Azure AD Connect Sync: Operational Tasks and Considerations - Microsoft Sign In (2023)

  • article

While the server is in test mode, you can make configuration changes and preview the changes before the server goes live. It also allows you to perform a full import and full sync to verify that all changes are as expected before pushing them to your production environment.

method of preparation

Staging mode can be used in a variety of scenarios, including:

  • High Availability.
  • Test and apply new configuration changes.
  • Bring in new servers and take out old ones.

During installation you can choose which server to usemethod of preparation.This action makes the server active for import and sync, but does not trigger any exports. A server in test mode does not perform synchronization or password recovery, even if you selected these features during installation. When you disable test mode, the server starts the export, enables password synchronization, and enables password recovery.


Assuming you have Azure AD Connect enabled for password hash sync. When you enable test mode, the server stops synchronizing on-premises AD password changes. When you disable change mode, the server continues synchronizing password changes where it left off. If the server remains in standby mode for an extended period of time, it may take some time for the server to synchronize any password changes that occur during that period.

You can still force an export using the Sync Services Manager.

The standby server continues to receive changes from Active Directory and Azure AD and can quickly take over another server in the event of a failure. If you change the configuration on the primary server, it is your responsibility to make the same changes on the standby server.

For those familiar with old sync technology, it works differently because the server has its own SQL database. This architecture allows for alternate servers to be located in different datacenters.

Check server configuration

To apply this method, follow these steps:

  1. Prepare
  2. settings
  3. import and sync
  4. confirmed
  5. change active server


  1. Install Azure AD Connect, selectmethod of preparationand uncheckstart syncOn the last page of the installation wizard. This mode allows you to manually initiate a sync.Azure AD Connect Sync: Operational Tasks and Considerations - Microsoft Sign In (1)
  2. Log out/log in and from the main menu choosesync service.


If you have made custom changes on the master server and want to compare the configuration with the test server, useAzure AD Connect Setup Documentation.

import and sync

  1. to chooseto connectand select the first connector of typeUse Active Directory domain.cliquerunning, to choosefull import, EUAll good.Follow these steps for all these connectors.
  2. Select connector typeAzure Active Directory (Microsoft).cliquerunning, to choosefull import, EUAll good.
  3. Make sure the Connectors tab is still selected. For each connector with typeUse Active Directory domain, cliquerunning, to chooseincremental sync, EUAll good.
  4. Select connector typeAzure Active Directory (Microsoft).cliquerunning, to chooseincremental sync, EUAll good.

You have now performed the export changes on both Azure AD and on-premises AD (if using an Exchange hybrid deployment). The following steps allow you to verify what changes will occur before starting the export to the catalog.


  1. Run cmd prompt and go to%ProgramFiles%\Microsoft Azure AD Sync\bin
  2. running:csexport "Ime Connector" %temp%\export.xml /f:xThe connector name can be found in the sync service. For Azure AD, it's something like " - Azure AD".
  3. running:CSExportAnalyzer %temp%\export.xml > %temp%\export.csvYou have a file called export.csv at %temp% that you can view in Microsoft Excel. This file contains all the changes that will be made.
  4. Make the necessary data or configuration changes and repeat the steps (import and sync and commit) until the expected changes occur.

Understanding the export.csv file

Most of this file is self-explanatory. Some abbreviations for understanding the content:

  • OMODT - Object modification type. Indicates whether the object-level operation is an add, update, or delete.
  • AMODT - The type of attribute modification. Indicates whether the attribute-level operation is add, update, or delete.

Retrieve the universal identifier

The export.csv file contains all the changes that will be made. Each line corresponds to a change to an object in the connector space, and the object is identified by the DN attribute. The DN attribute is a unique identifier assigned to objects in the connector space. When you have many lines/changes in export.csv to parse, it can be difficult to determine which objects the change applies to based on the DN attribute alone. To simplify the change analysis process, usecsanalyzer.ps1PowerShell scripts. The script retrieves the object's public identifier (for example, displayName, userPrincipalName). Use the script:

  1. Copy the PowerShell script from the sectionCSA analyzerfor a nomineecsanalyzer.ps1.
  2. Open a PowerShell window and navigate to the folder where the PowerShell script was created.
  3. running:.\csanalyzer.ps1 -xmlparaimportar %temp%\export.xml.
  4. now you have oneprocessed users1.csvCan be viewed in Microsoft Excel. Note that this file provides mappings from DN attributes to public identifiers such as displayName and userPrincipalName. It currently does not include the actual property changes that will be performed.

change active server

Azure AD Connect can be configured in an active-passive high availability configuration, where one server actively pushes changes to AD objects synchronized to Azure AD and the passive server deploys those changes if they need to be downloaded.


