How to allow DirSync to synchronize a .local domain

DirSync = the magic tool that synchronizes your local Active Directory -users, groups & contacts- with Windows Azure Active Directory -the identity system of Office 365.

We know that DirSync has some requirements to make the installation a success. But DirSync is more than a Synchronization Tool, it’s an enabler for a kind of single/same sign in experience. It will sync the user’s User Principle Name and a double hash of his or her’s password which allows the user the work with the credentials that he’s familiar with.

But there is a catch. The user’s UPN consists of 2 parts divided by the magic @ sign. The first part represents the user, the second part is the domain where the user resides (often referred to as the DNS Suffix). In case of .local domain this means that this could be doctor.who@littlebluebox.local . Now here comes the catch:

attention DirSync will only sync DNS suffix that are available on your WAAD as a verified domain. When we look at the verification process, it shows us that in either case -with TXT or MX- we need to add a record to the public available DNS for that domain. Back to our .local – this means that we cannot do this for a .local domain or any other non public routable domain, since they don’t have a public DNS. DirSync will replace the unknown dns suffix and replace it by the primary domain of your WAAD. By default this is set to your tenant domain e.g. This can be changed through the Azure Management Portal.

So Solution 1 to deal with .local … Change your primary domain to e.g., so every user that has littlebluebox.local as a upn suffix will get a There is no possibility to differentiate between domains.

Solution 2 is to register one -or more if needed- new DNS suffixes on your Active Directory. This can be done through Server Manager > Tool > Active Directory Domains and Trusts


Right click on Active Directory Domains and Trust and chose Properties


Enter your Alternative UPN Suffixes and click on Add


Click on Apply if you want to add more or on OK when you are done.

When we look at the Account Tab of a test user we’ll see that we have a new UPN suffix available to chose from.


We change every UPN that has .local suffix to our new suffix.

If we need to alter a lot of users, we might chose to do this through Powershell. First thing of the PS command is to get our users who have an invalid UPN:

Get-ADUser -Filter {userprincipalname -like ‘*tardis.local’} -Properties userPrincipalName

The second part is to set the new UPN .. the 2 parts combined makes:

Get-ADUser -Filter {userprincipalname -like ‘*tardis.local’} -Properties userPrincipalName | foreach { Set-ADUser $_ -UserPrincipalName (“{0}@{1}” -f $,””)}

Check out if you want to get more details about the PowerShell line.

Leave a Reply