Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Connector/MA’ Category

(2019-10-06) Examining Pending Export Deletions In Azure AD Connect

Posted by Jorge on 2019-10-06


If you know FIM/MIM, you also know that Azure AD Connect is based upon that under the hood. As described in Azure AD Connect sync: Prevent accidental deletes, Azure AD Connect allows you to configure a specific threshold that represents a normal/accepted amount of deletions towards Azure AD. Now, if you have a low amount of objects that you need to investigate you can easily click through the Sync Service Manager. But what happens if you need to investigate hundreds or thousands of pending deletions? Try to do that in the Sync Service Manager and you’ll through a loooooot of pain! Are there easier ways to do that? Fortunately, YES! Therefore keep reading.

Now please aware that if the number of deletions is equal to or higher than the deletion threshold it will stop the complete export operation to Azure AD, meaning no adds, updates and deletes to Azure AD! This prevents unintended deletion due to mistakes, bad configurations, etc.

To analyze those deletions, use the next steps.

  1. Logon to the ACTIVE (NON-Staging!) AAD Connect server (To determine the ACTIVE AAD Connect Server, see below!)
  2. Open a PowerShell Command Prompt Window and export the pending exports from the connector space that needs further analysis (see below)
  3. Parse the CS Export file to make it readable (see below) (PowerShell GridView Is Opened AND A CSV File Generated!)
  4. Either use the PowerShell GridView or the CSV to analyze the data being exported!
  5. For objects being deleted check if those still exist in AD and what the state is (see below)

[ad.1] Determine The Active AAD Connect Server

Open a PowerShell Command Prompt Window, and execute:

Import-Module ADSYNC

Get-ADSyncGlobalSettingsParameter | ?{$_.Name -eq "Microsoft.Synchronize.StagingMode"} | Select Name,Value

REMARK: If the VALUE mentions TRUE, then it is the Passive (staging) Server, if the VALUE mentions FALSE or is empty, then it is the Active (Non-Staging) Server

[ad.2] Export The Pending Exports From The Connector Space That Needs Analysis

On The Active AAD Connect Server, open a PowerShell Command Prompt Window, and execute:

CD "C:\Program Files\Microsoft Azure AD Sync\Bin"
$connectorHT = New-Object system.collections.hashtable
Write-Host ""
Write-Host "+++ Available Connectors +++" -ForegroundColor Cyan
$connectorNr = 0
Get-ADSyncConnector | %{
    $connectorNr++
    $connectorName = $null
    $connectorName = $_.Name
    $connectorHT[$connectorNr.ToString()] = $connectorName
    Write-Host "[$connectorNr] – $connectorName" -ForegroundColor Magenta
    Write-Host ""
}
$chosenConnectorNr = $null
$chosenConnectorNr = Read-host "Please Choose The Connector By Typing Its Number"

$chosenConnectorName = $null
$chosenConnectorName = $connectorHT[$chosenConnectorNr]
$datetime = Get-Date -Format "yyyy-MM-dd_HH.mm.ss"
$csExportXMLFilepath = Join-Path "C:\TEMP" $($datetime + "_CS-" + $chosenConnectorName + "_PendingExports.xml")
$csExportCMD = ".\CSEXPORT.EXE `"$chosenConnectorname`" `"$csExportXMLFilepath`" /f:x"
Invoke-Expression $csExportCMD
Write-Host ""
Write-Host "Export File…….: $csExportXMLFilepath" -ForegroundColor Cyan
Write-Host ""

[ad.3] Parse The CS Export XML File

On The Active AAD Connect Server, open a PowerShell Command Prompt Window, and execute:

CD "<Folder With Script>"

$csExportCSVFilepath = $csExportXMLFilepath.TrimEnd(".xml")

.\Parse-CS-Export-XML-To-CSV.ps1 -outToAll -sourceXMLfilePaths $csExportXMLFilepath -targetFilePath $csExportCSVFilepath

REMARK: the GridView will be opened automatically!

