Forcing Azure AD Connect Sync

KB ID 0001590

Problem

If you are using Azure AD Connect, (AAD Connect) to sync your on-premise Active Directory with Azure AD (i.e. for Office 365), then there may be times when you need to manually ‘force a replication’ because by default it’s going to take 30 minutes between each normal ‘delta replication’

Solution

If you are directly on the server that’s running Azure AD connect, then use the following PowerShell. If you Don’t know which server is running AD connect the see the following link;

Locate Your Azure AD Connect Server

Firstly you need to add in the correct module, (you only have to do this once). Though the module should be already installed on the Sync server, let’s not tempt fate and check. (You can also use Get-Module to view installed modules).

[box]

Import-Module ADSync

[/box]

Note: If you get an error you may need to run Import-Module “C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1”

Then to Manually Force a Synchronisation;

[box]

To Perform a FULL Sync
Start-ADSyncSyncCycle -PolicyType Initial
To Perform a (Normal) Delta Sync
Start-ADSyncSyncCycle -PolicyType Delta

[/box]

You can view the Sync settings with;

[box]

Get-ADSyncScheduler

[/box]

But I don’t like that, I prefer to watch synchronisations going on on the ‘Syntonisation Service Manager’ console, you can spot and troubleshoot errors in here also 🙂

Note: To Troubleshoot Sync errors, see the procedure I use in the following post;

Azure AD Connect: Correct Or Remove Duplicate Values

Force an Azure AD Connect Synchronisation From Another Server

Use the following syntax;

[box]

Invoke-Command -ComputerName AD-Connect-Server-Name -ScriptBlock { 
Import-Module ADSync 
Start-ADSyncSyncCycle -PolicyType Delta 
}

[/box]

Disable and Enable Azure AD Sync

[box]

Disable
Set-ADSyncScheduler -SyncCycleEnabled $False
Enable
Set-ADSyncScheduler -SyncCycleEnabled $True	

[/box]

Related Articles, References, Credits, or External Links

Azure AD Connect: Correct Or Remove Duplicate Values

AAD Contains Another Object With The Same DN

Outlook Web App 2013 – Offline Mode

 

KB ID 0000727 

Problem

A great new feature of OWA 2013 is the ability to run in ‘Offline mode’. This runs in the same manner as Microsoft Outlook’s ‘Cached Mode’ which has been built into full Outlook since version 2003.

There are a few caveats before you can get it to work;

Requirements for OWA Offline Mode

1. A compatible browser (Internet Explorer 10, Chrome 18, or Safari 5.1). source
2. You have to be connecting to OWA being hosted on an Exchange 2013 CAS server.
3. Your mailbox needs to be hosted on an Exchange 2013 Mailbox server.

Capabilities of OWA Offline Mode

1. While you are in offline mode, you can open OWA, read and reply to emails, send new emails, respond to meeting requests, view your calendar, view and edit your contacts.

Note: Obviously all sent and updated data will not be sent to recipients, or changes reflected in Exchange until you are no longer in offline mode.

2. The system will only cache data for the past month and calendar entries for the next twelve months.

3. Contact information for recently used recipients will also be cached.

Disadvantages of OWA Offline Mode

1. A prolonged period in cached mode can cause scheduled events in your calendar to stop working. (Its only designed for users to be sporadically disconnected).

2. You cannot access Archived folders.

3. With the exception of the Inbox, Sent Items, Calendar, and Drafts items folder, only folders you have accessed will be cached.

Solution

1. Whilst online and connected to OWA > Settings > Use mail offline.

2. For security reasons you will be asked if you are on a public computer > Prompted to add the URL to favorites (or bookmarks depending on the browser).

Note: DO NOT use this feature on a shared or public computer, the cache is accessible from other user accounts on the machine.

3. In this example I’m using IE10 > Just for ease I’m enabling the Favorites bar to see the shortcut.

4. Depending on the size of the mailbox and speed of connection, it may take a while to syncronise. Whilst offline OWA will display the time it last connected to Exchange, and while you are working offline if you send any mail it will keep a track of pending options for next time you are online.

Internet Explorer 10 Caches and Databases

The whole system works because the supported browsers have the ability to cache information locally, to see where that’s being set in IE10, Internet Options > General > Browsing Data > Settings > Caches and Databases.

Related Articles, References, Credits, or External Links

NA

Cisco ASA – Configuring for NTP

KB ID 0000608

Problem

With NTP, there will be two things you want to do, 1) Allow a device behind the ASA to take its time from a public NTP server, and 2) Set the ASA to take its system time from a public NTP sever (for accurate date stanps on the logs, and for time critical things like Kerberos authentication.)

Solution

Allow internal host(s) to get system time though the firewall.

1. Connect to the ASA, go to “enable mode”, then to “Configure terminal mode”

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure Terminal
PetesASA(config)# 

[/box]

2. To rules are being applied to traffic going OUT through the firewall, run a “show run access-group” command.

[box]

PetesASA(config)# show run access-group

        Sample Output

access-group outbound in interface inside
access-group inbound in interface outside

[/box]

Note: If it returns nothing then outbound traffic is NOT being filtered, and NTP should work anyway, but in the example above I can see the traffic that is going IN the inside interface (That’s traffic going out if you think about it!) Is being filtered by an access list called ‘outbound’ (Because I give the ACL’s sensible names, yours could be called anything!)

3. To allow ALL hosts use the word any, for a specific host use the keyword host.

[box]

Allow all hosts access to NTP

PetesASA(config)# access-list outbound permit udp any any eq 123

Allow one host (192.168.1.1)
        to NTP

PetesASA(config)# access-list outbound permit udp host 10.254.254.1 any eq 123 

[/box]

4.  Finally save the updated config.

[box]

PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
  PetesASA#

[/box]

Set the ASA to get its System Time from an External NTP Source

1. Connect to the ASA, go to “enable mode”, then to “Configure terminal mode”

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure Terminal
PetesASA(config)# 

[/box]

2. The IP address I’m using is in the UK if you want one more local look here.

[box]

PetesASA(config)#  ntp server 130.88.212.143 source outside

[/box]

3. To check on its status, simply execute a “show ntp status” command. BUT it will take a few minutes to synchronise, until it does you will see;

[box]

PetesASA(config)#  show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is d36a01de.60ad92ea (13:04:30.377 UTC Fri May 25 2012)
clock offset is 3414265.0854 msec, root delay is 26.09 msec
root dispersion is 3430186.81 msec, peer dispersion is 16000.00 msec
PetesASA(config)#

[/box]

When it is finally synchronised it will say;

[box]

PetesASA(config)#   show ntp status
Clock is synchronized, stratum 3, reference is 130.88.212.143
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is d36a0f74.a34d5dde (14:02:28.637 UTC Fri May 25 2012)
clock offset is -9.1688 msec, root delay is 25.91 msec
root dispersion is 15915.95 msec, peer dispersion is 15890.63 msec 
PetesASA(config)#

[/box]

4.  Finally save the updated config.

[box]

PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#

[/box]

Related Articles, References, Credits, or External Links

Set Cisco ASA for Kerberos Authentication