Troubleshooting synchronization with Windows Azure Active Directory (WAAD) (Part 1)

If you would like to read the other parts in this article series please go to:

Introduction

Windows Azure Active Directory (WAAD) can be kept in sync with an on-premises Active Directory, which lets organizations authenticate to several Microsoft cloud services with their existing identities, such as Office 365, Exchange Online Protection (EOP), Lync Online and SharePoint Online.

The tool responsible for this synchronization process is the Windows Azure Active Directory Sync tool (DirSync). Its installation is well documented in the Office 365 documentation, but this article adds some hints to make sure the installation completes properly.

The goal of this article series is to list hints and tools that help Exchange administrators troubleshoot synchronization between the on-premises Active Directory and WAAD. Most of the hints shown here are scattered around the Internet (a good number of them here at MSExchange.org).

This first article covers hints for the installation of the directory synchronization tool and the tools that Exchange administrators have available to check it.

Installation process

The goal of this article is not to provide a step-by-step guide to the tool; there are, however, a few steps worth mentioning to get things working, and those are the focus of this section.

The first step is to get a trial account. As part of the sign-up you are assigned an initial user name in the format <Name>@<String-Related-to-yourDomain>.onmicrosoft.com, and after logging on to Office 365 your first task is to add and verify (activate) your own domain.

After verifying and activating the domain, the next step is to create the account that the synchronization tool will use in the cloud. These are the steps to create such an account:

  1. Log on to the Office 365 portal (http://office365.com)
  2. Click Users and groups
  3. Click +
  4. On the first page (Figure 01), fill out the first and last names of our future synchronization account, and use the domain validated in the previous step (in this article, Apatricio.info).

Figure 01

  5. On the Settings page, assign the Global Administrator role to the account (Figure 02); the wizard requires an Alternate email address and a Country as part of this step. DirSync requires this role for its cloud account, so treat the credentials as you would any other administrator account and use the account for synchronization only.

Figure 02

  6. On the Assign licenses page, do not assign any license, and complete the wizard using default values where appropriate.

The last page shows the temporary password. Log off the current session and log on with the new service account; the first task will be resetting the password. Use a strong password for this account, since it holds the Global Administrator role.

The next logical step is to enable synchronization and download the tool (Figure 03). Both are done by clicking Users and groups and then Set up on the Active Directory synchronization line. On the new page, click Activate at step 3, then download the Directory Sync tool to the server that will be responsible for synchronization.

Figure 03

Before installing the tool, install .NET Framework 3.5 (which includes .NET 2.0 and 3.0) and .NET Framework 4.5. Note that on Windows Server 2012 R2 the 3.5 payload is not staged on disk, so its installation requires the Windows Server media as the source. Both can be installed from Server Manager or from PowerShell.

It is not a requirement, but during troubleshooting we will need to check the attributes of Active Directory user objects, so my recommendation is to install the Active Directory administration tools (RSAT) on the same server that runs the synchronization tool. You can add them by running Add-WindowsFeature RSAT-ADDS from Windows PowerShell.
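The prerequisite installation from the two paragraphs above, as a single PowerShell script added here as an example (it is not from the original article). It assumes an elevated session on Windows Server 2012 R2 and that the Windows Server media is mounted as drive D:, which is why .NET 3.5 is installed with -Source pointing at the media; the final Get-WindowsFeature check exists because Install-WindowsFeature reports failures in its result object rather than throwing.

```powershell
# Added example: install and verify the DirSync prerequisites on Windows Server 2012 R2.
# Assumption: the Windows Server installation media is mounted as D:.
$media = 'D:\sources\sxs'   # assumed path to the side-by-side payload on the OS media

# .NET Framework 3.5 (feature name NET-Framework-Core) is not staged on 2012 R2,
# so the feature payload has to come from the media via -Source.
Install-WindowsFeature -Name NET-Framework-Core -Source $media

# .NET Framework 4.5 ships with 2012 R2; this is a no-op if it is already present.
Install-WindowsFeature -Name NET-Framework-45-Core

# RSAT AD DS tools (ADUC, ADSI Edit, the ActiveDirectory module) for the attribute checks later.
Install-WindowsFeature -Name RSAT-ADDS

# Verify before launching the DirSync installer; a failed -Source lookup does not throw.
$required = 'NET-Framework-Core', 'NET-Framework-45-Core', 'RSAT-ADDS'
$missing  = Get-WindowsFeature -Name $required | Where-Object { -not $_.Installed }
if ($missing) {
    Write-Warning ('Still missing: ' + ($missing.Name -join ', ') + ' (check the -Source path)')
} else {
    Write-Host 'All DirSync prerequisites are installed.'
}
```

Run it before copying the DirSync installer to the server; if NET-Framework-Core is still reported missing, the usual cause is a wrong -Source path or media for a different Windows Server build.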

Install the tool using the default values. The Configuration Wizard asks for the credentials of the cloud synchronization account (svc.sync in this article), for on-premises Active Directory administrator credentials, and whether to enable Hybrid Deployment and/or password synchronization.

Important Note:
As soon as the tool is installed, log off and log on again so that the local group membership the installer grants to your account takes effect. Without that logoff, the tools covered in the next section will not work.

Getting to know the Tools available

After installing the tool and running the Configuration Wizard, the next step is to make sure that everything is working properly, and we have a couple of built-in tools to validate the synchronization process.

Our first stop is the root folder of the tool, by default C:\Program Files\Windows Azure Active Directory Sync (Figure 04). We have two tools there. The first one is ConfigWizard, which reruns the same wizard we used the first time and can be used to reconfigure the synchronization settings (for example, after changing the synchronization account's password).

Note:
In the same location is the dirsyncSetup.log file. If something goes wrong during the installation, that file holds the log of the installation process.

Figure 04

The second one is DirSyncConfigShell, which opens a Windows PowerShell session with the DirSync cmdlets loaded. From there we can run the Start-OnlineCoexistenceSync cmdlet, which triggers a synchronization with WAAD, as shown in Figure 05.

Figure 05

Forcing a synchronization is handy, and we can always check the Application log in Event Viewer to see what happened, but from a troubleshooting perspective the most important thing is to see what is actually going on. If there is an issue, we should be able to pinpoint it, right?
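The two steps just described (forcing a cycle with Start-OnlineCoexistenceSync and then reading the Application log) as one script, added here as an example rather than taken from the original article. It assumes that the cmdlet is exposed either as the DirSync module or as the older Coexistence-Configuration snap-in (both were shipped by different DirSync builds), and that DirSync and the FIM synchronization service write to the Application log under the source names 'Directory Synchronization' and 'FIMSynchronizationService'; adjust the source filter if your build logs under other names.

```powershell
# Added example: trigger a DirSync cycle and summarize what it logged.
# Run from DirSyncConfigShell or from an elevated PowerShell on the DirSync server.

# Load the cmdlet if this is not the DirSyncConfigShell session (module on newer builds,
# snap-in on older ones); stop with a clear message if neither is available.
if (-not (Get-Command Start-OnlineCoexistenceSync -ErrorAction SilentlyContinue)) {
    Import-Module DirSync -ErrorAction SilentlyContinue
    Add-PSSnapin Coexistence-Configuration -ErrorAction SilentlyContinue
    if (-not (Get-Command Start-OnlineCoexistenceSync -ErrorAction SilentlyContinue)) {
        throw 'Start-OnlineCoexistenceSync not found; launch DirSyncConfigShell from the DirSync folder.'
    }
}

$start = Get-Date
Start-OnlineCoexistenceSync          # add -FullSync to force a full rather than a delta cycle

# The cycle runs asynchronously inside the FIM service; give the run profiles time to finish.
Start-Sleep -Seconds 90

# Assumed event source names (constructed for this example; verify against your Event Viewer).
$sources = 'Directory Synchronization', 'FIMSynchronizationService'

$events = Get-EventLog -LogName Application -After $start |
    Where-Object { $sources -contains $_.Source } |
    Sort-Object TimeGenerated

$events |
    Select-Object TimeGenerated, EntryType, Source, EventID,
                  @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

$problems = $events | Where-Object { $_.EntryType -in 'Error', 'Warning' }
if ($problems) {
    Write-Warning ("{0} warning/error event(s) since {1}; open miisclient for the per-object details." -f $problems.Count, $start)
} elseif (-not $events) {
    Write-Warning 'No DirSync events were logged; check that the FIM synchronization service is running.'
}
```

The event log only tells you that a run profile failed, not which object caused it; that is what the Synchronization Service Manager described next is for.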

We can do that with the Synchronization Service Manager of FIM (Forefront Identity Manager 2010 R2), the component that actually performs the synchronization. By default it is installed in C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell. To run it, double-click miisclient (Figure 06).

Figure 06

For starters, the main page of the tool has the Operations area, which lists all the runs performed during the synchronization cycles, with their status (Figure 07). Selecting any operation from that list shows its details at the bottom (statistics and export errors), which help the troubleshooting process.

Figure 07

Another set of tools that helps with some tasks is the Windows Azure Active Directory Module for Windows PowerShell, which gives administrators more flexibility to perform activities that are not supported in the Office 365 web console. It requires the Microsoft Online Services Sign-in Assistant to be installed; both downloads, along with the list of supported cmdlets, are available from the Microsoft/Office 365 website.
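Three tenant-side checks with that module, added here as an example (not code from the original article): whether the tenant is actually receiving sync cycles, whether the cloud sync account's password can expire (DirSync stores that password at install time, so an expired one fails every cycle), and which objects the tenant rejected. It assumes the sync account UPN svc.sync@apatricio.info, following the naming used in this article, and that the DirSync default cycle of three hours applies.

```powershell
# Added example: tenant-side DirSync health checks with the MSOnline module.
Import-Module MSOnline
Connect-MsolService                      # prompts for cloud Global Administrator credentials

$syncAccount = 'svc.sync@apatricio.info'   # assumed UPN of the cloud synchronization account
$cycleHours  = 3                            # DirSync default synchronization interval

# 1. Is directory sync enabled, and when did the tenant last receive a cycle?
$company = Get-MsolCompanyInformation
$company | Select-Object DirectorySynchronizationEnabled, LastDirSyncTime, PasswordSynchronizationEnabled

if (-not $company.DirectorySynchronizationEnabled) {
    Write-Warning 'Directory synchronization is not activated on this tenant.'
} elseif ($company.LastDirSyncTime -lt (Get-Date).ToUniversalTime().AddHours(-$cycleHours)) {
    Write-Warning ("Last sync received at {0} UTC, more than {1} hours ago; the on-premises cycles are not reaching the tenant." -f $company.LastDirSyncTime, $cycleHours)
}

# 2. The sync account password must not be subject to the tenant's expiry policy.
$svc = Get-MsolUser -UserPrincipalName $syncAccount
if (-not $svc.PasswordNeverExpires) {
    Write-Warning ("{0} can expire; fix with: Set-MsolUser -UserPrincipalName {0} -PasswordNeverExpires `$true (and re-enter the password in ConfigWizard after any change)." -f $syncAccount)
}

# 3. Objects the tenant rejected during provisioning (duplicate proxyAddresses or UPNs are the usual cause).
Get-MsolUser -HasErrorsOnly -All | ForEach-Object {
    $user = $_
    $user.Errors | ForEach-Object {
        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            Error             = $_.ErrorDetail.ObjectErrors.ErrorRecord.ErrorDescription
        }
    }
} | Format-Table -AutoSize -Wrap
```

The third check is the cloud-side counterpart of the export errors shown in the Synchronization Service Manager: an object that exported without error on-premises can still be rejected by the tenant, and only Get-MsolUser -HasErrorsOnly will show why.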

Conclusion

In this first article of the series we covered hints related to the installation of the Directory Synchronization tool and the tools available to troubleshoot the integration between the on-premises Active Directory and Windows Azure Active Directory.

