I recently got an opportunity to set up directory sync with password sync for a big organization. During this setup I realised that a lot changes when the scope increases from 200 users to 50,000 users.
I faced multiple challenges and learnt a lot. To make it simpler for others, I am publishing my learnings here; hope it helps.
Office 365 Directory Sync with Password Sync:
If you are considering password sync with directory sync for your big multi-domain environment, you may face the following issues:
Issues with configuring Directory Sync:
Directory Sync tries to reach the domain controllers of all the child domains in the environment to grant permissions to the MSOL user. If DirSync is not able to reach some domain controller, or the domain controller it reaches is not responding properly, you may face any of the above errors.
In that case you need to find out which domain controller is causing the problem; Netmon can help you with that.
Start a Netmon trace and then run DirSync. Expand the configuration.exe section; the last entry in this section tells you which DC DirSync could not proceed with, and if you expand it you get information about the reason.
The above example shows that the child domain controller is not able to authenticate the Enterprise Admin ID that is being used for configuring Directory Sync; it seems that the DC is not able to communicate with the root domain controller.
In this way you can find out which domain controller has the problem and fix it.
If you have multiple domain controllers in a domain, DirSync can communicate with any domain controller of that domain. If there is a problem with one domain controller, you can run DirSync again and again, and it may happen that it communicates with a DC that is working fine.
Once you have managed to configure DirSync in your environment, it may happen that passwords are not synchronizing. (Ideally a password should sync within 3 to 5 minutes.)
- Password sync events are not generated at all.
Ideally you should see events 656 & 657 in the Application log if password sync is working.
If such events are not generated, you should check whether password sync is configured or not.
Run the DirSync configuration once again and make sure the password sync check box is checked.
Or you can also run “Enable-MSOnlinePasswordSync” from the “DirSyncConfigShell.psc1” PowerShell console.
- If password sync events are still not generated, try forcing password sync.
Force password sync:
- Using a command
Open PowerShell, and then type Import-Module DirSync.
Type Set-FullPasswordSync, and then press Enter.
Restart the Forefront Identity Manager Synchronization Service.
- Using the Registry
Go to the location below.
If the key FullSyncRequired is not available, create it.
Change the value of FullSyncRequired to 1.
Restart the FIMSynchronizationService service.
Event 657 should start coming.
You can also troubleshoot by enabling the password sync log; for that, run “Enable-PasswordSyncLog”.
How to force password sync logging:
Create a 32-bit DWORD named “FeaturePwdSyncLogLevel” and set its value to 3.
Restart the FIMSynchronizationService service.
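As an added example (not code from the original post), the following PowerShell script puts the steps above together: it checks the Application log for events 656/657, and on request sets FullSyncRequired and FeaturePwdSyncLogLevel and restarts the FIM service. The registry path is a placeholder you must replace with the location given in the post, and it is assumed that both DWORD values live under that same key.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# on the DirSync server. $PasswordSyncKey is a PLACEHOLDER: replace it with
# the registry location given in the post (both DWORD values from the post
# are assumed to live under that same key).
param(
    [string]$PasswordSyncKey = 'HKLM:\SOFTWARE\<password-sync-key-from-the-post>',
    [int]$LookBackHours = 1,
    [switch]$ForceFullSync
)

# Step 1: are the 656/657 password sync events being written to the
# Application log at all? If not, password sync is probably not configured.
function Get-PasswordSyncEvents {
    param([int]$Hours)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Application'
        Id        = 656, 657
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
}

$events = Get-PasswordSyncEvents -Hours $LookBackHours
if (-not $events) {
    Write-Warning "No 656/657 events in the last $LookBackHours h. Re-run DirSync with the password sync box checked, or run Enable-MSOnlinePasswordSync, then force a sync with -ForceFullSync."
} else {
    $events | Group-Object Id | ForEach-Object { "{0} x event {1}" -f $_.Count, $_.Name }
}

# Step 2: the two registry procedures from the post, followed by the
# service restart they both require.
function Request-FullPasswordSync {
    param([string]$Key)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # FullSyncRequired = 1 requests a full password sync on the next cycle.
    Set-ItemProperty -Path $Key -Name FullSyncRequired       -Value 1 -Type DWord
    # FeaturePwdSyncLogLevel = 3 enables the verbose password sync log.
    Set-ItemProperty -Path $Key -Name FeaturePwdSyncLogLevel -Value 3 -Type DWord
    Restart-Service -Name FIMSynchronizationService -Force
}

if ($ForceFullSync) {
    Request-FullPasswordSync -Key $PasswordSyncKey
    # Step 3: after the restart, 657 events should start coming again.
    Start-Sleep -Seconds 300   # the post expects a password to sync in 3-5 minutes
    Get-PasswordSyncEvents -Hours 1 | Where-Object { $_.Id -eq 657 } |
        Select-Object TimeCreated, Id, Message | Format-Table -Wrap
}
```

Run it once without switches to see whether any 656/657 events exist, then with -ForceFullSync once you have filled in the registry path.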
- If the password sync log is being generated but passwords are not synchronizing.
It may happen that you do see event 567 for some users, saying their password got synced, but not for the user whose password you are changing.
There is no clear documentation from Microsoft that says how passwords are synchronized, and there is no customization available to designate a particular domain controller for password sync.
If your environment is big, password sync may take an hour or more, or it won’t sync a password at all even though event 567 is being generated. This clearly implies that there is an issue with your AD environment, either with password replication or with the objects whose passwords are getting synced. DirSync synchronizes passwords in chunks.
You should do the following:
- Identify AD replication issues, especially password replication, and fix them.
- Run the IdFix utility and fix object-related issues.
- Customize FIM to remove unnecessary objects from the replication scope. (I’ll be publishing a separate document for this.)
Hope the above information is helpful to others who are facing such issues.