise Administrator.
InternetSetOptionError | Internet Explorer proxy settings were not set. Initial configuration using setup wizard may not be able to access online help. WinInet Error {0} | Event Viewer | Verify that the proxy settings entered into Internet Explorer are correctly formatted because the Installation Wizard was not able to read/modify these settings correctly.
RichCoexistenceNotAllowed | Current local directory does not have Exchange 2010 installed. Rich coexistence is not allowed. | Event Viewer | Install all of the required prerequisites for Rich Coexistence before attempting to install DirSync.

62 DirSync
Error Name | Error Details | Source | Resolution
ErrorNoStartConnection | Synchronization failed to start because of connection issues or domain controllers could not be contacted by the server. Verify that you are connected to the server and all the configured domain controllers are connected to the network. If you have recently deleted domain or naming context, please rerun the Configuration Wizard. | Event Viewer | Confirm that the local Active Directory Domain Controllers are accessible from the server running DirSync.
ErrorNoStartCredentials | Synchronization failed to start because of credential problems. Rerun Configuration Wizard to update credentials for Synchronization. | Event Viewer | Run the DirSync Configuration wizard and re-enter credentials. The customer should also confirm that the credentials have Admin access to MOAC.
ErrorNoStartNoDomainController | Synchronization failed to start because the domain controller could not be contacted by the server. Verify that the domain controller is connected to the network. | Event Viewer | Confirm that the local Active Directory Domain Controllers are accessible from the server running DirSync.
ErrorStoppedConnectivity | Synchronization stopped because of connectivity loss. Restore connectivity to the server. | Event Viewer | Confirm that the local workstation can access the Internet. Have the user attempt to ping provisioning.microsoftonline.com to verify that it can reach the DirSync Service on Microsoft Online.
ErrorStoppedDatabaseDiskFull | Synchronization stopped because the SQL Server database used by the Synchronization server is full. Create some space in the SQL Server database. | Event Viewer | Free up space on the storage used to hold the DirSync SQL Database. If the issue is not resolved DirSync will not be able to run successfully and the SQL database may be permanently damaged.
InstallNotAllowedOnDomainController | Microsoft Online Services Coexistence can not be installed on a domain controller. | Event Viewer | DirSync can only be installed on domain-joined computers that do not act as Domain Controllers.
InstallPathLengthTooLong | The installation path is too long. Provide a path of 116 characters or fewer and then try again. | Event Viewer | For the installation of DirSync, the total path length has to be less than 116 characters.
InsufficentDiskSpace | | Event Viewer | There is not enough space to install DirSync on the local workstation.
InvalidPlatform | The Microsoft Online Services Directory Synchronization tool must be installed on a computer running Windows Server 2003 Service Pack 2 or later. | Event Viewer | Ensure that the server DirSync is being installed on meets the minimum requirements.
MachineIsDomainJoinedUserIsNot | The computer is joined to a domain, but the current user credentials do not have access permissions on the domain. | Event Viewer | Log in as a domain user with an account that meets the minimum requirements before attempting to install DirSync.
MachineIsNotDomainJoined | The computer is not joined to any domain. | Event Viewer | Ensure that the server DirSync is being installed on meets the minimum requirements.

63 DirSync
Error Name | Error Details | Source | Resolution
MachineNotDomainJoined | The computer must be joined to a domain. | Event Viewer | Ensure that the server DirSync is being installed on meets the minimum requirements.
MIISSyncIsInProgressError | The synchronization engine is busy. Retry this operation after this synchronization session is complete. | Event Viewer | This means there is an existing operation being completed by the MIIS and that any new operations for (No Suggestions) can only be completed once the current operation is completed.
MIISUserAddRight_AccountNotFound | Account name:'{0}' could not be found. Error Code:{1} | Event Viewer | DirSync was not able to add the local account being used to complete the installation to the MIIS Admin Group. The user should be manually added to the group to continue with the installation.
MIISUserAddRight_AddFailed | '{0}' could not be added to the account rights for '{1}'. Error code:{2} | Event Viewer | DirSync was not able to add the local account being used to complete the installation to the MIIS Admin Group. The user should be manually added to the group to continue with the installation.
MIISUserAddRight_PolicyHandleNotFound | Failed to obtain the policy handle. Error Code:{0} | Event Viewer | DirSync was not able to add the local account being used to complete the installation to the MIIS Admin Group. The user should be manually added to the group to continue with the installation.
PowerShellRequired | PowerShell must be installed. | Event Viewer | Ensure that the server DirSync is being installed on meets the minimum requirements.
UnsupportedNameFormat | The name format is not supported. Two examples of the supported user name formats are: or example\someone. | Event Viewer | Enter valid credentials for Microsoft Online Services to continue.
UserNotAMemberOfMIISAdmins | The current user is not a member of the Microsoft Identity Integration Server (MIIS) Admin group. If you have recently installed the Microsoft Online Services Directory Synchronization tool, you may need to log off and then log on. | Event Viewer | Manually add the local Active Directory user account used to run DirSync to the MIIS Admin Group.
UserNotAnEnterpriseAdmin | User '{0}' is not a member of the Enterprise Admins group. | Event Viewer | Manually add the local Active Directory user account used to run DirSync to the Active Directory Enterprise Admin Group.
UnsupportedClientVersion | This version of the Directory Synchronization tool is no longer supported. Remove this version and then install the latest version from the Directory Synchronization page of the Migration tab in the Microsoft Online Services Administration Center. | Event Viewer | Download the latest version of the DirSync Tool from the Office 365 portal.
InternetQueryOptionError | Internet Explorer proxy settings were not read. Initial configuration using setup wizard may not be able to access online help. WinInet Error {0} | Event Viewer | Verify that the proxy settings entered into Internet Explorer are correctly formatted because the Installation Wizard was not able to read/modify these settings correctly.

64 DirSync
- Error message in the Microsoft Online Services Directory Synchronization tool in Microsoft Office 365: "Your version of the Microsoft Online Services Directory Synchronization Configuration Wizard is outdated"
- Error message when you try to run the Microsoft Online Services Directory Synchronization Configuration wizard: "Your credentials could not be authenticated. Retype your credentials and try again"
- "LogonUser() Failed with error code: 1789" after you enter enterprise administrator credentials in the Directory Synchronization Configuration Wizard in Office
- "An unknown error occurred with the Microsoft Online Services Sign-in Assistant" error occurs in the Microsoft Online Services Directory Synchronization Configuration Wizard when you try to sign in to Microsoft Online Services
- Firewall prevents users from using Microsoft Online Services Directory Synchronization, rich clients, or the Microsoft Online Services Identity Federation Management tool in Office
- "The computer must be joined to a domain" error message occurs when you try to install Microsoft Online Services Directory Synchronization Tool

65 DirSync
SYMPTOMS
Consider the following scenario. You want to manually manage or remove objects that were created through directory synchronization from the Microsoft Office 365 directory. For example, you want to remove an orphaned user account that was synchronized to Office 365 from your on-premises Active Directory Domain Services (AD DS). However, you cannot remove the orphaned user account by using the Office 365 portal or by using Windows PowerShell.
CAUSE
This issue may occur if one or more of the following conditions are true:
- Cause 1: The Microsoft Office Online Services Directory Synchronization tool is no longer running. Therefore, even if you update or delete the object from the on-premises AD DS, the deleted object does not synchronize to your Office 365 tenant.
- Cause 2: The on-premises AD DS is no longer available. Therefore, you cannot manage or delete the object from the on-premises environment.
- Cause 3: You deleted an object from the on-premises AD DS. However, the object was not deleted from your Office 365 tenant. This is unexpected behavior.

66 DirSync
RESOLUTION For Cause 1
You want to delete an object in Microsoft Office 365. But you do not want to delete the object from the on-premises AD DS. Additionally, you want to continue using directory synchronization.
Warning: You can deactivate and reactivate directory synchronization. Deactivating and reactivating directory synchronization affects migration, identity management, and single sign-on functionality. In some scenarios, reactivating directory synchronization can overwrite objects that have been previously synchronized to the cloud. Therefore, before you toggle directory synchronization activation, make sure that you read Directory Synchronization and source of authority.
1. Install the local Windows PowerShell cmdlets (Use Windows PowerShell to manage Office 365).
2. Start the Microsoft Office Online Services Module for Windows PowerShell.
3. Disable directory synchronization. Type the following cmdlet, and then press Enter: Set-MsolDirSyncEnabled -EnableDirSync $false
4. Verify that directory synchronization is fully disabled by using Windows PowerShell. To do this, run the following cmdlet periodically: (Get-MSOLCompanyInformation).DirectorySynchronizationEnabled
This command will return True or False. Continue to run this cmdlet periodically until it returns False, and then go to step 5.
Note: It may take 72 hours for the deactivation to be completed. The actual time depends on the number of objects that are in your Office 365 subscription account.
5. Try to update an object to verify that you can delete the object.
6. Delete the object by using Windows PowerShell or by using the Office 365 portal (Windows PowerShell cmdlets for Office 365).
To re-enable directory synchronization, run the following cmdlet: Set-MsolDirSyncEnabled -EnableDirSync $true

67 DirSync
RESOLUTION For Cause 2
You want to manage objects in Office 365, and you no longer want to use directory synchronization.
1. Install the local Windows PowerShell cmdlets. To do this, visit the following Microsoft website: Use Windows PowerShell to manage Office 365.
2. Start Microsoft Office Online Services Module for Windows PowerShell.
3. Disable directory synchronization. To do this, type the following cmdlet, and then press Enter: Set-MsolDirSyncEnabled -EnableDirSync $false
4. Verify that directory synchronization was fully disabled by using Windows PowerShell. To do this, run the following cmdlet periodically: (Get-MSOLCompanyInformation).DirectorySynchronizationEnabled
This cmdlet will return True or False. Continue to run this cmdlet periodically until it returns False, and then go to the next step.
Note: It may take 72 hours for deactivation to be completed. The time depends on the number of objects that are in your Office 365 subscription account.
5. Try to update an object by using Windows PowerShell or by using the Office 365 portal.
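Steps 3 and 4 of the resolutions for Cause 1 and Cause 2, automated as an added PowerShell example (not part of the original presentation or of Microsoft's article). The helper name Wait-DirSyncDisabled, the 15-minute poll interval and the stubbed status sequence are assumptions; the 72-hour ceiling comes from the Note above.

```powershell
# Added example: polls the tenant flag until it reports False instead of
# re-running the check by hand. The status query is injectable so the loop
# can be exercised offline with a constructed sequence.

function Wait-DirSyncDisabled {
    param(
        # Default query is the cmdlet from step 4; it needs the MSOnline
        # module and an authenticated session.
        [scriptblock] $GetStatus = { (Get-MsolCompanyInformation).DirectorySynchronizationEnabled },
        [int] $PollSeconds  = 900,   # assumption: check every 15 minutes
        [int] $TimeoutHours = 72     # deactivation may take 72 hours
    )

    $deadline = (Get-Date).AddHours($TimeoutHours)
    while ((Get-Date) -lt $deadline) {
        $enabled = & $GetStatus
        Write-Host ("{0:u}  DirectorySynchronizationEnabled = {1}" -f (Get-Date), $enabled)

        # Only an explicit False counts; an empty answer (failed query)
        # is treated as "not yet disabled" and polled again.
        if ($enabled -eq $false) { return $true }
        Start-Sleep -Seconds $PollSeconds
    }
    return $false
}

# Offline demonstration with a constructed status sequence: True, True, False.
$answers = $true, $true, $false
$i = 0
$stub = { $answers[$script:i++] }

if (Wait-DirSyncDisabled -GetStatus $stub -PollSeconds 1) {
    Write-Host 'Directory synchronization is disabled; continue with step 5.'
} else {
    Write-Host 'Still enabled after the timeout; do not edit or delete objects yet.'
}

# Against a tenant the sequence would be:
#   Set-MsolDirSyncEnabled -EnableDirSync $false
#   Wait-DirSyncDisabled
```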

68 DirSync
RESOLUTION For Cause 3
You delete an object from an on-premises AD DS. However, the object is not deleted from your Office 365 subscription account. Force directory synchronization by using the steps on the following Microsoft website: Force directory synchronization.
If some updates and deletions are propagated, but some deletions are not synchronized to Office 365, perform typical directory synchronization troubleshooting procedures. If all updates and deletions are not synchronized to Office 365, contact Microsoft Office 365 technical support.
MORE INFORMATION
For more information about Windows PowerShell cmdlets, visit the following Microsoft website: Windows PowerShell cmdlets for Office 365.

