Tuesday, October 27, 2015

Changing DirSync/AAD Sync/AAD Connect Synchronization Interval in Office 365 Hybrid deployment

Microsoft has released a few synchronization tools over the last few years:
  • DirSync (which is being deprecated),
  • AAD Sync (current in the Office 365 portal)
  • AAD Connect (which actually includes AADSync and is the future of Office 365 synchronization)
The default sync period between on-premises Active Directory and Office 365 (Azure Active Directory) is 3 hours. For many people this is too long, especially if you are testing or you are a small organization that can allow near "real-time" synchronization.

Before you proceed, keep the following considerations in mind.

AAD Sync and AAD Connect current versions
The AD to AAD synchronization process is executed by the Azure AD Sync Scheduler task, as shown here:


You can change the frequency by going to the Properties of the Azure AD Sync Scheduler task.

When you save the changes the Task Scheduler will ask you for a password for the “AAD_xxxxxxxx” account.

This local server “AAD_xxxxxxxx” account was automatically created during the AAD Sync installation process, and obviously you don't know the password for that account. Some guys recommend resetting the local account's password at this point. I disagree with this approach (you will later discover broken things that depend on that account/password) and recommend that you create a new account, such as svc-aadsync-sa, and add it to the ADSyncAdmins local computer group (also created automatically during the AADSync installation process). Use a strong password and the "Password never expires" option when you create it.

With the new .\svc-aadsync-sa account you can safely make changes to the Azure AD Sync schedule settings:

Be aware that reducing the synchronization interval may lead to "out of space" issues on the AADSync server very quickly. You may need to check the following folder from time to time and clear it, or schedule a PowerShell cleanup script:
C:\Users\AAD_xxxxxxxx\AppData\Local\Microsoft\MSOIdentityCRL\Tracing\

Where “AAD_xxxxxxxx” is the account that was automatically created during the AAD Sync installation process.
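
A cleanup script of the kind mentioned above could look like this. It is an added example, not code from the original post; the function name, the 7-day retention default and the AAD_* wildcard used to locate the profile folder are assumptions.

```powershell
# Added example: prune old trace files left by the AAD Sync service account.
# Assumptions (not from the original post): the function name, the 7-day
# retention default, and the AAD_* wildcard used to find the profile folder.
function Clear-AadSyncTracing {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$TracingPath = 'C:\Users\AAD_*\AppData\Local\Microsoft\MSOIdentityCRL\Tracing',
        [ValidateRange(1, 365)]
        [int]$RetentionDays = 7
    )

    $cutoff  = (Get-Date).AddDays(-$RetentionDays)
    $folders = @(Resolve-Path -Path $TracingPath -ErrorAction SilentlyContinue)
    if ($folders.Count -eq 0) {
        Write-Warning "No tracing folder matches $TracingPath"
        return
    }

    foreach ($folder in $folders) {
        # Only files older than the cutoff are candidates; recent traces are kept.
        $old = @(Get-ChildItem -LiteralPath $folder.ProviderPath -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -lt $cutoff })
        $removed = 0; $bytes = 0
        foreach ($file in $old) {
            $size = $file.Length   # read the size before the file is gone
            if ($PSCmdlet.ShouldProcess($file.FullName, 'Remove trace file')) {
                try {
                    Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
                    $removed++; $bytes += $size
                } catch {
                    # A file still held open by the sync service is skipped, not fatal.
                    Write-Warning "Skipped $($file.FullName): $($_.Exception.Message)"
                }
            }
        }
        # One summary object per folder, suitable for logging from a scheduled task.
        [pscustomobject]@{
            Folder       = $folder.ProviderPath
            FilesRemoved = $removed
            MBFreed      = [math]::Round($bytes / 1MB, 1)
            Cutoff       = $cutoff
        }
    }
}

# Dry run first; drop -WhatIf once the list looks right.
Clear-AadSyncTracing -RetentionDays 7 -WhatIf
```

Run it from an elevated session, since the folder sits inside another account's profile.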

The changes described above are not supported by MS and are provided AS IS.



DirSync and some older versions of AADSync
Some of you guys may still be using it. If you want to change the default sync period, first navigate to the Windows Azure Active Directory Sync directory on the member server where the Directory Sync tool is installed. In older versions (i.e. pre-Azure) the directory is called Microsoft Online Directory Sync. In DirSync, the amount of time between synchronizations is determined by the Microsoft.Online.DirSync.Scheduler.exe.config file.

Process to change the time interval for DirSync:

Step 1: Locate the config file Microsoft.Online.DirSync.Scheduler.exe.config in C:\Program Files\Windows Azure Active Directory. In older versions of DirSync it is in the C:\Program Files\Microsoft Online Directory Sync folder.

Step 2: Open the Microsoft.Online.DirSync.Scheduler.exe.config file using Notepad.

Step 3: Locate the value <add key="SyncTimeInterval" value="3:0:0" />, which is in hh:mm:ss format. Change the value from 3:0:0 to 10 minutes like this: <add key="SyncTimeInterval" value="0:10:0" />

Step 4: After saving the file, restart the Windows Azure Active Directory Sync service (in the old version, the Microsoft Online Services Directory Synchronization Service).

The above process will change the DirSync Time interval from 3 hours to 10 minutes.