Thursday, 5 March 2015

Office 365 and Azure Active Directory DirSync Fails with "The Management Agent Windows Azure Active Directory Connector failed on execution. Error returned is 'stopped-extension-dll-exception'. If the problem persists, contact Technical Support."

You are trying to configure the Azure Active Directory DirSync tool to provision on-premises Active Directory user accounts to the Office 365 tenant's Azure AD instance, to allow Same Sign On for domain users. After installing DirSync, you instruct it to “Synchronize Now” and the interface closes. After some time you notice that the user accounts are not appearing in Office 365. On investigating the DirSync server, in the Event Viewer under Application Logs there are a number of entries related to the synchronization: "The Management Agent Windows Azure Active Directory Connector failed on execution. Error returned is 'stopped-extension-dll-exception'. If the problem persists, contact Technical Support."

I have done a lot of DirSync work, so I know it’s a cut-down version of FIM under the covers. Browse to the following path, C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell, and double-click miisclient.exe.

miisclient.exe is the cut-down version of the Forefront Identity Manager (FIM) Synchronization Service Manager GUI; this is what Azure AD DirSync is under the covers.

I understand not everyone is skilled up on Forefront Identity Manager itself, so I will highlight some of the details to help better understand this solution. Forefront Identity Manager has what are known as "Management Agents", which connect to external systems that store identity information. The Management Agents are used to import identities into, and export them from, the internal FIM database known as the Metaverse.
Using the figure below, imagine you had traditional Active Directory as "External System 1". The FIM Sync Server would import identity information into the FIM Metaverse with an inbound synchronization rule. To push identity information out to "External System 2", an outbound synchronization rule would be provisioned to copy from the FIM Metaverse to "External System 2". A Management Agent (sometimes referred to as a connector) would be required for each of the systems.


With this information in mind, return to the Synchronization Service Manager interface, and click on Management Agents.

You will notice a Management Agent for Active Directory and one for the Azure AD instance that is to be populated for Office 365.

Click on Operations. Returning to the original issue raised in the event logs, "The Management Agent Windows Azure Active Directory Connector failed on execution. Error returned is 'stopped-extension-dll-exception'. If the problem persists, contact Technical Support.", you will notice that all of the errors with the Status stopped-extension-dll-exception are reported by the Azure Active Directory Management Agent. This suggests that the problem is in exporting identity information to Azure AD from DirSync (or FIM Sync Service).

Click on Management Agents, then right-click on the Windows Azure Active Directory Connector and select Run.

To flush out the error, I first ran a Delta Import Delta Sync Run Profile, which completed successfully. I then ran an Export, followed by a Full Import Full Sync. After this, the error listed on the Management Agent for Azure AD had disappeared.

Then, to confirm it had worked, I checked within the Office 365 tenant administration console, and I could see the test users I created for this test.
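
The same check and run sequence can be scripted on the DirSync server, which helps when the failure recurs. This is an added example, not part of the original post; it assumes the `root\MicrosoftIdentityIntegrationServer` WMI namespace that FIM Sync exposes is present in the DirSync install, and that the run profile names match those shown in the Run dialog.

```powershell
# Added example: run from an elevated Windows PowerShell session on the DirSync
# server, as an account that is allowed to use the Synchronization Service Manager.
# Assumption: run profile names below are exactly as listed in the Run dialog.
$maName      = 'Windows Azure Active Directory Connector'
$runProfiles = 'Delta Import Delta Sync', 'Export', 'Full Import Full Sync'

# 1. List Application log entries from the last day that carry the error text.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = (Get-Date).AddDays(-1) } `
        -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'stopped-extension-dll-exception' } |
    Select-Object TimeCreated, ProviderName, Id |
    Format-Table -AutoSize

# 2. Locate the Azure AD management agent through the sync engine's WMI provider.
$ma = Get-WmiObject -Namespace 'root\MicrosoftIdentityIntegrationServer' `
        -Class 'MIIS_ManagementAgent' |
    Where-Object { $_.Name -eq $maName }
if (-not $ma) { throw "Management agent '$maName' was not found." }

# 3. Execute the run profiles in the order used above. Execute() blocks until
#    the run finishes and returns the same status string the Operations view shows.
foreach ($runProfile in $runProfiles) {
    Write-Host "Running '$runProfile' on '$maName' ..."
    $status = $ma.Execute($runProfile).ReturnValue
    Write-Host "  -> $status"

    if ($status -eq 'success') { continue }

    # Handling choice of this example: 'completed-*' statuses mean the run
    # finished with warnings or per-object errors, so carry on but flag it.
    if ($status -like 'completed-*') {
        Write-Warning "'$runProfile' finished with status '$status'; review it in Operations."
        continue
    }

    # Anything else (including stopped-extension-dll-exception) ends the sequence.
    throw "'$runProfile' stopped with status '$status'."
}
```

If the sequence stops on the Export step with the same status, the Operations view in miisclient.exe shows the detail for that run.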

It is worth mentioning that you can configure the DirSync (or FIM) tool to synchronize objects only from specific Organizational Units (OUs) instead of the entire domain, which is the default. You can do that from the Synchronization Service Manager interface: click on Management Agents, then right-click on the Active Directory Connector and select Properties...

Then click on Configure Directory Partitions and Containers.

You will have to enter authentication details, and it will then display a list of the entire Active Directory. You can then highlight and deselect, at OU level, which objects you want synced into FIM, and therefore synced out of FIM to Azure AD.