Success Story: Arraya & Microsoft Save Client from DirSync Disaster
Office 365 and Active Directory are made for each other. Through Directory Synchronization (DirSync or Azure AD Connect), Active Directory can be extended out into the cloud, allowing for easier management of identities across platforms. Customer impressions differ from reality though. Even with a good partner message, some customers forget about the benefits and begin to ignore DirSync entirely. This can lead to two things. First, DirSync becomes mismanaged and account issues are not remediated. This often leads to the second thing, which is that the customer turns off DirSync and develops a hodgepodge of processes to manage accounts in the cloud.
As more time passes though, the pains of not having DirSync become evident – account provisioning and de-provisioning times become longer and more complex leading to broken SLAs, identities and group membership become inconsistent, and worst of all, licenses are not accurately tracked. These companies eventually realize that if they want to take full advantage of the soft and hard savings Office 365 offers, they need to have DirSync up and running.
The challenge is that re-activating DirSync can be dangerous. It sounds simple, but it is really complex. You are shifting authority for Active Directory attributes in Office 365 from the cloud identities back to your on-premises Active Directory. You must consider all the changes that have been made to both the on-premises directory and the cloud while DirSync was disabled. If it hasn’t been running for a long time, DirSync could end up overwriting a lot of valuable user objects and properties stored in the cloud.
Arraya Solutions recently worked with a client that found itself in that exact situation. The client is a global leader in the supply chain services industry and has helped customers transport products more efficiently for almost seven decades.
The Business Situation
A few years back, the client migrated from Exchange 2003 to Office 365. During this process, they leveraged DirSync to create the necessary Office 365 user accounts and Exchange Online mailboxes. Once the user and mailbox data was migrated, the client decommissioned the on-premises Exchange Organization, but went further and removed the DirSync server as well. The internal messaging was to go 100% cloud. DirSync was a victim of this message.
By removing DirSync, the client created a situation where IT lost the efficiencies it once had, even when they were on Exchange 2003! They were now managing identities separately across two directories for the entire user lifecycle – provisioning, management and de-provisioning. The client’s low turnover rate and relatively small number of users masked the real scope of the problem.
When the client became interested in the Enterprise Mobility Suite, the issue surfaced. IT turned DirSync back on to support identity synchronization for Azure Active Directory Premium. The reactivated DirSync overwrote the client’s Cloud-based identities, a lot of which only existed there, resulting in deleted mailboxes and lost productivity.
The Solution
The client engaged Microsoft support to recover the lost data to the tenant. Even after the data was restored, the client wasn’t yet at the point where it could safely turn DirSync back on. That’s where Arraya Solutions came in. Arraya faced the challenge of trying to normalize the different directories so that the client could restore efficiencies back to their identity lifecycle management and roll out the Enterprise Mobility Suite.
Because IT had been performing dual management for so many years, there were three categories of users within its environment.
- Accounts which had existed in Active Directory on-premises and had been synchronized to Azure Active Directory during the Office 365 migration process, thereby becoming linked.
- Accounts which existed in both Active Directory on-premises and in Azure Active Directory, but weren’t linked.
- Accounts that existed in either Active Directory on-premises or in Azure Active Directory, but didn’t have a matching counterpart in the other.
In order to avoid data loss when we turned DirSync back on, all of the accounts needed to be created, remediated, or matched. We first made sure all the accounts existed where they needed to.
To get DirSync running safely, Arraya reverse engineered the way DirSync operates. When an on-premises user object is synchronized to Azure Active Directory, the object in Azure Active Directory carries an attribute called the immutableID, which aligns to the objectID of the user in Active Directory on-premises. This is how Azure Active Directory reconciles user objects with their on-premises equivalents.
Once we verified all accounts were in place, our team reconciled each account object’s immutableID attribute to its correct objectID. Writing a value to this attribute is normally something only DirSync does, but Arraya updated it outside of DirSync via a script to correct the problem. This allowed us to forcibly link any accounts we wanted together.
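The matching step above, written out as an added example. This is not Arraya’s script or a Microsoft tool: it classifies every tenant user against on-premises Active Directory into the three categories listed earlier (plus two states a sync would break on), computes the immutableID each linked account must carry, and only writes it when -Commit is supplied. The value Azure Active Directory stores in immutableID is the on-premises objectGUID encoded as a base64 string; that is the on-premises identifier the post refers to as the objectID. Assumptions, labelled in the comments: the ActiveDirectory and MSOnline PowerShell modules are installed, Connect-MsolService has already been run, and UserPrincipalName is the match key (the post does not name the key the client used).

```powershell
<#
  Added example, not the client's or Arraya's script. Dry-runs the hard-match step:
  classify tenant users against on-premises AD, compute the ImmutableId each linked
  account must carry, and only stamp it when -Commit is given.
  Assumptions: ActiveDirectory + MSOnline modules present, Connect-MsolService already
  run, UserPrincipalName is the match key.
#>
param([switch]$Commit)

# Azure AD stores the on-premises objectGUID as a base64 string in ImmutableId.
function ConvertTo-ImmutableId([Guid]$ObjectGuid) {
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

# Reverse of the above; returns $null if the stored value is not a base64 GUID at all.
function ConvertFrom-ImmutableId([string]$ImmutableId) {
    try { [Guid]::new([Convert]::FromBase64String($ImmutableId)) } catch { $null }
}

# Index on-premises users by UPN (lower-cased; UPN comparison is case-insensitive).
$onPrem = @{}
foreach ($u in Get-ADUser -Filter * -Properties objectGUID) {
    if ($u.UserPrincipalName) { $onPrem[$u.UserPrincipalName.ToLower()] = $u }
}

$report = New-Object System.Collections.Generic.List[object]
$seen   = @{}

foreach ($c in Get-MsolUser -All) {
    $key = $c.UserPrincipalName.ToLower()
    $seen[$key] = $true
    $ad = $onPrem[$key]
    $target = if ($ad) { ConvertTo-ImmutableId $ad.ObjectGUID } else { $null }

    if ($c.ImmutableId -and $ad) {
        # Category 1: already linked. Verify the stored value really decodes to this
        # user's GUID; a mismatch means a sync would treat the cloud object as someone else's.
        $state = if ((ConvertFrom-ImmutableId $c.ImmutableId) -eq $ad.ObjectGUID) { 'Linked' } else { 'Conflict' }
    } elseif ($c.ImmutableId) {
        # Linked to an on-premises object that no longer exists: a re-enabled sync deletes this user.
        $state = 'OrphanedLink'
    } elseif ($ad) {
        $state = 'Unlinked'    # Category 2: exists on both sides, never hard-matched.
    } else {
        $state = 'CloudOnly'   # Category 3: needs an on-premises object before sync runs.
    }

    $report.Add([pscustomobject]@{
        UserPrincipalName  = $c.UserPrincipalName
        State              = $state
        CurrentImmutableId = $c.ImmutableId
        TargetImmutableId  = $target
    })
}

# Category 3, other direction: on-premises users with no tenant counterpart.
foreach ($key in $onPrem.Keys) {
    if (-not $seen.ContainsKey($key)) {
        $report.Add([pscustomobject]@{
            UserPrincipalName  = $onPrem[$key].UserPrincipalName
            State              = 'OnPremOnly'
            CurrentImmutableId = $null
            TargetImmutableId  = ConvertTo-ImmutableId $onPrem[$key].ObjectGUID
        })
    }
}

$report | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize

# Only 'Unlinked' accounts are safe to stamp. Conflict, OrphanedLink, CloudOnly and
# OnPremOnly each need a human decision (create, restore or retire) before DirSync is re-enabled.
if ($Commit) {
    foreach ($r in $report | Where-Object State -eq 'Unlinked') {
        Set-MsolUser -UserPrincipalName $r.UserPrincipalName -ImmutableId $r.TargetImmutableId
    }
} else {
    $report | Where-Object State -ne 'Linked' | Format-Table -AutoSize
}
```

Run it without -Commit first and read the summary table: the CloudOnly and OrphanedLink counts are exactly the accounts that would have been overwritten or deleted in the incident described above, and both should be zero before synchronization is turned back on. The Conflict state is the one that is easy to miss, because the account looks linked in the portal while the stored immutableID points at a different on-premises object.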
The End Result
By performing the reverse DirSync manually, our team made sure all of the data in the cloud corresponded to what was on-premises. When we turned DirSync on there was no data loss. DirSync still overwrote what was in the cloud with what was on-premises, only this time it was replacing one set of data with an exact copy.
Once DirSync was re-activated and validated, the client’s IT department could again manage the identities from a single location, knowing that their data was consistent across directories. We then helped them enable another workload in the cloud, namely the Enterprise Mobility Suite.
Keeping DirSync healthy and active is always the recommendation when extending an on-premises Active Directory to Azure Active Directory. It runs so well that clients forget about it, or turn it off on purpose or by accident. Re-activating DirSync without careful consideration and validation of the data can be disastrous. In this case, Arraya was able to correct the issue manually through a deep understanding of how DirSync works.
The client in this case was able to bounce back and reach its desired end state, but it had to endure unnecessary headaches and invest additional time and resources to get there. More often than not, avoiding those consequences requires the help of a partner like Arraya. Our Microsoft Practice has the Office 365 knowledge and experience to put vetted processes in place which allow organizations to steer clear of issues en route to realizing the full benefit of their Office 365 solutions.
To learn more about Arraya’s Microsoft Practice or to schedule an appointment today, visit www.arrayasolutions.com.