You are trying to configure the Azure Active Directory DirSync tool to provision on-premises Active Directory user accounts to the Office 365 tenant's Azure AD instance, to allow Same Sign On for domain users. After installing DirSync, you instruct it to "Synchronize Now"; the interface then closes, and after some time you notice that the user accounts are not appearing in Office 365. On investigating the DirSync server, in the Event Viewer under the Application log there are a number of errors related to the synchronization: "The Management Agent Windows Azure Active Directory Connector failed on execution. Error returned is 'stopped-extension-dll-exception'. If the problem persists, contact Technical Support."
I have done a lot of DirSync work, so I know it's a cut-down version of FIM under the covers. Browse to the following path: C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell and double-click miisclient.exe.
miisclient.exe is the cut-down version of the Forefront Identity Manager (FIM) Synchronization Server Manager GUI; this is what Azure AD DirSync is under the covers.
I understand not everyone is skilled up on Forefront Identity Manager itself, so I will highlight some of the details to help you better understand this solution. Forefront Identity Manager has what are known as "Management Agents", which connect to external systems that store identity information. The Management Agents are used to import and export identities to and from the internal FIM database, known as the Metaverse.
Therefore, using the figure below, imagine you had traditional Active Directory as "External System 1": the FIM Sync Server would import identity information into the FIM Metaverse with an inbound synchronization rule. To push identity information out to "External System 2", an outbound synchronization rule would be provisioned to copy from the FIM Metaverse to "External System 2". A Management Agent (sometimes referred to as a connector) would be required for each of the systems.
With this information in mind, return to the Synchronization Service Manager interface and click on Management Agents. You will notice a Management Agent for Active Directory and one for the Azure AD instance that is to be populated for Office 365.
Click on Operations. Returning to the original issue raised in the event logs ("The Management Agent Windows Azure Active Directory Connector failed on execution. Error returned is 'stopped-extension-dll-exception'. If the problem persists, contact Technical Support."), you will notice that all of the runs with the status stopped-extension-dll-exception are reported by the Azure Active Directory Management Agent. This suggests that the problem lies in exporting identity information to Azure AD from DirSync (or the FIM Sync Service).
Click on Management Agents, then right-click on the Windows Azure Active Directory Connector and select Run.
To flush out the error, I first ran a Delta Import Delta Sync run profile, which completed successfully. I then ran an Export, followed by a Full Import Full Sync. After this, the error listed on the Management Agent for Azure AD had disappeared.
Then, to confirm it had worked, I checked within the Office 365 tenant administration console, and I could see the test users I had created for this test.
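The same two checks can be done from the command line on the DirSync server. This is an added example, not from the original post: it counts recent Application-log events carrying the stopped-extension-dll-exception text, then lists synchronized users in the tenant. The MSOnline module, tenant admin credentials and the one-hour window are assumptions.

```powershell
# Added example (not from the original post). Run on the DirSync server.
# 1. Count stopped-extension-dll-exception errors in the Application log
#    since a given time, to confirm the Azure AD connector stopped failing
#    after the Delta Import/Delta Sync, Export and Full Import/Full Sync runs.
function Get-DirSyncExtensionErrors {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    # Level 2 = Error. Match on the message text rather than a provider name,
    # so the filter does not depend on how the DirSync build registers itself.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 2; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*stopped-extension-dll-exception*' } |
        Select-Object TimeCreated, ProviderName, Message
}

$recent = @(Get-DirSyncExtensionErrors -Since (Get-Date).AddHours(-1))   # assumed window
if ($recent.Count -gt 0) {
    Write-Warning ("Azure AD connector still failing: {0} event(s) in the last hour" -f $recent.Count)
    $recent | Format-Table -AutoSize -Wrap
} else {
    Write-Host 'No stopped-extension-dll-exception events in the last hour.'
}

# 2. Confirm the synced accounts actually reached the tenant (assumes the
#    MSOnline module is installed and you can sign in as a tenant admin).
Import-Module MSOnline
Connect-MsolService
Get-MsolUser -Synchronized |
    Select-Object UserPrincipalName, LastDirSyncTime |
    Sort-Object LastDirSyncTime -Descending
```

A user that is still missing after a clean export run, or one whose LastDirSyncTime predates the runs, points at an object-level problem rather than the connector failure described above.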
It is worth mentioning that you can configure the DirSync (or FIM) tool to only synchronize objects from specific Organizational Units (OUs) instead of the entire domain, which is what is configured by default. You can do that from the Synchronization Server Manager interface by clicking on Management Agents, then right-clicking on the Active Directory Connector and selecting Properties...
Then click on Configure Directory Partitions and Containers.
You will have to enter authentication details, and it will then display the entire Active Directory tree; you can then highlight and deselect at OU level which objects you want synced into FIM, and therefore synced out of FIM to Azure AD.