Body:

The Windows Azure Active Directory Sync tool (DirSync) is used to provision user accounts from Windows Active Directory on-premises to Azure Active Directory in the cloud. DirSync will synchronize changes to user accounts made on-premises to the cloud so that cloud users have access to directory information and can sign-in. This document describes how to backup and later restore the database and encryption keys required for a DirSync install. This will reduce the time to resynchronize user accounts from your on-premises Active Directory to Windows Azure Active Directory when there has been a failure of the previous DirSync installation. This document is specifically written for the 64-bit version the of DirSync. It outlines backup and restore steps required for when you need to reinstall DirSync on a new server after a failure condition. Specifically it will help you where the SQL Database used by DirSync is available either from a SQL high availability configuration or from backup and you are planning to use that with a new DirSync installation. The steps in this document assume that the DirSync application will be installed on a new or rebuilt machine. Some steps will not be needed if simply restoring the DirSync database to an existing DirSync server.

Installing DirSync to support backup and restore

The synchronization engine that’s used in the DirSync Tool uses self-generated encryption keys for encrypting certain data in the database. In order to successfully backup and restore the database, it’s essential to be able to back up and restore these encryption keys. In order to make a backup of the encryption keys, we must know the username and password for the service account that is being used for the FIMSynchronizationService. 

Overview

If you have already installed DirSync using the default install with SQL Express then you would need to uninstall prior to installing with a full SQL database as is described here.

After running the DirSync.exe /FULLSQL command to begin the install of DirSync, a PowerShell cmdlet is used to complete the installation. Here are examples of the Install-OnlineCoexistenceTool cmdlet that include the minimum information needed to complete the steps in this document.

Command for SQL Server with default SQL instance

Install-OnlineCoexistenceTool -UseSQLServer -SQLServer “sqlServerName” -ServiceCredential (Get-Credential) –Verbose

Command for SQL Server with Named SQL Instance

Install-OnlineCoexistenceTool -UseSQLServer -SQLServer “sqlServerName” –SQLServerInstance “SQLInstanceName” -ServiceCredential (Get-Credential) –Verbose

Additional arguments are documented here.

Note: When choosing an account for the –ServiceCredential argument value, we should remember that this will be a service account and it also needs to be a domain account from a domain in the forest where the DirSync service is installed.  

DirSync Database Backup

There are two different things that we will need to back up in order to successfully restore the database.

  1. The FIMSynchronizationService Database
  2. The FIM Synchronization Service encryption keys

The FIMSynchronizationService database backup should be done using the Backup Type of Full.

Backup Steps

1.       Shut down the Windows Azure Active Directory Sync Service (MSOnlineSyncScheduler) service.

    1. This will ensure no automated synchronization runs are started during the backup

2.       Use the MIISClient.exe to check for an active synchronization run.

3.       Wait until no synchronization runs are active then shut down the “Forefront Identity Manager Synchronization Service” service.

4.       Using SQL Server Management Studio, make a backup of the FIMSynchronizationService database. Backup type should be set to “Full.”

    1. Steps documented here.

5.       Using the MIISKmu.exe, make a backup of the encryption key.

    1. Run the executable and follow the instructions in the user interface
      1. When asked for credentials, specify the DirSync service account
    2. Automation steps and usage information here.
    3. The path to the miiskmu.exe file is different than in the TechNet documentation.  For the Directory Synchronization Tool, it is located in:

%programfiles%Windows Azure Active Directory SyncSyncBusSynchronization ServiceBin

6.       Re-start the Forefront Identity Manager Synchronization Service and the Windows Azure Active Directory Sync Service service.

DirSync Database Restore

Restoring and Installing Directory Synchronization on a new or rebuilt machine

 

If you have a backup of the FIMSynchronizationService database and a backup of the FIM Synchronization Service encryption keys then this process can be used to restore a DirSync implementation.

