Thursday 13 June 2013

Active Directory Office 365 sync problems

The setup is Directory Sync to Office 365 in hybrid mode (i.e. writing back some AD attributes from Office 365) with password sync.

On the initial sync there were some problems that the Office 365 pre-check tool had not found.

A few users had inadequate permissions for the write-back of AD attributes. This was caused by their accounts not inheriting security permissions in AD. Switching inheritance back on fixed the problem immediately. Why they had been set to not inherit many years ago remains a mystery.

Another user who had moved to a different role just would not sync due to a duplicate attribute. The sync tool 'helpfully' omitted which attribute was in conflict. The user in question had been copied from the original user and then changed, with the original user left in place for business reasons. After some time, including checking every (visible?) AD attribute, no duplicates could be found. The (very useful) idfix tool did not spot any problems with this record either. Google/Bing for idfix.
I added the person to my Outlook to take a look at what they had in their mailbox and 2 copies of the same mailbox appeared - very strange, never seen that before. I then removed the person from my Outlook, only for 1 of the mailboxes to remain. It seemed obvious that the record had some major problem. The person in question no longer required the account and it was deleted in AD. 2 syncs later the problem had gone. It would have been useful to know exactly what was failing the unique constraint. I am sure it would be pretty easy for the programmers to report this information in the sync failure email you get sent.

I strongly recommend you pin the sync tool UI to the taskbar / desktop as you might be looking at it more than you had hoped at the start!

You can find it here (could change with future versions):
C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe

Once you have looked at the on-screen log of what it does automatically, it is easy to run manual syncs by mimicking the steps it takes. There is a PowerShell command, Start-OnlineCoexistenceSync, but you will need the GUI to track down problems. This GUI is also a poor man's, very crude AD auditing tool: you can see how many changes were made to your AD, what kind they were and roughly when they happened, but not who made them. It is certainly better than nothing, and is a good spin-off benefit of having installed the software.

It can save time when troubleshooting to change the default sync interval from 3 hours to 5 minutes, so that the sync tool keeps attempting to sync while you work, without you having to run anything:

To do this, change the file:
C:\Program Files\Windows Azure Active Directory Sync\Microsoft.Online.DirSync.Scheduler.exe.Config

temporarily from this:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>
    <!--the interval in hours-->
    <!--refer for valid values:http://msdn2.microsoft.com/en-us/library/system.timespan.parse.aspx-->
    <add key="SyncTimeInterval" value="3:0:0" />
  </appSettings>
</configuration>

to this:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>
    <!--the interval in hours-->
    <!--refer for valid values:http://msdn2.microsoft.com/en-us/library/system.timespan.parse.aspx-->
    <add key="SyncTimeInterval" value="0:5:0" />
  </appSettings>
</configuration>

Set it back to your selected sync time afterwards - I would not recommend leaving it at 5 mins!
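As an added example (not part of the original post), here is a PowerShell helper that makes the same temporary change with a dated backup, validates the value the way the scheduler will (as a TimeSpan), and restores the original afterwards so the 5 minute interval is not left behind. The config path is the one quoted above; the function names are my own.

```powershell
# Added example, not from the original post. Function names are my own; the
# config path is the one quoted in the post and may differ between versions.
$DirSyncConfig = 'C:\Program Files\Windows Azure Active Directory Sync\Microsoft.Online.DirSync.Scheduler.exe.Config'

function Set-DirSyncInterval {
    # Changes SyncTimeInterval after validating it and backing the file up.
    # Returns the backup path so the change can be undone later.
    param(
        [Parameter(Mandatory)][string]$Interval,   # e.g. '0:5:0' (troubleshooting) or '3:0:0' (default)
        [string]$Path = $DirSyncConfig
    )
    # The scheduler parses this value with TimeSpan.Parse (see the comment in the
    # file), so reject anything that would fail there before touching the config.
    $span = [TimeSpan]::Parse($Interval)
    if ($span -lt [TimeSpan]::FromMinutes(1)) { throw "Refusing interval $Interval (shorter than a minute)" }

    # Dated backup alongside the original; writing here needs an elevated shell.
    $backup = "${Path}.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -LiteralPath $Path -Destination $backup

    [xml]$xml = Get-Content -LiteralPath $Path -Raw
    $node = $xml.SelectSingleNode("/configuration/appSettings/add[@key='SyncTimeInterval']")
    if (-not $node) { throw "No SyncTimeInterval key in $Path" }
    $old = $node.value
    $node.value = $Interval
    $xml.Save($Path)
    Write-Host "SyncTimeInterval: $old -> $Interval (backup: $backup)"
    # .NET appSettings are read when the process starts, so a running scheduler
    # may need restarting before it picks the new interval up.
    return $backup
}

function Restore-DirSyncConfig {
    # Puts the backed-up config back so the short interval is not left in place.
    param(
        [Parameter(Mandatory)][string]$Backup,
        [string]$Path = $DirSyncConfig
    )
    [xml]$check = Get-Content -LiteralPath $Backup -Raw
    if (-not $check.SelectSingleNode("/configuration/appSettings/add[@key='SyncTimeInterval']")) {
        throw "$Backup does not look like the scheduler config"
    }
    Copy-Item -LiteralPath $Backup -Destination $Path -Force
    Write-Host "Restored $Path from $Backup"
}

# Typical troubleshooting session:
$bak = Set-DirSyncInterval -Interval '0:5:0'   # sync every 5 minutes while you work
# ... fix the offending AD objects, watch miisclient.exe ...
Restore-DirSyncConfig -Backup $bak              # back to the 3-hour default
```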

Happy syncing
