microsoft / AADConnectConfigDocumenter

AAD Connect configuration documenter is a tool to generate documentation of an AAD Connect installation.

Sync Rule Changes script issues #2

Closed Robingaal closed 7 years ago

Robingaal commented 7 years ago

I was trying out this script and found the following issues / bugs in the SyncRuleChanges script.

What I have is a test environment where I've set up AADC with 4 custom Sync Rules, a bunch of disabled default rules and 2 connectors; one to a test instance of O365 and one to our test Active Directory (let's name that ourdomain-test.ourcompany.com).

In production I've installed AADC as well, which connects to our production O365 and our production Active Directory ourdomain.ourcompany.com.

After exporting both AADC configs, putting our test environment's export in the "Pilot" folder and our production export in the "Production" folder, I ran the tool and downloaded the PowerShell script so I could move my 4 custom rules and other customizations (the disabled rules) to production. That gave the following issues:

It's trying to create the 4 custom sync rules in production with the $connectorName parameter set to the ConnectorName of our test instance (ourdomain-test.ourcompany.com). Of course this connector doesn't exist in production since it's named ourdomain-test.ourcompany.com over there, and it fails to create the 4 rules.

Default rules which I have disabled are not detected and thus not migrated by the script, for 2 reasons:

  1. The connectorName is used in the matching process instead of the ruleName (Write-Warning("The sync rule '{0}' for the connector '{1}' only exists in the config supplied as the "pilot" config." -f $syncRuleName, $connectorName))
  2. Default rules are skipped for comparison (Write-Warning ("This sync rule is inferred as a part of the out-of-box default rule set and will be skipped.")

NileshGhodekar commented 7 years ago

The tool is designed to work with config files for a single tenant. If you have different tenants and hence connector names, you can "prep" the config files manually by doing a find and replace on the name and then running the tool. You should then get the expected script.

Robingaal commented 7 years ago

For the 4 custom rules that works, but it involves a lot more work than using the default supplied "export per rule" functionality already present in AADC. It also still requires me to disable the disabled default rules by hand (since default rules are skipped for comparison by the code), or am I missing something?

NileshGhodekar commented 7 years ago

If the only change to a sync rule is enable/disable, it will create a script for it. If it detects any other changes, you'll only see a warning script telling you unsupported changes detected. You should see all the changes in the report (details section, not the summary sections). If this is not the case, can you please share the config for further investigation? It should create a script that just works, unlike AADC functionality which requires hand-editing of GUIDs, so I'd also like to understand your first statement better.

Robingaal commented 7 years ago

For example, in acceptance we disabled the default rule named "In from AD - Computer Join" for the "ourdomain-test.ourcompany.com" AD connector. When running the compare script it doesn't create a script that disables this rule as well in production but instead it generates the following script:

```powershell
#############################################################################################################################################
#### 'ourdomain-test.ourcompany.com' - 'In from AD - Computer Join'
#############################################################################################################################################

$connectorName = 'ourdomain-test.ourcompany.com'
$syncRuleName = 'In from AD - Computer Join'
# The inner double quotes around pilot are backtick-escaped here so the line parses in PowerShell.
Write-Warning ("The sync rule '{0}' for the connector '{1}' only exists in the config supplied as the `"pilot`" config." -f $syncRuleName, $connectorName)
Write-Warning ("This sync rule is inferred as a part of the out-of-box default rule set and will be skipped.")
Write-Warning ("This may be due to different versions or feature set selection between the production and pilot config.")
```

NileshGhodekar commented 7 years ago

If you look at the first warning, the tool has detected this rule only exists in one environment (and not just disabled). So have you "prepped" the config files for the same names for all the connectors? Without that, you'll get tons of changes. If you have done this and are still getting unexpected changes and script, would you mind sharing the complete set of config files for further troubleshooting?

Robingaal commented 7 years ago

Prepping 62 files (you actually have to open each XML to see what rule it is) is much more work and error prone than just moving the changed default rules by hand.

NileshGhodekar commented 7 years ago

So you haven't even looked at my suggestion?? Each MA name only appears once in the files located in the "Connectors" folder. Anyways, I'm closing this issue now as there is nothing more to do here. If the MA names don't match, the documenter will detect tons of changes, most of the changes on non-matching MAs will be unsupported changes, and will produce the script accordingly.

Robingaal commented 7 years ago

Ah that's where the issue is. I tried changing it in the "connector" xml node in each of the 62 Synchronization Rule XML files. Changing the Name in the 2 connector files does indeed work for disabling the rules!

NileshGhodekar commented 7 years ago

Thanks for confirming. I'll update the Wiki instruction for this.
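The "prep" step the thread settles on (rename the pilot connector so it matches production, touching only the files in the "Connectors" folder of the pilot export) as an added PowerShell example; this is not part of the AADConnectConfigDocumenter project. The folder layout, the function name and the two connector names are assumptions, and the run at the bottom uses -WhatIf so you can review the affected files before writing anything.

```powershell
function Rename-PilotConnector {
    # Assumed helper, not provided by the documenter: literal find/replace of the
    # pilot MA name in the "Connectors" folder so both exports use the same name.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $PilotPath,       # root of the pilot export (assumed layout)
        [Parameter(Mandatory)] [string] $PilotName,       # connector name as exported from the test environment
        [Parameter(Mandatory)] [string] $ProductionName   # connector name as exported from production
    )

    # Connector names contain dots, so escape them for a literal -replace.
    $pattern = [regex]::Escape($PilotName)

    # Per the thread, the MA name lives in the connector XML files; the sync rule
    # files are left alone because editing them did not change the comparison.
    $dir = Join-Path -Path $PilotPath -ChildPath 'Connectors'
    if (-not (Test-Path -Path $dir)) {
        Write-Warning "Connectors folder not found under '$PilotPath'"
        return
    }

    foreach ($file in Get-ChildItem -Path $dir -Filter '*.xml' -File) {
        $content = Get-Content -Path $file.FullName -Raw
        $hits = [regex]::Matches($content, $pattern).Count
        if ($hits -eq 0) { continue }

        if ($PSCmdlet.ShouldProcess($file.FullName, "replace $hits occurrence(s) of '$PilotName'")) {
            # Keep a copy so the original export can be restored if needed.
            Copy-Item -Path $file.FullName -Destination "$($file.FullName).bak" -Force
            $content -replace $pattern, $ProductionName |
                Set-Content -Path $file.FullName -Encoding UTF8 -NoNewline
        }

        # One record per touched file so the change set can be reviewed.
        [pscustomobject]@{ File = $file.Name; Occurrences = $hits }
    }
}

# Preview first; drop -WhatIf to apply. Names and path are constructed for illustration.
Rename-PilotConnector -PilotPath '.\Data\Pilot' `
    -PilotName 'ourdomain-test.ourcompany.com' `
    -ProductionName 'ourdomain.ourcompany.com' -WhatIf
```

After applying, re-run the documenter on the prepped Pilot folder and check the report's details section: connector-name differences should disappear, leaving only the custom rules and enable/disable changes.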