Showing posts with label FIM. Show all posts

Thursday, 5 March 2015

Office 365 and Azure Active Directory DirSync Fails with "The Management Agent Windows Azure Active Directory Connector failed on execution. Error returned is 'stopped-extension-dll-exception'. If the problem persists, contact Technical Support."

You are configuring the Azure Active Directory DirSync tool to provision on-premises Active Directory user accounts into the Office 365 tenant's Azure AD instance, so that domain users get Same Sign-On. After installing DirSync you click "Synchronize Now"; the interface closes, and some time later you notice that the user accounts are not appearing in Office 365. On the DirSync server, the Application log in Event Viewer contains a number of synchronization errors: "The Management Agent Windows Azure Active Directory Connector failed on execution. Error returned is 'stopped-extension-dll-exception'. If the problem persists, contact Technical Support."

I have done a lot of DirSync work, so I know it is a cut-down version of FIM under the covers. Browse to C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell and double-click miisclient.exe.

miisclient.exe is the cut-down Forefront Identity Manager (FIM) Synchronization Service Manager GUI; this is what Azure AD DirSync is under the covers.

Not everyone is skilled up on Forefront Identity Manager itself, so some background will help in understanding this solution. FIM has what are known as "Management Agents" (sometimes referred to as connectors), each of which connects to an external system that stores identity information. The Management Agents import identities into, and export them from, the FIM Sync Service's internal store, known as the Metaverse.
Using the figure below, imagine traditional Active Directory is "External System 1": the FIM Sync Server imports identity information into the Metaverse through an inbound synchronization rule. To push identity information out to "External System 2", an outbound synchronization rule copies it from the Metaverse to that system. A Management Agent is required for each connected system.


With this information in mind, return to the Synchronization Service Manager interface, and click on Management Agents.

You will notice a Management Agent for Active Directory and one for the Azure AD instance that is to be populated for Office 365.

Click on Operations. Returning to the error raised in the event log ("The Management Agent Windows Azure Active Directory Connector failed on execution. Error returned is 'stopped-extension-dll-exception'. If the problem persists, contact Technical Support."), you will notice that every run with the status stopped-extension-dll-exception was reported by the Azure Active Directory Management Agent. This points at the export of identity information from DirSync (the FIM Sync Service) to Azure AD, not at the import from on-premises AD.

Click on Management Agents, then right-click on the Windows Azure Active Directory Connector and select Run.

To flush out the error I first ran the Delta Import Delta Sync run profile, which completed successfully. I then ran Export, followed by Full Import Full Sync. After this the error listed against the Azure AD Management Agent had disappeared.

To confirm it had worked I checked in the Office 365 tenant administration console and could see the test users I had created for this test.
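The same check-and-rerun sequence can be scripted on the DirSync server, which is handy when the GUI is not available or you want the run statuses in a log. The block below is an added example, not code from the original post or from the DirSync tool; it uses the WMI provider that the FIM/DirSync sync engine exposes (namespace root\MicrosoftIdentityIntegrationServer, class MIIS_ManagementAgent) and assumes the Management Agent and run-profile names are exactly as shown in the Synchronization Service Manager on this DirSync build. Run it as a member of FIMSyncAdmins.

```powershell
# Added example (not from the original post): list the last run status of every
# Management Agent, pull recent stopped-extension-dll-exception events from the
# Application log, then re-run the Azure AD connector's run profiles in the same
# order as in the post, stopping at the first one that does not complete cleanly.
# Assumptions: MA and run-profile names as shown in miisclient.exe on this build.

$ns        = 'root\MicrosoftIdentityIntegrationServer'
$aadMaName = 'Windows Azure Active Directory Connector'      # name seen in the UI
$profiles  = 'Delta Import Delta Sync', 'Export', 'Full Import Full Sync'

# 1. Which MAs exist and how did their last run end?
$mas = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent
foreach ($ma in $mas) {
    '{0,-45} last run: {1}' -f $ma.Name, $ma.RunStatus().ReturnValue
}

# 2. Recent sync-engine errors that carry the status from the event log.
Get-EventLog -LogName Application -EntryType Error -Newest 200 |
    Where-Object { $_.Message -match 'stopped-extension-dll-exception' } |
    Select-Object TimeGenerated, Source, EventID |
    Format-Table -AutoSize

# 3. Re-run the AAD connector. Execute() blocks until the run finishes and
#    returns the same status string the Operations tab shows.
$aadMa = $mas | Where-Object { $_.Name -eq $aadMaName }
if (-not $aadMa) { throw "Management agent '$aadMaName' not found" }

foreach ($p in $profiles) {
    $result = $aadMa.Execute($p).ReturnValue
    "$p -> $result"
    if ($result -ne 'success' -and $result -ne 'completed-no-objects') {
        # completed-*-errors and stopped-* statuses need a look at the run details
        Write-Warning "Run profile '$p' ended with '$result'; check Operations in miisclient.exe"
        break
    }
}
```

Step 3 stops at the first non-clean status rather than pushing on to the next profile, because an Export that stopped part-way leaves pending exports in the connector space and the following Full Import Full Sync would only report the same objects again.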

It is worth mentioning that you can configure DirSync (or FIM) to synchronize only objects from specific Organizational Units (OUs) instead of the entire domain, which is the default. From the Synchronization Service Manager, click on Management Agents, then right-click on the Active Directory Connector and select Properties...

Then click on Configure Directory Partitions and Containers.

You will have to enter authentication details; it then displays the entire Active Directory tree, and you can deselect at OU level which objects are synced into FIM and therefore out of FIM to Azure AD. Bear in mind that narrowing the containers after a sync has already run takes the existing objects in the deselected OUs out of scope, and a subsequent full import and sync will deprovision them from Azure AD.


Thursday, 19 February 2015

Azure Active Directory Sync Tool “A constraint violation occurred.” during Active Directory Sync with Office 365

When you try to run the first sync of your on-premises Active Directory to the Office 365 Azure AD instance you are halted by the error "A constraint violation occurred", and you can either Cancel the sync or Retry. Retry does not resolve the issue.

As the Azure Active Directory Sync Tool is actually Forefront Identity Manager 2010 under the covers, I thought I would check whether that was operating correctly. miisclient.exe is the interface for viewing and editing the FIM 2010 configuration; it can be found at C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell.

When I tried to launch miisclient.exe the error "Unable to connect to the Synchronization Service" appeared, noting that this could be related to a service or group membership. As I had seen this before on a traditional Forefront Identity Manager instance, I knew it was because the account I was using was not a member of the FIMSyncAdmins group.

I opened ADUC and checked the FIMSyncAdmins group; my user account was in there, so I logged out and in again (group membership is only read into the logon token at logon), reran the sync job and it worked perfectly.
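The distinction that bit here is between what the directory says about the group and what the session's logon token contains. The block below is an added example, not code from the original post; it compares the two directly so you can tell "not a member" from "member, but needs a fresh logon" without opening ADUC. It assumes the group is called FIMSyncAdmins and is visible through the WinNT provider on this server (a local group on a member server, or a domain group when the sync server is a domain controller), and it only looks at direct members.

```powershell
# Added example (not from the original post): compare the group SIDs in the
# current logon token with the current members of FIMSyncAdmins. An account
# added to the group after it logged on shows up as a member but not in the
# token, which is exactly the situation behind "Unable to connect to the
# Synchronization Service". Assumptions: group name FIMSyncAdmins, resolvable
# via WinNT://<this server>/; direct members only.

$groupName = 'FIMSyncAdmins'
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# SIDs of the groups actually present in this session's token
$tokenSids = @($identity.Groups | ForEach-Object { $_.Value })

# SID of the group itself, resolved by name
$groupSid = (New-Object System.Security.Principal.NTAccount($groupName)).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value

# SIDs of the group's members as the directory reports them right now
$group      = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
$memberSids = @($group.Invoke('Members') | ForEach-Object {
    $raw = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
    (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
})

$inToken = $tokenSids  -contains $groupSid
$inGroup = $memberSids -contains $identity.User.Value

switch ($true) {
    $inToken { "$($identity.Name): $groupName is in the logon token; miisclient.exe should connect."; break }
    $inGroup { "$($identity.Name) is a member of $groupName but this token predates the change: log off and on again."; break }
    default  { "$($identity.Name) is not a direct member of $groupName; add it, then log off and on." }
}
```

Comparing SIDs rather than names avoids false negatives when the token shows the group as DOMAIN\FIMSyncAdmins while the directory lookup returns SERVER\FIMSyncAdmins.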

Tuesday, 9 December 2014

FIM 2010 R2 SP1: Inbound Sync Rule CustomAttributes Script "DomainObjectSid_IFFSStatement.ps1" script provided by The FIM Scriptbox. "Error: Could not find a forest identified by: 'domain'."

After reviewing the Microsoft guide "Syncing Active Directory with FIM", I got to the stage of populating the synchronization rules in the FIM Portal. The following section of the guide outlines how to generate the CustomExpression string.
 
How to Sync Active Directory with FIM.


As the domain I was trying to sync was Windows Server 2003 based, which does not natively have PowerShell (or the AD DS PowerShell cmdlets), I used a Windows Server 2012 R2 VM with the AD DS server role installed.
First I had to change the ExecutionPolicy so the script would run; I set it to Unrestricted, although RemoteSigned is enough for a locally saved script and is the safer choice. I then tried to run the DomainObjectSid_IFFSStatement.ps1 script provided by The FIM Scriptbox and received the error "Error: Could not find a forest identified by: 'domain'."
To find where the script was failing I opened it in the PowerShell ISE, selected small sections of the code and used Run Selection to isolate the line that raised the error.
 
In this instance it was line 10, $ForestObject = Get-ADForest, that was causing the script to fail. At first I thought it was a DNS issue, so I did all the usual checks and could not find anything.
The fix in this case was to configure the Active Directory Web Services service to start Automatically at system start. Get-ADForest, like the rest of the ActiveDirectory module, talks to ADWS on TCP 9389 rather than LDAP, so if no domain controller is running ADWS the cmdlet cannot find the forest even though DNS and LDAP are healthy. Once ADWS was running and I re-ran the script it generated the CustomExpression string I needed to continue.
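A quick way to confirm that diagnosis before editing the Scriptbox script is to enumerate the forest over LDAP, which does not need ADWS, and then test each domain controller for a listener on 9389. The block below is an added example, not part of the original post or of the FIM Scriptbox script; it uses the .NET System.DirectoryServices.ActiveDirectory classes for the LDAP side and assumes it is run from the Windows Server 2012 R2 VM described above with the ActiveDirectory module installed.

```powershell
# Added example (not from the original post): show why Get-ADForest fails while
# DNS and LDAP work. The .NET Forest class uses LDAP, so it can list the DCs even
# when none of them runs ADWS; the AD module cmdlets need a DC answering on
# TCP 9389. Run with: Set-ExecutionPolicy RemoteSigned -Scope Process
# Assumption: executed on a domain-joined box that can resolve the DC names.

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
"Forest via LDAP: $($forest.Name) (root domain $($forest.RootDomain.Name))"

$adwsDc = $null
foreach ($dc in ($forest.Domains | ForEach-Object { $_.DomainControllers })) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # two-second connect attempt; refused or timed out both count as closed
        $ok = $client.BeginConnect($dc.Name, 9389, $null, $null).AsyncWaitHandle.WaitOne(2000)
        $ok = $ok -and $client.Connected
    } catch { $ok = $false } finally { $client.Close() }

    '{0,-40} {1,-28} ADWS/9389: {2}' -f $dc.Name, $dc.OSVersion, $(if ($ok) { 'open' } else { 'closed' })
    if ($ok -and -not $adwsDc) { $adwsDc = $dc.Name }
}

if (-not $adwsDc) {
    Write-Warning ('No DC answers on 9389, so Get-ADForest cannot work. Start the ADWS service on a ' +
                   '2008 R2 or later DC, or install Active Directory Management Gateway Service on 2003 DCs.')
    return
}

# Point the cmdlet at the DC known to run ADWS; this is the line that failed in the script.
Import-Module ActiveDirectory
$ForestObject = Get-ADForest -Server $adwsDc
"Domains seen by Get-ADForest: $($ForestObject.Domains -join ', ')"
```

The -Server switch matters in a mixed forest: without it the module picks a DC via the locator and may land on one that has LDAP but no ADWS, which reproduces the original error intermittently.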

Thursday, 4 December 2014

Forefront Identity Manager 2010 R2 (FIM) portal "Service not available."

When you try to access the FIM 2010 R2 portal you receive a screen stating "Service not available. Please contact your help desk or system administrator."
 
In the event log there is a continuous error, Event 3 from Microsoft.ResourceManagement, stating "System.Net.WebException: Unable to connect to remote server --->" and "No connection could be made because the target machine actively refused it 10.25.1.40:433." That IP was actually one of my Domain Controllers, so I disabled the Windows Firewall to see if it would resolve the error. No change, unfortunately. In hindsight that was never a likely cause: an "actively refused" connection means the target host answered with a TCP reset because nothing was listening on that port, whereas a firewall drop shows up as a timeout.
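The refused-versus-timeout distinction is worth checking mechanically, because it tells you whether to look at firewalls or at a service that is not running or is configured with the wrong address. The block below is an added example, not code from the original post; it parses the host and port out of the event text, classifies the TCP connect result, and then reads the FIM Service address the portal is configured to call. The event source and ID are taken from the post; the web.config path is an assumption and should be replaced with the one for your portal's SharePoint web application, and the sample event text is constructed for the demonstration, not a real capture.

```powershell
# Added example (not from the original post): classify the endpoint named in the
# portal's "Unable to connect to remote server" event. ConnectionRefused means
# the host is up and nothing listens on that port; a timeout means filtered or
# down. Then compare with the address the portal is configured to use.
# Assumptions: event source 'Microsoft.ResourceManagement', event ID 3 (from the
# post); web.config path below is hypothetical.

function Get-RefusedEndpoint([string]$Message) {
    if ($Message -match 'actively refused it (?<addr>[^:\s]+):(?<port>\d+)') {
        [pscustomobject]@{ Address = $Matches.addr; Port = [int]$Matches.port }
    }
}

function Test-Endpoint([string]$Address, [int]$Port, [int]$TimeoutMs = 2000) {
    $c = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $c.BeginConnect($Address, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'timeout (filtered or host down)' }
        $c.EndConnect($ar)          # throws on refused
        'open'
    } catch {
        $inner = $_.Exception.InnerException
        if ($inner -is [System.Net.Sockets.SocketException] -and $inner.SocketErrorCode -eq 'ConnectionRefused') {
            'refused (host up, nothing listening: not a firewall problem)'
        } else { "error: $($_.Exception.Message)" }
    } finally { $c.Close() }
}

# Constructed sample of the event text quoted above (not a real capture)
$sample = 'System.Net.WebException: Unable to connect to remote server ---> ' +
          'System.Net.Sockets.SocketException: No connection could be made because ' +
          'the target machine actively refused it 10.25.1.40:433'
$ep = Get-RefusedEndpoint $sample
"Sample event points at $($ep.Address):$($ep.Port) -> $(Test-Endpoint $ep.Address $ep.Port)"

# Live: the most recent matching Event 3 on this portal server
$ev = Get-EventLog -LogName Application -Source 'Microsoft.ResourceManagement' -Newest 50 |
      Where-Object { $_.EventID -eq 3 -and $_.Message -match 'actively refused' } |
      Select-Object -First 1
if ($ev) {
    $ep = Get-RefusedEndpoint $ev.Message
    "Latest event points at $($ep.Address):$($ep.Port) -> $(Test-Endpoint $ep.Address $ep.Port)"
}

# What the portal is configured to call: the resourceManagementClient element in
# the SharePoint web application's web.config (path is an assumption).
$webConfig = 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config'
if (Test-Path $webConfig) {
    $node = ([xml](Get-Content $webConfig)).SelectSingleNode('//resourceManagementClient')
    "Portal configured FIM Service address: $($node.resourceManagementServiceBaseAddress)"
    Get-Service FIMService -ErrorAction SilentlyContinue | Select-Object Name, Status
}
```

If the configured address and the address in the event disagree, or the address is right but the FIM Service is stopped, the fix is on the service side; turning firewalls off on the portal server changes nothing in either case.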
 
After some research travelling through TechNet blogs I came across "A hotfix rollup package (build 4.1.3508.0) is available for Forefront Identity Manager 2010 R2", http://support.microsoft.com/kb/2913228/en-us. Although my issue was not directly mentioned in the More Information section, I thought it best to install the updates for the components I had deployed.
 
I installed FIMSyncService_x64_KB2913228.exe first.
 
Then FIMService_x64_KB2913228 second.
After the second patch was applied the FIM portal then started to work.