How To Manage Scheduler in new Azure AD Connect

As I mentioned last week, the new version of Azure AD Connect has been released and now includes a built-in scheduler. This means that it no longer relies on the Windows Task Scheduler to run synchronization jobs. While this is definitely an improvement, it does mean that you can no longer use the Windows Task Scheduler to manually run a job. That is now all done through PowerShell, so after tinkering around a bit I decided to list the commands you will most often need for running jobs.

First of all, after the initial installation there is a check box to start the initial sync after installation. If you do not check this box the sync will never run until the correct command is issued.

Start Sync

To check whether sync is enabled or not we need to run the following command:

Get-ADSyncScheduler

Check Sync

In my case you can see that SyncCycleEnabled is set to true. However, if it is set to false then the client is not performing any syncs.

To enable the sync cycle you will need to issue the following command:

Set-ADSyncScheduler -SyncCycleEnabled $True

The sync will then run automatically once every 30 minutes.

To manually kick off a sync cycle we will need to issue one of the following commands.

Start-ADSyncSyncCycle -PolicyType Delta

A delta sync cycle will:

  • Delta import on all connectors
  • Delta sync on all connectors
  • Export on all connectors

This is the command that you will usually use to run a manual sync.

You could also run a full cycle by issuing the following command:
Start-ADSyncSyncCycle -PolicyType Initial

An initial sync cycle will:

  • Full import on all connectors
  • Full sync on all connectors
  • Export on all connectors

You mainly want to issue this command if you have made one of the following changes:

  • Added more objects or attributes to be imported from a source directory
  • Made changes to the Synchronization rules
  • Changed filtering so a different number of objects should be included

If for some reason you need to stop a running sync cycle then you can issue the following command:

Stop-ADSyncSyncCycle
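As an added example (not from the original post), the commands above wrapped in one function that checks the scheduler state before kicking off a manual cycle. It assumes the ADSync module is installed on the Azure AD Connect server and that Get-ADSyncScheduler exposes the SyncCycleInProgress and StagingModeEnabled properties; confirm both by running Get-ADSyncScheduler on your own server first.

```powershell
# Added example, not part of the original post. Assumes the ADSync module is
# present and that Get-ADSyncScheduler returns SyncCycleInProgress and
# StagingModeEnabled (verify with Get-ADSyncScheduler before relying on it).
Import-Module ADSync -ErrorAction Stop

function Invoke-ManualSyncCycle {
    [CmdletBinding()]
    param(
        # Delta is the everyday manual sync; Initial only after rule/filter changes
        [ValidateSet('Delta', 'Initial')]
        [string]$PolicyType = 'Delta',

        # How long to wait for an already running cycle before giving up
        [int]$TimeoutMinutes = 30
    )

    $state = Get-ADSyncScheduler

    # Nothing runs until the scheduler is enabled, so enable it if it is off.
    if (-not $state.SyncCycleEnabled) {
        Write-Warning 'SyncCycleEnabled is False; enabling the scheduler first.'
        Set-ADSyncScheduler -SyncCycleEnabled $true
    }

    # A staging-mode server imports and syncs but never exports, so a cycle
    # here does not change anything in Azure AD. Say so instead of silently running.
    if ($state.StagingModeEnabled) {
        Write-Warning 'Server is in staging mode: this cycle will not export to Azure AD.'
    }

    # Start-ADSyncSyncCycle will not start while another cycle is running,
    # so poll until the current one finishes or the timeout is reached.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) {
            throw "A sync cycle was still in progress after $TimeoutMinutes minutes; not starting another."
        }
        Write-Verbose 'Sync cycle in progress, waiting 30 seconds...'
        Start-Sleep -Seconds 30
    }

    Write-Verbose "Starting $PolicyType sync cycle."
    Start-ADSyncSyncCycle -PolicyType $PolicyType
}

# Example call: Invoke-ManualSyncCycle -PolicyType Delta -Verbose
```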

So now that you know the commands you can go ahead and update to the latest version of Azure AD Connect.

Azure AD Connect Now Available

If you remember I blogged a few months ago that Microsoft would be releasing Azure AD Connect, the final replacement for Dirsync.

Well, the product is now out of review and has been released. Along with the release of Azure AD connect Microsoft also released Connect Health.

Azure AD Connect Health is a cloud based service that helps administrators monitor and secure their cloud and on-premises identity infrastructure. In this first release, Azure AD Connect Health provides customers who use ADFS with detailed monitoring, reporting and alerts for their ADFS servers.

As I previously blogged, Azure AD Connect replaces both Dirsync and Azure Active Directory Sync. If you are using either of the previous versions, you can perform a simple upgrade to the new Azure AD Connect.

Azure AD Connect has new features that allow you to:

  • Enable your users to perform self-service password reset in the cloud with write-back to on premises AD
  • Enable provisioning from the cloud with user write back to on premises AD
  • Enable write back of “Groups in Office 365” to on premises distribution groups in a forest with Exchange
  • Enable device write back so that your on-premises access control policies enforced by ADFS can recognize devices that registered with Azure AD. This includes the recently announced support for Azure AD Join in Windows 10.
  • Sync custom directory attributes to your Azure Active Directory tenant and consume it from your cloud applications

All this allows an easy transition of your services to the cloud and easy integration of a remote workforce into your organization.

Azure AD Connect to replace Dirsync and simplify cloud identity management

Recently I’ve been performing quite a few projects based on Microsoft Azure & Office 365. Now most of these projects are hybrid configurations. This means that they include both cloud and on premises solutions that are connected to each other.

Now the foundation of these projects is DirSync (not to be confused with DirSync Pro, a file synchronisation tool). DirSync is the tool that synchronizes your Active Directory with both Office 365 and Azure directory services. In its first release DirSync would only sync users and group names and attributes; it did not synchronise passwords or provide a single sign-on experience (meaning that even if your computer was domain joined you would still be required to type in a password when using Outlook to connect to Office 365, for example). To achieve these capabilities you were required to set up an Active Directory Federation between your on-premises AD and the Azure/Office 365 cloud. To do this in both a secure and resilient manner would require 4 servers, 2 in the LAN and 2 in the DMZ. This number would also be multiplied by the number of Active Directory sites your organization has. Using Active Directory Federation would also allow you to sync passwords back to your on-premises Active Directory, basically allowing password changes to be performed in the cloud.

Another major drawback was that it was only possible to synchronise a single AD domain with your cloud tenant. So if you had a multiple domain environment you would require multiple tenants in the cloud.

In its current version DirSync also synchronizes passwords to the cloud, although neither password write-back nor SSO is supported. For most companies this is sufficient, and most companies do not feel the need to implement ADFS for cloud services.

Now over the last few months a few additional tools have been released to beta, including Azure AD Connect and Azure AD Sync. These tools added password write-back and automatic set up of ADFS, but things got a bit confusing. Now Microsoft has just released (beta at the moment) Azure AD Connect: a single tool that, when released to GA, will replace all former tools with all features rolled up into a single package. The new tool includes support for password sync, password write-back and multiple domain support, all with 4 simple clicks. You can also use Azure AD Connect to perform SSO with other external services such as Salesforce, Box and more.

Small note: Azure AD is a cloud service based in Azure. The service is free of charge with limited capabilities; there is also the option of purchasing Basic and Premium plans. You can find the feature comparison list here.