image

Figure 1: Results After Parsing The XML File(s) To A CSV

In the GridView or Excel, any value added or deleted, will be specified as such. Unchanged values are not listed

image

Figure 2: GridView Sample Output

image

Figure 3: GridView Sample Output

image

Figure 4: GridView Sample Output

 image

Figure 5: GridView Sample Output

REMARK: To reopen the GridView using the CSV file use the following command:

Import-CSV $($csExportCSVFilepath + ".csv") | Out-Gridview

or

Import-CSV "<CSV File Path>" | Out-Gridview

[ad.5a] Check Deleted USERS Against AD

$csExportCSV = Import-CSV $($csExportCSVFilepath + ".csv")
$objectListUsers = @()
$csExportCSV | ?{$_."Object-Type" -eq "user" -And $_."Ops-Type" -eq "delete"} | %{
    $immutableID = $null
    $immutableID = $_."Source-ID"
     $userPrincipalName = $null
    $userPrincipalName = $_."AD-ID"

    $ldapFilter = $null
    $ldapFilter = "(|(raboADImmutableID=$immutableID)(userPrincipalName=$userPrincipalName))"

    $adObject = $null
    $adObject = Get-ADObject -LDAPFilter $ldapFilter -Server :3268 -Properties *

    $displayName = $null
    $status = $null
    $canonicalName = $null

    If ($adObject) {
        $displayName = $adObject.DisplayName
        $status = If (($adObject.userAccountControl -band 2) -eq "2") {"Disabled"} Else {"Enabled"}
        $canonicalName = $adObject.CanonicalName
    } Else {
        $displayName = "Unavailable"
        $status = "Unavailable"
        $canonicalName = "Unavailable"
    }

    $object = New-Object -TypeName System.Object
    $object | Add-Member -MemberType NoteProperty -Name "immutableID" -Value $immutableID
    $object | Add-Member -MemberType NoteProperty -Name "userPrincipalName" -Value $userPrincipalName
    $object | Add-Member -MemberType NoteProperty -Name "displayName" -Value $displayName
    $object | Add-Member -MemberType NoteProperty -Name "status" -Value $status
    $object | Add-Member -MemberType NoteProperty -Name "canonicalName" -Value $canonicalName
    $objectListUsers += $object
}
$objectListUsers | Out-GridView

REMARK: A Gridview will be opened automatically telling you the status of the object and if it exists in AD

[ad.5b] Check Deleted GROUPS Against AD

$objectListGroups = @()
$csExportCSV | ?{$_."Object-Type" -eq "group" -And $_."Ops-Type" -eq "delete"} | %{
    $immutableID = $null
    $immutableID = $_."Source-ID"
    $domain = $null
     $domain = $($_."AD-ID").SubString(0, $($_."AD-ID").IndexOf("\"))
    $sAMAccountName = $null
    $sAMAccountName = $($_."AD-ID").SubString($($_."AD-ID").IndexOf("\") + 1)
    $ldapFilter = $null
    $ldapFilter = "(|(raboADImmutableID=$immutableID)(sAMAccountName=$sAMAccountName))"
    $adObject = $null
    $adObject = Get-ADObject -LDAPFilter $ldapFilter -Server $domain`:389 -Properties *
    $displayName = $null
    $canonicalName = $null
    If ($adObject) {
        $displayName = $adObject.DisplayName
        $canonicalName = $adObject.CanonicalName
    } Else {
        $displayName = "Unavailable"
        $canonicalName = "Unavailable"
    }
    $object = New-Object -TypeName System.Object
    $object | Add-Member -MemberType NoteProperty -Name "immutableID" -Value $immutableID
    $object | Add-Member -MemberType NoteProperty -Name "sAMAccountName" -Value $sAMAccountName
    $object | Add-Member -MemberType NoteProperty -Name "displayName" -Value $displayName
    $object | Add-Member -MemberType NoteProperty -Name "canonicalName" -Value $canonicalName
    $objectListGroups += $object
}
$objectListGroups | Out-GridView

REMARK: A Gridview will be opened automatically telling you the status of the object and if it exists in AD

[ad.5c] Check Deleted CONTACTS Against AD

Function GuidToEscapedByte($guid) {
    $guidParts = $guid.Split("-")
     $reverse = $guidParts[0].ToCharArray()[($guidParts[0].Length – 1)..0] + $guidParts[1].ToCharArray()[($guidParts[1].Length – 1)..0] + $guidParts[2].ToCharArray()[($guidParts[2].Length – 1)..0]
    $rest = $guidParts[3].ToCharArray() + $guidParts[4].ToCharArray()
    for ($inc =0; $inc -lt $reverse.Length; $inc+=2) {
        $escapedGUID = $escapedGUID + "\" + $reverse[$inc+1] + $reverse[$inc]
    }
    for ($inc =0; $inc -lt $rest.Length; $inc+=2) {
        $escapedGUID = $escapedGUID + "\" + $rest[$inc] + $rest[$inc+1]
    }
    return $escapedGUID
}
$csExportCSV = Import-CSV $($csExportCSVFilepath + ".csv")
$objectListContacts = @()
$csExportCSV | ?{$_."Object-Type" -eq "contact" -And $_."Ops-Type" -eq "delete"} | %{
    $immutableID = $null
    $immutableID = $_."Source-ID"
    $objectGUID = $null
    $objectGUID = (New-Object -TypeName System.Guid -ArgumentList(,(([System.Convert]::FromBase64String($immutableID))))).Guid
    $objectGUIDEscaped = $null
    $objectGUIDEscaped = GuidToEscapedByte $objectGUID
    $mail = $null
    $mail = $_."AD-ID"
     $ldapFilter = $null
    $ldapFilter = "(|(objectGUID=$objectGUIDEscaped)(mail=$mail))"
    $adObject = $null
    $adObject = Get-ADObject -LDAPFilter $ldapFilter -Server :3268 -Properties *
    $displayName = $null
    $canonicalName = $null
    If ($adObject) {
        $displayName = $adObject.DisplayName
         $canonicalName = $adObject.CanonicalName
    } Else {
         $displayName = "Unavailable"
        $canonicalName = "Unavailable"
    }
    $object = New-Object -TypeName System.Object
     $object | Add-Member -MemberType NoteProperty -Name "immutableID" -Value $immutableID
    $object | Add-Member -MemberType NoteProperty -Name "mail" -Value $mail
    $object | Add-Member -MemberType NoteProperty -Name "displayName" -Value $displayName
    $object | Add-Member -MemberType NoteProperty -Name "canonicalName" -Value $canonicalName
    $objectListContacts += $object
}
$objectListContacts | Out-GridView

REMARK: A Gridview will be opened automatically telling you the status of the object and if it exists in AD

Now assuming you have confirmed all deletions are expected, you can lift the threshold or increase its value (temporarily) to allow the sync cycle to succeed! You need an Azure AD Admin Account with the Global Administrator role

  • If needed elevate your account through https://portal.azure.com/ → Privileged Identity Management \ Azure AD Roles \ Global Administrator – Activate
  • On the active AAD Connect server, open a PowerShell Command prompt Window and execute:

$aadAdminCreds=Get-Credential

Get-ADSyncExportDeletionThreshold -AADCredential $aadAdminCreds

Disable-ADSyncExportDeletionThreshold -AADCredential $aadAdminCreds

REMARK: The sync engine maybe synching as you do that and you may receive an error. Just wait until the sync engine finishes.

  • As soon as the sync engine is not executing a sync cycle, execute:

Start-ADSyncCycle -PolicyType Delta

  • As soon as that sync cycle has finished enable the threshold again using the previous value

Enable-ADSyncExportDeletionThreshold -DeletionThreshold <value> -AADCredential $aadAdminCreds

PS: this script also works for Pending Export Deletes in FIM/MIM and the script supports multiple source XML files (each for a different CS) as input files!