Azure AD Connect cannot be configured in an active-active configuration. Must be active-passive. Make sure only 1 Azure AD Connect server is actively synchronizing changes.

For more information on configuring Azure AD Connect sync server in trial mode, seemethod of preparation

You may need to fail over the sync server for a variety of reasons, such as upgrading your version of Azure AD Connect or getting an alert that the sync service's health service isn't getting the latest information. In such cases, you can try the steps below to switch sync servers after a crash.


  • A currently active Azure AD Connect sync server
  • A test Azure AD Connect sync server

Change the currently active sync server to standby mode

We need to ensure that only one sync server is syncing changes at any time during the process. If the currently active sync server is available, you can move it into view by performing the following steps. If it becomes unavailable, make sure the server or VM doesn't regain access by accidentally shutting down the server or isolating it from outgoing connections.

  1. For the currently active Azure AD Connect server, open the Azure AD Connect wizard and click Configure Trial Mode and then click Next:

    Azure AD Connect Sync: Operational Tasks and Considerations - Microsoft Sign In (2)

  2. You will need to log in to Azure AD with Global Administrator or Hybrid Administrator credentials:

    Azure AD Connect Sync: Operational Tasks and Considerations - Microsoft Sign In (3)

  3. Check the Staging Mode box and click Next:

    Azure AD Connect Sync: Operational Tasks and Considerations - Microsoft Sign In (4)

  4. The Azure AD Connect server will check the installed components and ask if you want to start the sync process after the configuration changes are complete:

    Azure AD Connect Sync: Operational Tasks and Considerations - Microsoft Sign In (5)

Since the server will be in standby mode, it will not write changes to Azure AD, but it will keep any AD changes in its connector space, ready for writing.
We recommend keeping the server sync process in test mode so that if it becomes active, it takes over quickly without having to do many syncs to capture the current state of the AD/Azure AD objects in scope.

  1. After choosing to start the sync process and clicking Configure, the Azure AD Connect server is configured in test mode.
    Once completed, you will see a screen confirming that test mode is enabled.
    You can click Exit to finish.

  2. You can verify that the server is in test mode successfully by opening Windows PowerShell, loading the "ADSync" module and checking the ADSync scheduler configuration with the following command:

ADSyncGet-ADSyncScheduler import module

In the results, check the value of the "StagingModeEnabled" setting. If the server successfully enters standby mode, the value of this setting should beHe saidAs shown in the following example:

Azure AD Connect Sync: Operational Tasks and Considerations - Microsoft Sign In (6)

Change current test sync server to active mode

At this point, all of our Azure AD Connect sync servers should be in test mode and not exporting changes. Now we can move our test sync server to active mode and actively sync changes.

  1. Now switch to the Azure AD Connect server which was originally in test mode and open the Azure AD Connect wizard.

    Click "Configure test mode" and click Next:

    Azure AD Connect Sync: Operational Tasks and Considerations - Microsoft Sign In (7)

    A message at the bottom of the wizard indicates that this server is in test mode.

  2. Sign in to Azure AD and go to the test mode screen.

    Uncheck the Staging Mode box and click Next

    Azure AD Connect Sync: Operational Tasks and Considerations - Microsoft Sign In (8)

    As per the notice on this page, it is important to ensure that no other Azure AD Connect servers are actively synchronizing.

    There can only be one active Azure AD Connect sync server at a time.

