Generic LDAP MA Error on Upgrade to AADConnect v1.1.649.0

Hey Guys

Another day – another bug #bugmaster (although a very small one)

If you use Azure AD Connect and manually upgrading to v1.1.649.0 and have a Generic LDAP MA in your configuration, after the upgrade you will get a “no-start-ma” error on Delta / Full Import or an “extension-dll-exception” on an export or when syncs start automatically after the upgrade.

Fix: Easy one – open the MA and click through each config page to refresh the MA manually.

Microsoft has acknowledged the bug and will fix it in the next release.

I am surprised as there aren’t that many MA extensions in AADConnect so how this was missed in their internal testing..

Powershell Tip: Send quick Email when a service goes down [Update: And bring it back up]

Yes we have SCOM monitoring and stuff, but if some testing or debugging is going on and do don’t want to do down the hassle of setting up alerts and just simply want to get notified when a service goes down, here is a simple script


It’s pretty self explanatory.

You can also send it to multiple recipients


Voila!! It will check every 10 seconds and if the service is in any other state apart from “Running”, it will send you an email and stop execution.

Update: And easy to bring it back up when it goes down. Run the following in PS as Admin. It will send a mail when service is down and bring it back up.



Google API Bug: orgUnitPath not returning after modification via patch / update

Another day.. Another bug!!!

We use Google API to provision and manage users in GoogleApps via Google MA FIM/MIM.

I have recently found that when you make changes to a user’s orgUnitPath and send it as a patch / update to Google, the API does not confirm it by returning the value in the return. But the change is actually made and if you do a GET for the user you can see the modified orgUnitPath

It fails to do the same with Google API Explorer and OAUTH Playground


Response (no orgUnitPath is returned although change has been made)

Google has confirmed this as a high priority bug (b/65534998) but its been a week since reported.. Their current workaround suggested is to use GET after doing a PUT or a PATCH and not rely on the current return values of them. Doesn’t really solve the issue for us in an extremely large environment and also means changing the code etc..

Keep calm and wait!!!

KISS for MIM – Autosync

This one has been long overdue and about time that the community realizes how easy it can make your daily life with FIM/MIM.

A wonderful tool which keeps our engine purring like a kitten and all the cogs moving – Autosync written by @RyanLNewington

Since the past two year or so, it has evolved and now it is becoming mainstream with him making it more user friendly, GUI enabled and with KISS strategy (Love the strategy – Keep It Simple Stupid!!!).. It has now culminated as AutoSync.

We’ve worked together and I’ve done a lot of testing (somehow I have the notorious name of bug finder – I find them or say they find me in every product I’ve touched – FIM / MIM / Google / Lithnet / Oracle MA / Generic LDAP MA <– don’t even get me started with that one)

It’s extremely simple to use and self explanatory. It installs as a service, and has a easy to read XML config (no need to dive into as GUI makes it easy) and an “Execution Monitor” to show you the status of all  your runs.

Some of the features to list

  • Auto detect all MA in the environment and list them for configuration.
  • Automatically detect and prepopulate run profiles tab with best matching one.
  • Advance trigger capability to detect changes in the MA source and run only when needed
  • Ability to make changes to individual MA and restart only that component.
  • Ability to mention a list of MA’s not to run if a particular MA is running (to give priority or avoid deadlock situations)
  • One-Click button to create MPR / Set and service account in FIMService which helps in change detection in FIM/MIM Service.
  • Easy to configure and send mail notification of errors and customize it according to the errors you want to see / or ignore
  • Clear run history and store it as a maintenance task.
  • Different execution modes according to your choice (Supported / Exclusive / Unsupported)

The above is definitely not an exhaustive list and there are many more hidden and advance features which I can cover if it makes it to the final cut.

Let’s take an example on how we can utilize it in real world very easily. No coding experience needed.

We have an environment with 9 Management Agents (not the biggest in the world out there by far). We have some business rules which bind us to set provisioning times and deprovisioning times. Which means we need to keep the wheel moving – always and in sync.

Lithnet Autosync has a very easy to understand GUI interface. We can set which profiles to run to confirm an export (Confirming Import) or say which profile to run if the MA hasn’t run for X amount of time – scheduled import (which you can set as well).

For AD / LDS / LDAP MA we have change detection capabilities which basically runs the delta import / Full Import (whatever you configure) only when it detects a change for the system.

In the above example you can see I have also configured a “scheduled interval” which runs a full import for the MA every day at 2am. We do this to make sure the system is clean and up-to-date with the source. I have configured it for all the MA to run daily at different time intervals during non business hours so that the system is “clean” when we come back the next day. You can also configure them run exclusively to each other so that no clash occur (if that is a concern in your system).

You can also do change detection by writing power shell scripts and then running import run profile. We use an SQL based MA (ACMA) where we use such and example where the script looks at the Object Delta table and makes runs the DI (Delta Import) profile only if a change is detected. It can be as little as every second check but I run it every 5 second.

There are more such examples in “C:\Program Files\Lithnet\AutoSync\Examples” folder once you install it. We also have scripts to detect changes in a PostGres DB.

There is so much more we do with it. There are some MA which we use just for versioning purpose. So we simply have them as “unconfigured” so they are not used in the run.

Two most useful features I would like to show you are

Execution Mode

The text below are self explanatory but in a nutshell

  • Supported (Recommended): What Microsoft dictates – Never run sync profiles while any other profile is running. Import and export profiles of different MA can still run in parallel. When a sync profile runs its take precedence lock and doesn’t allow other profiles to run (they queue up)
  • Exclusive Mode (I call it the SloMo Mode): Every run profile in every MA are run exclusively. Slowest mode and possibly the safest mode if you are not concerned with timings and speed.
  • Unsupported Mode (Against the Bible): I use this quite often as I am confident of our environment and what we need in terms of SLA to provision / deprovision users. The difference in this mode v/s supported is that in this mode a sync profile can run while other MA are running their import / export profile.

Execution Monitor

This is where you can keep an eye on things like what is MA is running, what profile is running, what has the lock and what others are waiting to run next.

You can see a lot of live and useful information there.

  • You can see two MA are executing Full Import (FI) – A Play button indicates that
  • You can see that an MA has a lock and its preparing to start a Delta Sync (DS) and then after that it has Delta Import (DI) and EALL (Export All) queued up.
  • Another MA wants to run a delta sync (DS) and is waiting to take lock from the previous MA.
  • You can click on the MA and see the run history and logs of what it has done (depicted in the windows below)
  • As you would have guessed – my system is running in unsupported mode currently.
  • You can stop all execution and/or stop and cancel all runs from the button on top.
  • You can also uncheck the “Automatically start executors when service starts” so that when Autosync service starts it will not start any executions – handy when you want to check all config before you kick off the syncs.

There is so much you can do with the package that I haven’t even begin to list them here.

Hope this small post has given you some insight on the capabilities of Autosync and the potential it has to radicalize and make your environment more friendly and easy to use.

Let me know if you need a solution with AutoSync and I can probably help you with that….

AzureAD: Get List of all users with a particular license

You might have to do reporting and want a list of all users in Azure AD which have a particular license..

Following is an easy way to do so

Get-MsolAccountSku will give you a table of all the License Types you have and count

AccountSkuId ActiveUnits WarningUnits ConsumedUnits

You can then choose the AccountSkuId you want to report on and pass that in the “TENANTNAME:AAD_PREMIUM” of the Get-MSOLUser command

It took me about 20 min to run this report for about 155000 users