Thursday, May 08, 2014

Troubleshooting with System.DirectoryServices.DirectorySynchronization

The FIM Synchronization Engine uses the DirSync Control to track changes in Active Directory. The DirSync Control is a very durable way to track changes in AD since it uses the same underlying mechanism that powers AD replication. That same control is also very handy for reading data from AD because it bypasses the per-object access control lists.

Recently I was troubleshooting an object in FIM Sync so I wanted to look at the actual object in AD.  Using Get-ADUser didn’t work, then LDP also didn’t work, but sure enough there it was in my FIM Connector Space.

I suspected the Active Directory connector in FIM was able to see the object because it was querying with the AD DirSync Control.  The script snippet below proved the theory, and also proved once again that PowerShell is really cool.

<#
Execute these as an AD User with DirSync Privs
http://msdn.microsoft.com/en-us/library/ms677626(v=vs.85).aspx
#>

### SUCCESS!!! (finds the object in AD)
$directorySearcher = New-Object System.DirectoryServices.DirectorySearcher
$directorySearcher.Filter = "(samAccountName=HoofHearted?)"
# Attaching a DirectorySynchronization object makes the search go out with the DirSync control
$directorySearcher.DirectorySynchronization = New-Object System.DirectoryServices.DirectorySynchronization
$directorySearcher.FindOne()

### FAILURE!!! (returns nothing)
$directorySearcher = New-Object System.DirectoryServices.DirectorySearcher
$directorySearcher.Filter = "(samAccountName=HoofHearted?)"
# Same query without the control: a plain LDAP search, subject to the object's ACL
#$directorySearcher.DirectorySynchronization = New-Object System.DirectoryServices.DirectorySynchronization
$directorySearcher.FindOne()
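The snippet above only uses the control to read one object. What makes it useful to FIM is the cookie: the same DirectorySynchronization object hands back a cookie after the search, and passing that cookie into the next search returns only what changed since. The script below is an added example written for this post, not code from the post or from FIM; it assumes a domain-joined machine, an account that holds the "Replicating Directory Changes" right on the domain naming context, and a hypothetical file ($CookiePath) to keep the cookie between runs.

```powershell
# Added example (not from the original post): change tracking with the DirSync control,
# the mechanism the FIM AD connector builds on. Assumptions: domain-joined machine; the
# caller holds "Replicating Directory Changes" on the domain naming context; $CookiePath
# is a hypothetical file used to keep the cookie between runs.

$CookiePath = Join-Path $env:TEMP 'dirsync-cookie.bin'

function Get-FirstValue {
    # First value of a result property, or $null when the attribute is absent
    # (deleted objects come back as tombstones that carry only a few attributes).
    param([System.DirectoryServices.SearchResult]$Result, [string]$Name)
    $values = $Result.Properties[$Name]
    if ($values.Count -gt 0) { $values[0] } else { $null }
}

function Invoke-DirSyncSearch {
    param(
        [string]$Filter = '(objectClass=user)',
        [byte[]]$Cookie    # $null on the first run: full enumeration
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    # DirSync only works against a naming context with subtree scope; the default
    # SearchRoot is the root of the current domain, which satisfies both.
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.Filter = $Filter
    $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'sAMAccountName', 'isDeleted', 'whenChanged'))

    # IncrementalValues: for multi-valued attributes (member, for example) return only
    # the values that changed rather than the whole attribute.
    $options = [System.DirectoryServices.DirectorySynchronizationOptions]::IncrementalValues
    $searcher.DirectorySynchronization = if ($Cookie) {
        New-Object System.DirectoryServices.DirectorySynchronization -ArgumentList $options, $Cookie
    } else {
        New-Object System.DirectoryServices.DirectorySynchronization -ArgumentList $options
    }

    $results = $searcher.FindAll()
    try {
        # The cookie is only updated once the result set has been read through,
        # so enumerate everything before asking for it.
        $changes = foreach ($r in $results) {
            [pscustomobject]@{
                DistinguishedName = Get-FirstValue $r 'distinguishedName'
                SamAccountName    = Get-FirstValue $r 'sAMAccountName'
                IsDeleted         = [bool](Get-FirstValue $r 'isDeleted')
                WhenChanged       = Get-FirstValue $r 'whenChanged'
            }
        }
    } finally {
        $results.Dispose()
    }

    [pscustomobject]@{
        Changes = @($changes)
        Cookie  = $searcher.DirectorySynchronization.GetDirectorySynchronizationCookie()
    }
}

if (-not (Test-Path $CookiePath)) {
    # First run: everything matching the filter, plus a cookie that marks "now".
    $full = Invoke-DirSyncSearch
    [IO.File]::WriteAllBytes($CookiePath, $full.Cookie)
    "Initial sync: $($full.Changes.Count) objects; cookie saved to $CookiePath"
} else {
    # Later runs: only objects created, modified or deleted since the saved cookie.
    $delta = Invoke-DirSyncSearch -Cookie ([IO.File]::ReadAllBytes($CookiePath))
    [IO.File]::WriteAllBytes($CookiePath, $delta.Cookie)
    $delta.Changes | Format-Table -AutoSize
}
```

Run it once to take the baseline, change or delete a test user, and run it again: the second run lists just that object, with IsDeleted set to True for the deletion. The reason the control can see what Get-ADUser and LDP could not is also the caveat: DirSync is gated by the Replicating Directory Changes right on the naming context, not by the ACL on each object, so any account holding that right (the FIM service account included) can read every object in the partition. Treat grants of that right like any other directory-wide privilege and keep an eye on who has it.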