  3. When prompted to start the sync process, check the box and click Configure:

    Azure AD Connect Sync: Operational Tasks and Considerations - Microsoft Sign In (9)

  4. When the process is completed, you will see the confirmation screen below where you can click Exit to finish:

    Azure AD Connect Sync: Operational Tasks and Considerations - Microsoft Sign In (10)

  5. You can confirm that this works by opening the sync service console and checking that the export job is running:

    Azure AD Connect Sync: Operational Tasks and Considerations - Microsoft Sign In (11)

disaster recovery

Part of the deployment project is planning what to do in the event of an out-of-sync server catastrophe. There are different models available, and which one to use depends on several factors, including:

  • What is your tolerance for not being able to change objects in Azure AD during downtime?
  • If you use password sync, do users accept that they need to use the old password in Azure AD to prevent them from changing it locally?
  • Are you addicted to real-time operations like password recovery?

Depending on the answers to these questions and your organization's policies, one of the following strategies may be implemented:

  • Update if necessary.
  • There is a backup server calledmethod of preparation.
  • Use a virtual machine.

If you are not using embedded SQL Express database then also checkSQL High Availabilitypaper.

update if necessary

A sustainable strategy is to plan to rebuild the servers when needed. Typically, installing the sync engine and initial import and sync can be completed in a few hours. If no backup server is available, a domain controller can be used temporarily to host the synchronization engine.

The sync engine server does not store any state about objects, so the database can be rebuilt from data in Active Directory and Azure AD. thatanchor sourceProperties are used to merge on-premises and cloud objects. If you rebuild the server with existing local and cloud objects, the sync engine will reassemble these objects on reinstallation. What you need to register and save are server configuration changes such as filtering and synchronization rules. These custom settings must be reapplied before synchronization can begin.

Have a backup server - backup mode

If you have a more complex environment, it is recommended to have one or more backup servers. During installation, you can enable server accessmethod of preparation.

For more information, seemethod of preparation.

use a virtual machine

A common and supported approach is to run the sync engine in a virtual machine. If there is a problem with the host, the image with the sync engine server can be moved to another server.

SQL High Availability

If you are not using SQL Server Express that comes with Azure AD Connect, you should also consider SQL Server high availability. Supported high availability solutions include SQL clusters and Always On Availability Groups (AOA). Unsupported solutions include mirroring.

SQL AOA support was added to Azure AD Connect in version 1.1.524.0. SQL AOA must be enabled before installing Azure AD Connect. During installation, Azure AD Connect detects whether SQL AOA is enabled on the given SQL instance. If SQL AOA is enabled, Azure AD Connect determines whether SQL AOA is configured to use synchronous or asynchronous replication. When configuring an availability group listener, the RegisterAllProvidersIP property must be set to 0. This is because Azure AD Connect currently uses SQL Native Client to connect to SQL, and SQL Native Client does not support using the MultiSubNetFailover property .

CSA Analyzer Supplement

see chapterconfirmedon how to use this script.

