Posted on 04-Feb-2018

239 views

Category:

Documents


4 download

TRANSCRIPT

Page 1: AZURE AD Connect Sync Scheduler - · PDF fileAhmed.n.Yasin@hotmail.com Page | 1 AZURE AD Connect Sync Scheduler As we already know, Azure AD Connect tool will sync all changes from

Visit us at: http://AzureDummies.com Ahmad Yasin [email protected]

Page | 1

AZURE AD Connect Sync Scheduler

As we already know, the Azure AD Connect tool syncs all changes from the on-premises directory to Azure Active Directory. The synchronization process uses a scheduler for this task; for example, there is a scheduler for password sync that is separate from the scheduler for object/attribute sync and maintenance tasks.

Note: the default synchronization frequency is 30 minutes.

In the AD Connect tool, the scheduler has two main functions:

Synchronization cycle: used to import, sync and export all changes.

Maintenance tasks: renew keys and certificates for password reset and Device Registration Service (DRS), and delete old log files.

To demonstrate, let's take a real example: open your AD Connect server, run PowerShell with administrative privileges, and execute the command below:

Get-ADSyncScheduler

Note: if the command is not available, you may need to load the PowerShell module first by running Import-Module ADSync.

After the command executes successfully, we can read and understand some of the schedule information as follows:

AllowedSyncCycleInterval: this means that automatic synchronization happens every 30 minutes. You can change this by setting the CustomizedSyncCycleInterval attribute, which is empty in our example since we haven't changed it yet. However, you cannot set this value to less than 30 minutes: the command will accept a value below 30 minutes, but it will not take effect.

To change this value to 3 hours instead of 30 minutes, execute the command below:


Set-AdSyncScheduler -CustomizedSyncCycleInterval 03:00:00

If we get the scheduler information again, we can see that the customized value is now 3 hours, as shown below:

Now let's try to set the value to less than 30 minutes. If we run the command below, which sets the value to 10 minutes, a warning appears informing us that even though the command is executed, the value that will be used is 30 minutes, not 10:

Set-AdSyncScheduler -CustomizedSyncCycleInterval 00:10:00

CurrentlyEffectiveSyncCycleInterval: if you set CustomizedSyncCycleInterval to an acceptable value of more than 30 minutes, it takes effect at the next synchronization cycle. CurrentlyEffectiveSyncCycleInterval tells you the effective value of the sync interval: if you didn't change CustomizedSyncCycleInterval, this value equals AllowedSyncCycleInterval; if you did set CustomizedSyncCycleInterval, CurrentlyEffectiveSyncCycleInterval will equal it from the next synchronization cycle.
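The interval check described above, as an added example that is not part of the original post: it reads AllowedSyncCycleInterval before calling Set-ADSyncScheduler so that a value the scheduler would silently ignore is rejected up front, then reports the customized and currently effective values. It assumes the ADSync module is available on the AD Connect server; the Set-SafeSyncInterval function name is the example's own.

```powershell
# Added example (not from the original post): refuse a custom interval that is
# below AllowedSyncCycleInterval instead of storing a value that never applies.
# Assumes the ADSync module is present on the AD Connect server.
Import-Module ADSync

function Set-SafeSyncInterval {
    param(
        [Parameter(Mandatory)][TimeSpan]$Interval
    )

    $sched = Get-ADSyncScheduler

    # Values below AllowedSyncCycleInterval are accepted by the cmdlet but never
    # take effect (the article shows 00:10:00 still running at 30 minutes).
    if ($Interval -lt $sched.AllowedSyncCycleInterval) {
        $msg = "Requested interval $Interval is below the allowed minimum $($sched.AllowedSyncCycleInterval); it would not take effect."
        throw $msg
    }

    Set-ADSyncScheduler -CustomizedSyncCycleInterval $Interval

    # Re-read and report: the customized value is visible immediately, but the
    # effective value only changes at the next synchronization cycle.
    $after = Get-ADSyncScheduler
    [pscustomobject]@{
        Customized         = $after.CustomizedSyncCycleInterval
        CurrentlyEffective = $after.CurrentlyEffectiveSyncCycleInterval
        NextCycleStartUtc  = $after.NextSyncCycleStartTimeInUTC
        TakesEffectNextRun = ($after.CustomizedSyncCycleInterval -ne $after.CurrentlyEffectiveSyncCycleInterval)
    }
}

# Usage: three hours, as in the article.
Set-SafeSyncInterval -Interval (New-TimeSpan -Hours 3)
```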

NextSyncCyclePolicyType: this field has two options, Delta or Initial. If syncing has never happened, its value is Initial so that a full sync is run; otherwise it is Delta, to sync only the changes made since the last synchronization.

NextSyncCycleStartTimeInUTC: defines when the next sync cycle will start.

PurgeRunHistoryInterval: defines how many days the run history logs are kept before being purged; the default value is 7 days.

SyncCycleEnabled: shows whether automatic syncing is enabled or not.


Note: you can change some of these settings with Set-ADSyncScheduler. The following parameters can be modified:

CustomizedSyncCycleInterval

NextSyncCyclePolicyType

PurgeRunHistoryInterval

SyncCycleEnabled

MaintenanceEnabled

As mentioned, the scheduler runs every 30 minutes by default. In some cases you may need to force the synchronization to run between scheduled cycles to speed up replication of new changes or newly added objects.

For example, assume the next sync cycle will run in 15 minutes and you have added a new object that needs to be replicated to Azure AD immediately. In such cases you should force the sync to run manually, either by command or from the GUI.

There are two types of sync available in the AD Connect tool, Delta Sync and Full Sync. Each has its own scenarios, and both replicate changes to Azure Active Directory.

Delta synchronization is used to replicate changes made to existing objects; in other words, a delta sync only affects objects that were synced before and have been changed since.

If you run a delta sync, the following steps are executed:

Delta import on all Connectors

Delta sync on all Connectors

Export on all Connectors

To force a delta sync to run immediately, open PowerShell with administrative privileges and run the command below:

Start-ADSyncSyncCycle -PolicyType Delta

Now let's see exactly what happens when we run the delta synchronization. Open the miisclient.exe console, located by default under C:\Program Files\Microsoft Azure AD Sync\UIShell. From the Operations tab you will see a result similar to the one below:


From the screenshot above we can see that three processes ran on each connector, the local AD connector and the Azure AD one, resulting in six operations.

Since we didn't make any changes before running the delta sync, we can see that no changes were detected and nothing was exported by the local connector, as in the snapshots below from the management console:


Now I changed the job title for a user called "Ali Saleh" who was already synced; the old value was empty and the new one is "IT Manager".

I ran the delta sync command again, and we can see that the result changed: since this change was made in our local Active Directory, all three operations (Delta Import, Delta Synchronization and Export) should detect that a new change was made and needs to be synced.

If we open the Delta Import operation for the local connector, it should display that one object has been changed, as shown below:


Click on the updates and you will see which object(s) changed since the last sync cycle, which in our case is the "Ali Saleh" user, as shown below:


Let's look at the export operation for the local connector; it should also show that there is an update, as below:

If we click on the updates, it shows the CN of the object that changed since the last sync cycle, as shown below. Double-click the object:


Now it clearly shows the old and new values of the user's attributes; in our case the old value of "title" was empty and the new one is "IT Manager".

Full synchronization is used in the following scenarios:

You added more objects or attributes to be imported from a source directory

You made changes to the synchronization rules

You changed filtering so that a different number of objects should be included

Once you run a full sync, the following operations are executed:

Full Import on all Connectors

Full Sync on all Connectors

Export on all Connectors

To force a full sync to run immediately, open PowerShell with administrative privileges and run the command below:

Start-ADSyncSyncCycle -PolicyType Initial
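Forcing either kind of cycle from a script, as an added example that is not part of the original post: it covers both the Delta and the Initial (full) policy types described above, waits for any cycle already in progress before starting (Start-ADSyncSyncCycle fails while one is running), and then waits for the forced cycle to finish. It assumes the ADSync module on the AD Connect server; the Invoke-ForcedSyncCycle function name and the polling timeout are the example's own.

```powershell
# Added example (not from the original post): force a Delta or Initial sync
# cycle and wait for it to complete. Assumes the ADSync module is present.
Import-Module ADSync

function Invoke-ForcedSyncCycle {
    param(
        # Delta: delta import / delta sync / export on all connectors.
        # Initial: full import / full sync / export on all connectors.
        [ValidateSet('Delta', 'Initial')][string]$PolicyType = 'Delta',
        [int]$TimeoutSeconds = 600   # arbitrary limit chosen for this example
    )

    $sched = Get-ADSyncScheduler
    if (-not $sched.SyncCycleEnabled) {
        Write-Warning 'SyncCycleEnabled is false: only this forced run will happen, no scheduled cycles.'
    }

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)

    # A cycle that is already running would make Start-ADSyncSyncCycle fail,
    # so wait for the scheduler's SyncCycleInProgress flag to clear first.
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) { throw 'Timed out waiting for the running sync cycle to finish.' }
        Start-Sleep -Seconds 10
    }

    Start-ADSyncSyncCycle -PolicyType $PolicyType | Out-Null

    # Give the cycle a moment to start, then poll until it has completed.
    Start-Sleep -Seconds 5
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) { throw 'Timed out waiting for the forced sync cycle to finish.' }
        Start-Sleep -Seconds 10
    }

    # After an Initial run the next scheduled cycle drops back to Delta.
    Get-ADSyncScheduler | Select-Object NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC, SyncCycleInProgress
}

# Usage: the delta cycle from the article; pass -PolicyType Initial for a full sync.
Invoke-ForcedSyncCycle -PolicyType Delta
```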


Before I ran the forced full sync command, I created a new user called "Ahmad Yasin", just as a quick demonstration to see what happens in the connector operations. Let's look at the status of the Full Import operation for the local connector; we can see that one object was added, as shown below:


Double-click on the Adds field and it will show the object added since the last sync cycle, which is "Ahmad Yasin" in our case, as shown below:

You can also clearly see that a new object was provisioned in the Full Synchronization operation for the local connector, as shown below:


If you use an outbound proxy to access the internet, you may face issues while running the AD Connect synchronization process. To avoid this and force AD Connect to use your proxy server, open C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config in any editor such as Notepad, add the section below at the end of the file before the </configuration> tag, and change it according to your proxy address and port:

<system.net>
  <defaultProxy>
    <proxy usesystemdefault="true" proxyaddress="http://<PROXYADDRESS>:<PROXYPORT>" bypassonlocal="true" />
  </defaultProxy>
</system.net>

For example, my proxy address is 192.168.10.1 and it listens on port 8080, so the edit should look like the one below:
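The machine.config edit above done from a script, as an added example that is not part of the original post: it takes a backup first, creates the system.net/defaultProxy/proxy elements only if they are missing (so running it twice does not duplicate the section), and sets the same three attributes as the snippet. The path and the 192.168.10.1:8080 address are the article's values; the Set-MachineConfigProxy function name is the example's own, and it must run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): insert or update the defaultProxy
# section of machine.config idempotently, keeping a backup of the original.
function Set-MachineConfigProxy {
    param(
        [string]$ProxyAddress = 'http://192.168.10.1:8080',   # article's example proxy
        [string]$ConfigPath = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config'
    )

    # Keep a timestamped copy so the change can be rolled back if sync breaks.
    $backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -Path $ConfigPath -Destination $backup

    [xml]$cfg = Get-Content -Path $ConfigPath -Raw
    $root = $cfg.configuration

    # <system.net> may already exist; create it under <configuration> if not.
    $systemNet = $root.SelectSingleNode('system.net')
    if (-not $systemNet) {
        $systemNet = $root.AppendChild($cfg.CreateElement('system.net'))
    }

    $defaultProxy = $systemNet.SelectSingleNode('defaultProxy')
    if (-not $defaultProxy) {
        $defaultProxy = $systemNet.AppendChild($cfg.CreateElement('defaultProxy'))
    }

    $proxy = $defaultProxy.SelectSingleNode('proxy')
    if (-not $proxy) {
        $proxy = $defaultProxy.AppendChild($cfg.CreateElement('proxy'))
    }

    # Same attributes as the article's snippet.
    $proxy.SetAttribute('usesystemdefault', 'true')
    $proxy.SetAttribute('proxyaddress', $ProxyAddress)
    $proxy.SetAttribute('bypassonlocal', 'true')

    $cfg.Save($ConfigPath)
    Write-Output "Proxy set to $ProxyAddress in $ConfigPath (backup: $backup)"
}

Set-MachineConfigProxy
```

Restart the Microsoft Azure AD Sync service afterwards so the running process picks up the new machine.config.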


About the Blogger …

Ahmad Yasin is a Microsoft Cloud Engineer and the owner and publisher of the AzureDummies blog. He also holds many certificates in Office 365 and Windows Azure, including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA Office 365.

Find Ahmad at Facebook and LinkedIn.