This one has been long overdue and about time that the community realizes how easy it can make your daily life with FIM/MIM.
A wonderful tool which keeps our engine purring like a kitten and all the cogs moving – Autosync written by @RyanLNewington
Since the past two year or so, it has evolved and now it is becoming mainstream with him making it more user friendly, GUI enabled and with KISS strategy (Love the strategy – Keep It Simple Stupid!!!).. It has now culminated as AutoSync.
We’ve worked together and I’ve done a lot of testing (somehow I have the notorious name of bug finder – I find them or say they find me in every product I’ve touched – FIM / MIM / Google / Lithnet / Oracle MA / Generic LDAP MA <– don’t even get me started with that one)
It’s extremely simple to use and self explanatory. It installs as a service, and has a easy to read XML config (no need to dive into as GUI makes it easy) and an “Execution Monitor” to show you the status of all your runs.
Some of the features to list
- Auto detect all MA in the environment and list them for configuration.
- Automatically detect and prepopulate run profiles tab with best matching one.
- Advance trigger capability to detect changes in the MA source and run only when needed
- Ability to make changes to individual MA and restart only that component.
- Ability to mention a list of MA’s not to run if a particular MA is running (to give priority or avoid deadlock situations)
- One-Click button to create MPR / Set and service account in FIMService which helps in change detection in FIM/MIM Service.
- Easy to configure and send mail notification of errors and customize it according to the errors you want to see / or ignore
- Clear run history and store it as a maintenance task.
- Different execution modes according to your choice (Supported / Exclusive / Unsupported)
The above is definitely not an exhaustive list and there are many more hidden and advance features which I can cover if it makes it to the final cut.
Let’s take an example on how we can utilize it in real world very easily. No coding experience needed.
We have an environment with 9 Management Agents (not the biggest in the world out there by far). We have some business rules which bind us to set provisioning times and deprovisioning times. Which means we need to keep the wheel moving – always and in sync.
Lithnet Autosync has a very easy to understand GUI interface. We can set which profiles to run to confirm an export (Confirming Import) or say which profile to run if the MA hasn’t run for X amount of time – scheduled import (which you can set as well).
For AD / LDS / LDAP MA we have change detection capabilities which basically runs the delta import / Full Import (whatever you configure) only when it detects a change for the system.
In the above example you can see I have also configured a “scheduled interval” which runs a full import for the MA every day at 2am. We do this to make sure the system is clean and up-to-date with the source. I have configured it for all the MA to run daily at different time intervals during non business hours so that the system is “clean” when we come back the next day. You can also configure them run exclusively to each other so that no clash occur (if that is a concern in your system).
You can also do change detection by writing power shell scripts and then running import run profile. We use an SQL based MA (ACMA) where we use such and example where the script looks at the Object Delta table and makes runs the DI (Delta Import) profile only if a change is detected. It can be as little as every second check but I run it every 5 second.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46
|
Add-Type -AssemblyName System.Data $global:lastRowVersion = 0 function Get-RunProfileToExecute { $table = Invoke-SQL "localhost" "DBNAME" "SELECT TOP 1 cast(rowversion AS BIGINT) AS RV FROM DBO.MA_OBJECTS_DELTA where rowversion >= $global:lastRowVersion order by rowversion asc"; if ($table.Rows.Count -gt 0) { $rv = $table.Rows[0].RV if($global:lastRowVersion -ne $rv) { $global:lastRowVersion = $rv; $p = New-Object Lithnet.Miiserver.Autosync.ExecutionParameters; $p.RunProfileName = "DI"; $p.Exclusive = $false; write-output $p } } } function Invoke-SQL { param( [string] $dataSource = "localhost", [string] $database = "DBNAME", [string] $sqlCommand = $(throw "Please specify a query.") ) $connectionString = "Data Source=$dataSource; " + "Integrated Security=SSPI; " + "Initial Catalog=$database" $connection = new-object system.data.SqlClient.SQLConnection($connectionString) $command = new-object system.data.sqlclient.sqlcommand($sqlCommand,$connection) $connection.Open() $adapter = New-Object System.Data.sqlclient.sqlDataAdapter $command $dataset = New-Object System.Data.DataSet $adapter.Fill($dataSet) | Out-Null $connection.Close() $dataSet.Tables } |
There are more such examples in “C:\Program Files\Lithnet\AutoSync\Examples” folder once you install it. We also have scripts to detect changes in a PostGres DB.
There is so much more we do with it. There are some MA which we use just for versioning purpose. So we simply have them as “unconfigured” so they are not used in the run.
Two most useful features I would like to show you are
Execution Mode
The text below are self explanatory but in a nutshell
- Supported (Recommended): What Microsoft dictates – Never run sync profiles while any other profile is running. Import and export profiles of different MA can still run in parallel. When a sync profile runs its take precedence lock and doesn’t allow other profiles to run (they queue up)
- Exclusive Mode (I call it the SloMo Mode): Every run profile in every MA are run exclusively. Slowest mode and possibly the safest mode if you are not concerned with timings and speed.
- Unsupported Mode (Against the Bible): I use this quite often as I am confident of our environment and what we need in terms of SLA to provision / deprovision users. The difference in this mode v/s supported is that in this mode a sync profile can run while other MA are running their import / export profile.
Execution Monitor
This is where you can keep an eye on things like what is MA is running, what profile is running, what has the lock and what others are waiting to run next.
You can see a lot of live and useful information there.
- You can see two MA are executing Full Import (FI) – A Play button indicates that
- You can see that an MA has a lock and its preparing to start a Delta Sync (DS) and then after that it has Delta Import (DI) and EALL (Export All) queued up.
- Another MA wants to run a delta sync (DS) and is waiting to take lock from the previous MA.
- You can click on the MA and see the run history and logs of what it has done (depicted in the windows below)
- As you would have guessed – my system is running in unsupported mode currently.
- You can stop all execution and/or stop and cancel all runs from the button on top.
- You can also uncheck the “Automatically start executors when service starts” so that when Autosync service starts it will not start any executions – handy when you want to check all config before you kick off the syncs.
There is so much you can do with the package that I haven’t even begin to list them here.
Hope this small post has given you some insight on the capabilities of Autosync and the potential it has to radicalize and make your environment more friendly and easy to use.
Let me know if you need a solution with AutoSync and I can probably help you with that….
Like this:
Like Loading...