Param([Parameter(Mandatory=$true, HelpMessage="must be the file generated by csexport 'Name of Connector' export.xml /f:x)")][string]$xmltoimport="%temp%\exportedStage1a.xml " ,[Parameter(Mandatory=$false, HelpMessage="Maximum number of users per output file")][int]$batchsize=1000,[Parameter(Mandatory=$false, HelpMessage="Show console output")] [bool ]$ showOutput=$false)#LINQ is not automatically loaded, so it is forced to load [Reflection.Assembly]::Load("System.Xml.Linq, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089 " ) | Out-Null[int]$count=1[int]$outputfilecount=1[array]$objOutputUsers=@()#XML must generate import via "csexport"Connector name"export.xml /f:x"write - host" XML" -ForegroundColor Yellow#XmlReader.Create will not resolve the file location correctly, #so expand it and resolve it $resolvedXMLtoimport=Resolve-Path -Path ([Environment]::ExpandEnvironmentVariables($xmltoimport))# use an XmlReader even handles large documentation objects #adding them here means we can enforce consistency "Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name DN -Value ""Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name operation -Value "" Add -Member -inputobject $objOutputUser -MemberType NoteProperty -Name UPN -Value ""Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name displayName -Value ""Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name sourceAnchor -Value " " Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name ti Alias​​-Value ""Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name primarySMTP -Value ""Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name onPremisesSamAc countName-Value ""Add-Member -inputobject $objOutputUser -MemberType Note Attributes -Name Name mail -Value ""$user = [System.Xml.Linq.XElement]::ReadFrom( $reader)if ​​​​​​($showOutput ) {Write-Host Exported object found... -ForegroundColor Green}#object id$ outID=$user.Attribute('id').Valueif ($showOutput) {Write- Host ID: $outID}$objOutputUser.ID= $outID#object type$ outType=$user.Attribute('Object Type') .Valueif ($showOutput) {Write Host Type: $outType}$objOutputUser.Type=$outType #dn$outDN= $user.Element(' unapplied-export'). Element('delta').Attribute('dn').Valueif ($showOutput) {Write-Host DN: $outDN}$objOutputUser.DN=$outDN#operation$outOperation= $user.Element ('unapplied-export' ).Element('delta').Attribute( 'operation').Valueif ($showOutput) {Write-Host Operation: $outOperation}$objOutputUser.operation=$outOperation # Now that we have the basics , let's dive into each $ $attr('unapplied-export-hologram').Element('entry').Elements("attr")) in user.Element{$attrvalue=$attr.Attribute('name'). Value$internalvalue=$ attr.Element('value').Valueswitch( $attrvalue){"userPrincipalName"{if ($showOutput) {Write-Host UPN: $internalvalue}$objOutputUser.UPN=$internalvalue}"displayName"{ if ($showOutput) {Write-Host displayName: $internalvalue} $objOutputUser .displayName=$internalvalue}"sourceAnchor"{if ($showOutput) {Write-Host sourceAnchor: $internalvalue}$objOutputUser.sourceAnchor=$internalvalue}"alias "{if ($showOutput) {Write-Host alias: $internalvalue} $objOutputUser.alias=$internalvalue}"proxyAddresses"{if ($showOutput) {Write-Host primarySMTP: ($internalvalue -replace "SMTP:"," ")}$objOutputUser .primarySMTP=$internalvalue -replace "SMTP :" , ""}}}$objOutputUsers += $objOutputUserWrite-Progress -activity "Processing ${xmltoimport} in batches of ${batchsize}" -status "Batch ${outputfilecount}: " -percentComplete(($objOutputUsers.Count / $batchsize ) * 100) #Occasionally dump processed users in case we blow up somewhere if ($count % $batchsize -eq 0) {Write - Host Hit The maximum number of users who have not completed processing... -ForegroundColor Yellow#Export user collection as CSVWrite-Host Writingprocessedusers${outputfilecount}.csv -ForegroundColor Yellow$objOutputUsers | Export-Csv -pathprocessedusers${outputfilecount }.csv -NoTypeInformation#increment output file counter$outputfilecount+=1#reset user counter and collection$objOutputUsers = $null$count=0}$count+=1#need to exit if there are no more users to process and loop a batch of 1000# users collection will be exported as CSVWrite-Host Writing Processed Users${outputfilecount}.csv -ForegroundColor Yellow$objOutputUsers | Export-Csv -pathprocessedusers${outputfilecount}.csv -NoTypeInformation}else{ Write-Host "Imported XML file is empty. No work. " -ForegroundColor red }

Next step

review questions

  • Azure AD Connect Sync: Understanding and Customizing Sync
  • Integrate on-premises identities with Azure Active Directory


Top Articles
Latest Posts
Article information

Author: Rubie Ullrich

Last Updated: 07/21/2023

Views: 5249

Rating: 4.1 / 5 (52 voted)

Reviews: 91% of readers found this page helpful

Author information

Name: Rubie Ullrich

Birthday: 1998-02-02

Address: 743 Stoltenberg Center, Genovevaville, NJ 59925-3119

Phone: +2202978377583

Job: Administration Engineer

Hobby: Surfing, Sailing, Listening to music, Web surfing, Kitesurfing, Geocaching, Backpacking

Introduction: My name is Rubie Ullrich, I am a enthusiastic, perfect, tender, vivacious, talented, famous, delightful person who loves writing and wants to share my knowledge and understanding with you.