I recently got an opportunity to set up directory sync with password sync for a large organization. During this setup I realised that a lot changes when the scope grows from 200 users to 50,000 users.

I faced multiple challenges and learnt a lot; to make it simpler for others, I am publishing my learnings here. Hope it helps.


Office 365 Directory Sync with Password Sync:

If you are considering password sync together with directory sync for a large multi-domain environment, you may face the following issues:

Issues with configuring Directory Sync:

  1. The user name or password is incorrect
  2. Unknown error (0x80005000)

[Screenshot 1]

[Screenshot 2]

Directory Sync tries to reach the domain controllers of all child domains in the forest in order to grant permissions to the MSOL user. If DirSync cannot reach one of those domain controllers, or the domain controller it reaches does not respond properly, you may see either of the above errors.

You then need to find out which domain controller is causing the problem; Network Monitor (Netmon) can help you with that.

Start a Netmon trace and then run DirSync. Expand the configuration.exe section: the last entry in that section tells you which DC DirSync could not proceed with, and expanding that entry gives you the reason.

[Screenshot 3]

[Screenshot 4]

The above example shows that the child domain controller is not able to authenticate the Enterprise Admin account being used to configure Directory Sync; it appears that this DC cannot communicate with the root domain controller.

In this way you can find out which domain controller has the problem and fix it.

If a domain has multiple domain controllers, DirSync can communicate with any of them. If one domain controller has a problem, you can simply run DirSync again; it may then happen to pick a DC that is working fine.

Once you have managed to configure DirSync in your environment, it may still happen that passwords are not synchronizing. (Ideally a password should sync within 3 to 5 minutes.)
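Before starting a Netmon trace it is worth checking, from the DirSync server itself, whether every domain in the forest has at least one DC that answers on the ports the configuration wizard needs. The script below is an added example and not part of the original post or of the DirSync product; it assumes the ActiveDirectory RSAT module is installed on the DirSync server and that the account running it can query the forest. The function name `Test-DirSyncDomainReachability` is my own.

```powershell
# Added example (not from the original post): enumerate every domain in the
# forest and test LDAP (389) and Kerberos (88) reachability of each DC, then
# confirm the DC actually answers an LDAP query. Failures are the DCs to
# look at in the Netmon trace.
# Assumption: ActiveDirectory RSAT module present; run as a domain account.
Import-Module ActiveDirectory

function Test-DirSyncDomainReachability {
    param(
        # LDAP and Kerberos are both used when DirSync grants the MSOL user its rights
        [int[]]$Ports = @(389, 88)
    )
    $forest = Get-ADForest
    foreach ($domainName in $forest.Domains) {
        try {
            $dcs = Get-ADDomainController -Filter * -Server $domainName
        } catch {
            # Could not even locate DCs for this domain (DNS or trust problem)
            [pscustomobject]@{ Domain = $domainName; DC = '(lookup failed)'; Check = 'locate'; Ok = $false; Detail = $_.Exception.Message }
            continue
        }
        foreach ($dc in $dcs) {
            foreach ($port in $Ports) {
                $ok = Test-NetConnection -ComputerName $dc.HostName -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
                [pscustomobject]@{ Domain = $domainName; DC = $dc.HostName; Check = "tcp/$port"; Ok = $ok; Detail = $null }
            }
            # A reachable port is not enough: the DC must also answer an LDAP bind/query
            try {
                $null = Get-ADRootDSE -Server $dc.HostName -ErrorAction Stop
                [pscustomobject]@{ Domain = $domainName; DC = $dc.HostName; Check = 'ldap-query'; Ok = $true; Detail = $null }
            } catch {
                [pscustomobject]@{ Domain = $domainName; DC = $dc.HostName; Check = 'ldap-query'; Ok = $false; Detail = $_.Exception.Message }
            }
        }
    }
}

# Show only the failures; if a whole domain has no passing DC, fix that
# before re-running the DirSync configuration wizard.
Test-DirSyncDomainReachability | Where-Object { -not $_.Ok } | Format-Table -AutoSize
```

Run it as the same account you will use in the wizard, so that the LDAP query check exercises the same authentication path the wizard does.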

Possible scenarios:

  1. Password sync events are not being generated at all.

Ideally you should see events 656 and 657 in the Application log if password sync is working:

http://support.microsoft.com/kb/2855271

If no such events are being generated, you should check whether password sync is configured at all.

Run the DirSync configuration wizard once again and make sure the password sync check box is checked.

Or you can run “Enable-MSOnlinePasswordSync” from the “DirSyncConfigShell.psc1” PowerShell console.

  • If password sync events are still not being generated, try forcing a password sync.

Force password sync:

  1. Using commands

Open PowerShell, and then type Import-Module DirSync

Type Set-FullPasswordSync, and then press Enter

Open Services.msc

Restart the Forefront Identity Manager Synchronization Service.

  2. Using the registry

Go to the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSOLCoExistence\PasswordSync

If the value FullSyncRequired does not exist, create it

Set FullSyncRequired to 1

Restart the service FIMSynchronizationService

Event 657 should then start appearing.
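Both ways of forcing a full password sync, followed by a check that event 657 actually appears, as one added script. This is an example I have added and not code from the original post or from the DirSync product; it assumes it runs elevated on the DirSync server, uses the Set-FullPasswordSync cmdlet and the FullSyncRequired registry value named above, and treats FullSyncRequired as a DWORD (an assumption, since the post does not state the value type). The function name `Invoke-ForcedPasswordSync` is my own.

```powershell
# Added example (not from the original post): force a full password sync via
# the DirSync cmdlet, fall back to the registry flag if the module is not
# available, restart the FIM sync service, then wait for event 657.
# Assumptions: run elevated on the DirSync server; FullSyncRequired is a DWORD.
function Invoke-ForcedPasswordSync {
    param([int]$TimeoutMinutes = 10)

    $regPath = 'HKLM:\SOFTWARE\Microsoft\MSOLCoExistence\PasswordSync'
    $start   = Get-Date

    if (Get-Module -ListAvailable -Name DirSync) {
        # Method 1 from the post
        Import-Module DirSync
        Set-FullPasswordSync
    } else {
        # Method 2 from the post: create/set FullSyncRequired = 1
        if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
        New-ItemProperty -Path $regPath -Name 'FullSyncRequired' -Value 1 -PropertyType DWord -Force | Out-Null
    }

    # Either method only takes effect after the sync service restarts
    Restart-Service -Name FIMSynchronizationService -Force

    # Poll the Application log for an event 657 written after we started
    do {
        Start-Sleep -Seconds 30
        $evt = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 657; StartTime = $start } `
                            -MaxEvents 1 -ErrorAction SilentlyContinue
    } until ($evt -or ((Get-Date) - $start).TotalMinutes -ge $TimeoutMinutes)

    if ($evt) {
        Write-Output "Event 657 logged at $($evt.TimeCreated); password sync is running."
    } else {
        Write-Warning "No event 657 within $TimeoutMinutes minutes; enable the password sync log and check AD replication."
    }
    return [bool]$evt
}

Invoke-ForcedPasswordSync
```

Restarting FIMSynchronizationService interrupts any sync run in progress, so do this outside a scheduled sync window where possible.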

You can also troubleshoot by enabling the password sync log; to do so, run “Enable-PasswordSyncLog”.

Using the registry (how to force password sync logging):

Go to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Logging

Create a 32-bit DWORD named “FeaturePwdSyncLogLevel” and set its value to 3

Restart the service FIMSynchronizationService
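The registry steps above as an added script with a matching disable step, since verbose logging should not stay on permanently. This is my own example, not code from the original post or from DirSync; it assumes it runs elevated on the DirSync server and that removing the FeaturePwdSyncLogLevel value restores the default logging level (an assumption, since the post only describes turning logging on). The function names are my own.

```powershell
# Added example (not from the original post): enable verbose password sync
# logging by creating the FeaturePwdSyncLogLevel DWORD (value 3) described
# in the post, restart the sync service, and report the value in effect.
# Assumption: run elevated; removing the value restores default logging.
$script:PwdSyncLogPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Logging'

function Enable-PasswordSyncLogging {
    param([int]$Level = 3)
    if (-not (Test-Path $script:PwdSyncLogPath)) {
        New-Item -Path $script:PwdSyncLogPath -Force | Out-Null
    }
    New-ItemProperty -Path $script:PwdSyncLogPath -Name 'FeaturePwdSyncLogLevel' `
                     -Value $Level -PropertyType DWord -Force | Out-Null
    Restart-Service -Name FIMSynchronizationService -Force
    # Return the value now stored so the caller can confirm it took effect
    (Get-ItemProperty -Path $script:PwdSyncLogPath -Name 'FeaturePwdSyncLogLevel').FeaturePwdSyncLogLevel
}

function Disable-PasswordSyncLogging {
    # Remove the value again once troubleshooting is done: verbose logs grow
    # quickly and contain account names, so they should not be left enabled.
    Remove-ItemProperty -Path $script:PwdSyncLogPath -Name 'FeaturePwdSyncLogLevel' -ErrorAction SilentlyContinue
    Restart-Service -Name FIMSynchronizationService -Force
}

Enable-PasswordSyncLogging   # expected to return 3
```

After enabling, reproduce a password change for a test account and read the password sync log before calling Disable-PasswordSyncLogging.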

  • If the password sync log is being generated but passwords are not synchronizing.

It may happen that you do see event 567 for some users, showing that their passwords got synced, but not for the user whose password you are changing.

There is no clear documentation from Microsoft on how passwords are synchronized, and there is no customization available to designate a particular domain controller for password sync.

If your environment is large, password sync may take an hour or more, or it may not sync a password at all even though event 567 is being generated. This clearly implies an issue with your AD environment, either with password replication or with the objects whose passwords are being synced. DirSync synchronizes passwords in chunks.

You should do the following:

  1. Identify AD replication issues, especially password replication, and fix them.
  2. Run the IdFix utility and fix object-related issues.

http://www.microsoft.com/en-us/download/details.aspx?id=36832

  3. Customize FIM to remove unnecessary objects from the replication scope. (I’ll be publishing a separate document for this.)
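For step 1, the quickest way to tell a password sync problem from a password replication problem is to check whether the new password has actually reached every DC. The script below is an added example, not code from the original post or from DirSync; it assumes the ActiveDirectory RSAT module (Windows Server 2012 or later for the replication cmdlets) and reads pwdLastSet for one account from every DC in the domain, then lists forest-wide replication failures. The function names are my own.

```powershell
# Added example (not from the original post): compare pwdLastSet for one
# account across all DCs of a domain (DCs that still show the old timestamp
# have not received the password change), then list replication failures
# forest-wide. Assumption: ActiveDirectory module present, Server 2012+.
Import-Module ActiveDirectory

function Compare-PwdLastSetAcrossDCs {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties pwdLastSet -ErrorAction Stop
            [pscustomobject]@{
                DC         = $dc.HostName
                Site       = $dc.Site
                PwdLastSet = [DateTime]::FromFileTime($u.pwdLastSet)   # pwdLastSet is a FILETIME
            }
        } catch {
            [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; PwdLastSet = "error: $($_.Exception.Message)" }
        }
    }
}

function Get-ForestReplicationFailures {
    $forestName = (Get-ADForest).Name
    Get-ADReplicationFailure -Target $forestName -Scope Forest |
        Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError
}

# Usage: change the password of a test account, wait a few minutes, then run
# (replace testuser with the account you changed; a constructed placeholder)
Compare-PwdLastSetAcrossDCs -SamAccountName 'testuser' | Sort-Object PwdLastSet | Format-Table -AutoSize
Get-ForestReplicationFailures | Format-Table -AutoSize
```

If some DCs show an older pwdLastSet than the one you just set, the problem is AD replication, not DirSync; fix those partners (the replication failure list will usually name them) before spending time on the sync server.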

I hope the above information is helpful to others who are facing such issues.
