Introducing AAD Connect 1.1.749.0 with new privacy and troubleshooting features
Jeff Guillet MVP, MCSM
Microsoft is drizzling out a new build of Azure Active Directory Connect via auto-upgrade to select customers. They often do this when a new build has significant changes to make sure it doesn't break in existing organizations that currently use AAD Connect. It will be available for all customers to download in the coming days/weeks as either an auto-upgrade or manual download.
Note: When the upgrade to this new version completes, it will automatically trigger a full sync and full import for the Azure AD connector and a full sync for the AD connector. Since this may take some time, depending on the size of your Azure AD Connect environment, please make sure that you have taken the necessary steps to support this or hold off on upgrading until you can allow a full sync to occur.
AAD Connect version 1.1.749.0 includes several new privacy and troubleshooting features. The new Privacy Settings option allows customers to choose which information is shared with Microsoft.
In May 2018, a European privacy law, the General Data Protection Regulation (GDPR), is due to take effect. The GDPR imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents. The GDPR applies no matter where you are located.
For GDPR compliance, Microsoft is required to indicate the kinds of customer data that are shared with them (telemetry, health, etc.), and must have links to detailed online documentation and provide a way for customers to change their preferences. This version adds the following:
Data sharing and privacy notification on the EULA page for clean installs.
Data sharing and privacy notification on the upgrade page.
A new additional task "Privacy Settings" where the user can change their preferences.
Using the same options, admins can switch application telemetry on or off at will.
To configure privacy settings, run Azure AD Connect from the desktop or start menu. Under Additional Tasks, click Privacy Settings. Enter your tenant administrator credentials and click Next. Then you can enable or disable application telemetry using the checkbox.
Click Next and Configure. The tool will respond with “Privacy settings have been successfully updated.”
AAD Connect troubleshooting is another new feature in this build. Run the Azure AD Connect wizard from the desktop or start menu and under Additional Tasks, click Troubleshoot. Click the Launch button to open the AAD Connect Troubleshooting tool in PowerShell.
Synchronization tests check for the following:
UserPrincipalName mismatch between synchronized user object and the user account in Azure AD Tenant.
If the object is filtered from synchronization due to domain filtering.
If the object is filtered from synchronization due to organizational unit (OU) filtering.
You will see three options:
Troubleshoot Object Synchronization – This option verifies and validates that an object is syncing successfully with Azure AD. Inputs are the AD Connector name and the Distinguished Name for the object you want to troubleshoot. Simple output on the screen shows any errors and a detailed HTML report is generated in the C:\ProgramData\AADConnect\ADSyncObjectDiagnostics folder.
Troubleshoot Password Hash Synchronization – This option brings up a submenu:
Password Hash Synchronization does NOT work at all – Tests that password hash sync is enabled in the cloud configuration and on the AD connector, displays the latest password hash sync heartbeat and when the last successful password sync occurred, and tests connectivity to the domain from the AAD Connect server.
Password Hash Synchronization does NOT work for a specific user account – This option troubleshoots password hash sync for a particular user using their on-premises Distinguished Name. It tests that the object is in the AD connector space with links to the metaverse and that the object is synced properly. It tests for a password hash sync rule in the AAD connector and displays the last time the password hash was synced successfully for this object. Any errors are output to the display.
Synchronize password hash for a specific user account – This utility will attempt to synchronize the current password hash stored in the on-premises Active Directory for the specified user account. You specify the user account by providing the corresponding AD Connector name and on-premises Distinguished Name.
Collect General Diagnostics – This option collects detailed AAD Connect diagnostics information. Output includes a text file report in the C:\ProgramData\AADConnect folder, an HTML report in the C:\ProgramData\AADConnect\ADSyncObjectDiagnostics folder, and a ZIP file containing over 1,400(!) very detailed reports in the logged-in user’s Documents folder. These reports are great for documenting your AAD Connect configuration and settings.
It is important to keep in mind that as long as the AAD Connect wizard is open, the synchronization service scheduler is suspended. The wizard can be closed as soon as you launch the AAD Connect Troubleshooting tools.
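As an added example that is not part of the original post, the following PowerShell snapshot covers both the upgrade note above (is a sync cycle in progress, and is a full "Initial" cycle already queued before you let the 1.1.749.0 upgrade trigger its own full sync?) and the scheduler caveat just described (is the scheduler still suspended because the wizard is open?). It uses only cmdlets from the ADSync module that ships with AAD Connect (Get-ADSyncScheduler, Get-ADSyncConnector, Get-ADSyncConnectorRunStatus, Get-ADSyncAADCompanyFeature); the function names Get-AADConnectInstalledVersion, Get-AADConnectStateSnapshot and Test-AADConnectReady are my own, and the DisplayName pattern used to find the installed build in the uninstall registry keys is an assumption you may need to adjust.

```powershell
# Added example, not from the original post. Run elevated on the AAD Connect server.
# Assumes the ADSync module installed with AAD Connect; the uninstall DisplayName
# pattern below is assumed and may need adjusting for your build.
Import-Module ADSync -ErrorAction Stop

function Get-AADConnectInstalledVersion {
    # Read the installed build number from the Windows uninstall registry keys.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Azure AD Connect*' } |   # assumed pattern
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Get-AADConnectStateSnapshot {
    $scheduler = Get-ADSyncScheduler
    $running   = @(Get-ADSyncConnectorRunStatus)      # empty when no connector is mid-run
    $features  = Get-ADSyncAADCompanyFeature          # tenant-side features, incl. PasswordHashSync

    [pscustomobject]@{
        InstalledVersion    = Get-AADConnectInstalledVersion
        Connectors          = (Get-ADSyncConnector | Select-Object -ExpandProperty Name) -join '; '
        SyncCycleEnabled    = $scheduler.SyncCycleEnabled
        SchedulerSuspended  = $scheduler.SchedulerSuspended        # $true while the wizard is open
        SyncCycleInProgress = $scheduler.SyncCycleInProgress
        ConnectorsRunning   = $running.Count
        StagingMode         = $scheduler.StagingModeEnabled
        NextCyclePolicy     = $scheduler.NextSyncCyclePolicyType   # 'Initial' = a full sync is queued
        NextCycleStartUtc   = $scheduler.NextSyncCycleStartTimeInUTC
        PasswordHashSync    = $features.PasswordHashSync
    }
}

function Test-AADConnectReady {
    # Turn the snapshot into a go/no-go list for upgrading or for resuming normal operation.
    param([pscustomobject]$State = (Get-AADConnectStateSnapshot))
    $issues = @()
    if ($State.SchedulerSuspended) {
        $issues += 'Scheduler is suspended: the AAD Connect wizard is probably still open.'
    }
    if ($State.SyncCycleInProgress -or $State.ConnectorsRunning -gt 0) {
        $issues += 'A sync cycle is in progress; wait for it to finish before upgrading.'
    }
    if (-not $State.SyncCycleEnabled) {
        $issues += 'Scheduler is disabled; re-enable with Set-ADSyncScheduler -SyncCycleEnabled $true when ready.'
    }
    if ($State.NextCyclePolicy -eq 'Initial') {
        $issues += 'Next cycle is a full (Initial) sync; expect a long run on top of the post-upgrade full sync.'
    }
    [pscustomobject]@{ Ready = ($issues.Count -eq 0); Issues = $issues; State = $State }
}

Test-AADConnectReady | Format-List
```

Run it once before starting the upgrade and once after you have closed the wizard following a troubleshooting session: in the second run SchedulerSuspended should be False and the scheduler should show a NextCycleStartUtc in the near future, which confirms that closing the wizard handed control back to the sync scheduler.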
If you want to run the AAD Connect Troubleshooting tools without launching the AAD Connect wizard, run the Invoke-ADSyncDiagnostics PowerShell cmdlet from your AAD Connect server. If you want to run diagnostics from another domain-joined computer, run the following cmdlet: