Wednesday, April 15, 2015

Using PowerShell with AAD Sync Connector Partitions

It is so cool to have a PowerShell module for the AAD Sync engine, albeit sometimes a bit frustrating. This post shows some of the functionality that works, as well as some that isn't working just yet.

To cut to the chase, I am able to read partitions, but only with the Get-ADSyncConnector command (the Get-ADSyncConnectorPartition command doesn't work); so far I have not figured out how to use the PowerShell module to update partitions (the Update-ADSyncConnectorPartition command doesn't seem to work).

In the snippets below I sometimes try the same test twice, once for an AD connector, then again for an AAD connector. The new PowerShell module seems to work better for connectors based on ECMA 2, such as the AAD connector. The AD connector is legacy (man, I feel old as I type that), so sometimes the commands in the ADSync PowerShell module do not work with it.


### What commands are available for Partitions?

Get-Command -Module ADSync -Name *partition*

<#
CommandType     Name                                               ModuleName
-----------     ----                                               ----------
Cmdlet          Disable-ADSyncConnectorPartition                   ADSync
Cmdlet          Disable-ADSyncConnectorPartitionHierarchy          ADSync
Cmdlet          Enable-ADSyncConnectorPartition                    ADSync
Cmdlet          Enable-ADSyncConnectorPartitionHierarchy           ADSync
Cmdlet          Get-ADSyncConnectorPartition                       ADSync
Cmdlet          Get-ADSyncConnectorPartitionHierarchy              ADSync
Cmdlet          Update-ADSyncConnectorPartition                    ADSync
#>


### TEST - Get a partition by name for an AD connector (NOT based on ECMA 2)

### FAIL - returns nothing

Get-ADSyncConnectorPartition -Name litware.ca -Connector (Get-ADSyncConnector -Name litware.ca)


### TEST - Get a partition by name for an AAD connector (based on ECMA 2)

### FAIL - returns nothing

Get-ADSyncConnectorPartition -Connector (Get-ADSyncConnector -Name 'litware.ca - AAD') -Name Default


### TEST - Get all partitions

### FAIL - returns the wrong object (Connector instead of ConnectorPartition)

Get-ADSyncConnectorPartition -Connector (Get-ADSyncConnector -Name litware.ca)

Get-ADSyncConnectorPartition -Connector (Get-ADSyncConnector -Name 'litware.ca - AAD')

<#
ConnectorTypeName             : AD
Identifier                    : 929d2c70-42bf-4ad5-b02e-7b47f7003edd
Version                       : 1
InternalVersion               : 0
FormatVersion                 : 1
Name                          : litware.ca
Type                          : AD
Description                   :
CreationTime                  : 2/24/2015 12:16:37 AM
LastModificationTime          : 2/24/2015 12:16:37 AM
Partitions                    : {default}
RunProfiles                   : {Delta Import, Delta Synchronization, Export, Full Import...}
ComponentProvisioningMappings : {}
PasswordManagementSettings    : Microsoft.IdentityManagement.PowerShell.ObjectModel.ConnectorPasswordManagementSettings
Schema                        : Microsoft.IdentityManagement.PowerShell.ObjectModel.Schema
ConnectivityParameters        : {forest-port, forest-guid, default-ssl-strength, password...}
GlobalParameters              : {ADS_UF_ACCOUNTDISABLE, ADS_GROUP_TYPE_GLOBAL_GROUP, ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP, ADS_GROUP_TYPE_LOCAL_GROUP...}
CapabilityParameters          : {}
SchemaParameters              : {}
ObjectInclusionList           : {user, inetOrgPerson, group, contact...}
AttributeInclusionList        : {mailNickname, isCriticalSystemObject, sAMAccountName, msExchRecipientTypeDetails...}
AnchorConstructionSettings    : {}
ListName                      :
CompanyName                   :
SubType                       :
ExtensionConfiguration        : Microsoft.IdentityManagement.PowerShell.ObjectModel.ConnectorExtensionConfiguration
PasswordHashConfiguration     :
AADPasswordResetConfiguration :
allParameterDefinitions       : {}
#>


### TEST - (workaround) Get the Partitions through the 'Partitions' property on the connector object

### PASS

Get-ADSyncConnector -Name 'litware.ca - AAD' | Select -ExpandProperty Partitions

<#
Identifier              : f083884f-dbf1-4eef-a5b3-02adabc96dbd
DN                      : default
Version                 : 1
CreationTime            : 2/24/2015 12:16:38 AM
LastModificationTime    : 2/24/2015 12:16:38 AM
Selected                : True
ConnectorPartitionScope : Microsoft.IdentityManagement.PowerShell.ObjectModel.ConnectorPartitionScope
Name                    : default
Parameters              : {}
IsDomain                : True
ECMAWaterMark           : ....
#>


### TEST - (workaround) Get just one Partition

### PASS

Get-ADSyncConnector -Name litware.ca | Select -ExpandProperty Partitions | Where Name -eq litware.ca
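The two workaround tests above are worth turning into something reusable, because the Selected flag on a partition is what decides which domains are in scope for synchronization to the cloud, and that is the thing to audit. The following is an added example, not code from the original post: it reports every partition of every connector through the connector object's Partitions property, and it probes Get-ADSyncConnectorPartition by checking the type of what comes back rather than trusting the pipeline. It assumes the ADSync module is loaded and the session is permitted to call it; the function names are my own.

```powershell
# Added example (not from the original post). Assumes the ADSync module is
# loaded and the caller is allowed to query the sync engine.

function Get-ConnectorPartitionReport {
    [CmdletBinding()]
    param(
        # Optional wildcard filter on connector name; every connector when omitted.
        [string]$ConnectorName = '*'
    )

    foreach ($connector in (Get-ADSyncConnector | Where-Object Name -like $ConnectorName)) {
        # Read partitions off the connector object; this is the path that works.
        foreach ($partition in $connector.Partitions) {
            [pscustomobject]@{
                Connector     = $connector.Name
                ConnectorType = $connector.ConnectorTypeName
                Partition     = $partition.Name
                DN            = $partition.DN
                Selected      = $partition.Selected
                IsDomain      = $partition.IsDomain
            }
        }
    }
}

function Test-PartitionCmdletReturnsPartition {
    # Returns $true only if Get-ADSyncConnectorPartition hands back a
    # ConnectorPartition. In the tests above it returned nothing, or the
    # Connector itself, so check the type name instead of assuming.
    param([Parameter(Mandatory)][string]$ConnectorName)

    $result = Get-ADSyncConnectorPartition -Connector (Get-ADSyncConnector -Name $ConnectorName)
    if (-not $result) {
        Write-Warning "Get-ADSyncConnectorPartition returned nothing for '$ConnectorName'; use the Partitions property instead."
        return $false
    }
    $typeName = @($result)[0].GetType().Name
    if ($typeName -ne 'ConnectorPartition') {
        Write-Warning "Get-ADSyncConnectorPartition returned '$typeName' for '$ConnectorName'; use the Partitions property instead."
        return $false
    }
    return $true
}

# Usage: list which partitions are actually selected for sync, then probe the cmdlet.
Get-ConnectorPartitionReport | Sort-Object Connector, Partition | Format-Table -AutoSize
Test-PartitionCmdletReturnsPartition -ConnectorName 'litware.ca'
```

The report is the useful artifact: diff its output over time and any partition that flips to Selected without a change record is something to investigate.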

 

### TEST - Update a partition using Update-ADSyncConnectorPartition

### FAIL - no error, just doesn't apply the change to the server

$connector = Get-ADSyncConnector -Name litware.ca

$connector | Select -ExpandProperty Partitions | Where Name -eq squamish.litware.ca | ForEach-Object {$_.Selected = $false}

Update-ADSyncConnectorPartition -Connector $connector -Verbose

Get-ADSyncConnector -Name litware.ca | Select -ExpandProperty Partitions | Where Name -eq squamish.litware.ca
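Whatever Update-ADSyncConnectorPartition is meant to do, the test above shows that editing Selected on the object returned by Get-ADSyncConnector changes only a local copy; nothing pushes it to the sync engine, and the cmdlet does not complain. The dangerous part is the silence: an operator who excludes a domain this way and trusts the absence of an error has changed nothing. The following is an added example, not code from the original post. It uses the Enable-/Disable-ADSyncConnectorPartition cmdlets that appear in the Get-Command listing earlier on the page, supports -WhatIf, and treats a fresh read from the server as the only evidence that the change applied. It assumes (this is not shown on the page) that both cmdlets take -Connector and -Partition and accept a ConnectorPartition object for the latter; the function name is my own.

```powershell
# Added example (not from the original post). Assumption: Enable- and
# Disable-ADSyncConnectorPartition accept -Connector <Connector> and
# -Partition <ConnectorPartition>; verify against your module version.

function Set-ConnectorPartitionSelected {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ConnectorName,
        [Parameter(Mandatory)][string]$PartitionName,
        [Parameter(Mandatory)][bool]$Selected
    )

    # Always fetch a live partition object; never reuse one captured earlier.
    $getPartition = {
        Get-ADSyncConnector -Name $ConnectorName |
            Select-Object -ExpandProperty Partitions |
            Where-Object Name -eq $PartitionName
    }

    $connector = Get-ADSyncConnector -Name $ConnectorName
    $partition = & $getPartition
    if (-not $partition) {
        throw "Partition '$PartitionName' not found on connector '$ConnectorName'."
    }
    if ($partition.Selected -eq $Selected) {
        Write-Verbose "Partition '$PartitionName' already has Selected=$Selected; nothing to do."
        return $true
    }

    $action = if ($Selected) { 'Enable' } else { 'Disable' }
    if (-not $PSCmdlet.ShouldProcess("$ConnectorName / $PartitionName", "$action partition")) {
        return $false   # -WhatIf or a declined confirmation: no change attempted
    }
    if ($Selected) {
        Enable-ADSyncConnectorPartition -Connector $connector -Partition $partition
    } else {
        Disable-ADSyncConnectorPartition -Connector $connector -Partition $partition
    }

    # Verify against the server, not against $partition, which is now a stale copy.
    $after = & $getPartition
    if ($after.Selected -ne $Selected) {
        Write-Warning "Cmdlet returned without error but Selected is still $($after.Selected) on the server."
        return $false
    }
    return $true
}

# Dry run first, then the real change; the return value says whether the server agrees.
Set-ConnectorPartitionSelected -ConnectorName litware.ca -PartitionName squamish.litware.ca -Selected $false -WhatIf
Set-ConnectorPartitionSelected -ConnectorName litware.ca -PartitionName squamish.litware.ca -Selected $false -Verbose
```

The re-read at the end is the point of the function: "no error" from a sync engine cmdlet is not proof that anything changed, so the script returns $false and warns whenever the server still disagrees with the requested state.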

 

 
