To synchronize your AD Domain with your BPOS environment, follow the steps below.

• Log in on your Microsoft Online Services Administration Center, Click the [Migration] tab and then click the [Configure] button in the “Directory Synchronization” Section.
   
• Read the  “Plan for Directory Synchronization” and check the checkbox, confirming that you read it.
• Press the [Enable] button in step 2, to enable BPOS for the synchronization.
• Press the [download] button in step 3. This will open a page where you can download the synchronization tool.
• Now you should install the synchronization tool, but mind the following restrictions:
  - Supported OS: Windows Server 2003 Service Pack 2; Windows Server 2008
  - Can’t be installed on a domain controller
  - Can’t be installed on x64
  - Powershell v1.0 has to be installed
• Execute the file you downloaded in the previous step (dirsync.exe).
  - do not interrupt the installer
• The installation is a Next, Next, Finish installation. You will be staring at a progress bar for quite a long time
• After the initial install you can start the Configuration Wizard.
  Before you proceed be sure, you have the following things:
  - An user account who is an BPOS Administrator (probably the one you used to login with in step 1)
  - An Enterprise Administrator Account
  If you have these then the configuration is again almost, Next, Next, Finish.
• At the end of the configuration, choose “”Synchronize directories now”
  - do not create any user object in your BPOS environment during this sync.
• Within a few minutes, you can then view your imported users in your BPOS environment, they are all imported under the “Disabled User“ view (Tab [Users] > [User List], under view select “Disabled Users”).

From here you can now enable the users. A bit annoying is the fact that the list doesn’t use paging, you can only go 1 step through the list or to the end (or is that because I only had 2 pages?)

So now some things that are interesting to know:

• The tool creates a service account named MSOL_AD_Sync. This will be a domain account with directory replication permissions on your AD.
• A service will be installed on your ”sync station”.
• The time needed for a synchronization depends on how many objects you have.
  500 objects will take about 5 min. to sync the first time, after the about 30 sec.
  1000 objects will take 10 min, after that 1 min.
  500o objects will take 45 min, after that 5 min.
  15000 objects will take 2.5h, after that 10 min.
  All depending on your bandwidth of course, for more than 20.000 objects contact Microsoft.
• An uninstall of the tool, will not delete the MSOL_AS_Sync account, you have to do this manually.
• The tool will sync every user in your complete forest, so whenever you must delete a domain in your forest this will impact your BPOS environment. To delete the domain, you must complete some “in-between” steps.
• Every 3 hours there will be a scheduled sync.

Edit: I later received a few error messages, on my admin account mail address.
Apparently, a ‘&’ sign in a user name will generate a “049: LDAP injection characters were found in the user alias” error.