Tuesday, March 8, 2016

How to Schedule and Force Sync Updates with AAD Connect 1.1.x

Microsoft has made some significant changes to AAD Connect in version 1.1.x. New features include:
  • Automatic upgrade feature for Express settings customers
  • Support for the global admin using MFA and PIM in the installation wizard
  • Allow changing the user's sign-in method after initial install
  • Allow Domain and OU filtering in the installation wizard. This also allows connecting to forests where not all domains are available.
  • Scheduler is built-in to the sync engine and the default schedule is now 30 minutes
  • Plus there's MOAR!

You can download the latest version of AAD Connect here.

Note that the new Automatic Upgrade feature is not enabled unless you install AAD Connect with Express settings. Customized settings require more configuration, so automatic upgrade is not possible in these scenarios (yet).

They also changed the way you manage AAD Connect synchronization schedules and manual syncs (again). I swear sometimes these guys are psychotic.

Scheduling Synchronization

In previous versions, the synchronization schedule was implemented as a scheduled task in Windows. Now it's part of the sync engine and is configured via a PowerShell cmdlet. Previous versions synchronized every 3 hours; now it's every 30 minutes! Run the new Get-ADSyncScheduler cmdlet to view the current synchronization schedule:

Default synchronization schedule in AAD Connect 1.1.105

If you want to adjust the default schedule, run the Set-ADSyncScheduler cmdlet. Note that you cannot set the schedule lower than the AllowedSyncCycleInterval of 30 minutes, but you can set it higher. If you try to use a value less than 30 minutes, you will get an error:

Cannot change AAD Connect sync frequency less than 30 minutes

If you DO find a way to adjust the schedule lower, understand that this is not supported by Microsoft.

Set-ADSyncScheduler accepts the following parameters:
  • CustomizedSyncCycleInterval <timespan> -- Used to set the custom sync cycle interval. Must be higher than the Allowed Sync Cycle Interval.
  • SyncCycleEnabled <bool> -- Enables or disables scheduled synchronization.
  • NextSyncCyclePolicyType <SynchronizationPolicyType> {Unspecified | Delta | Initial} -- Specifies how the next synchronization will work. Delta only syncs changes since the last sync. Initial will perform a full resynchronization.
  • PurgeRunHistoryInterval <timespan> -- The interval at which AAD Connect purges the operation logs for past sync jobs. The default is to keep them for 7 days.
  • MaintenanceEnabled <bool> -- Enables maintenance mode, which lets you update the certificates/keys and purge the operations log.
  • Force -- Makes the setting changes without warnings or confirmation. It does NOT force AAD Connect to accept a custom sync schedule that is lower than the Allowed Sync Cycle Interval.

Forcing Synchronization

If you want to run a sync sooner than the next scheduled run, you can do it manually using the new Start-ADSyncSyncCycle cmdlet. For example:

    Start-ADSyncSyncCycle -PolicyType Delta

This will force a delta sync immediately, as long as a scheduled sync is not running. Use PolicyType Initial to force a full sync.
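
The two operations above, changing the interval without going below the 30-minute floor and forcing a sync only when no cycle is running, as an added PowerShell example that is not from the original post. The function names Set-SyncInterval and Start-SyncWhenIdle are hypothetical, and the SyncCycleInProgress property comes from Microsoft's documented Get-ADSyncScheduler output rather than from this page.

```powershell
# Added example, not from the original post. Run on the AAD Connect server.
Import-Module ADSync

function Set-SyncInterval {
    param([Parameter(Mandatory = $true)][timespan]$Interval)

    $scheduler = Get-ADSyncScheduler
    # The engine rejects anything below AllowedSyncCycleInterval (30 minutes),
    # so fail early with a clear message instead of relying on the cmdlet error.
    if ($Interval -lt $scheduler.AllowedSyncCycleInterval) {
        throw "Requested $Interval is below the allowed minimum $($scheduler.AllowedSyncCycleInterval)."
    }
    Set-ADSyncScheduler -CustomizedSyncCycleInterval $Interval
    # Return the scheduler state so the caller can review the new settings.
    Get-ADSyncScheduler
}

function Start-SyncWhenIdle {
    param(
        [ValidateSet('Delta', 'Initial')][string]$PolicyType = 'Delta',
        [int]$TimeoutSeconds = 600
    )

    # A manual cycle cannot start while another one is running, so wait for
    # the current cycle to finish, up to the timeout.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) {
            throw "A sync cycle was still running after $TimeoutSeconds seconds."
        }
        Start-Sleep -Seconds 10
    }
    Start-ADSyncSyncCycle -PolicyType $PolicyType
}

# Constructed usage: sync every hour, then push pending changes right away.
Set-SyncInterval -Interval '01:00:00'
Start-SyncWhenIdle -PolicyType Delta
```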
