This is a quick guide on how to set up Office 365 with directory synchronization (DirSync) and single sign-on (ADFS) according to Microsoft best practice. This is what the setup looks like:
This is what you need:
- Windows Server 2008 R2 for DirSync.
- Windows Server 2008 R2 for the ADFS federation server. This can be a domain controller.
- Windows Server 2008 R2 for the ADFS federation proxy in the DMZ. This server runs IIS; the proxy role is installed on top of it and only needs to reach the internal ADFS server over HTTPS (443).
- An account to log on to these machines. This account needs to be a local administrator on each of them to install DirSync and ADFS.
- An account that is a member of Enterprise Admins. This account is needed when configuring DirSync, which creates a service account, MSOL_AD_SYNC, in the Users container.
- An Active Directory service account for ADFS, e.g. ADFS2SVC.
- An SSL certificate for the ADFS service name, e.g. fs.powerkjell.com. This certificate needs to be installed in IIS on both the ADFS and the ADFS proxy server.
- An external DNS record for fs.powerkjell.com pointing at the ADFS proxy. In internal DNS the same name should point at the internal ADFS server (split DNS).
Information about setting up DirSync: http://technet.microsoft.com/en-us/library/hh967642.aspx
- Remember to check your environment with the Microsoft Deployment Readiness Tool and to activate directory synchronization in the Office 365 portal (https://portal.microsoftonline.com). Activation may take up to 24 hours to apply. Read more about preparations here: http://technet.microsoft.com/en-us/library/jj151831.aspx
- Create a sync account in Office 365 and set its alternate e-mail address to a monitored mailbox, so that DirSync error notifications are actually seen.
- Do not start synchronization immediately after installation if you still need to configure DirSync (e.g. filtering): http://technet.microsoft.com/en-us/library/hh967629.aspx
- Make sure you understand which attributes are synchronized and how they are mapped: http://support.microsoft.com/kb/2256198/en-us
Read more about SSO with ADFS: http://technet.microsoft.com/en-us/library/hh967628.aspx
- Make sure the ADFS service account has been created.
- Make sure the SSL certificate is available on both servers.
- You may need an account with higher privileges than local administrator when configuring ADFS on the first server, since the configuration wizard creates a container in Active Directory.
- Make sure the DNS records are correct. The ADFS proxy needs to resolve fs.powerkjell.com to the internal ADFS server, so point it at internal DNS or add a hosts file entry on the proxy.
- Run the PowerShell commands that create the federation trust to Office 365 from the internal ADFS server (not the ADFS proxy).
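The trust creation from the last step, as an added example that is not part of the original guide. It is run on the internal ADFS server with the Microsoft Online Services Sign-In Assistant and the Windows Azure Active Directory Module for Windows PowerShell (MSOnline) installed. It goes a little beyond the guide by checking the things the steps above ask for (DNS, the ADFS service, domain state in the tenant) before converting the domain. The domain name powerkjell.com and the service name fs.powerkjell.com are taken from the guide's example; the checks are my additions.

```powershell
# Added example, not from the original guide. Run on the internal ADFS
# server (never on the proxy), in a PowerShell session started as a
# local administrator. Assumes the tenant domain is powerkjell.com and
# the federation service name is fs.powerkjell.com (the guide's example).
Import-Module MSOnline

$domain = 'powerkjell.com'
$fsFqdn = 'fs.powerkjell.com'

# Pre-flight 1: the service name must resolve from this server. On the
# internal side it should come back as the ADFS server, not the proxy.
$addresses = [System.Net.Dns]::GetHostAddresses($fsFqdn) |
    ForEach-Object { $_.IPAddressToString }
Write-Host "$fsFqdn resolves to: $($addresses -join ', ')"

# Pre-flight 2: the ADFS 2.0 Windows service must be running, otherwise
# the context cmdlet below cannot read the federation settings.
$svc = Get-Service -Name 'adfssrv' -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    throw "AD FS 2.0 service (adfssrv) is not running"
}

# Sign in to Office 365 with a tenant global administrator account.
$cred = Get-Credential
Connect-MsolService -Credential $cred

# Point the MSOnline federation cmdlets at this ADFS server.
Set-MsolADFSContext -Computer $env:COMPUTERNAME

# Pre-flight 3: the domain must already be added and verified in the
# tenant, and must still be Managed, or the conversion will fail.
$d = Get-MsolDomain -DomainName $domain
if ($d.Status -ne 'Verified') {
    throw "$domain is not verified in the tenant (status: $($d.Status))"
}
if ($d.Authentication -eq 'Federated') {
    throw "$domain is already federated; use Update-MsolFederatedDomain instead"
}

# Create the relying party trust in ADFS and switch the domain to
# federated authentication in Office 365. This is the actual trust step.
Convert-MsolDomainToFederated -DomainName $domain

# Show what Office 365 now has on file versus the local ADFS settings
# (issuer URI, endpoints, token-signing certificate). They must match.
Get-MsolFederationProperty -DomainName $domain
```

Two caveats worth keeping in mind. Once a domain is federated, every sign-in for it depends on ADFS and the proxy being reachable, which is why the load-balancing recommendation below matters. And Office 365 trusts the ADFS token-signing certificate, not the SSL certificate: when that certificate is renewed or rolls over, run `Update-MsolFederatedDomain -DomainName powerkjell.com` from the ADFS server, or sign-ins will start failing.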
According to Microsoft's recommendations you need load-balanced ADFS and ADFS proxy servers, so there should be at least two on each side.