Ohhh, and I almost forgot! You can download the script from here! Smile

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Advertisement

Posted in Azure AD Connect, Connector/MA, CSExport, Forefront Identity Manager (FIM) Sync, Microsoft Identity Manager (MIM), PowerShell, Tooling/Scripting, Tools, Windows Azure Active Directory | 1 Comment »

(2015-11-12) Third-Party Generic SQL Management Agent (Connector) Released For FIM/MIM

Posted by Jorge on 2015-11-12


Søren Granfeldt has released a generic SQL MA/Connector that can be used with both FIM and MIM, instead of the default available SQL MA/Connector.

Main features are:

  • Synchronize almost any type of information with SQL Server tables
  • Flexible schema
  • Run stored procedures against the tables as part of the sync import and export schedules
  • Full and delta imports
  • Delta and full exports
  • Can keep and revive deleted information / rows

More information: Generic SQL Management agent released

Download this SQL MA/Connector from Codeplex: SQL Management Agent

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Connector/MA, Forefront Identity Manager (FIM) Sync | Leave a Comment »

(2015-10-20) FIM 2010 R2 And MIM 2016: Sharepoint Services Connector (Updated)

Posted by Jorge on 2015-10-20


This new Sharepoint Services connector (v4.3.1935.0) was released by Microsoft on 20-10-2015 (dd-MM-yyyy)

The SharePoint User Profile Store helps you synchronize identity information to the User Profile Store in SharePoint. You can download it from here. More detailed information can be found through the SharePoint Services Connector for FIM 2010 R2 Technical Reference and through MS-KBQ3100358

From a high level perspective, the following features are supported by the current release of the connector:

Requirement Support
Operating System Support Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
Other Required Software Microsoft .NET 4.5 Framework
FIM/MIM Version FIM 2010 R2 SP1 (build 4.1.3114.0 and higher) ((2013-01-12) Service Pack 1 For Forefront Identity Manager 2010 R2 And BHold Has Been Released)
MIM 2016
Data Source

SharePoint Server 2013 with User Profile service application (UPA)

Supported Scenarios Object Lifecycle Management
User Management
Supported Operations Against Data Source Full Import
Delta Import
Export
Schema

User
Group
Contact

Table 1: Requirements And Supports Features

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Connector/MA, Forefront Identity Manager (FIM) Sync | Leave a Comment »

(2014-11-17) FIM 2010 R2: Hotfix Rollup Build 1.0.419.911 For The PowerShell Connector

Posted by Jorge on 2014-11-17


Microsoft released a new hotfix for the PowerShell Connector with build 1.0.419.911. What it fixes can be found in this blog post. For additional or detailed info see MS-KBQ3008179

Download link

PowerShell Connector for FIM 2010 R2 Technical Reference

Issues that are fixed

This hotfix rollup fixes the following issues that were not previously documented in the Microsoft Knowledge Base.

Issue 1

Creating a PowerShell connector without using an LDAP DN style fails because of an issue in the default template.

Features that are added

Features that are added

Feature 1

This update adds support for Windows PowerShell 4.0.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Connector/MA, Forefront Identity Manager (FIM) Sync, Updates | Leave a Comment »

(2014-11-13) FIM 2010 R2: Hotfix Rollup Build 1.0.419.911 For The Web Services Connector

Posted by Jorge on 2014-11-13


Microsoft released a new hotfix for the Web Services Connector with build 1.0.419.911. What it fixes can be found in this blog post. For additional or detailed info see MS-KBQ3008178

Download link

Issues that are fixed

This hotfix rollup fixes the following issues that were not previously documented in the Microsoft Knowledge Base.

Issue 1

The WebServices connector uses 100 percent CPU during password synchronization if many of the password operations fail with a password violation error.

Features that are added

Feature 1

This update adds support for REST-based web services. This includes support for XML and JSON data formats and for parsing these formats.

