Master Azure AD Connect: Sync Scheduling and Forcing

Published: 23 August 2019 - 5 min. read


Jeff Christman


Integrating (and syncing) your on-premises Active Directory Domain Services (AD) with Azure AD is done using the Synchronization Service Manager GUI or via PowerShell.

There are two ways to use Azure AD on-prem – pass-through authentication (sends the authentication request directly to Azure AD) or directory synchronization that syncs password hashes between on-prem AD and Azure AD. In this blog post, we’re going to cover how to get the Azure Active Directory Connect software set up to sync password hashes.

We’ll cover how to get a recurring sync running and also how to use Azure AD Connect to force a password hash synchronization.

In a nutshell, to force Azure AD to sync with PowerShell requires the following steps:

  1. Install Azure Active Directory Connect
  2. Import the ADSync PowerShell module
  3. Run the Start-ADSyncSyncCycle cmdlet, which reads a domain controller’s password hashes and syncs them with Azure AD.

If you’re more into learning via video, be sure to check out this informative TechSnips video.

Install Azure AD Connect

To sync on-prem Active Directory to an Azure AD tenant, you’ll first need to download and install the Azure AD Connect software. To do that, you’ve got two options. You can either download it from the Azure Portal or go directly to the software package.

Downloading from the Azure Portal

If you’ve chosen not to download the package from the Microsoft site, you’ll need to get the package from the Azure Portal.

Search for “Azure Active Directory” in the portal. In the Azure Active Directory section, click on Azure AD Connect. Here you will find a Sync Status section with a link to Download Azure AD Connect.

Azure Portal – Azure AD Connect

Sync Tools

When you install Azure AD Connect, it will install two primary tools you can use to schedule a sync or force a sync.

  • The ADSync PowerShell module
  • The Synchronization Service Manager

Using these two tools, you can set up a recurring (scheduled) sync to routinely perform an Azure AD sync. Or, you can use either to force a sync ad hoc. Both tools perform the same behavior. The only difference is that one is a command-line tool (PowerShell) and one is a GUI application.

Setting up the ADSync PowerShell Module

When you install Azure AD Connect, it will install a PowerShell module called ADSync. This module contains the cmdlets that allow you to manage the sync process using PowerShell.

Note that in this article, I am using Windows PowerShell 5.1. Your mileage may vary if you’re using an older version.

As with all PowerShell modules, importing the module is straightforward. However, the module is not located in a known Windows PowerShell modules folder. The installation places the PowerShell module in the C:\Program Files\Microsoft Azure AD Sync\Bin folder.

To import the module, open a PowerShell console and enter the following:

PS51> Import-Module -Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync" -Verbose

To verify that the module has imported, use Get-Module. You should see the ADSync module listed.

ADSync PowerShell Module

Default Azure AD Sync Schedule

By default, Azure AD Connect creates a scheduled task that runs a delta (syncing only differing objects) sync every 30 minutes. You can find the schedule by opening up Task Scheduler. You should notice a scheduled task under Microsoft –> Windows called Azure AD Sync Scheduler.

Azure AD Sync Scheduler scheduled task

You can change this schedule, but bear in mind that 30 minutes is the lowest interval supported. The goal is to set the synchronization interval so that it happens often enough to pick up changes. If the interval is too short, you run the risk of saturating your network.

The scheduler handles two tasks:

  • Synchronization cycle – The process to import, sync, and export changes.
  • Maintenance tasks –  Renews keys and certificates for password resets and the Device Registration Service (DRS). It also purges old entries in the operations log.

The scheduler itself is always running but it can be configured to only run one or none of these tasks.
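As an added example (not code from the original post), the following script changes the customized interval while checking it against the 30-minute floor, and shows how to turn off the scheduler's own sync cycle while keeping maintenance running. It assumes the ADSync module lives at the path shown in this post; Set-ADSyncScheduler is a real ADSync cmdlet but is not shown in the post.

```powershell
# Added example: adjust the Azure AD Connect sync interval safely.
# Assumes the ADSync module path from this post (not verified here).
Import-Module -Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync" -ErrorAction Stop

function Set-SyncIntervalSafely {
    param([Parameter(Mandatory)][timespan]$Interval)

    $before = Get-ADSyncScheduler
    if ($Interval -lt $before.AllowedSyncCycleInterval) {
        # The effective interval never drops below AllowedSyncCycleInterval (30 minutes).
        $msg = 'Requested {0} is below AllowedSyncCycleInterval ({1}); the effective interval will not go below it.' -f
               $Interval, $before.AllowedSyncCycleInterval
        Write-Warning $msg
    }

    # Set-ADSyncScheduler is an ADSync cmdlet not shown in the post.
    Set-ADSyncScheduler -CustomizedSyncCycleInterval $Interval

    # Compare what was requested with what the scheduler will actually use.
    $after = Get-ADSyncScheduler
    [pscustomobject]@{
        Requested  = $Interval
        Customized = $after.CustomizedSyncCycleInterval
        Effective  = $after.CurrentlyEffectiveSyncCycleInterval
        Allowed    = $after.AllowedSyncCycleInterval
        NextRunUtc = $after.NextSyncCycleStartTimeInUTC
    }
}

# Disable the built-in sync cycle but keep the maintenance task (key/certificate
# renewal and operations-log purge), the arrangement described in this post.
function Use-ManualSyncCycle {
    Set-ADSyncScheduler -SyncCycleEnabled $false -MaintenanceEnabled $true
    Get-ADSyncScheduler | Select-Object SyncCycleEnabled, MaintenanceEnabled, SchedulerSuspended
}

# Example run: a 45-minute interval is accepted as-is; 15 minutes would trigger the warning.
Set-SyncIntervalSafely -Interval (New-TimeSpan -Minutes 45)
```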

Forcing an Azure AD Connect Sync

There may be times where you would need to force synchronization of your objects. For example, if you need to have your own synchronization cycle process, you can disable this task in the scheduler but still run the maintenance task.

To force a sync of password hashes and other object information with Azure Active Directory Connect, you can use either the Synchronization Service Manager or PowerShell.

Forcing a Sync with the Synchronization Service Manager

On a server with Azure AD Connect installed, navigate to the Start menu and select AD Connect, then Synchronization Service.

At first glance it looks overwhelming, but you are only concerned with the Connectors tab and the right hand selection pane. Looking at the right hand pane, you can see options to stop (Stop) and start (Run) the sync.

Synchronization Service Manager

Note that when a synchronization cycle is running, you cannot make configuration changes. Stopping the current cycle is not harmful and pending changes are processed with the next run.

Getting Sync Status with PowerShell

Before you force a sync, it is a good idea to get the status of the current sync cycle. If you force a sync while another sync is already running, you could be setting yourself up for some issues later on.

To see the current settings, open up a PowerShell console on the server Azure Active Directory Connect is installed on and run Get-ADSyncScheduler. You’ll see a few properties each providing useful information.

Get-AdSyncScheduler

There is quite a bit of information to parse through. Let us go through line by line:

  • AllowedSyncCycleInterval – The shortest interval allowed between synchronization cycles. By default it is 30 minutes, the shortest interval supported.
  • CurrentlyEffectiveSyncCycleInterval – The schedule currently in effect. It has the same value as CustomizedSyncCycleInterval (if set) as long as that is not more frequent than AllowedSyncCycleInterval. If you use a build before 1.1.281 and you change CustomizedSyncCycleInterval, the change takes effect after the next synchronization cycle. From build 1.1.281 the change takes effect immediately.
  • CustomizedSyncCycleInterval – Set this if you want the scheduler to run at a frequency other than the default 30 minutes.
  • NextSyncCyclePolicyType – Defines what the next run should process. If the next run is a full synchronization, the value shown is Initial.
  • NextSyncCycleStartTimeInUTC – The time the scheduler starts the next sync cycle.
  • PurgeRunHistoryInterval – How long the operation logs are kept. The default is 7 days.
  • SyncCycleEnabled – Indicates whether the scheduler runs the import, sync, and export processes as part of its operation.
  • MaintenanceEnabled – Indicates whether the maintenance task runs; it updates the certificates/keys and purges the operations log.
  • StagingModeEnabled – If enabled, it suppresses the exports from running but still runs import and synchronization.
  • SchedulerSuspended – Set to temporarily block the scheduler from running.

Forcing a Sync with PowerShell

You have a couple of options when forcing a synchronization. You can either force a full sync or a delta sync. A full sync checks all objects across AD. A delta sync only checks and syncs changes since the last run.

To start a full sync, you can use the Start-AdSyncSyncCycle cmdlet. Use the PolicyType parameter to choose either Full or Delta depending on the sync you’d like to initiate. Either method will force an AD sync for Office 365, user identity accounts and all other attributes.

PS51> Start-ADSyncSyncCycle -PolicyType Full
PS51> Start-ADSyncSyncCycle -PolicyType Delta
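Putting the status check and the forced sync together, here is an added example (not from the original post) that refuses to start a cycle while the scheduler is suspended or a connector run is still in progress, and records what it started. It assumes the module path from this post; Get-ADSyncConnectorRunStatus is an ADSync cmdlet not shown in the post, and it returns one object per connector that is currently running.

```powershell
# Added example: force a Delta or Full cycle only when it is safe to do so.
# Assumes the ADSync module path from this post (not verified here).
Import-Module -Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync" -ErrorAction Stop

function Start-SafeSyncCycle {
    param(
        [ValidateSet('Delta', 'Full')][string]$PolicyType = 'Delta',
        [int]$WaitSeconds = 300
    )

    $sched = Get-ADSyncScheduler
    if ($sched.SchedulerSuspended) {
        throw 'Scheduler is suspended; clear SchedulerSuspended before forcing a cycle.'
    }
    if ($sched.StagingModeEnabled) {
        Write-Warning 'Staging mode is on: the cycle will import and sync but not export to Azure AD.'
    }

    # Never overlap cycles: wait while any connector is still running.
    # Get-ADSyncConnectorRunStatus (ADSync cmdlet, not shown in the post) is empty when idle.
    $deadline = (Get-Date).AddSeconds($WaitSeconds)
    while (Get-ADSyncConnectorRunStatus) {
        if ((Get-Date) -gt $deadline) {
            throw "A sync is still running after $WaitSeconds seconds; aborting."
        }
        Start-Sleep -Seconds 10
    }

    # Full re-evaluates every object; Delta only processes changes since the last run.
    Start-ADSyncSyncCycle -PolicyType $PolicyType

    # Return what was started and what the scheduler will do next, for the change record.
    $after = Get-ADSyncScheduler
    [pscustomobject]@{
        Started      = $PolicyType
        StartedAtUtc = (Get-Date).ToUniversalTime()
        NextPolicy   = $after.NextSyncCyclePolicyType
        NextStartUtc = $after.NextSyncCycleStartTimeInUTC
    }
}

# Example run: a delta sync, waiting up to two minutes for any running cycle to finish.
Start-SafeSyncCycle -PolicyType Delta -WaitSeconds 120
```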

Stopping a Sync

If you’d like to stop a sync in process, you can also use the Stop-ADSyncSyncCycle cmdlet.

PS51> Stop-ADSyncSyncCycle

Summary

Whether you choose to use the GUI or PowerShell, you should now know various ways to use the Azure Active Directory Connect tool to schedule or force a sync with your on-prem Active Directory environment with Azure AD.
