AAD Connect configuration documenter is a tool to generate documentation of an Azure AD Connect installation. Currently, the documentation covers only the Azure AD Connect sync configuration.
The goals of this project are:
- To enable quick understanding of the synchronization configuration and "how it happens"!
- To build confidence in getting things right when making changes to the default configuration!!
- To know what was changed when you applied a new build / configuration of Azure AD Connect or added/updated custom sync rules!!!
The current capabilities of the tool include:
- Documentation of the complete configuration of Azure AD Connect sync.
- Documentation of any changes in the configuration of two Azure AD Connect sync servers or changes from a given configuration baseline.
- Generation of the PowerShell deployment script to migrate the sync rule differences or customisations from one server to another.
Prerequisites:
- .NET Framework 4.5 to be able to run the tool.
- A modern browser (e.g. Microsoft Edge) to view the report.
- A fair understanding of MIIS 2003 / ILM 2007 / FIM 2010 / MIM 2016 / AAD Sync sync engine technical concepts to be able to understand the report. A sample report generated by the tool can be found listed in the Wiki section.
How to use the tool (if you want to document the configuration of a single server):
- Download the latest release AzureADConnectSyncDocumenter.zip from the releases tab under the Code tab, UNBLOCK the downloaded zip file and extract it to an empty local folder on a machine which has .NET Framework 4.5 installed.
- This will extract the Documenter application binaries along with the sample data files for "Contoso".
- Make sure that the tool runs by double-clicking the batch file AzureADConnectSyncDocumenter.cmd (not the AzureADConnectSyncDocumenterCmd.exe executable that it calls; the .exe extension is hidden by default in Windows Explorer, so check the file type).
- Upon successful execution, the generated report for "Contoso" will be found in the Documenter "Report" folder.
- Export the Server Configuration of your Azure AD Connect sync server (named "AADC-SERVER01" in the example below) by running Get-ADSyncServerConfiguration cmdlet defined in ADSync module shipped with Azure AD Connect as in the example below.
Import-Module ADSync
Get-ADSyncServerConfiguration -Path "C:\Temp\AADC-SERVER01-06JUN2022"
- Copy the configuration export files folder produced in the previous step ("AADC-SERVER01-06JUN2022") to the "Data" directory of the Documenter tool.
- Open a command prompt and change directory to the AzureADConnectSyncDocumenter folder, which contains the AzureADConnectSyncDocumenterCmd.exe executable of the tool. Run the tool as follows to generate the report (for a single server, the same export folder name is passed as both arguments):
AzureADConnectSyncDocumenterCmd.exe "AADC-SERVER01-06JUN2022" "AADC-SERVER01-06JUN2022"
- Upon successful execution, the generated report will be found in the Documenter "Report" folder.
How to use the tool (if you want to generate a comparison report for an old and a new server, e.g. during a swing migration):
- Download the latest release AzureADConnectSyncDocumenter.zip from the releases tab under the Code tab, UNBLOCK the downloaded zip file and extract it to an empty local folder on a machine which has .NET Framework 4.5 installed.
- This will extract the Documenter application binaries along with the sample data files for "Contoso".
- Make sure that the tool runs by double-clicking the batch file AzureADConnectSyncDocumenter.cmd.
- Upon successful execution, the generated report for "Contoso" will be found in the Documenter "Report" folder.
- Export the Server Configuration of your old and new Azure AD Connect sync server (named "AADC-SERVER-OLD" and "AADC-SERVER-NEW" respectively in the example below) by running Get-ADSyncServerConfiguration cmdlet defined in ADSync module shipped with Azure AD Connect as in the example below.
Import-Module ADSync
Get-ADSyncServerConfiguration -Path "C:\Temp\AADC-SERVER-OLD-06JUN2022" # run this on the old server
Get-ADSyncServerConfiguration -Path "C:\Temp\AADC-SERVER-NEW-06JUN2022" # run this on the new server
- Copy the configuration export files folder produced in the previous step ("AADC-SERVER-OLD-06JUN2022" and "AADC-SERVER-NEW-06JUN2022") to the "Data" directory of the Documenter tool.
- Open a command prompt and change directory to the AzureADConnectSyncDocumenter folder, which contains the AzureADConnectSyncDocumenterCmd.exe executable of the tool. Run the tool as follows to generate the report (the first argument is the configuration whose customisations you want to carry over, the second is the baseline they are compared against and applied to):
AzureADConnectSyncDocumenterCmd.exe "AADC-SERVER-OLD-06JUN2022" "AADC-SERVER-NEW-06JUN2022"
- Upon successful execution, the generated report will be found in the Documenter "Report" folder.
How to use the tool (if you want to generate a comparison report for before and after an upgrade of the same server):
- Download the latest release AzureADConnectSyncDocumenter.zip from the releases tab under the Code tab, UNBLOCK the downloaded zip file and extract it to an empty local folder on a machine which has .NET Framework 4.5 installed.
- This will extract the Documenter application binaries along with the sample data files for "Contoso".
- Make sure that the tool runs by double-clicking the batch file AzureADConnectSyncDocumenter.cmd.
- Upon successful execution, the generated report for "Contoso" will be found in the Documenter "Report" folder.
- Export the Server Configuration of your Azure AD Connect sync server (named "AADC-SERVER01" in the example below) before and after upgrade by running Get-ADSyncServerConfiguration cmdlet defined in ADSync module shipped with Azure AD Connect as in the example below.
Import-Module ADSync
Get-ADSyncServerConfiguration -Path "C:\Temp\AADC-SERVER01-BEFORE-06JUN2022" # run this before upgrade
Get-ADSyncServerConfiguration -Path "C:\Temp\AADC-SERVER01-AFTER-06JUN2022" # run this after upgrade
- Copy the configuration export files folder produced in the previous step ("AADC-SERVER01-BEFORE-06JUN2022" and "AADC-SERVER01-AFTER-06JUN2022") to the "Data" directory of the Documenter tool.
- Open a command prompt and change directory to the AzureADConnectSyncDocumenter folder, which contains the AzureADConnectSyncDocumenterCmd.exe executable of the tool. Run the tool as follows to generate the report (the post-upgrade configuration is passed first so that the report shows what the upgrade changed relative to the pre-upgrade baseline):
AzureADConnectSyncDocumenterCmd.exe "AADC-SERVER01-AFTER-06JUN2022" "AADC-SERVER01-BEFORE-06JUN2022"
- Upon successful execution, the generated report will be found in the Documenter "Report" folder.
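The three procedures above differ only in which two export folders are passed to the tool. The following script is an added example and is not part of the AADConnectConfigDocumenter project: it wraps a documenter run so that missing inputs, a non-zero exit code or new entries in the error log are surfaced instead of silently producing a stale report. Assumptions (not stated by the project): the tool is run from its own folder and resolves "Data" and "Report" relative to it, the error log named in the shipped .cmd file (AADConnectSyncDocumenter-Error.log) is written into that same folder, and a non-zero exit code indicates failure. The report file name pattern is taken from the issue below that quotes it (Contoso_OldServer_AppliedTo_NewServer_AADConnectSync_report.html). Note that a configuration export describes your whole sync topology (connector names, domains, sync rules), so treat the Data folder as sensitive.

```powershell
# Invoke-AadcDocumenter.ps1 (added example, not the project's own code)
#
# On each sync server first export the configuration, e.g.:
#   Import-Module ADSync
#   Get-ADSyncServerConfiguration -Path "C:\Temp\AADC-SERVER-OLD-06JUN2022"
# then copy the export folder(s) under <DocumenterRoot>\Data and run, for example:
#   .\Invoke-AadcDocumenter.ps1 -DocumenterRoot C:\Tools\AzureADConnectSyncDocumenter `
#       -PilotConfig 'AADC-SERVER-OLD-06JUN2022' -ProductionConfig 'AADC-SERVER-NEW-06JUN2022' -UnblockBinaries
# For a single server pass the same folder name as both -PilotConfig and -ProductionConfig.
param(
    [Parameter(Mandatory)] [string] $DocumenterRoot,     # folder the release zip was extracted into
    [Parameter(Mandatory)] [string] $PilotConfig,        # first argument: the config whose changes you want to see / move
    [Parameter(Mandatory)] [string] $ProductionConfig,   # second argument: the baseline those changes are applied to
    [switch] $UnblockBinaries
)

$ErrorActionPreference = 'Stop'
$exe     = Join-Path $DocumenterRoot 'AzureADConnectSyncDocumenterCmd.exe'
$dataDir = Join-Path $DocumenterRoot 'Data'
$errLog  = Join-Path $DocumenterRoot 'AADConnectSyncDocumenter-Error.log'   # assumed location

if (-not (Test-Path $exe)) {
    throw "Documenter executable not found at '$exe'. Download a release package, not the source tree."
}

# Files downloaded from the internet carry the Mark-of-the-Web, and extracting a blocked zip
# yields blocked binaries. Unblock-File is the scripted form of the README's UNBLOCK step.
if ($UnblockBinaries) {
    Get-ChildItem -Path $DocumenterRoot -Recurse -File | Unblock-File
}

# Both export folders must already be under Data\ (each contains a Connectors subfolder).
foreach ($name in @($PilotConfig, $ProductionConfig)) {
    $folder = Join-Path $dataDir $name
    if (-not (Test-Path (Join-Path $folder 'Connectors'))) {
        throw "Configuration export '$name' not found under '$dataDir' (expected a Connectors subfolder)."
    }
}

# Remember the log size so that errors from earlier runs are not mistaken for this one.
$logSizeBefore = if (Test-Path $errLog) { (Get-Item $errLog).Length } else { 0 }

Push-Location $DocumenterRoot      # assumption: Data\ and Report\ are resolved relative to the working directory
try {
    & $exe $PilotConfig $ProductionConfig
    $exitCode = $LASTEXITCODE
}
finally {
    Pop-Location
}

if ($exitCode -ne 0) {
    throw "Documenter exited with code $exitCode; see '$errLog'."
}
if ((Test-Path $errLog) -and (Get-Item $errLog).Length -gt $logSizeBefore) {
    Write-Warning "Errors or warnings were logged during this run; review '$errLog' before trusting the report."
}

$report = Get-ChildItem -Path (Join-Path $DocumenterRoot 'Report') -Recurse -Filter '*_AADConnectSync_report.html' -ErrorAction SilentlyContinue |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($null -eq $report) {
    throw "No report was produced under '$DocumenterRoot\Report'."
}
Write-Host "Report: $($report.FullName)"
```

The argument order matters: the first folder is the "Pilot" configuration whose differences the report (and the generated sync rule script) describe, the second is the "Production" baseline they are applied to. Getting them backwards produces a report that tells you to delete customisations instead of creating them.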
How to use the tool (if you want to generate a comparison report for a DEV environment and a PROD environment):
- Download the latest release AzureADConnectSyncDocumenter.zip from the releases tab under the Code tab, UNBLOCK the downloaded zip file and extract it to an empty local folder on a machine which has .NET Framework 4.5 installed.
- This will extract the Documenter application binaries along with the sample data files for "Contoso".
- Make sure that the tool runs by double-clicking the batch file AzureADConnectSyncDocumenter.cmd.
- Upon successful execution, the generated report for "Contoso" will be found in the Documenter "Report" folder.
- Export the Server Configuration of your DEV and PROD Azure AD Connect sync server (named "AADC-SERVER-DEV" and "AADC-SERVER-PROD" respectively in the example below) by running Get-ADSyncServerConfiguration cmdlet defined in ADSync module shipped with Azure AD Connect as in the example below.
Import-Module ADSync
Get-ADSyncServerConfiguration -Path "C:\Temp\AADC-SERVER-DEV-06JUN2022" # run this on the DEV Environment server
Get-ADSyncServerConfiguration -Path "C:\Temp\AADC-SERVER-PROD-06JUN2022" # run this on the PROD Environment server
- Copy the configuration export files folder produced in the previous step ("AADC-SERVER-DEV-06JUN2022" and "AADC-SERVER-PROD-06JUN2022") to the "Data" directory of the Documenter tool.
- !!NOTE!! If the names of the connector(s) do not exactly match between the supplied "DEV" and "PROD" configuration files, then before running the tool, "prep" the exported config files by manually editing the xml files located in the "Connectors" folder so that the names of the connector(s) match. The name of the connector is located inside the "name" element at the start of the content.
- Open a command prompt and change directory to the AzureADConnectSyncDocumenter folder, which contains the AzureADConnectSyncDocumenterCmd.exe executable of the tool. Run the tool as follows to generate the report
AzureADConnectSyncDocumenterCmd.exe "AADC-SERVER-DEV-06JUN2022" "AADC-SERVER-PROD-06JUN2022" # If you want to move the changes in the DEV to PROD
AzureADConnectSyncDocumenterCmd.exe "AADC-SERVER-PROD-06JUN2022" "AADC-SERVER-DEV-06JUN2022" # If you want to move the changes in the PROD to DEV
- Upon successful execution, the generated report will be found in the Documenter "Report" folder.
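Editing every Connectors\*.xml file by hand, as the note above asks, is error prone when the DEV and PROD forests and tenants are named differently. The script below is an added example, not part of the project: it reads the connector name from each file in the DEV export, renames it according to a mapping you supply, and refuses to map to a name that does not exist in the PROD export. Assumptions (not stated by the project): each Connectors\*.xml file describes one connector, and its name is the "name" element directly under the document root (the README only says it is inside the "name" element at the start of the content); run it against the copies under the Data folder, never against the original export.

```powershell
# Sync-ConnectorNames.ps1 (added example, not the project's own code)
#
# Example:
#   .\Sync-ConnectorNames.ps1 -DevExport .\Data\AADC-SERVER-DEV-06JUN2022 -ProdExport .\Data\AADC-SERVER-PROD-06JUN2022 `
#       -NameMap @{ 'contoso-dev.com' = 'contoso.com'; 'contosodev.onmicrosoft.com - AAD' = 'contoso.onmicrosoft.com - AAD' }
param(
    [Parameter(Mandatory)] [string]    $DevExport,   # export folder whose connector names will be rewritten
    [Parameter(Mandatory)] [string]    $ProdExport,  # export folder whose connector names are the reference
    [Parameter(Mandatory)] [hashtable] $NameMap      # DEV connector name -> PROD connector name
)
$ErrorActionPreference = 'Stop'

function Get-ConnectorName([string] $Path) {
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load((Resolve-Path $Path).Path)
    # Assumption: <name> is a direct child of the root element, so deeper "name" elements
    # (e.g. inside attribute flows) are not matched.
    $node = $doc.DocumentElement.SelectSingleNode('name')
    if ($null -eq $node) { throw "No <name> element under the root of '$Path'." }
    return $node.InnerText
}

function Set-ConnectorName([string] $Path, [string] $NewName) {
    $full = (Resolve-Path $Path).Path
    Copy-Item -Path $full -Destination "$full.bak" -Force   # keep the untouched copy for audit
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true                          # do not reflow the rest of the file
    $doc.Load($full)
    $doc.DocumentElement.SelectSingleNode('name').InnerText = $NewName
    $doc.Save($full)
}

$prodNames = Get-ChildItem -Path (Join-Path $ProdExport 'Connectors') -Filter *.xml |
             ForEach-Object { Get-ConnectorName $_.FullName }
$devFiles  = Get-ChildItem -Path (Join-Path $DevExport 'Connectors') -Filter *.xml

foreach ($file in $devFiles) {
    $devName = Get-ConnectorName $file.FullName
    if ($prodNames -contains $devName) {
        Write-Host "OK       '$devName' already matches a PROD connector"
        continue
    }
    if (-not $NameMap.ContainsKey($devName)) {
        Write-Warning "UNMAPPED '$devName' has no entry in NameMap; the tool will report it as a whole added/removed connector"
        continue
    }
    $target = $NameMap[$devName]
    if ($prodNames -notcontains $target) {
        throw "NameMap points '$devName' at '$target', but no PROD connector has that name."
    }
    Set-ConnectorName -Path $file.FullName -NewName $target
    Write-Host "RENAMED  '$devName' -> '$target' in $($file.Name)"
}
```

Only the connector name is rewritten; domain names, distinguished names and tenant names that appear elsewhere in the export (and therefore in the report as differences) are left alone, which is what the note above describes. Keep the .bak copies so that the report can be traced back to an unmodified export.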
A sample report generated by the tool can be found listed in the Wiki section.
https://aka.ms/aadConnectConfigDocumenter
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.
aadconnectconfigdocumenter's Issues
Please consider rewriting these instructions...
Please consider rewriting these instructions. I found them quite hard to follow.
Options
The HTML output file suggests that there are three (possibly four) options that can be configured:
- Only show Changes
- Download Sync Rule Changes Script
- Hide Default Sync Rules
- Hide End-to-end Summary Flows
But I can find nothing in the documentation regarding how to turn any of them on or off.
What am I missing??
Unhandled Exception: System.IO.PathTooLongException
Hello,
I'm running the latest version of the tool as described and receive this error right when it appears the report is being generated:
Unhandled Exception: System.IO.PathTooLongException: The specified path, file name, or both are too long.
The fully qualified file name must be less than 260 characters, and the directory name must be less than 248 characters.
This is running on the latest version of Windows 10 Enterprise which has .NET 462 built-in. Tried to install .NET 4.5 but the installation won't complete since 462 is present. .NET 462 is supposed to be backwards compatible.
Any advice or workarounds for this issue? Please advise, thanks!
Possible issue with End to End attribute Flows Summary tables
There appears to be a problem with the End to End Attribute Flows Summary tables. I'm not seeing that the table handles Outbound flows where a Metaverse attribute contributes to multiple Outbound flows within a single sync rule.
Using the provided Contoso data to generate a report and looking at the Contact Import Flows as an example, the Metaverse attribute sourceAnchor provides 2 outbound attribute flows within the 'Out to AAD - User Join' sync rule.
- Metaverse sourceAnchor flows out to dn with expression "CN={" & ConvertToUTF8Hex([sourceAnchor]) & "}"
- Metaverse sourceAnchor (and cloudSourceAnchor) flows out to sourceAnchor with expression IIF(IsPresent([cloudSourceAnchor]), IIF(Word([cloudAnchor],1,"_")=[sourceObjectType],IIF([cloudSourceAnchor] = [sourceAnchor],[sourceAnchor],Error("SourceAnchor attribute has changed.")),[sourceAnchor]),[sourceAnchor])
The same 2 attribute flows happen with the 'Out to AAD - Contact Join' sync rule.
This would lead me to believe there should be a total of 4 outbound flows from Metaverse sourceAnchor attribute. However each are represented only once in the table generated. I do understand that essentially the unique transformation and flows are displayed, however this isn't a true representation of every outbound flow used by Metaverse sourceAnchor.
System.IO.PathTooLongException - Error 40000
Hi,
we have a lot of connectors connected inside our AADSync, and we wanted to use your application to allow us to create a staging mode server of our production, but we encounter this kind of problem:
AADConnectSyncDocumenterConsole Information: 20000 : AADConnectSyncDocumenter (1.17.0703.0): 07/26/2017 10:14:46.6333: Sync Rule Name: 'In from AD - CGUID does not exist (Create CGUID in metaverse + CloudFilter object until persisted in AD)'. Connector Category: 'AD'. Connector Name: 'CAAMI-HZIV.INT'. Connector Guid: '9330C63B-B4F2-4094-8A96-6AF0E4C79072'. Connector SubType: ''. Sync Rule Report Type: 'ConditionalJoinSection'. Sync Rule Guid: '0ec1c63e-8eea-48df-8733-8baf20e1f559'. Processing changes. This may take a few minutes...
AADConnectSyncDocumenterConsole Error: 40000 : AADConnectSyncDocumenter (1.17.0703.0): 07/26/2017 10:14:46.6487: Connector SubType: ''. Exception in 'AzureADConnectSyncDocumenter : GetReport'. Details: System.IO.PathTooLongException: The specified path, file name, or both are too long. The fully qualified file name must be less than 260 characters, and the directory name must be less than 248 characters.
   at System.IO.PathHelper.GetFullPathName()
   at System.IO.Path.NormalizePath(String path, Boolean fullCheck, Int32 maxPathLength, Boolean expandShortPaths)
   at System.IO.Path.NormalizePath(String path, Boolean fullCheck, Int32 maxPathLength)
   at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.StreamWriter.CreateFile(String path, Boolean append, Boolean checkHost)
   at System.IO.StreamWriter..ctor(String path, Boolean append, Encoding encoding, Int32 bufferSize, Boolean checkHost)
   at System.IO.StreamWriter..ctor(String path)
   at AzureADConnectConfigDocumenter.SyncRuleDocumenter.WriteSyncRuleReportHeader()
   at AzureADConnectConfigDocumenter.SyncRuleDocumenter.GetReport(SyncRuleReportType reportType)
   at AzureADConnectConfigDocumenter.ConnectorDocumenter.ProcessConnectorSyncRules(SyncRuleDirection direction, SyncRuleReportType reportType)
   at AzureADConnectConfigDocumenter.ConnectorDocumenter.ProcessConnectorNormalJoinSyncRules()
   at AzureADConnectConfigDocumenter.ActiveDirectoryConnectorDocumenter.GetReport()
   at AzureADConnectConfigDocumenter.AzureADConnectSyncDocumenter.ProcessConnectorConfiguration(XElement connector, ConfigEnvironment configEnvironment)
   at AzureADConnectConfigDocumenter.AzureADConnectSyncDocumenter.ProcessConnectorConfigurations()
   at AzureADConnectConfigDocumenter.AzureADConnectSyncDocumenter.GetReport().
Unhandled Exception: System.IO.PathTooLongException: The specified path, file name, or both are too long. The fully qualified file name must be less than 260 characters, and the directory name must be less than 248 characters.
   at AzureADConnectConfigDocumenter.AzureADConnectSyncDocumenter.GetReport()
   at AzureADConnectConfigDocumenter.AzureADConnectSyncDocumenter.GenerateReport()
   at AzureADConnectConfigDocumenter.Program.Main(String[] args)
This repo is missing important files
There are important files that Microsoft projects should all have that are not present in this repository. A pull request has been opened to add the missing file(s). When the pr is merged this issue will be closed automatically.
Microsoft teams can learn more about this effort and share feedback within the open source guidance available internally.
AzureADConnectSyncDocumenterCmd.exe is missing
Hi,
The .cmd file calls up AzureADConnectSyncDocumenterCmd.exe. This is missing from your download, not showing in source files. Line for the cmd:
AzureADConnectSyncDocumenterCmd.exe "Contoso\Pilot" "Contoso\Production"
ECHO OFF
ECHO ****************************************************************************************************
ECHO Execution complete. Please check any errors or warnings in the AADConnectSyncDocumenter-Error.log...
@Pause
wrong (old) ExportDeletionThresholdValue value
Hi,
when running
"Get-MsolDirSyncConfiguration" or "Get-ADSyncExportDeletionThreshold"
I get 500
while when running the Documenter tool, I get
"Microsoft.OptionalFeature.ExportDeletionThresholdValue in the report returns 4500"
(an old value we've replaced back with 500)
Has someone encountered this ?
Thanks.
Unsupported changes detected in Sync Rule Change script
I'm currently performing a swing migration to a newer version of AAD Connect. I have the latest version of AAD Connect installed and in staging mode on the new server at the moment. I used the AADConnectConfigDocumenter tool, and the report shows a lot of red changes and a few green changes between my Target/Pilot configuration on my current server and the Reference/Production configuration on the new server. Many of the red changes are in the Transformations/Target (MV) Attributes section of the built-in synchronization rules.
I downloaded the Sync Rule Changes script from the top of the report, and the script shows all of the synchronization rules with changes have a warning message that "unsupported changes have been detected". This warning message appears on inbound and outbound rules for both on-prem AD and Azure AD. I've included two of the rules below with our domains changed to contoso.com and contoso.onmicrosoft.com for security purposes.
My question is what could have caused these unsupported changes to be made to the out-of-box default rules, and is there any guidance for what to do in this scenario? Should I manually make the 200+ changes detected in the report to the Reference config since the Sync Rule Change script cannot make the changes, or should I leave the changes alone? Are the changes due to different versions of AAD Connect being compared?
#############################################################################################################################################
#### 'contoso.com' - 'Out to AD - User Exchange Hybrid'
#############################################################################################################################################
$connectorName = 'contoso.com'
$syncRuleName = 'Out to AD - User Exchange Hybrid'
Write-Warning("The sync rule '{0}' for the connector '{1}' has unsupported chanages detected." -f $syncRuleName, $connectorName)
Write-Warning ("Only supported change to an out-of-box default rule is to make it `"Disabled`".")
Write-Warning ("If only the precedence number is different for this out-of-box rule, this warning may be safely ignored.")
#############################################################################################################################################
#### 'contoso.onmicrosoft.com - AAD' - 'Out to AAD - User Join'
#############################################################################################################################################
$connectorName = 'contoso.onmicrosoft.com - AAD'
$syncRuleName = 'Out to AAD - User Join'
Write-Warning("The sync rule '{0}' for the connector '{1}' has unsupported chanages detected." -f $syncRuleName, $connectorName)
Write-Warning ("Only supported change to an out-of-box default rule is to make it `"Disabled`".")
Write-Warning ("If only the precedence number is different for this out-of-box rule, this warning may be safely ignored.")
I am not able to find the .cmd file to edit; the only one I get is the Contoso file. Tried several. I agree that the instructions are confusing, or something.
Add
Minor point of confusion : Naming of cmd files
The naming of the AzureADConnectSyncDocumenterCmd.exe file can cause minor confusion when following the instructions, as the .exe extension is hidden by default in Windows Explorer.
It's therefore easy to incorrectly assume the AzureADConnectSyncDocumenterCmd file is the one you want to be editing the paths in, and get greeted by a bunch of gibberish when opened in Notepad.
Possibly rename the .exe or .cmd file to something more distinguished?
Group filter group
Hi,
I created a test AADC instance with group filtering on, but I see this not listed in the report as a configured option on the AD connector. I would like to request this as a feature.
parameter name="Connector.GroupFilteringGroupDn"
The only other way for an admin is to use PowerShell to get the value.
Does this tool capture changes in the OU scope?
Does this tool capture changes in the OU scope?
I changed the OU filtering in my AADconnect config (added an extra OU), but the HTML output does not show any differences (except for some timestamps).
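The two issues above ask for connector settings (the group filtering DN, the OU scope) that the report does not surface. For settings stored as parameter elements in the exported connector XML, the following added example (not the project's code) diffs them directly between two exports. The XML layout is assumed from the fragment quoted in the group filter issue (a "parameter" element with a "name" attribute holding Connector.GroupFilteringGroupDn); the root element name and the two documents below are constructed samples, so replace them with files loaded from Data\<export>\Connectors.

```powershell
# Compare-ConnectorParameters.ps1 (added example, not the project's own code)

function Get-ConnectorParameters([xml] $Doc) {
    # Collect every <parameter name="..."> in the document as name -> value.
    $result = @{}
    foreach ($p in $Doc.SelectNodes('//parameter[@name]')) {
        $result[$p.GetAttribute('name')] = $p.InnerText.Trim()
    }
    return $result
}

function Compare-ConnectorParameters([xml] $Before, [xml] $After) {
    $a = Get-ConnectorParameters $Before
    $b = Get-ConnectorParameters $After
    $changes = @()
    foreach ($key in (@($a.Keys) + @($b.Keys) | Sort-Object -Unique)) {
        # [string] turns a missing key ($null) into '' so "absent" and "empty" compare equal.
        if ([string]$a[$key] -ne [string]$b[$key]) {
            $changes += [pscustomobject]@{ Parameter = $key; Before = [string]$a[$key]; After = [string]$b[$key] }
        }
    }
    return $changes
}

# Constructed sample exports: the only difference is that group filtering was switched on.
# Load real files instead with:  [xml](Get-Content -Raw .\Data\<export>\Connectors\<file>.xml)
[xml] $before = @"
<connector>
  <name>contoso.com</name>
  <private-configuration>
    <parameter name="Connector.GroupFilteringGroupDn"></parameter>
    <parameter name="forest-name">contoso.com</parameter>
  </private-configuration>
</connector>
"@

[xml] $after = @"
<connector>
  <name>contoso.com</name>
  <private-configuration>
    <parameter name="Connector.GroupFilteringGroupDn">CN=AADC-Pilot,OU=Groups,DC=contoso,DC=com</parameter>
    <parameter name="forest-name">contoso.com</parameter>
  </private-configuration>
</connector>
"@

$diff = Compare-ConnectorParameters -Before $before -After $after
if ($diff.Count -eq 0) {
    Write-Host 'No parameter differences.'
} else {
    $diff | Format-Table -AutoSize
}
```

This only covers values held in parameter elements. OU inclusions and exclusions are stored elsewhere in the connector export (the issue further down notes that the on-premises connector XML lists exclusions but only the domain root as an inclusion), so they need a separate comparison.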
Single quotes in AADConnect Rule Names lead to System.Xml.XPath.XPathException
When you have a rule name that contains single quotes, example:
Custom: In from AD - Only sync Users with msDS-cloudExtensionAttribute = 'exampleexample'
this leads to
Connector SubType: ''. Exception in 'AzureADConnectSyncDocumenter : GetReport'. Details: System.Xml.XPath.XPathException: '/Pilot/SynchronizationRules/synchronizationRule[translate(connector, 'abcdefghijklmnopqrstuvwxyz', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ') = '{32C88088-A808-45FA-9995-2C497023971A}' and name = 'Custom: In from AD - Only sync Users with msDS-cloudExtensionAttribute = 'exampleexample'' and linkType = 'Join' and (count(disabled) = 0 or (disabled != 'True' and disabled != 'true' and disabled != '1')) ]' is an invalid token.
   at MS.Internal.Xml.XPath.XPathParser.CheckToken(LexKind t)
   at MS.Internal.Xml.XPath.XPathParser.ParsePredicate(AstNode qyInput)
   at MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput)
   at MS.Internal.Xml.XPath.XPathParser.ParseRelativeLocationPath(AstNode qyInput)
   at MS.Internal.Xml.XPath.XPathParser.ParseLocationPath(AstNode qyInput)
   at MS.Internal.Xml.XPath.XPathParser.ParsePathExpr(AstNode qyInput)
   at MS.Internal.Xml.XPath.XPathParser.ParseUnionExpr(AstNode qyInput)
   at MS.Internal.Xml.XPath.XPathParser.ParseUnaryExpr(AstNode qyInput)
   at MS.Internal.Xml.XPath.XPathParser.ParseMultiplicativeExpr(AstNode qyInput)
   at MS.Internal.Xml.XPath.XPathParser.ParseAdditiveExpr(AstNode qyInput)
   at MS.Internal.Xml.XPath.XPathParser.ParseRelationalExpr(AstNode qyInput)
   at MS.Internal.Xml.XPath.XPathParser.ParseEqualityExpr(AstNode qyInput)
   at MS.Internal.Xml.XPath.XPathParser.ParseAndExpr(AstNode qyInput)
   at MS.Internal.Xml.XPath.XPathParser.ParseOrExpr(AstNode qyInput)
   at MS.Internal.Xml.XPath.XPathParser.ParseExpresion(AstNode qyInput)
   at MS.Internal.Xml.XPath.XPathParser.ParseXPathExpresion(String xpathExpresion)
   at System.Xml.XPath.XPathExpression.Compile(String xpath, IXmlNamespaceResolver nsResolver)
   at System.Xml.XPath.XPathNavigator.Evaluate(String xpath, IXmlNamespaceResolver resolver)
   at System.Xml.XPath.XPathEvaluator.Evaluate[T](XNode node, String expression, IXmlNamespaceResolver resolver)
   at System.Xml.XPath.Extensions.XPathSelectElements(XNode node, String expression, IXmlNamespaceResolver resolver)
   at AzureADConnectConfigDocumenter.SyncRuleDocumenter.FillConnectorSyncRuleDescriptionDataSet(Boolean pilotConfig)
   at AzureADConnectConfigDocumenter.SyncRuleDocumenter.ProcessConnectorSyncRuleDescription()
   at AzureADConnectConfigDocumenter.SyncRuleDocumenter.GetReport(SyncRuleReportType reportType)
   at AzureADConnectConfigDocumenter.ConnectorDocumenter.ProcessConnectorSyncRules(SyncRuleDirection direction, SyncRuleReportType reportType)
   at AzureADConnectConfigDocumenter.ConnectorDocumenter.ProcessConnectorNormalJoinSyncRules()
   at AzureADConnectConfigDocumenter.ActiveDirectoryConnectorDocumenter.GetReport()
   at AzureADConnectConfigDocumenter.AzureADConnectSyncDocumenter.ProcessConnectorConfiguration(XElement connector, ConfigEnvironment configEnvironment)
   at AzureADConnectConfigDocumenter.AzureADConnectSyncDocumenter.ProcessConnectorConfigurations()
   at AzureADConnectConfigDocumenter.AzureADConnectSyncDocumenter.GetReport().
System.Xml.XPath.XPathException: '/Pilot/SynchronizationRules/synchronizationRule[translate(connector, 'abcdefghijklmnopqrstuvwxyz', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ') = '{32C88088-A808-45FA-9995-2C497023971A}' and name = 'Custom: In from AD - Only sync Users with msDS-cloudExtensionAttribute = 'exampleexample'' and linkType = 'Join' and (count(disabled) = 0 or (disabled != 'True' and disabled != 'true' and disabled != '1')) ]' is an invalid token.
   at AzureADConnectConfigDocumenter.AzureADConnectSyncDocumenter.GetReport()
   at AzureADConnectConfigDocumenter.AzureADConnectSyncDocumenter.GenerateReport()
   at AzureADConnectConfigDocumenter.Program.Main(String[] args)
Target/Pilot and Reference/Production names are confusing and not consistently referenced in the tool
If I am doing a swing migration to migrate Azure AD Connect from $OldServer (the currently active server performing exports, staging mode disabled) to $NewServer (staging mode enabled), I would refer to $OldServer as Active/Reference Server since it's currently the production server performing exports whose configuration should be used as the reference configuration. I would refer to $NewServer as Staging/Target Server since it's the staging server and the end target of the migration.
The README.md file says $OldServer should be considered the Target/Pilot server, which isn't what you would expect. However, the name of the html report file that gets created does make sense (Contoso_OldServer_AppliedTo_NewServer_AADConnectSync_report.html) because OldServer's configuration is being AppliedTo NewServer for comparison.
The README.md file is also confusing when it says to use Pilot twice "if you don't have a baseline / production config", which back to my point, sounds like it's telling you to compare $NewServer to itself. It would make more sense to say use Active Server twice to get a report of your active server's configuration before you create your new server. This makes sense because you're comparing $OldServer to itself.
Due to these two points of confusion, the first time I used this tool I had the servers backwards. The report that was generated told me to delete three custom rules on the $NewServer (which didn't exist because they were on $OldServer) rather than create three custom rules on $NewServer which is what I actually needed to do.
I would suggest changing the names to be more intuitive.
Typo in Sync Rule Change script
There is a typo in the SyncRuleChange.ps1 script I downloaded from my report. The first warning message says "chanages" instead of "changes".
#############################################################################################################################################
#### 'contoso.com' - 'Out to AD - User Exchange Hybrid'
#############################################################################################################################################
$connectorName = 'contoso.com'
$syncRuleName = 'Out to AD - User Exchange Hybrid'
Write-Warning("The sync rule '{0}' for the connector '{1}' has unsupported chanages detected." -f $syncRuleName, $connectorName)
Write-Warning ("Only supported change to an out-of-box default rule is to make it `"Disabled`".")
Write-Warning ("If only the precedence number is different for this out-of-box rule, this warning may be safely ignored.")
Does not support running on a machine with AADConnect v1.2.70.0 installed
If executed on a computer with AADConnect v1.2.70.0 installed, AzureADConnectSyncDocumenter v1.18.928.0 results in the 9009 error "It seems you may have downloaded the source code instead of a release package. Please download the latest release..."
It does seem to support configuration comparison between AADConnect v1.1.880.0 and v1.2.70.0, but needs to be run on the machine with AADConnect v1.1.880.0 installed.
LDAP
AzureADConnectSyncDocumenterCmd.exe Missing
AzureADConnectSyncDocumenter.cmd suggests running AzureADConnectSyncDocumenterCmd.exe
however there is no AzureADConnectSyncDocumenterCmd.exe within the zip.
Am I missing something?
No way to see included OU's?
I don't think this is a problem with the documenter, but instead with AAD Connect's design itself. In the exported XML for the on-premises connector, there are exclusions for OU's, but only one inclusion, and that is the root of the domain. Is there anyway to report on what OU's are currently included? I mean without using other tools.
Thanks.
Linebreaks missing in generated powershell script
When generating the powershell script to migrate the changes, some line breaks are missing, which causes powershell errors. It happens for the 3 custom rules we have created. For example the generated powershell migration code contains this piece:
Add-ADSyncRule -SynchronizationRule $syncRule[0] | Out-Null#############################################################################################################################################
#### mydomain - Out to AD - InetOrgPerson Exchange Hybrid
#############################################################################################################################################
Which gives the following error in the powershell console (because of the missing linebreak behind "Out-Null" in the generated code):
Processing Sync Rule 'In from AD - User Exchange - Usage Location' for Connector 'mydomain' Out-Null############################################################################# ################################################################ : The term 'Out-Null ##################################################################################### ########################################################' is not recognized as the na me of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
I know this can be solved by adding the missing linebreaks myself to the generated powershell script but would be nice if that isn't necessary.
Configuration comparison issue
Hi there
we use the tool to compare 2 AADConnect configurations - production and staging, running the same version 1.1.557.0
Staging mode has been configured by checking the production configuration side by side
The tool is reporting incorrect updates like the password writeback feature being removed (?) or password sync being the same while it was never enabled or disabled; there are other weird reports like O365 rules being removed in staging while they obviously are not
Attached screenshot of the report section
Connectors and default rules from Pilot to Production
Hi Nilesh,
it's a really lovely tool that you've created. But now, when we try to create new connectors and their default rules automatically with your script, the new connectors are correctly created, but without these default rules. Isn't there any possibility to create those rules automatically, as when we use the wizard to create a new connector?
Regards.
Error when running the report again
I'm getting an error when trying to run the report for second time:
AADConnectSyncDocumenterLog Error: 40000 : AADConnectSyncDocumenter (1.19.0130.0): 04/01/2020 08:20:13.5947: Exception in 'AzureADConnectSyncDocumenter : GetReport'. Details: System.IO.DirectoryNotFoundException: Could not find a part of the path 'C:\Users\adminuser\AppData\Local\Temp\2\Report.tmp.html_bcf85dc8d92d44639a837d1f5368c18a'.
Strangely, this now happens even when running the first, Contoso, script.
Very slow to process / unable to generate the report
Hi,
I have a configuration with 16 connectors and around 500 rules; when I run the tool it takes a day to complete. It seems it is running a very long time on the first part, Processing Metaverse "person" type, just before the connectors are processed. See the log snippet below; it took 19 hours to process changes.
AADConnectSyncDocumenterLog Information: 20000 : AADConnectSyncDocumenter (1.17.0802.0): 10/20/2017 14:36:16.3061: Metaverse Object Type: 'person'. Processing changes. This may take a few minutes...
AADConnectSyncDocumenterLog Information: 20000 : AADConnectSyncDocumenter (1.17.0802.0): 10/21/2017 09:38:44.0727: Processing Metaverse Object Deletion Rules Summary
Is this an expected time to process at this stage?
Then, after processing for 23:45, the process ended with an error message that it was unable to access the report file; the Report directory was present but not the "contoso" subfolder.
Thanks,
Kristof
PowerShell Deployment Script
It is mentioned in the documentation:
"Generation of the PowerShell deployment script to migrate the sync rule differences or customisations from one server to another."
This is not documented anywhere.
Is it a switch to the AzureADConnectSyncDocumenterCmd.exe command?
Compare distinct AD and Azure tenant environments
We have separate DEV, QA and Production environments. Each environment is isolated and has two AD forests including 6 sub domains at various levels and an Azure tenant. I would like to use the tool to compare these to each other (i.e compare DEV to QA and then compare QA to Production). I have tried modifying the tenant, domain, DN and FQDNs in the config files and have had success but it’s rather time consuming and can be error prone doing that every time. I’m looking for an option that lets me compare distinct AD and tenant environments. Maybe something like a mapping file where I could list:
- DOMAIN1 = DOMAIN1DEV
- domain1.company.com = domain1dev.company.com
- dc=domain1,dc=company,dc=com = dc=domain1dev,dc=company,dc=com
- TenantA.onmicrosoft.com = TenantADEV.onmicrosoft.com
- etc.
This request is similar to what you have addressed before but it would help my ability to compare differences in our complex environment where we take changes through our certification process all the time. What do you think?
No .exe
the AzureADConnectSyncDocumenter.cmd is calling an .exe file, AzureADConnectSyncDocumenterCmd.exe
Where is this file located, or how do I get it? I read through the readme, hoping it was in there, but it is not.
Thanks
Missing command-line arguments for pilot/production folders
Hi
However I configure the AzureADConnectSyncDocumenter-Contoso.cmd file, I get the same output:
Missing commnad-line arguments. Usage: AzureADConnectSyncDocumenterCmd {Pilot / Target Config Folder} {Production / Reference / Baseline Config Folder}.
Example:
AzureADConnectSyncDocumenterCmd "Contoso\Pilot" "Contoso\Production"
The contents of the .cmd file are:
AzureADConnectSyncDocumenterCmd.exe "ORG\New-Server" "ORG\Old-Server"
ECHO OFF
Should I rename the .cmd file to AzureADConnectSyncDocumenter-[organisation].cmd?
Any suggestions?
Sync Rule Changes script issues
I was trying out this script and found the following issues / bugs in the SyncRuleChanges script.
What I have is a test environment where I've set up AADC with 4 custom Sync Rules, a bunch of disabled default rules and 2 connectors: one to a test instance of O365 and one to our test Active Directory (let's name that ourdomain-test.ourcompany.com).
In production I've installed AADC as well, which connects to our production O365 and our production Active Directory ourdomain.ourcompany.com.
After exporting both AADC configs, putting our test environment's export in the "Pilot" folder and our Production export in the "Production" folder, I ran the tool and downloaded the PowerShell script so I could move my 4 custom rules and other customizations (the disabled rules) to production. That gave the following issues:
It's trying to create the 4 custom sync rules in production with the $connectorName parameter set to the ConnectorName of our test instance (ourdomain-test.ourcompany.com). Of course this connector doesn't exist in production, since it's named ourdomain-test.ourcompany.com over there, and it fails to create the 4 rules.
Default rules which I have disabled are not detected, and thus not migrated by the script, for 2 reasons:
- The connectorName is used in the matching process instead of the ruleName (Write-Warning("The sync rule '{0}' for the connector '{1}' only exists in the config supplied as the "pilot" config." -f $syncRuleName, $connectorName))
- Default rules are skipped for comparison (Write-Warning ("This sync rule is inferred as a part of the out-of-box default rule set and will be skipped."))
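The environment-name mapping requested in "Compare distinct AD and Azure tenant environments" above, and the pilot connector name that ends up in $connectorName in the post just above, can both be handled outside the tool by rewriting names in a copy of the exported configuration (or in the generated deployment .ps1) before the Documenter reads it. The script below is an added example and is not code from the AAD Connect Configuration Documenter project. It assumes the source folder is what Get-ADSyncServerConfiguration -Path produced (XML files in sub-folders) or a folder holding the generated deployment script; every domain, DN and tenant name in the sample mapping is hypothetical.

```powershell
# Added example, not part of the AAD Connect Configuration Documenter project.
# Rewrites environment-specific names (NetBIOS domain, forest FQDN / connector name,
# DNs, tenant) in a copy of an exported AAD Connect configuration, or in the generated
# deployment .ps1, so that DEV/QA/Production exports can be compared like-for-like.
# Assumption: the source folder is a Get-ADSyncServerConfiguration -Path export
# (XML files in sub-folders) or a folder holding the generated deployment script.

param(
    [Parameter(Mandatory)] [string]    $SourceFolder,   # folder to read, e.g. Data\Contoso\Pilot
    [Parameter(Mandatory)] [string]    $TargetFolder,   # rewritten copy the Documenter is pointed at instead
    [Parameter(Mandatory)] [hashtable] $Mapping         # key = name as found in SourceFolder, value = name used in the reference environment
)

# Constructed sample mapping (hypothetical names), DEV export rewritten to Production names:
#   -Mapping @{
#     'DOMAIN1DEV'                       = 'DOMAIN1'
#     'domain1dev.company.com'           = 'domain1.company.com'
#     'dc=domain1dev,dc=company,dc=com'  = 'dc=domain1,dc=company,dc=com'
#     'TenantADEV.onmicrosoft.com'       = 'TenantA.onmicrosoft.com'
#   }

function Convert-EnvironmentNames {
    param([string] $Text, [hashtable] $Mapping)
    $hits = @{}
    # Longest keys first: the DN and FQDN forms are rewritten before the bare NetBIOS
    # name can partially rewrite them, and the boundary lookarounds stop 'DOMAIN1'
    # from matching inside 'DOMAIN1DEV' when both forms occur in one file.
    foreach ($key in ($Mapping.Keys | Sort-Object -Property Length -Descending)) {
        $pattern = '(?<![\w-])' + [regex]::Escape($key) + '(?![\w-])'
        $count = [regex]::Matches($Text, $pattern, 'IgnoreCase').Count
        if ($count -gt 0) {
            # '$' is special in a .NET replacement string; escape it so values stay literal
            $replacement = ([string]$Mapping[$key]).Replace('$', '$$')
            $Text = [regex]::Replace($Text, $pattern, $replacement, 'IgnoreCase')
            $hits[$key] = $count
        }
    }
    return [pscustomobject]@{ Text = $Text; Hits = $hits }
}

$source = (Resolve-Path -Path $SourceFolder).ProviderPath
$files  = @(Get-ChildItem -Path $source -Recurse -File -Include '*.xml', '*.ps1')
if ($files.Count -eq 0) { throw "No *.xml or *.ps1 files found under '$source'" }

$totals = @{}
foreach ($file in $files) {
    $relative    = $file.FullName.Substring($source.Length).TrimStart('\')
    $destination = Join-Path $TargetFolder $relative
    New-Item -ItemType Directory -Path (Split-Path $destination -Parent) -Force | Out-Null

    $original  = [System.IO.File]::ReadAllText($file.FullName)   # honours the BOM the export was written with
    $converted = Convert-EnvironmentNames -Text $original -Mapping $Mapping
    [System.IO.File]::WriteAllText($destination, $converted.Text, [System.Text.Encoding]::UTF8)

    foreach ($k in $converted.Hits.Keys) { $totals[$k] = [int]$totals[$k] + $converted.Hits[$k] }
}

# Report what was rewritten; a key with zero hits usually means a typo in the mapping
# or a form (for example the connector display name) that the mapping does not cover.
foreach ($key in $Mapping.Keys) {
    '{0,6}  {1}  ->  {2}' -f [int]$totals[$key], $key, $Mapping[$key]
}
"Rewrote $($files.Count) file(s) into '$TargetFolder'. Point the Documenter at this folder as the Pilot/Target config."
```

Run it against a copy and keep the original export untouched; the zero-hit report is the check that the mapping really covers the connector display names (which default to the forest FQDN in Azure AD Connect) and not only the DNs. Applied to the generated deployment script, the same mapping turns the pilot connector name in $connectorName into the production one; it does nothing for rules the comparison skips as out-of-box. Either way, the deployment script creates and modifies sync rules under the account that runs it, so review the rewritten script before executing it on the production server.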
Error with Report
Hi,
I have downloaded the latest release, run the .CMD file on the sample Data from Contoso.
Issue i have.
- export config from AADConnect
- Copy config into separate folder under data
- customise cmd file to point to new location Pilot folder.
- run the command file
System.Xml.XmlException: '.', hexadecimal value 0x00, is an invalid character. Line 1, position 1.
    at System.Xml.XmlTextReaderImpl.Throw(Exception e)
    at System.Xml.XmlTextReaderImpl.Throw(String res, String[] args)
    at System.Xml.XmlTextReaderImpl.ThrowInvalidChar(Char[] data, Int32 length, Int32 invCharPos)
    at System.Xml.XmlTextReaderImpl.ParseRootLevelWhitespace()
    at System.Xml.XmlTextReaderImpl.ParseDocumentContent()
    at System.Xml.XmlTextReaderImpl.Read()
    at System.Xml.XmlReader.MoveToContent()
    at System.Xml.Linq.XElement.Load(XmlReader reader, LoadOptions options)
    at System.Xml.Linq.XElement.Load(String uri, LoadOptions options)
    at AzureADConnectConfigDocumenter.AzureADConnectSyncDocumenter.MergeConfigurationExports(Boolean pilotConfig)
    at AzureADConnectConfigDocumenter.AzureADConnectSyncDocumenter.MergeSyncExports()
    at AzureADConnectConfigDocumenter.AzureADConnectSyncDocumenter..ctor(String targetSystem, String referenceSystem)
    at AzureADConnectConfigDocumenter.Program.Main(String[] args)
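The exception quoted above is what System.Xml raises when the first character it decodes from a file is 0x00, which is typically what a zero-filled or truncated copy of an export looks like. The following pre-flight check is an added example, not part of the Documenter, and does not diagnose this particular report: it walks the copied config folder and flags empty files, files containing NUL bytes, and files the .NET XML reader rejects, so a bad file is named before MergeConfigurationExports ever sees it. The folder layout is assumed to be the one Get-ADSyncServerConfiguration -Path writes (XML files in sub-folders).

```powershell
# Added example, not part of the AAD Connect Configuration Documenter project.
# Validates every *.xml file under an exported config folder before the Documenter
# reads it: empty files, NUL bytes (truncated or failed copies) and XML the .NET
# reader will not parse are reported per file instead of as a single XmlException.
param([Parameter(Mandatory)] [string] $ConfigFolder)

function Test-ExportedConfigFile {
    param([string] $Path)
    $result = [pscustomobject]@{ File = $Path; Bytes = 0; Status = 'OK'; Detail = '' }
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $result.Bytes = $bytes.Length
    if ($bytes.Length -eq 0) { $result.Status = 'EMPTY'; return $result }

    # NUL bytes never occur in an 8-bit XML text; a UTF-16 export starts with a BOM
    # (FF FE or FE FF) that the XML reader handles, so only scan non-UTF-16 files.
    $isUtf16 = ($bytes.Length -ge 2) -and
               ((($bytes[0] -eq 0xFF) -and ($bytes[1] -eq 0xFE)) -or (($bytes[0] -eq 0xFE) -and ($bytes[1] -eq 0xFF)))
    if (-not $isUtf16) {
        $nulIndex = [Array]::IndexOf($bytes, [byte]0)
        if ($nulIndex -ge 0) {
            $result.Status = 'NUL-BYTES'
            $result.Detail = "first NUL at byte offset $nulIndex"
            return $result
        }
    }

    # Parse with DTD processing off and no resolver: a copied export should never pull
    # external entities, and the check must not become an XXE vector itself.
    try {
        $settings = New-Object System.Xml.XmlReaderSettings
        $settings.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit
        $settings.XmlResolver   = $null
        $reader = [System.Xml.XmlReader]::Create($Path, $settings)
        try { while ($reader.Read()) { } } finally { $reader.Close() }
    } catch {
        $result.Status = 'INVALID-XML'
        $result.Detail = $_.Exception.Message
    }
    return $result
}

$files = @(Get-ChildItem -Path $ConfigFolder -Recurse -File -Filter *.xml)
if ($files.Count -eq 0) { Write-Warning "No *.xml files found under '$ConfigFolder'"; exit 2 }

$results = foreach ($f in $files) { Test-ExportedConfigFile -Path $f.FullName }
$results | Format-Table -Property Status, Bytes, File, Detail -AutoSize

$bad = @($results | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0) { Write-Warning "$($bad.Count) file(s) failed validation"; exit 1 }
```

Run it with the same path the .cmd file passes to AzureADConnectSyncDocumenterCmd.exe; a non-zero exit code means the export should be re-copied (or re-exported with Get-ADSyncServerConfiguration) before the Documenter is run.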
Documenter crashes when using Directory Extensions Attribute Sync
Hi
I'm having a problem running the Documenter against a configuration that has Directory Extension Attribute sync enabled.
In the protected void FillConnectorSelectedAttributesDataSet(bool pilotConfig) method (line 951 of ConnectorDocumentor.cs), the following code is executed:
var attributeInfo = connector.XPathSelectElement(".//dsml:attribute-type[dsml:name = '" + attributeName + "']", Documenter.NamespaceManager);
This returns NULL, which causes an exception when trying to set the row value later in the method, causing the program to terminate without creating a report.
The attribute name causing an error in our configuration is extension_7b47cfcf830741a8a8f2c7c15d21a18d_adminDescription. I can forward a set of configuration files for the environment if required.
Kind regards
Chris