Feature 2

This update adds support for additional bindings for Transport and Message Level security. The new options are as follows:

  • BasicHTTPBinding
  • WSHttpBinding
  • NetTCPBinding

These bindings also support the following authentication methods:

  • Basic
  • Certificate
  • Digest
  • Windows

Feature 3

In new WebServices connectors, the capabilities page is visible. This makes it possible to configure the connectors’ behavior.

Feature 4

This update adds event tracing for Windows (ETW) logging to the WebServices connector and the configuration tool.

Feature 5

This update adds new templates for SAP to support the following object types:

  • User
  • Role
  • Group

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Connector/MA, Forefront Identity Manager (FIM) Sync, Updates | Leave a Comment »

(2014-11-09) FIM 2010 R2: Hotfix Rollup Build 1.0.419.911 For The Generic LDAP Connector

Posted by Jorge on 2014-11-09


Microsoft released a new hotfix for the Generic LDAP Connector with build 1.0.419.911. What it fixes can be found in this blog post. For additional or detailed info see MS-KBQ3008177

Download link

Generic LDAP Connector for FIM 2010 R2 Technical Reference

Issues that are fixed

This hotfix rollup fixes the following issues that were not previously documented in the Microsoft Knowledge Base.

Issue 1

An attribute in the Lightweight Directory Access Protocol (LDAP) schema that is defined as ‘NumericString’ – 1.3.6.1.4.1.1466.115.121.1.36 is defined incorrectly as an integer in the connector. These attributes are now defined as strings instead.

Issue 2

Delta import on Open LDAP is not processing object moves between organizational units (OUs) and containers correctly.

Features that are added

Feature 1

You can now authenticate on an LDAP server by using only a certificate. A username and password are not required.

Feature 2

If the Generic LDAP connector cannot automatically detect the correct way to do a delta import, a drop-down menu is now available that includes the supported options, and the administrator can select the correct option.

Feature 3

This hotfix adds support for the RadiantOne Virtual Directory Server (VDS) version 7.1.1. This version or a later version must be used for the connector to function correctly.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Connector/MA, Forefront Identity Manager (FIM) Sync, Updates | Leave a Comment »

(2013-12-02) FIM 2010 R2: Sharepoint Services Connector

Posted by Jorge on 2013-12-02


This new Sharepoint Services connector (v4.3.836.0) was released by Microsoft on 20-11-2013 (dd-MM-yyyy)

The SharePoint User Profile Store helps you synchronize identity information to the User Profile Store in SharePoint. You can download it from here. More detailed information can be found through the SharePoint Services Connector for FIM 2010 R2 Technical Reference.

From a high level perspective, the following features are supported by the current release of the connector:

Requirement Support
Operating System Support Windows Server 2008, Windows Server 2008 R2, Windows Server 2012
Other Required Software Microsoft .NET 4.5 Framework
FIM Version FIM 2010 R2 SP1 (build 4.1.3114.0 and higher) ((2013-01-12) Service Pack 1 For Forefront Identity Manager 2010 R2 And BHold Has Been Released)
Data Source

SharePoint Server 2013 with User Profile service application (UPA)

Supported Scenarios Object Lifecycle Management
User Management
Supported Operations Against Data Source Full Import
Delta Import
Export
Schema

User
Group
Contact

Table 1: Requirements And Supports Features

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Connector/MA, Forefront Identity Manager (FIM) Sync | Leave a Comment »

(2013-12-01) FIM 2010 R2: Generic LDAP Connector

Posted by Jorge on 2013-12-01


This new Generic LDAP connector (v4.3.836.0) was released by Microsoft on 20-11-2013 (dd-MM-yyyy)

The Generic LDAP Connector helps you to connect to LDAP systems (supporting LDAP v3 server (RFC 4510 compliant))  and support provisioning of identities, deprovisioning of identities, management of identity related information and password management capabilities.  You can download it from here. More detailed information can be found through the Generic LDAP Connector for FIM 2010 R2 Technical Reference.

