Friday, 11 November 2011

How to stop Dirsync from breaking after 90 days (password expiry)

Last week I noticed that Dirsync did not sync anymore.
When logging on to the Microsoft Online Portal I noticed that I needed to change my password.
During the initial setup of Office 365, I used my Office 365 admin account for setting up Dirsync.
My password had expired and therefore Dirsync did not work either.
To restore Dirsync synchronization you need to run the Directory Sync Configuration wizard again.

To prevent Dirsync from breaking every time your password expires, it is wise to set up a dedicated Dirsync service account with no password expiry.

To do this, log on to the Microsoft Online Portal and create a new user.
  • Log in to https://portal.microsoftonline.com as a tenant Administrator
  • Under the Management menu, click on Users
  • Click on New, then select User from the drop-down
  • Enter the appropriate details for the new user account and click Next
  • Assign the new account “Global Administrator” rights
  • Complete the user creation process (you do not need to assign this user an Office 365 license!)
  • Make a note of the temporary account password
  • Start IE in “InPrivate” mode and browse to https://portal.microsoftonline.com
  • Log in with your new DIRSYNC service account
  • On first login Office 365 will prompt you to change the password
  • Verify that you can log on to the Office 365 portal with your new account
Now you need to run the Directory Sync Configuration wizard again.
To do this, you need to have the Dirsync service account details and the AD Enterprise Administrator details.

  • Log on to your DIRSYNC server
  • Open Start > All Programs > Microsoft Online Services > Directory Synchronization : Directory Sync Configuration
  • Click Next at the welcome screen
  • Enter your new DIRSYNC service account details into the Microsoft Online Services Administrator Credentials box
  • Click Next (DIRSYNC will validate your credentials)
  • Enter your existing Enterprise Administrator credentials into the Active Directory Enterprise Administrator Credentials box
  • Click Next (DIRSYNC will validate your credentials)
  • Enable the “Rich Coexistence” checkbox if you are deploying in “Hybrid” mode and want AD write-back
  • Click Next
  • DIRSYNC will re-configure itself to use the new account
At this point, I got an error saying that I did not have the appropriate permissions on the Dirsync registry key.

I needed to add permissions on the specified registry hive for my admin account to get the wizard to work. Adding your account to the local Administrators group also works.

  • Ensure that the Synchronize directories now checkbox is checked and click “Finish”
Dirsync is set up and working again, but password expiry is still active for the Dirsync account.
Make sure you understand the security risk of disabling password expiry: the Dirsync account has Global Administrator rights in your tenant, so a non-expiring password is a standing privileged credential that must be kept strictly confidential.

To disable password expiry we need to connect to Office 365 with PowerShell. For this we need the Microsoft Online Services Sign-in Assistant and the Microsoft Online Services Module for Windows PowerShell.
These are already present on the ADFS server, so there is no need to install them on another machine.
  • Log on to your ADFS server and open PowerShell.
I created a short PowerShell script to connect to Office 365 quickly.

Import-Module MSOnline
# Prompt for the Office 365 admin password; the user name is pre-filled
$Cred = Get-Credential -Credential admin@domain.onmicrosoft.com
Connect-MsolService -Credential $Cred
# List the cmdlets the module provides, to confirm the connection works
Get-Command -Module MSOnline

  • Save the script as "365login.ps1" or something similar.
  • Open the Microsoft Online Services Module for Windows PowerShell.
    This is located in the Start menu.
  • Browse to and run your newly created PowerShell script.
    This prompts you for your Office 365 admin credentials.
Next, run Get-MsolUser to show the current settings for the Dirsync user.

This shows the current settings for the user. Notice the PasswordNeverExpires setting: it is set to False.
Now run the following command:

To confirm, rerun the Get-MsolUser command and check that the setting has changed.
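The check-set-verify sequence above, as an added PowerShell example that is not part of the original post. It assumes the MSOnline module is installed; the service account UPN is a placeholder. It also goes one step beyond the post and lists every Global Administrator whose password never expires, so the risk mentioned earlier can be reviewed rather than forgotten.

```powershell
# Added example (not from the original post). Assumes the MSOnline module
# is installed; the UPN below is a placeholder to replace with your own.
Import-Module MSOnline

$ServiceAccount = 'dirsync@yourtenant.onmicrosoft.com'   # placeholder

# Prompt for tenant admin credentials and connect.
$Cred = Get-Credential -Message 'Office 365 Global Administrator'
Connect-MsolService -Credential $Cred

# Show the current state of the flag before changing anything.
$Before = Get-MsolUser -UserPrincipalName $ServiceAccount
"Before: PasswordNeverExpires = $($Before.PasswordNeverExpires)"

# Only touch the account when the flag is not already set.
if (-not $Before.PasswordNeverExpires) {
    Set-MsolUser -UserPrincipalName $ServiceAccount -PasswordNeverExpires $true
}

# Re-read the object instead of trusting that Set-MsolUser succeeded silently.
$After = Get-MsolUser -UserPrincipalName $ServiceAccount
if (-not $After.PasswordNeverExpires) {
    throw "PasswordNeverExpires was not applied to $ServiceAccount"
}
"After:  PasswordNeverExpires = $($After.PasswordNeverExpires)"

# Review step: list every Global Administrator (the MSOnline role name is
# 'Company Administrator') whose password never expires. Each entry is a
# privileged credential that no longer rotates, so this list should be short
# and every account on it should be known and justified.
$Role = Get-MsolRole -RoleName 'Company Administrator'
Get-MsolRoleMember -RoleObjectId $Role.ObjectId |
    Where-Object { $_.RoleMemberType -eq 'User' } |
    ForEach-Object { Get-MsolUser -ObjectId $_.ObjectId } |
    Where-Object { $_.PasswordNeverExpires } |
    Select-Object UserPrincipalName, PasswordNeverExpires, LastPasswordChangeTimestamp |
    Format-Table -AutoSize
```

Run it from the Microsoft Online Services Module for Windows PowerShell prompt; the default Get-MsolUser table view hides PasswordNeverExpires, which is why the script reads the property explicitly.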

That's it: Dirsync won't break anymore because the password does not expire.

2 comments:

  1. Thanks for this writeup. It explained the problem we were seeing.

    Here's a trick that we discovered, though.

    If you don't want to have to reconfigure Dirsync with a new password, you don't have to change it. Say the old password is working just fine and you use the admin account in other places for things like licensing.

    If you are getting the dll-exception error on dirsync and logs indicate a password problem, you can login to Windows Azure through powershell and set the currently expired account to never expire passwords (as above):

    Set-MsolUser -UserPrincipalName [youradminaccount]@[your azure domain] -PasswordNeverExpires $true

    This clears the problem and won't force a change of the old password, meaning dirsync and any other services and scripts that use that admin account won't have to change passwords.

    After making this change, rerun the dirsync management agents to confirm that they are working once again.

    Thanks for the tip that led me down this road.