Sometimes large orgs have a large number of errors that they need ignored. By default, Azure AD Sync (the new DirSync) has a limit of 5000 errors before it will cease synchronizing. Of course, you could also filter out the OUs with known errors so they are not synchronized, but I can still see a use case where you would want known errors to continue reporting without preventing synchronization.
If you are hitting this error limit and the errors are permission-denied errors, then you have not applied the custom permissions from the AADSync instructions here. Those instructions are clear, but not given in an ideal manner, so check here and here for scripts that deploy the current permissions to your AAD service account.
Using the miisclient.exe in AADSync, I was seeing a stopped-error-limit at 5000 errors, and was only getting about two-thirds of the users synchronized.
After IM'ing with a colleague from Microsoft, I had the answer. Here's a five-year-old KB article.
I've pasted and updated the content here:
Summary
Cause: Certain synchronization activities result in the creation of temporary error conditions that are eventually resolved once the synchronization has had the opportunity to finish running. In environments where extremely large numbers of objects are being processed, the number of these errors may exceed the default error limit of 5000, causing the synchronization process to terminate before it has finished processing all objects.
More Information
You can increase the error limit to a sufficient value so that synchronization can finish processing all objects before the error limit is reached. Given the opportunity to finish, the synchronization process will eventually resolve the temporary error conditions. The error limit is configured by adding the ErrorLimit (REG_DWORD) entry to the registry subkey for your product, listed below:
If you are using MIIS / ILM / IIFP
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\miisserver\Parameters
If you are using AADSync
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADSync\Parameters
If you are using FIM 2010 or DirSync
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FIMSynchronizationService\Parameters
The value is an integer in the range of 0-100000.
• Value set to 0 = Error limit set to 100000
• Value in the range of 1-99999 = Error limit set to value
• Value set to 100000 = Error limit set to 100000
• Value set greater than 100000 = Error limit set to 100000
• No key present = Default error limit set to 5000
Note: The synchronization service (miiserver.exe; the ADSync service for AADSync, the FIMSynchronizationService service for FIM 2010 or DirSync) must be restarted after modifying this registry key, or the new limit is not read.
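The procedure above, as an added PowerShell example (not the KB article's or the original post's own script): it finds whichever of the three Parameters subkeys is present, reports the current and effective limit using the KB's value table, writes ErrorLimit as a REG_DWORD, and restarts the service. It assumes the Parameters subkey sits under the service's own key, so the subkey name doubles as the Windows service name (true for ADSync and FIMSynchronizationService; confirm with Get-Service for MIIS/ILM). The default of 20000 is an arbitrary example value, not a recommendation. Run it from an elevated PowerShell prompt on the sync server.

```powershell
# Added example, not from the KB or the original post.
# Sets ErrorLimit for whichever sync engine is installed and restarts its service.
# Assumption: the subkey name under Services is also the service name
# (holds for ADSync and FIMSynchronizationService; verify for MIIS/ILM).
[CmdletBinding(SupportsShouldProcess)]
param(
    # Desired limit. The engine treats 0 and anything >= 100000 as 100000.
    [ValidateRange(0, 2147483647)]
    [int]$ErrorLimit = 20000   # example value, pick one that fits your run
)

$serviceNames = 'ADSync', 'FIMSynchronizationService', 'miisserver'

# What the engine will actually use, per the KB's value table, so the
# operator sees the effective limit rather than the raw DWORD.
function Get-EffectiveErrorLimit {
    param($Value)
    if ($null -eq $Value) { return 5000 }                     # no value present
    if ($Value -eq 0 -or $Value -ge 100000) { return 100000 } # clamped ceiling
    return $Value
}

# Locate the Parameters subkey for the installed product.
$found = $null
foreach ($name in $serviceNames) {
    $path = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\Parameters"
    if (Test-Path -LiteralPath $path) { $found = $name; break }
}
if (-not $found) { throw 'No MIIS/ILM/FIM/DirSync/AADSync Parameters subkey found.' }

$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$found\Parameters"
$current = (Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue).ErrorLimit
$shown   = if ($null -eq $current) { '<not set>' } else { $current }
Write-Host ("Service {0}: current ErrorLimit = {1} (effective {2})" -f $found, $shown,
    (Get-EffectiveErrorLimit $current))

if ($PSCmdlet.ShouldProcess($keyPath, "Set ErrorLimit = $ErrorLimit")) {
    # REG_DWORD; -Force creates the value if it is missing or overwrites it.
    Set-ItemProperty -LiteralPath $keyPath -Name ErrorLimit -Value $ErrorLimit -Type DWord -Force
    $new = (Get-ItemProperty -LiteralPath $keyPath).ErrorLimit
    Write-Host ("New ErrorLimit = {0} (effective {1})" -f $new, (Get-EffectiveErrorLimit $new))

    # Per the KB, the service must be restarted before the new limit is read.
    Restart-Service -Name $found -Force
    Write-Host "Restarted service $found."
}
```

Use -WhatIf on the first run to see which key and service it picked without changing anything. Raising the limit only lets the run finish; errors that are not transient still need to be triaged afterwards in the Synchronization Service Manager (miisclient.exe), and a run that still stops at the limit means the error rate is higher than the ceiling of 100000 allows for.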