From a high level perspective, the following features are supported by the current release of the connector:

Requirement Support
Operating System Support Windows Server 2008, Windows Server 2008 R2, Windows Server 2012
Other Required Software Microsoft .NET 4.0 Framework
FIM Version FIM 2010 R2 (build 4.1.3461.0 and higher) (A Hotfix Rollup Package (Build 4.1.3461.0) Is Available for Forefront Identity Manager 2010 R2)
Data Source LDAP v3 server (RFC 4510 compliant)
Supported Scenarios Object Lifecycle Management
Group Management
Password Management
Supported Operations Against Data Source

Supported By ALL LDAP Directories:

  • Full Import
  • Export

Supported By SPECIFIED LDAP Directories:

  • Delta import
  • Set and change password

Supported Directories for Delta import and Password management:

  • IBM Tivoli DS
    • Supports all operations for delta import
    • Supports Set Password and Change Password
  • Novell eDirectory
    • Supports Add, Update, and Rename operations for delta import
    • Does not support Delete operations for delta import
    • Supports Set Password and Change Password
  • Open LDAP (openldap.org)
    • Supports all operations for delta import
    • Supports Set Password
      Does not support change password
  • Oracle (previously Sun) Directory Server Enterprise Edition
    • Supports all operations for delta import
    • Supports Set Password and Change Password

Schema

Schema is detected from the LDAP schema (RFC3673 and RFC4512/4.2)

Supports structural classes, aux classes, and extensibleObject object class (RFC4512/4.3)

Table 1: Requirements And Supports Features

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Connector/MA, Forefront Identity Manager (FIM) Sync | 1 Comment »

(2013-11-28) FIM 2010 R2: Windows Azure Active Directory Connector

Posted by Jorge on 2013-11-28


This new Windows Azure Active Directory connector (v1.0.6567.0002) was released by Microsoft on 21-11-2013 (dd-MM-yyyy)

When having just one Active Directory Forest on-premises, it is preferred/recommended to use the out-of-the-box Directory Synchronization too, which can be downloaded from the Office 365 Admin Portal by following this link (you must have an Office 365 subscription). More detailed information can be found through the DirSync/WAAD Sync Tool Wiki. Detailed release history can be found through this link.

When having multiple Active Directory Forests on-premises it is preferred/recommended to use the new version of the Windows Azure Active Directory Connector. You can download it from here. More detailed information can be found through the Windows Azure Active Directory Connector for FIM 2010 R2 Technical Reference. To understand how to configure the connector see the Windows Azure Active Directory Connector for FIM 2010 R2 Quick Start Guide.

Other means of connecting to Azure Active Directory or Office 365 is by using the PowerShell Connector which is made available by Soren Granfeldt. You can find more info and download it from here.

From a high level perspective, the following features are supported by the current release of the connector:

Requirement Support
Operating System Support Windows Server 2008, Windows Server 2008 R2, Windows Server 2012
Other Required Software Microsoft .NET 4.0 Framework
Microsoft Online Services Sign-In Assistant
FIM Version FIM 2010 R2 (build 4.1.3496.0 and higher) ((2013-11-23) A Hotfix Rollup Package (Build 4.1.3496.0) Is Available for Forefront Identity Manager 2010 R2)
Data Source Windows Azure Active Directory
Supported Scenarios Object Lifecycle Management
Group Management

PS: Password Hash Sync NOT SUPPORTED

Supported Operations Against Data Source Full Import
Delta Import
Export

PS: Any form of password management NOT SUPPORTED

Schema Fixed, not possible to add additional objects/attributes

Table 1: Requirements And Supports Features

And if you get this….

image

Figure 1: Possible Error When Configuring The Azure AD Connector And Still Using An Old Version Of The Sign-In Assistant

then, see: Troubleshooting Azure AD DirSync Tool Configuration Wizard: Failed to get address for method: CreateIdentityHandle2

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Connector/MA, Forefront Identity Manager (FIM) Sync | Leave a Comment »

 
%d bloggers like this: