
AZURE AD Connect Sync Scheduler


As we already know, the Azure AD Connect tool syncs all changes from the on-premises directory to Azure
Active Directory. The synchronization process relies on a scheduler for this task; for example, there is a
scheduler for password sync that is separate from the scheduler for object/attribute sync and maintenance
tasks.

Note: the default synchronization frequency is 30 minutes.

In the AD Connect tool, the scheduler has two main functions:

 Synchronization cycle: imports, syncs and exports all changes.
 Maintenance tasks: renews keys and certificates for Password Reset and Device Registration
Service (DRS), and deletes old log files.

To demonstrate, let’s take a real example. Open your AD Connect server, run PowerShell
with administrative privileges and execute the command below:
Get-ADSyncScheduler

Note: if the command is not available, you may need to load the PowerShell module first by running
Import-Module ADSync.

After the command executes successfully, we can read and interpret some of the scheduler information,
as below:

AllowedSyncCycleInterval: this means that automatic synchronization happens every 30 minutes.
You can change this value by setting the CustomizedSyncCycleInterval attribute, which is empty in our
example since we haven’t changed it yet. However, you cannot set the interval to less than 30 minutes:
the command will accept a value below 30 minutes, but it will not take effect.

To change this value to 3 hours instead of 30 minutes, execute the command below:

Set-ADSyncScheduler -CustomizedSyncCycleInterval 03:00:00

Visit us at: http://AzureDummies.com Ahmad Yasin
Ahmed.n.Yasin@hotmail.com

If we get the scheduler information again, we can see that the customized value is now
3 hours, as shown below:


Now, let’s try to set the value to less than 30 minutes. If we run the command below, which sets the
value to 10 minutes, a warning informs us that even though the command executes, the value actually
used is 30 minutes, not 10:

Set-ADSyncScheduler -CustomizedSyncCycleInterval 00:10:00

CurrentlyEffectiveSyncCycleInterval: if you set CustomizedSyncCycleInterval to an acceptable value
(not less than 30 minutes), it takes effect at the next synchronization cycle.
CurrentlyEffectiveSyncCycleInterval tells you the sync interval that is actually in effect: if you didn’t
change CustomizedSyncCycleInterval, this value equals AllowedSyncCycleInterval; if you did set
CustomizedSyncCycleInterval, CurrentlyEffectiveSyncCycleInterval will equal it from the next
synchronization cycle on.

NextSyncCyclePolicyType: this field has two options, Delta or Initial. If no sync has happened at all,
its value will be Initial, to do a full sync; otherwise it will be Delta, to sync only the changes made
since the last synchronization.

NextSyncCycleStartTimeInUTC: this defines when the next sync cycle will start.

PurgeRunHistoryInterval: this value defines how many days the run history logs are kept before being
purged; the default value is 7 days.

SyncCycleEnabled: this shows whether automatic syncing is enabled or not.

Note: You can change some of these settings with Set-ADSyncScheduler. The following parameters
can be modified:

 CustomizedSyncCycleInterval
 NextSyncCyclePolicyType
 PurgeRunHistoryInterval
 SyncCycleEnabled
 MaintenanceEnabled
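As an added example (not part of the original article), the PowerShell below reads Get-ADSyncScheduler and checks the fields described above against a simple baseline, then changes CustomizedSyncCycleInterval only after confirming it is not below AllowedSyncCycleInterval, since a shorter value is accepted but never applied. It assumes an elevated session on the AD Connect server with the ADSync module available; the three-hour maximum interval and the seven-day purge minimum are assumed site policy, not something the tool enforces. A disabled scheduler or a very long interval means on-premises changes, including disabling an account, reach Azure AD late, which is why the check is worth running regularly.

```powershell
# Added example, not from the original article. Assumes an elevated PowerShell
# session on the AD Connect server with the ADSync module available.
Import-Module ADSync -ErrorAction Stop

function Get-EffectiveSyncInterval {
    # Rule described in the article: a customized interval below the allowed
    # minimum is accepted by Set-ADSyncScheduler but never takes effect.
    param(
        [Parameter(Mandatory)][timespan]$Allowed,
        $Customized            # empty ($null) when nothing was customized
    )
    if ($null -eq $Customized -or [timespan]$Customized -lt $Allowed) { return $Allowed }
    return [timespan]$Customized
}

function Test-ADSyncSchedulerBaseline {
    # Returns one object per check; Pass = $false is worth an alert.
    param(
        [timespan]$MaxInterval = [timespan]::FromHours(3),  # assumed site policy
        [int]$MinPurgeDays     = 7                           # the documented default
    )
    $s        = Get-ADSyncScheduler
    $expected = Get-EffectiveSyncInterval -Allowed $s.AllowedSyncCycleInterval `
                                          -Customized $s.CustomizedSyncCycleInterval
    $now      = [datetime]::UtcNow
    $next     = $s.NextSyncCycleStartTimeInUTC

    @(
        [pscustomobject]@{ Check = 'SyncCycleEnabled';   Value = $s.SyncCycleEnabled;   Pass = [bool]$s.SyncCycleEnabled }
        [pscustomobject]@{ Check = 'MaintenanceEnabled'; Value = $s.MaintenanceEnabled; Pass = [bool]$s.MaintenanceEnabled }
        [pscustomobject]@{ Check = 'EffectiveIntervalWithinPolicy'
                           Value = $s.CurrentlyEffectiveSyncCycleInterval
                           Pass  = $s.CurrentlyEffectiveSyncCycleInterval -le $MaxInterval }
        [pscustomobject]@{ Check = 'CustomizedIntervalWillApply'
                           Value = $s.CustomizedSyncCycleInterval
                           Pass  = ($null -eq $s.CustomizedSyncCycleInterval) -or
                                   ($expected -eq [timespan]$s.CustomizedSyncCycleInterval) }
        # Next start should sit within one interval of now: neither stuck in the past nor deferred.
        [pscustomobject]@{ Check = 'NextCycleOnSchedule'
                           Value = $next
                           Pass  = (-not $s.SyncCycleEnabled) -or
                                   (($next -ge $now.Subtract($expected)) -and ($next -le $now.Add($expected))) }
        [pscustomobject]@{ Check = 'PurgeRunHistoryKeepsEnough'
                           Value = $s.PurgeRunHistoryInterval
                           Pass  = $s.PurgeRunHistoryInterval -ge [timespan]::FromDays($MinPurgeDays) }
    )
}

function Set-ADSyncCycleIntervalChecked {
    # Applies a new interval only if it can actually take effect.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][timespan]$Interval)
    $allowed = (Get-ADSyncScheduler).AllowedSyncCycleInterval
    if ($Interval -lt $allowed) {
        throw "Interval $Interval is below AllowedSyncCycleInterval ($allowed); the tool would accept it but keep using $allowed."
    }
    if ($PSCmdlet.ShouldProcess('ADSync scheduler', "set CustomizedSyncCycleInterval to $Interval")) {
        Set-ADSyncScheduler -CustomizedSyncCycleInterval $Interval
    }
    # The change shows up in CurrentlyEffectiveSyncCycleInterval only after the next cycle.
    Get-ADSyncScheduler | Select-Object CustomizedSyncCycleInterval, CurrentlyEffectiveSyncCycleInterval
}

# Usage: report the baseline; -WhatIf shows the change without applying it.
Test-ADSyncSchedulerBaseline | Format-Table -AutoSize
Set-ADSyncCycleIntervalChecked -Interval (New-TimeSpan -Hours 3) -WhatIf
```

The baseline function deliberately does not compare CurrentlyEffectiveSyncCycleInterval with CustomizedSyncCycleInterval directly, because the article notes the effective value only catches up at the next cycle; it checks instead that the customized value is one the engine will honour.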

As mentioned, the scheduler runs every 30 minutes by default. In some cases you may need
to force a synchronization run between cycles, to speed up replication of new
changes or newly added objects.

For example, assume the next sync cycle will run in 15 minutes and you have added a new object
that needs to be replicated to Azure AD immediately. In such cases you should force the sync to run
manually, either by command or from the GUI.

There are two types of sync available in the AD Connect tool, Delta Sync and Full Sync. Each type
has its own scenarios, and both replicate the changes to Azure Active Directory.

Delta synchronization is used to replicate changes made to existing objects; in other words, Delta sync
only affects objects that were synced before and have been changed since.

If you run a Delta sync, the steps below will be executed:

 Delta import on all Connectors
 Delta sync on all Connectors
 Export on all Connectors

To force a Delta sync to run immediately, open PowerShell with administrative privileges and run the
command below:
Start-ADSyncSyncCycle -PolicyType Delta

Now, let’s see exactly what happens when we run the Delta synchronization. Open the Synchronization
Service Manager console (miisclient.exe), which is located by default under C:\Program Files\Microsoft Azure AD Sync\UIShell.

From the Operations tab you will see a result similar to the one below:


From the screenshot above we can see that three operations ran on each connector, the local AD
connector and the Azure AD one, resulting in six operations in total.

Now, since we didn’t make any changes before running the delta sync, we can see that no changes were
detected and nothing was exported by the local connector, as in the snapshots below from the management console:


Now I changed the job title of a user called “Ali Saleh”, who was already synced; the old value was
empty and the new one is “IT Manager”.

I ran the Delta Sync command again, and we can see that the result changed: since this change was
made in our local Active Directory, all three operations, Delta Import, Delta Synchronization and Export,
should detect that a new change was made and should sync it.

If we open the Delta Import operation for the local connector, it should display that one object
has been changed, as shown below:


Click on the updates and you will see which object(s) changed since the last sync cycle, which in our
case is the “Ali Saleh” user, as shown below:

Let’s look at the Export operation for the local connector; it should also show that there is an update, as below:


If we click on the updates, it will show the CN of the object that changed since the last sync cycle, as shown
below. Double-click on the object:

Now it clearly shows the old and new values for the user’s attributes; in our case the old value of “title”
was empty and the new one is “IT Manager”.


Full Synchronization is used in the following scenarios:

 You added more objects or attributes to be imported from a source directory
 You made changes to the synchronization rules
 You changed filtering so that a different number of objects should be included

Once you run a full sync, the operations below will be executed:

 Full Import on all Connectors
 Full Sync on all Connectors
 Export on all Connectors

To force a Full sync to run immediately, open PowerShell with administrative privileges and run the
command below:
Start-ADSyncSyncCycle -PolicyType Initial
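The two Start-ADSyncSyncCycle commands above start a cycle but give no feedback on whether one is already running or when it finishes. As an added example (not from the original article), the function below chooses Delta or Initial, refuses to start while Get-ADSyncConnectorRunStatus reports a busy connector (that cmdlet returns nothing when the engine is idle), and polls until the cycle completes or a timeout expires. It assumes an elevated session on the AD Connect server with the ADSync module available; the timeout and polling values are assumptions. Because Initial performs a full import and full sync on every connector, the function asks for confirmation before starting one.

```powershell
# Added example, not from the original article. Assumes an elevated PowerShell
# session on the AD Connect server with the ADSync module available.
Import-Module ADSync -ErrorAction Stop

function Invoke-ADSyncCycleChecked {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [switch]$Full,                 # Initial (full import + full sync) instead of Delta
        [int]$TimeoutSeconds = 1800,   # assumed: long enough for a typical delta cycle
        [int]$PollSeconds    = 15      # assumed polling interval
    )
    $policy = if ($Full) { 'Initial' } else { 'Delta' }

    # Never stack cycles: a busy engine returns one status object per running connector.
    $running = Get-ADSyncConnectorRunStatus
    if ($running) {
        $names = ($running | ForEach-Object ConnectorName) -join ', '
        throw "Sync engine is busy ($names); not starting a $policy cycle."
    }
    # An Initial cycle touches every object on every connector, so confirm it explicitly.
    if ($Full -and -not $PSCmdlet.ShouldProcess('all connectors', 'run Initial (full) sync cycle')) {
        return
    }

    $started = [datetime]::UtcNow
    Start-ADSyncSyncCycle -PolicyType $policy | Out-Null

    # Give the engine a moment to pick the request up, then poll until idle or timeout.
    Start-Sleep -Seconds 5
    $deadline = $started.AddSeconds($TimeoutSeconds)
    do {
        $busy = Get-ADSyncConnectorRunStatus
        if ($busy) { Start-Sleep -Seconds $PollSeconds }
    } while ($busy -and [datetime]::UtcNow -lt $deadline)

    [pscustomobject]@{
        PolicyType     = $policy
        Completed      = -not $busy          # $false means the timeout expired while still busy
        ElapsedSeconds = [int]([datetime]::UtcNow - $started).TotalSeconds
        NextScheduled  = (Get-ADSyncScheduler).NextSyncCycleStartTimeInUTC
    }
}

# Usage: a delta cycle runs straight away; -Full prompts because it starts an Initial cycle.
Invoke-ADSyncCycleChecked
# Invoke-ADSyncCycleChecked -Full
```

The returned object records the policy type and duration, which is handy to keep alongside a change record when a manual cycle was run to push an urgent change such as an account disable.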


Before I ran the forced full sync command I created a new user called “Ahmad Yasin”, just as a quick
demonstration of what happens in the connector operations. Let’s look at the status of the Full Import
operation for the local connector: we can see that one object was added, as shown below:

Double-click on the Adds field and it will show the object that was added since the last sync cycle, which is
“Ahmad Yasin” in our case, as shown below:


You can also clearly see that a new object was provisioned in the Full Synchronization operation for the local
connector, as shown below:


If you use an outbound proxy to access the internet, you may face issues while running the AD Connect
synchronization process. To avoid this and force AD Connect to use your proxy server, navigate to
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config and open the
machine.config file with any editor, such as Notepad. Add the section below at the
end of the file, before the closing </configuration> tag, and change the values to match your proxy
address and port:
<system.net>
  <defaultProxy>
    <proxy
      usesystemdefault="true"
      proxyaddress="http://<PROXYADDRESS>:<PROXYPORT>"
      bypassonlocal="true"
    />
  </defaultProxy>
</system.net>

For example, my proxy address is 192.168.10.1 and it listens on port 8080, so the edit should look like the one
below:
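As an added example (not the article’s own), the PowerShell below makes the same machine.config change as an XML edit rather than a hand paste: it creates the system.net/defaultProxy/proxy elements only if they are missing, sets the three attributes from the article, takes a timestamped backup and writes the file. Run it with -WhatIf first to preview the resulting element. It assumes an elevated session, the 64-bit Framework path from the article, and uses the article’s example proxy 192.168.10.1:8080; it does not touch the 32-bit machine.config.

```powershell
# Added example, not from the original article. Assumes an elevated PowerShell
# session on the AD Connect server; the path and proxy values are the article's.
function Set-MachineConfigProxy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ProxyAddress,   # e.g. 192.168.10.1
        [Parameter(Mandatory)][int]$ProxyPort,         # e.g. 8080
        [string]$ConfigPath = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config'
    )
    if (-not (Test-Path -LiteralPath $ConfigPath)) { throw "machine.config not found at $ConfigPath" }

    # Load with whitespace preserved so the rest of the file is written back unchanged.
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($ConfigPath)
    $root = $xml.DocumentElement
    if ($root.Name -ne 'configuration') { throw "Unexpected root element <$($root.Name)> in $ConfigPath" }

    # Create <system.net><defaultProxy><proxy/></defaultProxy></system.net> only if missing;
    # appending under <configuration> places it before the closing tag, as the article says.
    $sysNet = $root.SelectSingleNode('system.net')
    if (-not $sysNet) { $sysNet = $root.AppendChild($xml.CreateElement('system.net')) }
    $defProxy = $sysNet.SelectSingleNode('defaultProxy')
    if (-not $defProxy) { $defProxy = $sysNet.AppendChild($xml.CreateElement('defaultProxy')) }
    $proxy = $defProxy.SelectSingleNode('proxy')
    if (-not $proxy) { $proxy = $defProxy.AppendChild($xml.CreateElement('proxy')) }

    # The three attributes from the article, with the placeholders filled in.
    $proxy.SetAttribute('usesystemdefault', 'true')
    $proxy.SetAttribute('proxyaddress', "http://${ProxyAddress}:${ProxyPort}")
    $proxy.SetAttribute('bypassonlocal', 'true')

    $backup = $null
    if ($PSCmdlet.ShouldProcess($ConfigPath, "set defaultProxy to http://${ProxyAddress}:${ProxyPort}")) {
        $backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
        Copy-Item -LiteralPath $ConfigPath -Destination $backup
        $xml.Save($ConfigPath)
    }
    [pscustomobject]@{ Config = $ConfigPath; Backup = $backup; Proxy = $proxy.OuterXml }
}

# Usage: preview first, then run without -WhatIf to write the change. The sync
# service reads machine.config at start-up, so restart it afterwards.
Set-MachineConfigProxy -ProxyAddress 192.168.10.1 -ProxyPort 8080 -WhatIf
```

The Proxy property of the returned object shows the exact element that will be written, which is the quickest way to confirm the address and port before applying the change.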


About the Blogger …

Ahmad Yasin is a Microsoft Cloud Engineer and the owner & publisher of the AzureDummies
blog. He also holds many certifications in Office 365 and Windows Azure, including Developing
Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA
Office 365.
Find Ahmad on Facebook and LinkedIn.

