Tuesday, June 23, 2015

Azure AD Sync doesn't warn if scheduled task is enabled on Server 2008/2008 R2

After running the Azure Active Directory Sync Services (AADSync) configuration wizard, a scheduled task is created to run a sync job every three hours. When an admin starts the wizard again to make changes to the configuration, a warning is shown to disable the scheduled task, and the admin is forced to restart the wizard. This prevents configuration changes from being made while an actual sync could be in progress. This check does not work on Server 2008 and Server 2008 R2.

Under the hood, AADSync uses the Get-ScheduledTask cmdlet to determine the status of the scheduled task. Unfortunately, this cmdlet was introduced in Server 2012 and Windows 8, so it is not available on Server 2008 and Server 2008 R2. Both older versions of Windows Server are on the list of supported operating systems.

So what happens if you have AADSync installed on Server 2008 or 2008 R2 and start the wizard again? It does not warn you to disable the scheduled task first and allows you to change the configuration while a sync could be in progress. While the chances of that happening are relatively small with the three hour interval, this obviously is not something we want to happen. The application log shows event id 906 from source AzureActiveDirectoryDirectorySyncTool:

IsSchedulerEnabled() failed, assuming FALSE: Details: System.Management.Automation.CommandNotFoundException: The term 'Get-ScheduledTask' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

The error message is self-explanatory: the IsSchedulerEnabled function tries to use the Get-ScheduledTask cmdlet, which is not available on this server. When the call fails, the function assumes that the task is disabled, which is why we're no longer prevented from making configuration changes while the task is enabled. This behavior was noted with AADSync version 1.0.494.0501, the most recent version at this moment.

What does this mean for you if you're running AADSync on an older operating system? You should verify that the scheduled task is disabled before starting the configuration wizard. Keep in mind that the wizard will not be able to check this and will not warn you if the task is still enabled.
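One way to do that verification on Server 2008/2008 R2 is to query the Task Scheduler 2.0 COM API, which does not depend on Get-ScheduledTask. The following is an added example, not code from AADSync or Microsoft; the function name `Test-SyncTaskState` is hypothetical, and the task name is an assumption you must supply as it appears in Task Scheduler on your server. Unlike the behavior in the event log above, it stops with an error when the state cannot be determined instead of assuming the task is disabled.

```powershell
# Added example: pre-check to run before starting the AADSync configuration wizard.
# Uses the Schedule.Service COM object, so it works with PowerShell 2.0.
function Test-SyncTaskState {
    param(
        # Task name exactly as shown in Task Scheduler (assumption: supplied by the admin).
        [Parameter(Mandatory = $true)][string]$TaskName,
        # Task Scheduler folder that holds the task; '\' is the root folder.
        [string]$Folder = '\'
    )

    $service = New-Object -ComObject 'Schedule.Service'
    $service.Connect()   # local machine, current credentials

    try {
        $task = $service.GetFolder($Folder).GetTask($TaskName)
    }
    catch {
        # Fail closed: an unknown state must not be treated as "disabled".
        throw "Cannot read task '$TaskName' in folder '$Folder': $($_.Exception.Message)"
    }

    # IRegisteredTask.State: 1 = Disabled, 3 = Ready, 4 = Running
    New-Object PSObject -Property @{
        Name        = $task.Name
        Enabled     = [bool]$task.Enabled
        Running     = ($task.State -eq 4)
        NextRunTime = $task.NextRunTime
    }
}

# Placeholder value; replace with the name of the sync task on your server.
$syncTaskName = '<AADSync scheduled task name>'

$state = Test-SyncTaskState -TaskName $syncTaskName
if ($state.Running) {
    Write-Warning "Sync task '$($state.Name)' is running now. Wait for it to finish and disable the task."
}
elseif ($state.Enabled) {
    Write-Warning "Sync task '$($state.Name)' is enabled (next run: $($state.NextRunTime)). Disable it before starting the wizard."
}
else {
    Write-Output "Sync task '$($state.Name)' is disabled. It is safe to start the configuration wizard."
}
```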

Although Server 2008 and 2008 R2 are supported operating systems for AADSync, I suspect Microsoft did not actually test the software on those operating systems. I brought the issue to their attention through Office 365 Support, an experience I wouldn't wish on my worst enemy. To be continued…