We have loads of objects in our AD / Azure AD. We believe doing regular Full Imports and Full Syncs for all the MAs is a good way to make sure the sync engine is healthy.
I recently visited #MSAUIGNITE 2017 in Gold Coast, Australia, and the SMEs there suggested a Full Sync is not needed in environments unless there has been a connector change. But I disagree and consider ADConnect as Microsoft Identity Manager (MIM / FIM), and by experience we have seen that for a good, healthy sync engine we should do FI / FS for maintenance.
After doing some initial sync timings, we found our FI from Azure took 9 hrs and FS took about 2 hrs. Likewise, from AD, FI took 1 hr and FS took 2 hrs.
We decided to schedule each FI and FS to make sure the sync engine is all caught up out of business hours.
Assumptions
- The MA is called “AzureAD”
- Run Profile Name is called “Full Import”
Do the following on our ADConnect Sync Box
- Create a PowerShell script with the following code and save it as “AzureFI.ps1” at a location, say D:\SyncScript

```powershell
Import-Module ADSync
# Pause the built-in scheduler and stop any running cycle before the manual run
Set-ADSyncScheduler -SyncCycleEnabled $false
Stop-ADSyncSyncCycle
try {
    Invoke-ADSyncRunProfile -ConnectorName "AzureAD" -RunProfileName "Full Import"
} finally {
    # Re-enable the scheduler even if the Full Import fails
    Set-ADSyncScheduler -SyncCycleEnabled $true
}
```
- Create a scheduled task in Task Scheduler and run it as the same user that runs the sync engine.
- Schedule it once a week / month as per your requirement. Based on your initial timing tests, you can schedule it out of business hours, say 10pm, so that it is finished by morning.
- For the action:
  - Action: Start a Program
  - Program/Script: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  - Argument: -ExecutionPolicy Bypass -File "D:\SyncScript\AzureFI.ps1"
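
The same task can be registered from an elevated PowerShell session instead of the Task Scheduler GUI. This is an added example, not part of the original post; the task name, the Saturday schedule, `-NoProfile`, `-RunLevel Highest` and the ACL tightening on D:\SyncScript are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: registers the weekly Full Import task described above.
$scriptDir  = 'D:\SyncScript'
$scriptPath = Join-Path $scriptDir 'AzureFI.ps1'
$taskName   = 'ADSync - AzureAD Full Import'   # hypothetical task name

# Account that runs the sync engine; prompted so no password is stored in this file.
$cred = Get-Credential -Message 'Account that runs the sync engine'

if (-not (Test-Path $scriptPath)) { throw "Script not found: $scriptPath" }

# The task runs this script unattended as the sync account with
# -ExecutionPolicy Bypass, so write access to the file equals code execution
# as that account. Drop inherited ACEs; only Administrators and SYSTEM may
# modify, the sync account gets read/execute.
icacls $scriptDir /inheritance:r /grant:r `
    'BUILTIN\Administrators:(OI)(CI)F' `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    "$($cred.UserName):(OI)(CI)RX" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Same program and arguments as in the steps above; -NoProfile is an addition
# so that no profile script is loaded into the task's session.
$action = New-ScheduledTaskAction `
    -Execute 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""

# Weekly, out of business hours (10pm as in the post; the day is an assumption).
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Saturday -At '22:00'

# A Full Import can run for many hours; never start a second overlapping instance.
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew

# -RunLevel Highest is an assumption: the ADSync cmdlets are normally run elevated.
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Settings $settings -User $cred.UserName `
    -Password $cred.GetNetworkCredential().Password -RunLevel Highest | Out-Null

# Confirm what was registered: the run-as principal and the exact command line.
Get-ScheduledTask -TaskName $taskName |
    Select-Object TaskName, State,
        @{ n = 'RunAs';   e = { $_.Principal.UserId } },
        @{ n = 'Command'; e = { "$($_.Actions.Execute) $($_.Actions.Arguments)" } }
```

For the other connectors and run profiles, change `$scriptPath`, `$taskName` and the trigger time so the runs do not overlap.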
That’s it!!! You can create similar scripts and change ConnectorName / RunProfileName and create tasks for each at particular times.
You will have a healthy sync engine for ADConnect.