This process should be used in all of the following cases:

  • The DirSync database is hosted on a SQL Server machine remote from the DirSync application, and the DirSync application will be installed on a new or rebuilt machine
  • The DirSync database is hosted on a SQL Server instance on the same machine as the DirSync application and will be installed on a new or rebuilt machine

 

Restore Steps

Follow these steps to restore the database and encryption keys for DirSync.

1.       Restore the FIMSynchronizationService database to the SQL Server instance, and to the name FIMSynchronizationService.

2.       On the DirSync machine, run the DirSync install using the following command from an Administrative cmd.exe prompt:

    • DirSync /FULLSQL

3.       Run the following file to open a PowerShell command prompt loading the needed modules

    • “C:Program FilesMicrosoft Online Directory SyncDirSyncInstallShell.psc1”

4.       From the cmd.exe prompt opened in step 3, use the following command to install the DirSync services:

    • Forefront Identity Manager Synchronization Service
    • Windows Azure Active Directory Sync Service

Command for SQL Server with default SQL instance

Install-OnlineCoexistenceTool -UseSQLServer -SQLServer “sqlServerName” -ServiceCredential (Get-Credential) –Verbose

Command for SQL Server with Named SQL Instance

Install-OnlineCoexistenceTool -UseSQLServer -SQLServer “sqlServerName” –SQLServerInstance “SQLInstanceName” -ServiceCredential (Get-Credential) –Verbose

Additional arguments documented here.

Important:

  • sqlServerName is the machine name of the SQL Server where the FIMSynchronizationService database was restored.
  • SQLInstanceName is the name of the SQL Server instance, if not the default.
  • ServiceCredential should be the user ID and password for the service account you wish the DirSync services to run under.
  • This command will end with an error message indicating that the Directory Synchronization service was not installed properly.  This error is due to the FIM Synchronization Service not having the encryption keys available to read the database.  The next step will correct that issue.

Log Name:      Application

Source:        FIMSynchronizationService

Date:          2/15/2012 5:57:26 PM

Event ID:      6206

Task Category: Database

Level:         Error

Keywords:      Classic

User:          N/A

Computer:      myDirSyncComputer.MyDomain.com

Description:

The service encryption keys could not be found.

 

 User Action

 Verify that the service account has permissions to the following registry key:

 HKEY_LOCAL_MACHINESOFTWAREMicrosoftForefront Identity Manager2010Synchronization Service

 

 If the problem persists, run setup and restore the encryption keys from backup.

 

5.       Run the miisactivate.exe command line utility to activate the current Directory Synchronization server with the database, specifying the encryption key backup.

    • Information on running this tool can be found in Appendix 1 – Running the MIISActivate.exe command line tool.

 

 

Appendix 1 – Running the MIISActivate.exe command line tool

As described in the steps above, the MIISActivate.exe command line tool is needed to re-associate the encryption keys exported from the original DirSync install using the MIISKMU.exe utility.

If the Forefront Identity Manager Synchronization Service starts without issue after the restore, then this step may not be needed. 

Steps to run MIISActivate.exe

  1. From an Administrative cmd.exe prompt, navigate to the “%programfiles%Windows Azure Active Directory SyncSYNCBUSSynchronization Servicebin” folder
  2. At the command prompt, type the following command

miisactivate “miiskeys-1.bin” “myDomainmyUser” *

Where:

  • miiskeys-1.bin is the file that was created when you ran the MIISKMU.exe in database backup step 5 earlier in this document.
  • myDomainmyUser is the service account that DirSync is running under that was specified in the Install-OnlineCoexistenceTool cmdlet used to install DirSync.
  • * is a placeholder telling the utility to prompt for the password

MIISActivate Usage Information

 

Usage: MIISACTIVATE [filename] [username {password | *}] [/q]

filename                  Filename of the key

username                [domain]username

                                  [domain.com]username

                                 username@domain.com

password                Password (specify ‘*’ to prompt for password)

/q                             Quiet mode (no pop up dialog boxes)

 

Source: http://www.microsoft.com/en-us/download/details.aspx?id=42524

Published: 5/6/2014 15:47
]]>

Uncategorized