
The Windows Azure Active Directory Sync tool (DirSync) is used to provision user accounts from on-premises Windows Active Directory to Azure Active Directory in the cloud. DirSync synchronizes changes made to user accounts on-premises to the cloud so that cloud users have access to directory information and can sign in. This document describes how to back up and later restore the database and encryption keys required for a DirSync install. Doing so reduces the time needed to resynchronize user accounts from your on-premises Active Directory to Windows Azure Active Directory after a failure of the previous DirSync installation. This document is written specifically for the 64-bit version of DirSync. It outlines the backup and restore steps required when you need to reinstall DirSync on a new server after a failure condition, specifically where the SQL database used by DirSync is still available (either from a SQL high availability configuration or from backup) and you plan to use it with a new DirSync installation. The steps in this document assume that the DirSync application will be installed on a new or rebuilt machine; some steps are not needed if you are simply restoring the DirSync database to an existing DirSync server.

Installing DirSync to support backup and restore

The synchronization engine used by the DirSync tool generates its own encryption keys for encrypting certain data in the database. To successfully back up and restore the database, it is essential to also back up and restore these encryption keys. To make a backup of the encryption keys, you must know the username and password of the service account used by the FIMSynchronizationService.

Overview

If you have already installed DirSync using the default install with SQL Express, you need to uninstall it before installing with a full SQL database as described here.

After running DirSync.exe /FULLSQL to begin the installation, the Install-OnlineCoexistenceTool PowerShell cmdlet is used to complete it. Here are examples of that cmdlet with the minimum arguments needed to complete the steps in this document.

Command for SQL Server with default SQL instance

Install-OnlineCoexistenceTool -UseSQLServer -SQLServer "sqlServerName" -ServiceCredential (Get-Credential) -Verbose

Command for SQL Server with Named SQL Instance

Install-OnlineCoexistenceTool -UseSQLServer -SQLServer "sqlServerName" -SQLServerInstance "SQLInstanceName" -ServiceCredential (Get-Credential) -Verbose

Additional arguments are documented here.

Note: The account given as the -ServiceCredential argument value becomes a service account, and it must be a domain account from a domain in the forest where the DirSync service is installed.

DirSync Database Backup

There are two different things that we will need to back up in order to successfully restore the database.

  1. The FIMSynchronizationService Database
  2. The FIM Synchronization Service encryption keys

The FIMSynchronizationService database backup should be done using the Backup Type of Full.

Backup Steps

1. Shut down the Windows Azure Active Directory Sync Service (MSOnlineSyncScheduler) service.

    1. This ensures no automated synchronization runs are started during the backup.

2. Use MIISClient.exe to check for an active synchronization run.

3. Wait until no synchronization runs are active, then shut down the "Forefront Identity Manager Synchronization Service" service.

4. Using SQL Server Management Studio, make a backup of the FIMSynchronizationService database. Backup type should be set to "Full."

    1. Steps documented here.

5. Using MIISKmu.exe, make a backup of the encryption key.

    1. Run the executable and follow the instructions in the user interface.
      1. When asked for credentials, specify the DirSync service account.
    2. Automation steps and usage information here.
    3. The path to the miiskmu.exe file is different than in the TechNet documentation. For the Directory Synchronization Tool, it is located in:

%programfiles%\Windows Azure Active Directory Sync\SyncBus\Synchronization Service\Bin

6. Restart the Forefront Identity Manager Synchronization Service and the Windows Azure Active Directory Sync Service service.
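The six backup steps above, as an added PowerShell example that is not part of the original document and not Microsoft's own tooling. It runs on the DirSync server from an administrative PowerShell prompt. Assumptions, marked in the comments: the SQL Server name, backup directory and service account are placeholders; the wait in step 2 polls the sync engine's WMI provider (MIIS_ManagementAgent.RunStatus()) instead of the MIISClient.exe UI the document describes; and miiskmu.exe is assumed to accept the unattended export syntax /e <file> /u:<domain\user> <password>, which you should confirm with miiskmu.exe /? before relying on it.

```powershell
# Added example (not from the original document): DirSync backup steps 1-6.
param(
    [string]$SqlServer      = 'sqlServerName',     # assumption: placeholder name from the document
    [string]$BackupDir      = 'D:\DirSyncBackup',  # assumption: path reachable by SQL Server and DirSync
    [string]$ServiceAccount = 'myDomain\myUser'    # assumption: the DirSync service account
)
$ErrorActionPreference = 'Stop'

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$dbFile  = Join-Path $BackupDir "FIMSynchronizationService-$stamp.bak"
$keyFile = Join-Path $BackupDir "miiskeys-$stamp.bin"
# miiskmu.exe location for DirSync (differs from the TechNet location).
$binDir  = Join-Path $env:ProgramFiles 'Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\Bin'

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

try {
    # Step 1: stop the scheduler so no automated sync run starts mid-backup.
    Stop-Service -Name MSOnlineSyncScheduler

    # Step 2: wait for any run already in progress to finish.
    # Assumption: RunStatus() reports 'in-progress' while a management agent is running.
    do {
        $running = Get-WmiObject -Namespace 'root\MicrosoftIdentityIntegrationServer' `
                                 -Class MIIS_ManagementAgent |
                   Where-Object { $_.RunStatus().ReturnValue -eq 'in-progress' }
        if ($running) { Write-Host 'Sync run still active, waiting...'; Start-Sleep -Seconds 30 }
    } while ($running)

    # Step 3: stop the sync engine so the database is quiescent for a consistent full backup.
    Stop-Service -Name FIMSynchronizationService

    # Step 4: full backup. SQL Server writes the .bak, so $BackupDir must exist on the SQL host.
    $backupSql = "BACKUP DATABASE [FIMSynchronizationService] TO DISK = N'$dbFile' WITH INIT, CHECKSUM, STATS = 10;"
    sqlcmd -S $SqlServer -E -b -Q $backupSql
    if ($LASTEXITCODE -ne 0) { throw "Database backup failed (sqlcmd exit code $LASTEXITCODE)" }

    # Step 5: export the encryption keys as the DirSync service account.
    # Assumption: unattended syntax is '/e <file> /u:<domain\user> <password>'; verify with 'miiskmu.exe /?'.
    $cred     = Get-Credential $ServiceAccount
    $plainPwd = $cred.GetNetworkCredential().Password
    & (Join-Path $binDir 'miiskmu.exe') /e $keyFile "/u:$ServiceAccount" $plainPwd
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $keyFile)) { throw 'Encryption key export failed' }

    # The key file decrypts every secret stored in the database, so restrict it
    # to Administrators and SYSTEM before it is copied anywhere.
    icacls $keyFile /inheritance:r /grant:r 'BUILTIN\Administrators:F' 'NT AUTHORITY\SYSTEM:F' | Out-Null
}
finally {
    # Step 6: bring the engine and scheduler back even if an earlier step failed.
    Start-Service -Name FIMSynchronizationService
    Start-Service -Name MSOnlineSyncScheduler
}

Write-Host "Database backup: $dbFile"
Write-Host "Key backup:      $keyFile"
```

The try/finally matters operationally: if the SQL backup or key export throws, the two services are still restarted, so a failed backup does not silently leave synchronization stopped. Store the .bak and the .bin together with the same access restrictions; the database is only useful for a restore when its matching key export is available.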

DirSync Database Restore

Restoring and Installing Directory Synchronization on a new or rebuilt machine

If you have a backup of the FIMSynchronizationService database and a backup of the FIM Synchronization Service encryption keys, then this process can be used to restore a DirSync implementation.

This process should be used in all of the following cases:

  • The DirSync database is hosted on a SQL Server machine remote from the DirSync application, and the DirSync application will be installed on a new or rebuilt machine
  • The DirSync database is hosted on a SQL Server instance on the same machine as the DirSync application, and will be installed on a new or rebuilt machine

Restore Steps

Follow these steps to restore the database and encryption keys for DirSync.

1. Restore the FIMSynchronizationService database to the SQL Server instance, under the name FIMSynchronizationService.

2. On the DirSync machine, run the DirSync install using the following command from an Administrative cmd.exe prompt:

    • DirSync /FULLSQL

3. Run the following file to open a PowerShell command prompt with the needed modules loaded:

    • "C:\Program Files\Microsoft Online Directory Sync\DirSyncInstallShell.psc1"

4. From the PowerShell prompt opened in step 3, use the following command to install the DirSync services:

    • Forefront Identity Manager Synchronization Service
    • Windows Azure Active Directory Sync Service

Command for SQL Server with default SQL instance

Install-OnlineCoexistenceTool -UseSQLServer -SQLServer "sqlServerName" -ServiceCredential (Get-Credential) -Verbose

Command for SQL Server with Named SQL Instance

Install-OnlineCoexistenceTool -UseSQLServer -SQLServer "sqlServerName" -SQLServerInstance "SQLInstanceName" -ServiceCredential (Get-Credential) -Verbose

Additional arguments documented here.

Important:

  • sqlServerName is the machine name of the SQL Server where the FIMSynchronizationService database was restored.
  • SQLInstanceName is the name of the SQL Server instance, if not the default.
  • ServiceCredential should be the user ID and password for the service account you wish the DirSync services to run under.
  • This command will end with an error message indicating that the Directory Synchronization service was not installed properly. This error is due to the FIM Synchronization Service not having the encryption keys available to read the database. The next step will correct that issue.

The following event is logged in the Application log:

    Log Name:      Application
    Source:        FIMSynchronizationService
    Date:          2/15/2012 5:57:26 PM
    Event ID:      6206
    Task Category: Database
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      myDirSyncComputer.MyDomain.com
    Description:
    The service encryption keys could not be found.

    User Action
    Verify that the service account has permissions to the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Synchronization Service

    If the problem persists, run setup and restore the encryption keys from backup.


5. Run the miisactivate.exe command line utility to activate the current Directory Synchronization server with the database, specifying the encryption key backup.

    • Information on running this tool can be found in Appendix 1 – Running the MIISActivate.exe command line tool.


Appendix 1 – Running the MIISActivate.exe command line tool

As described in the steps above, the MIISActivate.exe command line tool is needed to re-associate the encryption keys exported from the original DirSync install using the MIISKMU.exe utility.

If the Forefront Identity Manager Synchronization Service starts without issue after the restore, then this step may not be needed. 

Steps to run MIISActivate.exe

  1. From an Administrative cmd.exe prompt, navigate to the "%programfiles%\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\bin" folder.
  2. At the command prompt, type the following command:

miisactivate "miiskeys-1.bin" "myDomain\myUser" *

Where:

  • miiskeys-1.bin is the file that was created when you ran MIISKMU.exe in database backup step 5 earlier in this document.
  • myDomain\myUser is the service account that DirSync runs under, as specified in the Install-OnlineCoexistenceTool cmdlet used to install DirSync.
  • * is a placeholder telling the utility to prompt for the password.
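Restore step 1, the "Important" note about event 6206, restore step 5 and Appendix 1 together, as an added PowerShell example that is not part of the original document and not Microsoft's own tooling. It defines two functions: Restore-DirSyncDatabase for step 1, and Repair-DirSyncEncryptionKeys for what happens after the installer fails (confirm the 6206 event, show the service account's rights on the registry key the event names, run miisactivate.exe with the exported key, restart the services and check that 6206 does not recur). Restore steps 2 to 4 (DirSync /FULLSQL and Install-OnlineCoexistenceTool) are interactive and are run between the two functions. The server name, backup and key file paths, and service account are placeholder assumptions; the key file name follows the miiskeys-1.bin example in Appendix 1.

```powershell
# Added example (not from the original document): DirSync restore step 1 and
# the post-install key re-association (step 5 / Appendix 1). Dot-source this
# file, run Restore-DirSyncDatabase, perform restore steps 2-4 by hand, then
# run Repair-DirSyncEncryptionKeys from an administrative PowerShell prompt.
param(
    [string]$SqlServer      = 'sqlServerName',                                  # assumption: placeholder from the document
    [string]$BackupFile     = 'D:\DirSyncBackup\FIMSynchronizationService.bak', # assumption: .bak path as seen by SQL Server
    [string]$KeyFile        = 'D:\DirSyncBackup\miiskeys-1.bin',                # the miiskmu.exe export from backup step 5
    [string]$ServiceAccount = 'myDomain\myUser'                                 # the account passed to -ServiceCredential
)
$ErrorActionPreference = 'Stop'
$binDir = Join-Path $env:ProgramFiles 'Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\Bin'
# Registry key named in event 6206 (backslashes restored from the document).
$regKey = 'HKLM:\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Synchronization Service'

function Restore-DirSyncDatabase {
    # Restore step 1: the database must come back under the exact name
    # FIMSynchronizationService. VERIFYONLY checks the .bak before touching SQL.
    sqlcmd -S $SqlServer -E -b -Q "RESTORE VERIFYONLY FROM DISK = N'$BackupFile' WITH CHECKSUM;"
    if ($LASTEXITCODE -ne 0) { throw 'Backup file failed verification' }
    # WITH REPLACE overwrites an empty database a previous install attempt may have created.
    $sql = "RESTORE DATABASE [FIMSynchronizationService] FROM DISK = N'$BackupFile' WITH REPLACE, RECOVERY, STATS = 10;"
    sqlcmd -S $SqlServer -E -b -Q $sql
    if ($LASTEXITCODE -ne 0) { throw "Database restore failed (sqlcmd exit code $LASTEXITCODE)" }
}

function Repair-DirSyncEncryptionKeys {
    # Important note: Install-OnlineCoexistenceTool ends with an error because the
    # fresh engine has no keys for the restored database; event 6206 confirms that cause.
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'FIMSynchronizationService'; Id = 6206 } `
                        -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($evt) { Write-Host "Event 6206 at $($evt.TimeCreated): service encryption keys could not be found." }

    # The event's first suggested check: the service account's rights on the registry key.
    (Get-Acl -Path $regKey).Access |
        Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
        Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize

    # Appendix 1: re-associate the exported keys. '*' makes miisactivate.exe prompt
    # for the password, so it never appears in the command line or shell history.
    Push-Location $binDir
    try {
        & .\miisactivate.exe $KeyFile $ServiceAccount '*'
        if ($LASTEXITCODE -ne 0) { throw "miisactivate.exe returned $LASTEXITCODE" }
    }
    finally { Pop-Location }

    $activatedAt = Get-Date
    Start-Service -Name FIMSynchronizationService
    Start-Service -Name MSOnlineSyncScheduler

    # A new 6206 after activation means the wrong key file or service account was used.
    $after = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'FIMSynchronizationService'; Id = 6206; StartTime = $activatedAt } `
                          -ErrorAction SilentlyContinue
    if ($after) { throw 'Event 6206 logged again after activation; check the key file and service account' }
    Get-Service -Name FIMSynchronizationService, MSOnlineSyncScheduler | Format-Table Name, Status -AutoSize
}
```

The registry ACL listing is informational: the event text offers it as the first thing to verify, and printing it next to the 6206 event lets the operator rule out a permissions problem before concluding that the keys are the cause. As the appendix notes, if the Forefront Identity Manager Synchronization Service starts cleanly after the install, Repair-DirSyncEncryptionKeys is not needed.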

MIISActivate Usage Information

Usage: MIISACTIVATE [filename] [username {password | *}] [/q]

  filename    Filename of the key
  username    [domain\]username
              [domain.com\]username
              username@domain.com
  password    Password (specify '*' to prompt for password)
  /q          Quiet mode (no pop up dialog boxes)


Source: http://www.microsoft.com/en-us/download/details.aspx?id=42524

Published: 5/6/2014 15:47