Microsoft

Celebrating my seventh consecutive year as a Microsoft MVP and reflecting on the great relationships built through the program.

DirSync’s PowerShell functionality can now be invoked through the Import-Module cmdlet rather than running a custom DirSyncConfigShell.psc1 file. The module contains approximately 92 DirSync-related cmdlets. Module Structure The DirSync module itself functions as a wrapper containing no cmdlets. Instead, it calls %programfiles%\Windows Azure Active Directory Sync\dirsync\DirSync.psd1. The actual cmdlets are housed in the Microsoft.Online.Coexistence.PS.Config module and PowerShellConfig. Documented Cmdlets (25 total) Notable documented cmdlets include: ...

Today, Microsoft released a 9 page guide on backing up and restoring the Microsoft Azure Active Directory Sync tool. You can get it here. Some things to keep in mind: This guide applies to DirSync when used with the full version of SQL only. This means it does not apply to most installations. You don’t need to backup or restore DirSync. If you simply install a new instance and configure it appropriately, the objects will re-sync. Doing a backup/restore can save time however, if you have a very large number of users (I wouldn’t bother with less than 100k). Ironically, this guide doesn’t actually tell you how to backup or restore the database. You need some SQL-aware backup product to do that. Instead, this guide helps you make use of a restored database in a DirSync environment (working with miisclient.exe, handling keys, etc).

Late Monday, Microsoft released another update to the DirSync software, this time with a build number of 6593.0012. You can download it in from the usual link. As with previous DirSync updates, there has been no official announcement of the release, however the “use at your own risk” Wiki does mention one of the new features: Version 6593.0012 Date Released 2/3/2014 Notable Changes New features: Additional Attributes are synchronized on User and Contact objects The new attributes referenced in the link are userCertificate and userSMIMECertificate. Interestingly pwdLastSet was also added, however there is no mention of that one in the article. These additions serve an unknown purpose for now, however one might speculate that they are in support of new capabilities soon to be available in the service?! ...

Microsoft released DirSync version 1.0.6567.0018 after quietly withdrawing a previous version last week. The prior iteration had encountered synchronization complications during the export phase, documented in KB 2906832. New Feature DirSync can now be installed on a Domain Controller. Important: You must log off and log on AFTER installation and BEFORE running the configuration wizard. Bug Fixes and Improvements This release addresses multiple technical issues: ...

I’ve published an update to the popular Exchange Proxy Address (EmailAddresses) Report script. The updated script includes improved output formatting for both on-screen display and Excel export. Check out the original post for download and usage details.

EDIT (Nov. 22, 2013): DirSync 1.0.6567.0018 Has Been Released EDIT (Nov. 11, 2013): DirSync 1.0.6553.2 has been removed from Microsoft’s download site and version history comment removed from the Wiki. Not sure why. Early this morning, Microsoft released an updated version of Windows Azure Active Directory Sync tool (DirSync to you and me). Version 1.0.6553.2 (or later) can be downloaded from the usual link. It comes with 4 known improvements: Fix to address Sync Engine memory leak Fix to address “staging-error” during full import from Azure Active Directory Fix to handle Read-Only Domain Controllers in Password Sync DirSync can be installed on a Domain Controller I am most excited about #4, as this enables me to build more interesting labs from my laptop, now that I don’t need a dedicated “DirSync Server”. You should note however, this is recommended only for “development” environments. After some further testing, I’d consider recommending this configuration for shops with multiple domain controllers and 50 or fewer users. ...

In this two-part article, I will describe a scenario in which DirSync sets the Azure BlockCredential attribute of disabled Active Directory users. In Part 1 (below) I explain how the Windows Azure Active Directory Sync tool (DirSync) causes this to happen. Part 2 discusses how to change this behavior. As I’ve been discussing, DirSync can be more complicated than it appears. Even if you are familiar with the miisclient.exe console, some of FIM’s logic is hidden in “Rules Extension” DLL files such as MSONLINE.RulesExt.dll. These files can be reverse-engineered to some degree, however it can be very difficult. ...

In this two-part article, I have laid out a scenario in which DirSync sets the Azure BlockCredential attribute of disabled Active Directory users. In Part 1, I explained how the Windows Azure Active Directory Sync tool (DirSync) causes this to happen. Part 2 (below) discusses how to change this behavior. Last time, we saw that magic a rules extension prevents a user from logging into Office 365 if their on-premises Active Directory account was disabled. Below, I’ll show you how to override this attribute flow, but first a note on Microsoft Support: ...

For those not interested in the complete DirSync Report published last week, you can now run just the Password Hash Sync portion using a script published here: Dirsync: Determine if Password Sync is Enabled. For deployments with remote SQL installations: As with the previous report, note that the script uses the SQL PowerShell Module, which must be present on the computer. If you like this post, you may like my others on DirSync: DirSync tag.