If you administer DirSync for your organization, you likely have seen emails like this, indicating some of your users didn’t sync.
It can be a frustrating email, since the “error description” is for some reason blank and the “On-premises object ID” column is not something that’s easy to correlate to a user account within your Active Directory. There are also application event log entries (FIMSynchronizationService #6111 and Directory Synchronization #0), but again these aren’t exactly rich with detail.
Many of you know that DirSync is actually a customized installation of FIM 2010 R2’s Synchronization Service. Within the miisclient.exe console, you can look at your most recent “Export” job and examine the errors one at a time.
(By the way, this is actually the place to go if you wanted to configure filtering for directory synchronization.)
Using this console certainly works, but it’s not an efficient way to resolve errors. Microsoft seems to acknowledge this, but falls short of a fix with that email, in my opinion. Instead of wearing out your mouse, I propose you use the PowerShell script I have written below. Within, I leverage the free FimSyncPowerShellModule which you’ll need to download and copy to:
…\System32\WindowsPowerShell\v1.0\Modules\FimSyncPowerShellModule\FimSyncPowerShellModule.psm1
Once you’ve copied the module, you’re ready to run the report, which can be downloaded here.
Here is a sample output, followed by the code itself.
<#
Description:
This script generates a list of users who are failing to export to Azure AD.

This script makes use of the FimSyncPowerShellModule
https://fimpowershellmodule.codeplex.com/
(Download and copy to C:\Windows\System32\WindowsPowerShell\v1.0\Modules\FimSyncPowerShellModule\FimSyncPowerShellModule.psm1)

October 18 2013
Mike Crowley

http://mikecrowley.us
#>

#Import the FimSyncPowerShellModule Module
ipmo FimSyncPowerShellModule

#Get the last export run
$LastExportRun = (Get-MIIS_RunHistory -MaName 'Windows Azure Active Directory Connector' -RunProfile 'Export')[0]

#Get error objects from last export run (user errors only)
$UserErrorObjects = $LastExportRun | Get-RunHistoryDetailErrors | ? {$_.dn -ne $null}

$ErrorFile = @()

#Build the custom Output Object
$UserErrorObjects | % {
    $TmpCSObject = Get-MIIS_CSObject -ManagementAgent 'Windows Azure Active Directory Connector' -DN $_.DN
    [xml]$UserXML = $TmpCSObject.UnappliedExportHologram
    $MyObject = New-Object PSObject -Property @{
        EmailAddress = (Select-Xml -Xml $UserXML -XPath "/entry/attr" | select -expand node | ? {$_.name -eq 'mail'}).value
        UPN = (Select-Xml -Xml $UserXML -XPath "/entry/attr" | select -expand node | ? {$_.name -eq 'userPrincipalName'}).value
        ErrorType = $_.ErrorType
        DN = $_.DN
    }
    $ErrorFile += $MyObject
}

$FileName = "$env:TMP\ErrorList-{0:yyyyMMdd-HHmm}" -f (Get-Date) + ".CSV"
$ErrorFile | select UPN, EmailAddress, ErrorType, DN | epcsv $FileName -NoType

#Output to the screen
$ErrorFile | select UPN, EmailAddress, ErrorType, DN

Write-Host
Write-Host $ErrorFile.count "users with errors. See here for a list:" -F Yellow
Write-Host $FileName -F Yellow
Write-Host
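
A variation on the attribute lookup in the script above, added here as an example and not part of the original script: it selects one attribute with an XPath predicate and copes with a missing hologram, a missing attribute, and a multi-valued attribute. The function name Get-HologramAttribute and the sample XML are assumptions, constructed to match the /entry/attr layout the script queries.

```powershell
# Added example, not from the original script. The XML below is constructed
# sample data shaped like the /entry/attr layout the script queries.
$SampleHologram = @'
<entry dn="CN=Jane Doe,OU=Staff,DC=example,DC=com">
  <attr name="userPrincipalName" type="string" multivalued="false">
    <value>jane.doe@example.com</value>
  </attr>
  <attr name="proxyAddresses" type="string" multivalued="true">
    <value>SMTP:jane.doe@example.com</value>
    <value>smtp:jdoe@example.com</value>
  </attr>
</entry>
'@

# Hypothetical helper: returns one attribute from a hologram as a single string.
function Get-HologramAttribute {
    param(
        [string]$HologramXml,   # e.g. $TmpCSObject.UnappliedExportHologram
        [Parameter(Mandatory = $true)][string]$Name
    )
    # An object with no pending export has no hologram; return an empty string.
    if ([string]::IsNullOrEmpty($HologramXml)) { return '' }

    $Xml = [xml]$HologramXml
    # The XPath predicate selects the attribute directly, so there is no
    # need to expand every <attr> node and filter with Where-Object.
    $Values = Select-Xml -Xml $Xml -XPath "/entry/attr[@name='$Name']/value" |
        ForEach-Object { $_.Node.InnerText }

    # Join multi-valued attributes so Export-Csv writes the values instead
    # of the type name "System.Object[]"; a missing attribute yields ''.
    return (@($Values) -join ';')
}

# Single-valued, multi-valued, and absent attribute lookups on the sample.
Get-HologramAttribute -HologramXml $SampleHologram -Name 'userPrincipalName'
Get-HologramAttribute -HologramXml $SampleHologram -Name 'proxyAddresses'
Get-HologramAttribute -HologramXml $SampleHologram -Name 'mail'
```

This matters if you extend the report with multi-valued attributes such as proxyAddresses, since each CSV cell then needs a single string.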