Backup and Restore Instructions for DirSync
Backup and Restore Instructions for Windows Azure Active Directory Sync Tool
Contents
Introduction
Installing DirSync to support backup and restore
Overview
Command for SQL Server with default SQL instance
Command for SQL Server with Named SQL Instance
DirSync Database Backup
Backup Steps
DirSync Database Restore
Restoring and Installing Directory Synchronization on a new or rebuilt machine
Restore Steps
Appendix 1 - Running the MIISActivate.exe command line tool
MIISActivate Usage Information
Introduction
The Windows Azure Active Directory Sync tool (DirSync) is used to provision user accounts from on-premises Windows Active Directory to Azure Active Directory in the cloud. DirSync synchronizes changes made to user accounts on-premises to the cloud so that cloud users have access to directory information and can sign in. This tool is commonly used as part of Office 365 onboarding.
This document describes how to back up and later restore the database and encryption keys required for a DirSync installation. Doing so reduces the time needed to resynchronize user accounts from your on-premises Active Directory to Windows Azure Active Directory after a failure of the previous DirSync installation.
This document assumes the DirSync database is hosted on a full SQL Server instance. It will not work on the default DirSync installation, which uses SQL Express. It outlines the backup and restore steps required when you need to reinstall DirSync on a new server after a failure. Specifically, it helps where the SQL database used by DirSync is still available, either from a SQL high availability configuration or from a backup, and you plan to use it with a new DirSync installation.
The steps in this document assume that the DirSync application will be installed on a new or rebuilt machine. Some steps will not be needed if you are simply restoring the DirSync database to an existing DirSync server.
Explicit steps to back up the database using SQL Server backup are not included in this document. Those steps can be found in the SQL Server documentation here.
Installing DirSync to support backup and restore
The synchronization engine used by the DirSync Tool generates its own encryption keys for encrypting certain data in the database. To successfully back up and restore the database, it is essential to be able to back up and restore these encryption keys as well. To make a backup of the encryption keys, you must know the username and password of the service account used for the FIMSynchronizationService.
Overview
If you have already installed DirSync using the default install with SQL Express, you will need to uninstall it before installing against a full SQL Server database as described here.
After running the DirSync.exe /FULLSQL command to begin the DirSync install, a PowerShell cmdlet is used to complete the installation. Here are examples of the Install-OnlineCoexistenceTool cmdlet that include the minimum information needed to complete the steps in this document.
Command for SQL Server with default SQL instance
Install-OnlineCoexistenceTool -UseSQLServer -SQLServer "sqlServerName" -ServiceCredential (Get-Credential) -Verbose
Command for SQL Server with Named SQL Instance
Install-OnlineCoexistenceTool -UseSQLServer -SQLServer "sqlServerName" -SQLServerInstance "SQLInstanceName" -ServiceCredential (Get-Credential) -Verbose
Additional arguments are documented here.
Note: When choosing an account for the -ServiceCredential argument value, remember that it will be used as a service account and that it must be a domain account from a domain in the forest where the DirSync service is installed.
DirSync Database Backup
There are two different things that we will need to back up in order to successfully restore the database.
1. The FIMSynchronizationService Database
2. The FIM Synchronization Service encryption keys
The FIMSynchronizationService database backup should be done using the Backup Type of Full.
Backup Steps
1. Shut down the Windows Azure Active Directory Sync Service (MSOnlineSyncScheduler) service.
- This will ensure no automated synchronization runs are started during the backup
2. Use the MIISClient.exe to check for an active synchronization run.
3. Wait until no synchronization runs are active then shut down the “Forefront Identity Manager Synchronization Service” service.
4. Using SQL Server Management Studio, make a backup of the FIMSynchronizationService database. Backup type should be set to “Full.”
- Steps documented here.
5. Using the MIISKmu.exe, make a backup of the encryption key.
- Run the executable and follow the instructions in the user interface
- When asked for credentials, specify the DirSync service account
- Automation steps and usage information here.
- The path to the miiskmu.exe file is different from the one in the TechNet documentation. For the Directory Synchronization Tool, it is located in:
%programfiles%\Windows Azure Active Directory Sync\SyncBus\Synchronization Service\Bin
6. Restart the Forefront Identity Manager Synchronization Service and the Windows Azure Active Directory Sync Service.
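The following PowerShell script is an added example that automates backup steps 1 through 6 above on the DirSync server; it is not part of the original document. It assumes the FIM Synchronization Service WMI provider (namespace root\MicrosoftIdentityIntegrationServer) is present, that sqlcmd.exe is on the PATH, and that the backup folder path is valid on the SQL Server host (the BACKUP statement writes relative to the SQL Server, so use a local path there or a UNC share its service account can write to). The folder name, file names and the 30-minute wait are constructed values; miiskmu.exe is driven through its user interface exactly as step 5 describes, since the document gives no command-line switches for it.

```powershell
param(
    [Parameter(Mandatory)] [string]$SqlServerInstance,   # "sqlServerName" or "sqlServerName\SQLInstanceName"
    [string]$BackupFolder = 'D:\DirSyncBackup'            # constructed example path; adjust for your environment
)
$ErrorActionPreference = 'Stop'
$bin   = Join-Path $env:ProgramFiles 'Windows Azure Active Directory Sync\SyncBus\Synchronization Service\Bin'
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null

# Step 1: stop the scheduler so no new synchronization runs start while we work.
Stop-Service -Name MSOnlineSyncScheduler

try {
    # Steps 2 and 3: wait until no management agent reports an in-progress run
    # (replaces the manual MIISClient.exe check), then stop the sync service itself.
    $deadline = (Get-Date).AddMinutes(30)
    do {
        $active = Get-WmiObject -Namespace 'root\MicrosoftIdentityIntegrationServer' -Class MIIS_ManagementAgent |
            Where-Object { $_.RunStatus().ReturnValue -eq 'in-progress' }
        if ($active) { Start-Sleep -Seconds 15 }
    } while ($active -and (Get-Date) -lt $deadline)
    if ($active) { throw 'A synchronization run is still active after 30 minutes; aborting backup.' }
    Stop-Service -Name FIMSynchronizationService

    # Step 4: full backup of the database. CHECKSUM lets RESTORE VERIFYONLY detect corruption later.
    $dbFile = Join-Path $BackupFolder "FIMSynchronizationService-$stamp.bak"
    & sqlcmd.exe -S $SqlServerInstance -E -b -Q "BACKUP DATABASE [FIMSynchronizationService] TO DISK = N'$dbFile' WITH INIT, CHECKSUM"
    if ($LASTEXITCODE -ne 0) { throw "SQL backup failed with exit code $LASTEXITCODE" }

    # Step 5: export the encryption keys through the miiskmu.exe user interface.
    # Save the key set to $keyFile when prompted, using the DirSync service account credentials.
    $keyFile = Join-Path $BackupFolder "miiskeys-$stamp.bin"
    Write-Host "When miiskmu.exe prompts, export the key set to: $keyFile"
    Start-Process -FilePath (Join-Path $bin 'miiskmu.exe') -Wait
    if (-not (Test-Path $keyFile)) { throw "Key backup file not found at $keyFile" }

    # The key file is what decrypts the protected data in the database, so restrict it to
    # Administrators and SYSTEM only (no inherited ACEs) and store it apart from the .bak file.
    $acl = Get-Acl -Path $keyFile
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $keyFile -AclObject $acl
}
finally {
    # Step 6: bring the services back whether or not the backup succeeded.
    Start-Service -Name FIMSynchronizationService
    Start-Service -Name MSOnlineSyncScheduler
}
```

Run it from an elevated PowerShell session on the DirSync server, for example `.\Backup-DirSync.ps1 -SqlServerInstance "sqlServerName\SQLInstanceName"`. The try/finally ensures the two services are restarted even when the backup aborts, which matters because a stopped scheduler silently halts all synchronization to the cloud.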
DirSync Database Restore
Restoring and Installing Directory Synchronization on a new or rebuilt machine
If you have a backup of the FIMSynchronizationService database and a backup of the FIM Synchronization Service encryption keys then this process can be used to restore a DirSync implementation.
This process should be used in all of the following cases:
· The DirSync database is hosted on a SQL Server machine remote from the DirSync application, and the DirSync application will be installed on a new or rebuilt machine
· The DirSync database is hosted on a SQL Server instance on the same machine as the DirSync application and will be installed on a new or rebuilt machine
Restore Steps
Follow these steps to restore the database and encryption keys for DirSync.
1. Restore the FIMSynchronizationService database to the SQL Server instance, and to the name FIMSynchronizationService.
2. On the DirSync machine, run the DirSync install using the following command from an Administrative cmd.exe prompt:
· DirSync /FULLSQL
3. Run the following file to open a PowerShell command prompt that loads the needed modules:
· "C:\Program Files\Microsoft Online Directory Sync\DirSyncInstallShell.psc1"
4. From the PowerShell prompt opened in step 3, use the following command to install the DirSync services:
· Forefront Identity Manager Synchronization Service
· Windows Azure Active Directory Sync Service
Command for SQL Server with default SQL instance
Install-OnlineCoexistenceTool -UseSQLServer -SQLServer "sqlServerName" -ServiceCredential (Get-Credential) -Verbose
Command for SQL Server with Named SQL Instance
Install-OnlineCoexistenceTool -UseSQLServer -SQLServer "sqlServerName" -SQLServerInstance "SQLInstanceName" -ServiceCredential (Get-Credential) -Verbose
Additional arguments are documented here.
Important:
· sqlServerName is the machine name of the SQL Server where the FIMSynchronizationService database was restored.
· SQLInstanceName is the name of the SQL Server instance, if not the default.
· ServiceCredential should be the user ID and password for the service account you wish the DirSync services to run under.
· This command will end with an error message indicating that the Directory Synchronization service was not installed properly. The error occurs because the FIM Synchronization Service does not yet have the encryption keys needed to read the database, and the following event is written to the Application log. The next step corrects that issue.
Log Name: Application
Source: FIMSynchronizationService
Date: 2/15/2012 5:57:26 PM
Event ID: 6206
Task Category: Database
Level: Error
Keywords: Classic
User: N/A
Computer: myDirSyncComputer.MyDomain.com
Description:
The service encryption keys could not be found.
User Action
Verify that the service account has permissions to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Synchronization Service
If the problem persists, run setup and restore the encryption keys from backup.
5. Run the miisactivate.exe command line utility to activate the current Directory Synchronization server with the database, specifying the encryption key backup.
· Information on running this tool can be found in Appendix 1 – Running the MIISActivate.exe command line tool.
Appendix 1 - Running the MIISActivate.exe command line tool
As described in the steps above, the MIISActivate.exe command line tool is needed to re-associate the encryption keys exported from the original DirSync install using the MIISKMU.exe utility.
If the Forefront Identity Manager Synchronization Service starts without issue after the restore, then this step may not be needed.
Steps to run MIISActivate.exe
1. From an Administrative cmd.exe prompt, navigate to the "%programfiles%\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\bin" folder
2. At the command prompt, type the following command
miisactivate "miiskeys-1.bin" "myDomain\myUser" *
Where:
· miiskeys-1.bin is the file that was created when you ran the MIISKMU.exe in database backup step 5 earlier in this document.
· myDomain\myUser is the service account that DirSync is running under that was specified in the Install-OnlineCoexistenceTool cmdlet used to install DirSync.
· * is a placeholder telling the utility to prompt for the password
MIISActivate Usage Information
Usage: MIISACTIVATE [filename] [username {password | *}] [/q]
filename Filename of the key
username [domain\]username
[domain.com\]username
password Password (specify '*' to prompt for password)
/q Quiet mode (no pop up dialog boxes)
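The following PowerShell script is an added example, not part of the original document, that ties restore steps 1, 4 and 5 and the MIISActivate.exe appendix together. It is meant to be run from the PowerShell prompt opened by DirSyncInstallShell.psc1 in restore step 3, after DirSync /FULLSQL from step 2 has completed, so that the Install-OnlineCoexistenceTool cmdlet is available. It assumes sqlcmd.exe is on the PATH, that the .bak and .bin files came from the backup procedure earlier in this document, and that the service account is supplied as domain\user so the same value can be passed to miisactivate.exe. The parameter names and file paths are constructed; the event ID 6206 check uses the event shown above.

```powershell
param(
    [Parameter(Mandatory)] [string]$SqlServer,                 # machine name, e.g. "sqlServerName"
    [string]$SqlServerInstance,                                 # omit for the default instance
    [Parameter(Mandatory)] [string]$DatabaseBackup,             # path of the .bak file as seen by the SQL Server
    [Parameter(Mandatory)] [string]$KeyBackup,                  # e.g. miiskeys-1.bin exported by miiskmu.exe
    [Parameter(Mandatory)] [pscredential]$ServiceCredential     # DirSync service account, entered as domain\user
)
$ErrorActionPreference = 'Stop'
$instance = if ($SqlServerInstance) { "$SqlServer\$SqlServerInstance" } else { $SqlServer }
$bin = Join-Path $env:ProgramFiles 'Windows Azure Active Directory Sync\SyncBus\Synchronization Service\Bin'

# Step 1: verify the backup media first, then restore it under the required database name.
# If the data/log file paths differ from the original server, add WITH MOVE clauses to the RESTORE.
& sqlcmd.exe -S $instance -E -b -Q "RESTORE VERIFYONLY FROM DISK = N'$DatabaseBackup' WITH CHECKSUM"
if ($LASTEXITCODE -ne 0) { throw 'Backup file failed verification; do not continue with a suspect backup.' }
& sqlcmd.exe -S $instance -E -b -Q "RESTORE DATABASE [FIMSynchronizationService] FROM DISK = N'$DatabaseBackup' WITH REPLACE"
if ($LASTEXITCODE -ne 0) { throw "Database restore failed with exit code $LASTEXITCODE" }

# Step 4: install the services. The document states this ends with an error because the
# encryption keys are not yet available, so the failure is tolerated here and then confirmed.
$installArgs = @{ UseSQLServer = $true; SQLServer = $SqlServer; ServiceCredential = $ServiceCredential; Verbose = $true }
if ($SqlServerInstance) { $installArgs.SQLServerInstance = $SqlServerInstance }
$installStart = Get-Date
try   { Install-OnlineCoexistenceTool @installArgs }
catch { Write-Warning "Install-OnlineCoexistenceTool reported: $($_.Exception.Message)" }

# Confirm the failure is the expected one (event 6206, encryption keys not found) rather than
# a different problem such as registry permissions or SQL connectivity.
$filter = @{ LogName = 'Application'; ProviderName = 'FIMSynchronizationService'; Id = 6206; StartTime = $installStart }
$evt = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $evt) { Write-Warning 'No event 6206 logged since the install started; review the Application log before activating.' }

# Step 5 / Appendix 1: re-associate the exported keys with this server. The trailing '*' makes
# miisactivate.exe prompt for the password so it never appears on the command line.
& (Join-Path $bin 'miisactivate.exe') $KeyBackup $ServiceCredential.UserName '*'
if ($LASTEXITCODE -ne 0) { throw "miisactivate.exe failed with exit code $LASTEXITCODE" }

# Final check: the synchronization service must start and stay up without logging a new 6206.
Start-Service -Name FIMSynchronizationService
Start-Sleep -Seconds 10
$svc   = Get-Service -Name FIMSynchronizationService
$again = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'FIMSynchronizationService'; Id = 6206; StartTime = (Get-Date).AddSeconds(-20) } -ErrorAction SilentlyContinue
if ($svc.Status -ne 'Running' -or $again) { throw 'FIMSynchronizationService did not start cleanly after key activation.' }
Start-Service -Name MSOnlineSyncScheduler
```

Example invocation from the step 3 prompt: `.\Restore-DirSync.ps1 -SqlServer "sqlServerName" -SqlServerInstance "SQLInstanceName" -DatabaseBackup "D:\DirSyncBackup\FIMSynchronizationService.bak" -KeyBackup "D:\DirSyncBackup\miiskeys-1.bin" -ServiceCredential (Get-Credential)`. The RESTORE VERIFYONLY and the two event-log checks are what distinguish a restore that merely looks finished from one where the keys actually matched the database.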