Predica loves tech community!

Did you know about this? :) That’s true. Most people from Predica are engaged with the technical community. We share knowledge on forums, at conferences, on blogs, etc. Besides that, our Board supports conferences organized by the community. Below is a list of where we are speaking and what we are supporting in the coming weeks:

  • Global Windows Azure Bootcamp 2014 Poland – 29th of March, 2014 – Warsaw, Poland – Predica is the main sponsor of the conference – pizzas, gadgets, first prize in the lottery, etc :) Tomek & Dominik will be speaking about Windows Azure stuff! Darek is the main organizer of the event and MC 😉
  • Cloud OS MVP Roadshow – 16th of April, 2014 – Warsaw, Poland – Predica is the main sponsor of the conference – gadgets, first prize in the lottery, etc :) Darek is the main organizer of the event and will be speaking about virtualization stuff in a hybrid cloud context. Tomek will be speaking about how to federate identity between private and public cloud.
  • Cloud OS MVP Roadshow – 18th of April, 2014 – Gdańsk, Poland – Tomek will be speaking about how to federate identity between private and public cloud.

See you at the conferences! Feel free to contact us :)

Directory Sync and Password Sync Cookbook – part 7 – Important FAQ

Hi, Andrzej (KAZM) again 😉 … with the 7th part of Directory Sync and Password Sync – YES, this is the final one! 😀

  1. Directory Sync and Password Sync Cookbook – part 1 – Overview and SSO Decisions
  2. Directory Sync and Password Sync Cookbook – part 2 – Preparation
  3. Directory Sync and Password Sync Cookbook – part 3 – UPN Sync Scenarios
  4. Directory Sync and Password Sync Cookbook – part 4 – Installation
  5. Directory Sync and Password Sync Cookbook – part 5 – Configuration and Operations
  6. Directory Sync and Password Sync Cookbook – part 6 – Troubleshooting
  7. Directory Sync and Password Sync Cookbook – part 7 – Important FAQ
  • In this article you use commands like “Set-MsolUserPrincipalName -UserPrincipalName oldUPN -NewUserPrincipalName newUPN” but it is not working for me. What is wrong?
    • To be able to run this and similar commands you need to connect to Windows Azure Active Directory through PowerShell:
      • Run PowerShell,
      • Execute Import-Module MSOnline,
      • Run $AdminCredentials = Get-Credential,
      • Type in your O365 Administrator credentials,
      • Run Connect-MsolService -Credential $AdminCredentials,
      • And now you can run the required command.
  • How can I add Alternative UPN Suffixes to my AD?
  • Is there any way I can install DirSync using my own SQL servers (I have high availability for databases, less SQL limitations and other cool features)?
  • Which users will be synchronized with DirSync?
    • DirSync does not synchronize accounts with the “User must change password at next logon” option enabled,
    • DirSync will not sync passwords for users that are federated entities (have their UPN in a public domain which is added and verified in O365 and converted to federated). A user can be either SSO-enabled or Password Sync-enabled, not both,
    • DirSync will sync all users from the domain (unless OU/attribute filtering is configured).
  • What is the MSOL_AD_SYNC account?
    • This account has read and synchronization permissions to the Active Directory and is used for noticing password changes in your domain.
    • You should not change the password of that MSOL_AD_SYNC service account.
    • Important! If you force password changes (for example with a GPO) and MSOL_AD_SYNC account gets its password changed, you must run the Directory Sync Configuration Wizard again.
  • I have different Password Complexity Policies in AD than in O365. Which one will be used?
    • Active Directory Password Complexity policy will override O365 password complexity policy.
  • After implementing DirSync what happens to current users that had been already created directly in the cloud?
    • Users created and managed in the cloud keep their cloud (not synchronized) password, remain subject to the cloud password complexity policy, and will not be synchronized.
  • What is the default time of synchronization?
    • DirSync synchronizes users every 3 hours, Password Sync synchronizes password hashes every 3 minutes.
  • After 90 days users stopped synchronizing. What happened?
    • The password of the Office 365 Global Administrator account you used for configuring the DirSync tool has expired. Please refer to the Preparation and then the Troubleshooting part of this article on how to fix this.
  • The Start-OnlineCoexistenceSync command doesn’t return anything in the PowerShell session. Is that normal, is my synchronization working?
    • Yes, this is normal. If you see no errors, then probably everything is fine and miisclient starts running Management Agents.
  • What happens if the user is blocked or deleted in AD?
    • When the user is blocked or deleted in AD, after DirSync sync he/she is also blocked or deleted in O365.
  • Users with expired passwords in AD may still be able to log in to O365 with the old (expired) password. Why is this happening?
    • After an account is synced to O365, its password is set to “never expire” and is synchronized only when the user changes the password in AD. So if the password expires in AD but the user doesn’t change it, it is still valid in O365.
  • Can I change passwords manually for users in Office 365? How?
    • If the user/administrator changes his/her password in the cloud, it will NOT get overwritten by the next Password Sync run (3 minutes). The password will get changed only after you run a manual full password sync (Set-FullPasswordSync command and FIM Synchronization Service restart) or after the user changes the password.
    • To change a password in Office 365 manually, run the PowerShell command Set-MsolUserPassword -UserPrincipalName user@yourdomain.onmicrosoft.com -ForceChangePassword $false -NewPassword "NewSecurePasswordHere".
  • Is there any changelog or version release history for DirSync?
  • Is there any information on what attributes are synced by DirSync?
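
An added example (not part of the original cookbook) for the expired-password question above: it lists enabled AD users whose password has already expired and who exist as directory-synchronized accounts in O365, reusing the connection steps from the first FAQ entry. It assumes the ActiveDirectory and MSOnline modules are installed and that each user's AD UPN equals the cloud UPN; the function name Get-ExpiredAdPasswordUser is hypothetical.

```powershell
Import-Module ActiveDirectory
Import-Module MSOnline

function Get-ExpiredAdPasswordUser {
    # Hypothetical helper: enabled AD users whose password has expired
    # according to msDS-UserPasswordExpiryTimeComputed.
    param([string]$SearchBase)

    $query = @{
        Filter     = 'Enabled -eq $true -and PasswordNeverExpires -eq $false'
        Properties = 'PasswordLastSet', 'msDS-UserPasswordExpiryTimeComputed'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    $now = Get-Date
    Get-ADUser @query | ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # 0 = "User must change password at next logon" (not synchronized by
        # DirSync); Int64.MaxValue = the password never expires.
        if ($_.UserPrincipalName -and $raw -gt 0 -and $raw -lt [Int64]::MaxValue) {
            $expires = [DateTime]::FromFileTime($raw)
            if ($expires -lt $now) {
                [pscustomobject]@{
                    UserPrincipalName = $_.UserPrincipalName
                    PasswordLastSet   = $_.PasswordLastSet
                    ExpiredOn         = $expires
                }
            }
        }
    }
}

# Connect as described in the first FAQ entry.
$AdminCredentials = Get-Credential
Connect-MsolService -Credential $AdminCredentials

# Keep only users that exist in the cloud as directory-synchronized accounts.
Get-ExpiredAdPasswordUser | ForEach-Object {
    $cloud = Get-MsolUser -UserPrincipalName $_.UserPrincipalName -ErrorAction SilentlyContinue
    if ($cloud -and $cloud.LastDirSyncTime) {
        $_ | Add-Member -NotePropertyName LastDirSyncTime -NotePropertyValue $cloud.LastDirSyncTime -PassThru
    }
} | Sort-Object ExpiredOn | Format-Table -AutoSize
```

Federated (SSO) users are not excluded by this check, so entries for them can be ignored, since their passwords are not synced.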

I hope you have enjoyed my cookbook :)

Best regards,

Andrzej (KAZM)

Directory Sync and Password Sync Cookbook – part 6 – Troubleshooting

Hi, Andrzej (KAZM) again 😉 … with the 6th part of Directory Sync and Password Sync.

  1. Directory Sync and Password Sync Cookbook – part 1 – Overview and SSO Decisions
  2. Directory Sync and Password Sync Cookbook – part 2 – Preparation
  3. Directory Sync and Password Sync Cookbook – part 3 – UPN Sync Scenarios
  4. Directory Sync and Password Sync Cookbook – part 4 – Installation
  5. Directory Sync and Password Sync Cookbook – part 5 – Configuration and Operations
  6. Directory Sync and Password Sync Cookbook – part 6 – Troubleshooting
  7. Directory Sync and Password Sync Cookbook – part 7 – Important FAQ
  • General advice
  • IdFix
    • When you run IdFix, “Format” is displayed in the Error column for many objects. Solution: This issue occurs if the email address of the object is not a valid, publicly routed email address. If you are not planning to change AD suffixes, you can ignore it.
  • DirSync/Password Sync
    • During installation
      • “Exception has been thrown by the target of an invocation”. Solution: add the MSOL_AD_SYNC domain account indicated in Event Viewer to the local Administrators group of the DirSync server and retry.
    • During synchronization
      • “Missing-partition-for-run-step” when OU filtering is used for DirSync. Solution: if you have many child domains in your forest and you don’t want to synchronize from some of them, simply unchecking those domains produces this error. At least one OU in each domain must be checked for sync, so to avoid the error create an empty OU in each domain and then select only this OU in the filtering options (no users will be synced),
      • “Stopped-extension-dll-exception” during the Windows Azure Active Directory Connector, Delta Import Delta Sync step in miisclient.exe. Solution: You have to change the password of the Office365 account that was used to configure DirSync (it has expired). After changing that password in Office365, set this account to have a never-expiring password (please refer to the Preparation part of my article), run the Directory Sync Configuration Wizard on the desktop of the DirSync server, provide the new credentials of the Administrator account and then restart the FIM Sync Service. With this error you can also get the following entries in Event Viewer:
        • Event ID 0. The user name or password is incorrect. Verify your user name, and then type your password again GetAuthState() failed with -214718668 state. HResult:0. C(0x80048821)
        • Event ID 109. Failure while importing entries from Windows Azure Active Directory. Exception: Microsoft.Online.Coexistence.ProvisionException: The user name or password is incorrect. Verify your user name, and then type your password again.
        • Event ID 6803. The management agent “Windows Azure Active Directory Connector” failed on run profile “Delta Import Delta Sync” because the server encountered errors.
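
An added example (not from the original article) that picks the three Event Viewer entries listed above out of a stream of event records, so the expired-credential condition can be spotted before users notice that synchronization has stopped. The function name Select-DirSyncCredentialFailure is hypothetical, the sample records are constructed, and the Application log in the last comment is an assumption about where the DirSync server writes these events.

```powershell
function Select-DirSyncCredentialFailure {
    # Hypothetical helper: keeps only records whose ID and message text match
    # the three entries quoted in the troubleshooting item above.
    param([Parameter(ValueFromPipeline = $true)] $EventRecord)
    begin {
        $signatures = @{
            0    = 'user name or password is incorrect'
            109  = 'Failure while importing entries from Windows Azure Active Directory'
            6803 = 'Windows Azure Active Directory Connector'
        }
    }
    process {
        $id = [int]$EventRecord.Id
        # Event ID 0 is generic, so the message text must match as well.
        if ($signatures.ContainsKey($id) -and
            $EventRecord.Message -like "*$($signatures[$id])*") {
            [pscustomobject]@{
                TimeCreated = $EventRecord.TimeCreated
                Id          = $id
                Message     = $EventRecord.Message
            }
        }
    }
}

# Constructed sample records (not real log output); the last one is unrelated
# and must be filtered out.
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2014-03-01T09:00:00'; Id = 109
        Message = 'Failure while importing entries from Windows Azure Active Directory. The user name or password is incorrect.' }
    [pscustomobject]@{ TimeCreated = [datetime]'2014-03-01T09:00:05'; Id = 6803
        Message = 'The management agent "Windows Azure Active Directory Connector" failed on run profile "Delta Import Delta Sync".' }
    [pscustomobject]@{ TimeCreated = [datetime]'2014-03-01T09:01:00'; Id = 0
        Message = 'Constructed unrelated message from another service.' }
)

$hits = @($sample | Select-DirSyncCredentialFailure)
$hits | Format-Table TimeCreated, Id -AutoSize
if ($hits.Count -gt 0) {
    Write-Warning "$($hits.Count) matching events: check whether the O365 account used by DirSync has an expired password."
}

# On the DirSync server (assumed log name: Application), feed real events instead:
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 0, 109, 6803
#     StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
#     Select-DirSyncCredentialFailure
```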