Azure User Group Nepal

Learn and understand the cloud technology using Microsoft Azure platform to adopt it

Azure AD Connect : Customize Synchronization Interval

Author: Sakaldeep

April 24, 2017

After installing the Azure AD Connect tool for hybrid identity management, the first thing a system admin usually wants to change is the default synchronization interval. Although this task can be done using either the GUI or PowerShell, this post focuses on the PowerShell cmdlets. The current default synchronization interval is 30 minutes, which might be too frequent for some organizations and too long a delay for others. Before diving into the process of customizing the sync interval, let's first understand the basic concept of the Azure AD sync cycle.

Azure AD Connect sync synchronizes changes occurring in the on-premises directory using a scheduler. There are two scheduler processes, one for password sync and another for object/attribute sync and maintenance tasks.

In earlier releases, the scheduler for objects and attributes was external to the sync engine. It used Windows Task Scheduler or a separate Windows service to trigger the synchronization process. Starting with the 1.1 releases, the scheduler is built into the sync engine and allows some customization.

The scheduler is responsible for two tasks:

  • Synchronization cycle. The process to import, sync, and export changes.
  • Maintenance tasks. Renew keys and certificates for Password reset and Device Registration Service (DRS).

The scheduler itself is always running, but it can be configured to only run one or none of these tasks. For example, if you need to have your own synchronization cycle process, you can disable this task in the schedule but still run the maintenance task.

Customize Sync Scheduler

First, let's check the current synchronization interval using the PowerShell command Get-ADSyncScheduler, which shows the current scheduler settings.

In this example, the currently effective sync cycle interval is 30 minutes and the next sync cycle start time is 6:43:17 AM, along with other parameters. You can customize the default values using the following parameters of the Set-ADSyncScheduler PowerShell command.

  • CustomizedSyncCycleInterval
  • NextSyncCyclePolicyType
  • PurgeRunHistoryInterval
  • SyncCycleEnabled
  • MaintenanceEnabled

Command to change SyncCycleInterval

Syntax: Set-ADSyncScheduler -CustomizedSyncCycleInterval d.HH:mm:ss
d – days, HH – hours, mm – minutes, ss – seconds

Example 1: Set-ADSyncScheduler -CustomizedSyncCycleInterval 01:00:00
Changes the scheduler to run every 1 hour.

Example 2: Set-ADSyncScheduler -CustomizedSyncCycleInterval 2.0:0:0
Changes the scheduler to run every 2 days.

Start the scheduler

The scheduler runs every 30 minutes by default, or at the customized interval, but a sync cycle can be run between the scheduled cycles using the PowerShell command Start-ADSyncSyncCycle -PolicyType. There are three types of sync cycle: Delta, Initial and Unspecified.

Delta sync cycle
A delta sync cycle includes the following steps:

  • Delta import on all Connectors
  • Delta sync on all Connectors
  • Export on all Connectors

It could be that you have an urgent change that must be synchronized immediately, which is why you need to manually run a cycle. If you need to manually run a cycle, then from PowerShell run Start-ADSyncSyncCycle -PolicyType Delta.


Initial sync cycle
If you have made one of the following configuration changes, you need to run an initial sync cycle, also known as a full sync cycle.

  • Added more objects or attributes to be imported from a source directory
  • Made changes to the Synchronization rules
  • Changed filtering so a different number of objects should be included

If you have made one of these changes, then you need to run an initial sync cycle so the sync engine has the opportunity to reconsolidate the connector spaces. A full sync cycle includes the following steps:

  • Full Import on all Connectors
  • Full Sync on all Connectors
  • Export on all Connectors

To initiate a full sync cycle, run Start-ADSyncSyncCycle -PolicyType Initial from a PowerShell prompt. This command starts a full sync cycle.


You can run any type of sync cycle manually as per the requirement and get all the objects updated in your hybrid infrastructure.
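The scheduler settings covered above can also be checked in one pass after a change. The following is an added example, not part of the original post: it flags a disabled sync cycle, disabled maintenance (key and certificate renewal), or an effective interval longer than a limit you choose. The function name Test-SyncSchedulerState, the one-hour default limit and the sample object are assumptions made for illustration; the property names are those shown in Get-ADSyncScheduler output.

```powershell
# Added example. Function name and default limit are hypothetical, not part of the ADSync module.
function Test-SyncSchedulerState {
    param(
        # Object returned by Get-ADSyncScheduler (or a stand-in with the same properties)
        [Parameter(Mandatory, ValueFromPipeline)] $Scheduler,
        # Assumed organizational limit for how long a change may wait before syncing
        [TimeSpan] $MaxInterval = '01:00:00'
    )
    process {
        $findings = @()
        if (-not $Scheduler.SyncCycleEnabled) {
            $findings += 'SyncCycleEnabled is False: no scheduled import/sync/export will run.'
        }
        if (-not $Scheduler.MaintenanceEnabled) {
            $findings += 'MaintenanceEnabled is False: keys and certificates will not be renewed.'
        }
        $effective = [TimeSpan] $Scheduler.CurrentlyEffectiveSyncCycleInterval
        if ($effective -gt $MaxInterval) {
            $findings += "Effective interval $effective exceeds limit $MaxInterval."
        }
        # One result object per scheduler, suitable for logging or alerting
        [pscustomobject]@{
            EffectiveInterval = $effective
            NextPolicyType    = $Scheduler.NextSyncCyclePolicyType
            Compliant         = ($findings.Count -eq 0)
            Findings          = $findings
        }
    }
}

# Constructed sample that mirrors scheduler state after Example 2 (2-day interval),
# with maintenance switched off. Not real output from a server.
$sample = [pscustomobject]@{
    CurrentlyEffectiveSyncCycleInterval = [TimeSpan]'2.00:00:00'
    CustomizedSyncCycleInterval         = [TimeSpan]'2.00:00:00'
    NextSyncCyclePolicyType             = 'Delta'
    SyncCycleEnabled                    = $true
    MaintenanceEnabled                  = $false
}
$sample | Test-SyncSchedulerState | Format-List

# On the Azure AD Connect server itself:
#   Get-ADSyncScheduler | Test-SyncSchedulerState -MaxInterval '00:30:00'
```

With the constructed sample, the result reports Compliant as False with two findings: the disabled maintenance task and the 2-day interval exceeding the one-hour limit.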
