AADConnect Configuration Tips

 

The new AADConnect V1.1 has some significant changes this time around

– OVERVIEW

 

I performed a “from scratch” install which was guided by the wizard driven interface in Office 365.

Installation of the actual AADConnect software was fairly easy and if you have read any MS KB’s or blog posts most will suggest to use the “Express Installation” method as it is suitable for most installs.

If you choose the “Express Installation” method and do not opt to configure your own service accounts when prompted be aware that these are the accounts that will be created on your behalf: INFO

• An account in Azure AD will be created for the sync service’s use
• A local account prefixed AAD_ and used for the actual sync service to run as
• An account used for synchronization will be created and located in the forest root domain in the Users container and will have its name prefixed with MSOL_

One issue I did have with this install which I had never experienced before was that the Office 365 user account I was using for install needed to be a member of Azure AD co-administrators. Only after I made it a co-administrator and selected “re-try” on the installation did the install actually complete.

Once the install had completed I went about the process of creating my usual shortcuts and command line cheat sheets that I use for management purposes.

 

What I found was that a couple things don’t exist any longer:

1) “C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe” NO longer exists

2) Scheduled tasks for Sync operations no longer configured or exist

Managing Synchronization options are now performed via PowerShell using the ADSyncScheduler cmdlet. Information on these commands and syntax can be found here – INFO

 

Here are a few tasks and notes I have compiled to be performed POST AADConnect install

1) Open PowerShell and review the new default SyncSheduler settings – Get-AdSyncScheduler

Note the new default Sync interval is now 30mins as opposed to previous 3 hours as seen by the AllowedSyncCycleInterval. This value can be changed but cannot be less than 30mins.

 

2) Change default sync cycle using CustomizedSyncCycleInterval – Set-AdSyncScheduler -customizedsycncecleinterval 03:00:00 (will change default sync time to every 3 hours)

 

3) If SyncCycleEnabled is set to False you will need to enable it when you are ready to launch production Sync – Set-ADSyncScheduler -SyncCycleEnabled $True

 

4) If StagingModeEnabled is set to True you will need to re-run the AADConnect setup and disable it – INFO

 

5) DirectorySyncClientCmd.exe is GONE. To launch a sync use PowerShell – Start-ADSyncSyncCycle -PolicyType Delta or Initial

 

6) Password synchronization can still be manually launched via PowerShell with the latest script – INFO

 

$adConnector = “<CASE SENSITIVE AD CONNECTOR NAME>”
$aadConnector = “<CASE SENSITIVE AAD CONNECTOR NAME>”
Import-Module adsync
$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter “Microsoft.Synchronize.ForceFullPasswordSync”, String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

 

Hopefully some of these tips will help and ease the transition to yet another Sync management mechanism!