Month: July 2012

Office 365 DirSync Database Running Out of Space? Automate Cleanup of Run History

As you start using the Office 365 Directory Synchronization application, administrators gain the ability to manage users, contacts, groups and Active Directory attributes and values from the local Active Directory.  These updates/changes are then synchronized into your Office 365 tenant, keeping the two directories in sync.

Directory Synchronization runs, by default, every 3 hours, synchronizing all changes found within the local Active Directory.  Each run writes a record to the run history, and over time your DirSync database will run out of space because these run history records are never removed.

Manage your Directory Synchronization

PROBLEM STATEMENT

You are running the Office 365 / Directory Synchronization tool with a SQL Server Express backend.  You have less than 50,000 users.  Now, you are seeing information in the Application Event Log indicating that the database is full.

CAUSE

This happens because each run is logged on the Operations tab of the MIISCLIENT.EXE console.  This is commonly referred to as the Run History.  If there is no process to clean up the run history, it will continue to grow, and the MDF file of the SQL Server Express database will grow with it until you reach the 10GB limit.

RESOLUTION

To resolve the issue, you will need to clear the run history.  To prevent the issue from happening, you may need to build a script that can be called from Task Scheduler to clear the run history.

Clear Run History

Use the following steps outlined in this TechNet article to clear your Directory Synchronization Run History and keep your DB at a manageable size:  http://social.technet.microsoft.com/wiki/contents/articles/7034.how-to-clear-the-run-history.aspx

GOAL

The goal of this article is to provide information on a good and common question, “How do I clear the run history?”, in order to reduce the size of my MDF / LDF files.

As many of us already know, if we do not clear the run history, then we run into issues such as:

  • Poor performance of synchronizations
  • Poor performance when moving between the Management Agents and Operations tabs in the Synchronization Server Console
  • The MDF file growing to an extreme size

This article has been compiled to help provide information on how to clear the run history.  We do provide several ways to clear the run history.  Let’s talk about them now.

MANUALLY

In the MIISClient.exe GUI, found in c:\Program Files\Microsoft Online Directory Sync\SyncBus\Synchronization Service\UIShell\MIISClient.exe, while viewing the run history on the Operations Tab, you can select “Clear Runs” from the Actions menu.

In doing so, you will receive a dialog with a few choices.

  1. Clear All Runs: This will clear everything you see on the operations tab, essentially the run history.
  2. Clear Runs Before: This allows you to pick a date and time; runs at and before that date and time are removed, so you can keep some of the more recent run history.
  3. Save runs before clearing them:  This box is checked by default.  It allows you to dump the run history to an XML file.

Once you have configured how you want to clear the run history, you simply click Ok and then wait for it to finish clearing the run history.

SCRIPT

The Synchronization Service engine has a WMI Provider that allows you to interface with the Synchronization Service Engine via WMI.

MSDN provides a great resource using the WMI Provider to build a script using VBSCRIPT and/or PowerShell.

MIIS_SERVER is the WMI Class that you will start with when building your script.

ClearRuns Method is the method that you will utilize to clear the runs.

Example Script to Clear Runs

Clear Run History Script

Dim Service
Dim Server
Dim DeleteDate

Set Service = GetObject("winmgmts:\root\MicrosoftIdentityIntegrationServer")

'// MIIS_Server1 is the Name of the synchronization server; replace it with your own server name
Set Server = Service.Get("MIIS_Server.Name='MIIS_Server1'")

'// DeleteDate: the date to use for the deletion of runs (runs before this date are cleared)
DeleteDate = GETDELETEDATE( Date() - 1 )

WScript.Echo "Deleting Run Histories from " & DeleteDate
WScript.Echo "Result: " & Server.ClearRuns(DeleteDate)

'// ======================================================================
'// FUNCTION IIF
'// PURPOSE: To be able to execute an If...Then...Else statement on a single line
'// -- conditionalString: is the conditional statement to check via the IF
'// -- TrueString: if the condition is true, the value to return
'// -- FalseString: if the condition is false, the value to return
'// ======================================================================
FUNCTION IIF(conditionalString, TrueString, FalseString)
    IF conditionalString THEN
        IIF = TrueString
    ELSE
        IIF = FalseString
    END IF
END FUNCTION

'// ====================================================================
'// FUNCTION GETDELETEDATE
'// PURPOSE: The date has to be formatted in a special way (yyyy-mm-dd) to work with the sync engine.
'//     This function formats the date, zero-padding the month and day.
'// ====================================================================
FUNCTION GETDELETEDATE( TheDeleteDate )
    GETDELETEDATE = YEAR(TheDeleteDate) & "-" & IIF(LEN(MONTH(TheDeleteDate))=1, "0" & MONTH(TheDeleteDate), MONTH(TheDeleteDate)) & "-" & IIF(LEN(DAY(TheDeleteDate))=1, "0" & DAY(TheDeleteDate), DAY(TheDeleteDate))
END FUNCTION

RESOURCE KIT FOR MICROSOFT IDENTITY INTEGRATION SERVER 2003

If you have a version of the Synchronization Service Engine prior to Microsoft Forefront Identity Manager 2010, then you can utilize the Resource Kit for Microsoft Identity Integration Server 2003 and the MIISCLEARRUNS.EXE utility.

Download the Resource Kit 2.0 for the Microsoft Identity Integration Server 2003

QUESTIONS

How can I automate the clearing of the run history?

This is actually a great question.  You will need to write a script that does the clearing of the run history.  Once you have the script written, use Task Scheduler to have the script run at a specified time.
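As an added example (not the original post's or Microsoft's code), the following PowerShell script does the same thing as the VBScript above through the same WMI class and method, with a -WhatIf guard for a dry run and a -Register switch that creates the daily Task Scheduler job pointing at the script itself. It assumes it runs on the DirSync server under an account in the local MIISAdmins group (the WMI provider checks that), that the date string uses the post's yyyy-MM-dd format, and that CONTOSO\svc-dirsync and C:\Scripts are placeholders you replace:

```powershell
# Clear-DirSyncRunHistory.ps1 -- added example, not the post's own script.
# Clears MIIS/DirSync run history older than -KeepDays via the MIIS_Server WMI class.
param(
    [int]$KeepDays = 7,                      # run history newer than this many days is kept
    [switch]$WhatIf,                         # report the cutoff but do not clear anything
    [switch]$Register,                       # create the daily scheduled task and exit
    [string]$RunAs = 'CONTOSO\svc-dirsync'   # placeholder: an account in the MIISAdmins group
)

if ($Register) {
    # Run once from an elevated prompt. schtasks prompts for the account password (/RP *).
    # Assumes the script path contains no spaces.
    $scriptPath = $MyInvocation.MyCommand.Path
    $task = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $scriptPath -KeepDays $KeepDays"
    schtasks /Create /F /TN 'DirSync Clear Run History' /SC DAILY /ST 02:00 /RU $RunAs /RP * /TR $task
    return
}

$ns = 'root\MicrosoftIdentityIntegrationServer'

# One MIIS_Server instance exists per sync engine, so the server name need not be hard-coded.
$server = Get-WmiObject -Namespace $ns -Class MIIS_Server -ErrorAction Stop
if (-not $server) {
    throw "No MIIS_Server instance in $ns. Is the Synchronization Service installed and running?"
}

# Runs before this date are cleared; same format as the VBScript GETDELETEDATE function.
$cutoff = (Get-Date).AddDays(-$KeepDays).ToString('yyyy-MM-dd')
Write-Host "Clearing run history on $($server.Name) before $cutoff"

if ($WhatIf) {
    Write-Host 'WhatIf: ClearRuns was not called.'
    return
}

$result = $server.ClearRuns($cutoff)
Write-Host "Result: $($result.ReturnValue)"
```

Run it once with -WhatIf to confirm the cutoff, then with -Register to schedule it; the scheduled run uses the same -KeepDays value, so the database stays bounded at roughly one week of run history without anyone opening MIISClient.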

How often should I clear the run history?

The answer to this question is based on your business rules for your current identity solution.  Keep in mind that every time a run profile is executed, a record is added to the run history.

For example, say you have 2 management agents.  You run Full Import (Stage Only) on both, Full Synchronization on both, Export on both, and Confirming Delta Import on both Management Agents.  You execute this cycle every 30 minutes.

2 Management Agents x 4 Run Profiles = 1 cycle = 8 Records in the Run History every 30 minutes

Being Prompted for Username/Password After Office 365 ADFS is Deployed?

Problem

When your administrator deploys Active Directory Federation Services (ADFS) for use in Office 365, you were told that you would no longer need to provide separate usernames and passwords, as your Active Directory credentials (username/password) can be used instead.  However, when you attempt to access OWA, SharePoint or other online services, you are prompted to enter your username and password, potentially multiple times, such as when accessing the Microsoft Online Portal (MOP) [enter UPN, get redirected to ADFS and enter username/password].

Reason

This is because Internet Explorer does not have the ADFS endpoint, such as sts.contoso.com, in its Local Intranet security zone.  IE treats sts.contoso.com as an Internet address in the Internet security zone, and that zone does not automatically send the logged-on user’s username/password.

Resolution

To resolve this issue you must add your ADFS endpoint to the IE Local Intranet security zone.

Internet Explorer

  1. Tools
  2. Internet Options
  3. Security
  4. Local Intranet –> Sites
  5. Advanced
  6. Add this website to the list: https://*.contoso.com
  7. OK all the way out of this IE setting

Test

  1. Close all Internet Explorer browsers
  2. Login to the Office 365 Online Portal (MOP): https://portal.microsoftonline.com
  3. Enter your login User Principal Name (UPN) and notice that you are not able to enter a password; instead, click the link to login using ADFS

At this point, your browser is redirected to your local ADFS endpoint for Active Directory authentication.  With the IE setting in place, your machine logged in credentials are passed to ADFS, you are authenticated and redirected back to the Online Portal (MOP) and granted access!
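The same Local Intranet zone entry can be set and audited from PowerShell, which is handy when the setting has to reach many workstations or be checked during troubleshooting. The following is an added example, not from the original post; it assumes the ZoneMap registry layout Internet Explorer uses under HKCU (one key per domain, an optional subkey per host, and a DWORD per scheme whose data is the zone number, with 1 meaning Local intranet), and sts.contoso.com as the placeholder ADFS endpoint. It also goes one step beyond the post by mapping the single STS host rather than the whole *.contoso.com domain:

```powershell
# Added example, not the post's own code: script/audit the IE "Local intranet -> Sites" entry.
$ZoneLocalIntranet = 1
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Add-IntranetSite {
    param(
        [Parameter(Mandatory=$true)][string]$Domain,  # e.g. contoso.com
        [string]$HostName,                            # e.g. sts; omit to map the whole *.contoso.com
        [string]$Scheme = 'https'
    )
    $key = Join-Path $zoneMap $Domain
    if ($HostName) { $key = Join-Path $key $HostName }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # The value name is the scheme and the data is the zone number.
    New-ItemProperty -Path $key -Name $Scheme -Value $ZoneLocalIntranet -PropertyType DWord -Force | Out-Null
}

function Get-IntranetSites {
    # Lists every ZoneMap entry currently assigned to Local intranet, as scheme://host.
    Get-ChildItem $zoneMap -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $item  = $_
        $parts = ($item.Name -split '\\Domains\\')[1] -split '\\'   # e.g. contoso.com, sts
        [array]::Reverse($parts)                                    # -> sts, contoso.com
        $site  = if ($parts.Count -eq 1) { '*.' + $parts[0] } else { $parts -join '.' }
        $item.GetValueNames() |
            Where-Object { $item.GetValue($_) -eq $ZoneLocalIntranet } |
            ForEach-Object { '{0}://{1}' -f $_, $site }
    }
}

# Map only the ADFS endpoint. A *.contoso.com entry would make IE send the logged-on
# credentials to every host under that domain, so the narrower entry is preferable.
Add-IntranetSite -Domain 'contoso.com' -HostName 'sts'
Get-IntranetSites    # expect https://sts.contoso.com in the list
```

If the "Site to Zone Assignment List" Group Policy is in effect, Internet Explorer ignores the per-user list and greys out the Sites dialog; in that case the entry has to be added to the policy rather than to HKCU, and Get-IntranetSites will not show it.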

Missing User Pictures in Office 365 Online Services and/or Applications?

If you have moved into the Microsoft Online Office 365 Services, you may find that you are not seeing any user pictures when you IM or browse around SharePoint.  For those who want user pictures displayed in the Office 365 services, there are a few approaches to get these user pictures into the service.

  • Active Directory and Directory Synchronization:  Use this and the example PowerShell script, which can be used to import user pictures into Active Directory under the thumbNailPhoto AD attribute.  With Directory Synchronization running, users are not able to upload/update their picture via the “Online Services” process listed below.

Note – When using Directory Synchronization, users are not able to use the Microsoft Online Portal (MOP) to edit their profile and upload a picture.  Please keep the usage of DirSync in mind when managing user pictures in Office 365

  • Online Services
    • Have each user upload their picture into the Microsoft Online Portal (MOP) by logging into the Portal (https://portal.microsoftonline.com) and editing their Profile, which is located in the top right corner of the Portal.  This will get your user picture into MSODS (Microsoft Online Directory Services), which will then be synchronized out to all the different services (SharePoint, Lync, Exchange, etc) and be displayed within the different applications and services.

Note – The thumbnailPhoto Active Directory picture size is important.  Exchange Online supports pictures up to 10k, while synchronization (DirSync) will not synchronize pictures over 100k.  At this time, if you want to use a picture across all services or you have Exchange Online in the mix, keep the file size to 10k or less.
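The post refers to an example PowerShell script for loading pictures into thumbnailPhoto; the block below is an added example written here, not that script. It imports one JPEG per user and enforces the two limits the note above gives (10k for Exchange Online, 100k for DirSync), and adds an audit function for pictures already in AD that exceed the Exchange Online limit. It assumes the ActiveDirectory module (RSAT) is installed, and C:\Photos and the jdoe naming are placeholders:

```powershell
# Added example, not the post's script: load thumbnailPhoto with the size limits the post states.
Import-Module ActiveDirectory

$ExchangeOnlineMaxBytes = 10KB    # Exchange Online displays photos up to 10k
$DirSyncMaxBytes        = 100KB   # DirSync does not synchronize photos over 100k

function Set-UserThumbnailPhoto {
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [Parameter(Mandatory=$true)][string]$Path,
        [switch]$Force   # accept a photo over 10k that Exchange Online will not show
    )
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -gt $DirSyncMaxBytes) {
        throw "$Path is $($bytes.Length) bytes; DirSync will not synchronize photos over $DirSyncMaxBytes bytes."
    }
    if ($bytes.Length -gt $ExchangeOnlineMaxBytes -and -not $Force) {
        throw "$Path is $($bytes.Length) bytes; Exchange Online needs 10k or less (use -Force to load it anyway)."
    }
    # thumbnailPhoto is a binary attribute; -Replace writes the raw bytes.
    Set-ADUser -Identity $SamAccountName -Replace @{ thumbnailPhoto = $bytes }
    Write-Host "Set thumbnailPhoto for $SamAccountName ($($bytes.Length) bytes)"
}

function Get-OversizedUserPhotos {
    # Audit: users whose existing thumbnailPhoto exceeds the Exchange Online limit.
    Get-ADUser -Filter 'thumbnailPhoto -like "*"' -Properties thumbnailPhoto |
        Where-Object { $_.thumbnailPhoto.Length -gt $ExchangeOnlineMaxBytes } |
        Select-Object SamAccountName, @{ n = 'PhotoBytes'; e = { $_.thumbnailPhoto.Length } }
}

# Bulk import: one JPEG per user named after the sAMAccountName, e.g. C:\Photos\jdoe.jpg.
Get-ChildItem 'C:\Photos\*.jpg' | ForEach-Object {
    try   { Set-UserThumbnailPhoto -SamAccountName $_.BaseName -Path $_.FullName }
    catch { Write-Warning $_.Exception.Message }
}

Get-OversizedUserPhotos | Format-Table -AutoSize
```

Because DirSync is the only path into the service once it is enabled, running Get-OversizedUserPhotos before the next sync cycle tells you which users will still be missing a picture in Exchange Online.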

Disabling/Re-Enabling DirSync Service in Office 365 will Force Full DirSync

In Office 365, many administrators use Directory Synchronization, providing a centralized location to manage all users, contacts and groups (local Active Directory) and have those updates synchronized into Office 365.  Once Directory Synchronization has been enabled in Office 365, the DirSync application can start synchronizing Active Directory objects.  If at any point Directory Synchronization is disabled within the Office 365 service, via the Microsoft Online Portal (MOP), and then later enabled, the Directory Synchronization appliance will be instructed to perform a FULL SYNCHRONIZATION.

This is different from BPOS DirSync, and administrators in large Active Directory environments should keep this in mind, as a Full Synchronization will wipe the DirSync database and start over.  This can take significant time to complete and should be taken into account when discussing whether to temporarily disable Directory Synchronization for your Office 365 online tenant/company.

Note – The above describes a scenario where you have been Directory Synchronizing, where Directory Synchronization is running in a Delta state, which means only changes to Active Directory object attributes and values are synchronized.  Disabling DirSync, even temporarily, and then enabling this service will force DirSync to perform a Full Sync, taking administrators by surprise and may find that updates for changed AD users, contacts and/or groups are not being seen as updated as quickly as before.  This would be due to a full Directory Synchronization taking place.

Exchange Online 365 Administration – Segmenting/Assigning User/Mailbox Management

You can use Exchange Online Roles Based Access Control (RBAC) to accomplish segmenting out different Exchange Administrators to manage a specific set of users. For example, to grant the Recipient Management rights of each SMTP domain, use PowerShell commands like this, which creates a new Management Scope, a Role Group and then assigns an administrator for this group, which will have the rights to manage users assigned to a particular email domain:

Delegate Administration Permission Per Domain

http://outlookliveanswers.com/forums/p/7148/22420.aspx#22420

Setup a new Exchange Online Management Scope

New-ManagementScope -Name "DomainX.com Management Scope" -RecipientRestrictionFilter "WindowsEmailAddress -like '*@DomainX.com'"

New Role Group

New-RoleGroup "DomainX.com Recipient Managers" -Roles "Recipient Policies","Mail Recipient Creation","Distribution Groups","Mail Recipients","Message Tracking","Reset Password" -CustomRecipientWriteScope "DomainX.com Management Scope"

Add Administrator to RoleGroupMember

Add-RoleGroupMember "DomainX.com Recipient Managers" -Member "admin@DomainX.com"

Note – You will need to massage some of the above parameters, such as the -Member parameter, in order to input your own Exchange Online Admin account that you want to add to the new RoleGroupMember, which is assigned to a newly created Exchange Online Management scope.
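Before handing a delegated admin a scoped role group, it is worth seeing exactly which recipients the filter matches and confirming that every role assignment actually carries the custom write scope. The following is an added example, not from the post or the linked forum thread; it wraps the three cmdlets above in idempotent form and assumes a remote PowerShell session to Exchange Online with the post's DomainX.com placeholders:

```powershell
# Added example, not the post's own code: preview, create and verify a per-domain role group.
$domain    = 'DomainX.com'
$scopeName = "$domain Management Scope"
$groupName = "$domain Recipient Managers"
$filter    = "WindowsEmailAddress -like '*@$domain'"

# 1. Dry run: Get-Recipient accepts the same OPATH filter the scope will use, so this is
#    the exact set of recipients the delegated admins will be allowed to modify.
$inScope = @(Get-Recipient -Filter $filter -ResultSize Unlimited)
Write-Host "$($inScope.Count) recipients match: $filter"

# 2. Create the scope and the role group only if they do not already exist.
if (-not (Get-ManagementScope $scopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $scopeName -RecipientRestrictionFilter $filter | Out-Null
}
if (-not (Get-RoleGroup $groupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $groupName `
        -Roles 'Recipient Policies','Mail Recipient Creation','Distribution Groups','Mail Recipients','Message Tracking','Reset Password' `
        -CustomRecipientWriteScope $scopeName | Out-Null
}
Add-RoleGroupMember -Identity $groupName -Member "admin@$domain"

# 3. Verify: each role assignment for the group should show the custom write scope.
#    An assignment whose CustomRecipientWriteScope is empty would grant rights tenant-wide.
Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Select-Object Role, CustomRecipientWriteScope, RecipientWriteScope |
    Format-Table -AutoSize
```

Step 3 is the check to repeat after any later change to the group's roles, since a role added without -CustomRecipientWriteScope silently widens what the delegated admins can touch.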

BPOS Transitions & DirSync Object Quota Limits

The Microsoft Business Productivity Online Services (BPOS) has an object quota limit that restricts the ability to synchronize a certain number of users, contacts and groups into the BPOS Active Directory environment. 

Change in BPOS-S Transition Logic for Directory Synchronization Quota: The logic for how Microsoft will transition tenants regarding the “DirSync” setting is no longer a factor, which required (past tense) a call into Online Services support. Going forward BPOS transitioned tenants will be placed into one of the following quota sizes based on their existing BPOS object quota limit, in essence mirroring your BPOS object quota limit setting into Office 365:

  • 20k - For all tenants without any limit increase
  • 50k - Any tenant with a BPOS limit >20k but less than 50k
  • 100k - Any tenant with a BPOS limit > 50k but less than 100k
  • 250k - Any tenant with a BPOS limit > 150k but less than 250k
  • 500k - Anyone else

Office 365, ADFS & Client Access Policies – Restrict Office 365 User Authentication via ADFS

Office 365 tenants are starting to use Active Directory Federation Services (ADFS) with Office 365 to allow AD users to access online (Office 365) services using their domain accounts.  ADFS is installed by default to allow all users with an active AD account to use its authentication services.  However, many admins have found that they would like to restrict ADFS usability/access and limit who can use this particular service.  The ADFS Client Access Policy Builder, in conjunction with an ADFS Hotfix Rollup, provides just such functionality.  To learn more about how to download the .ps1 PowerShell script and information on what variables/options are available: