Troubleshooting the Directory Synchronization Tool 9.1 for FOPE
Applies to: Live@edu, Forefront Online Protection for Exchange
Topic Last Modified: 2012-02-21
The troubleshooting steps listed here can help solve some Directory Synchronization Tool 9.1 problems. There are several directory synchronization tools available from Microsoft. The information here applies to only the Forefront Online Protection for Exchange-related DST 9.1 that enables you to securely synchronize selected data between an on-premises Active Directory Domain Service and the Forefront Online Protection for Exchange (FOPE) service and Exchange Hosted Archive (EHA) service.
If this topic does not solve your DST 9.1 issues, review the links in the See Also section at the end of this topic or contact Microsoft Technical Support as noted in Support Information.
The issues and suggested solutions here are not a result of a DST 9.1 synchronization.
System requirements for your local environment
Ensure that the minimum system requirements are met as listed in System Requirements. The DST 9.1 does not work on Windows Small Business Server operating system.
32-bit systems: Ensure that you have installed only the 32-bit version of the DST 9.1 if you have a 32-bit operating system. This system is referred to as an i386 environment on the download center page where the DST 9.1 tool is available. The file for 32-bit systems is DirSyncTool_I386.msi.
64-bit systems: Ensure that you have installed only the 64-bit version of the DST 9.1 if you have a 64-bit operating system. This system is referred to as a 64-bit environment on the download center page where the DST 9.1 tool is available. The file for 64-bit systems is DirSyncTool_AMD64.msi. This 64-bit Windows Installer file can be used regardless of the brand of your 64-bit processor.
Confirm that your proxy server settings are configured correctly in the DST 9.1 Sync Settings section. You can set the tool to detect the proxy each time it runs, detect the proxy based on your Internet browser settings, or you can enter your own custom values and port number. If the DST was previously run with the latter option of manually set custom values, and these have changed, then the synchronization will fail. For more information about this, see Change Proxy Server Settings.
Error While Applying Security Settings
For on-premises and hosted service security or permission issues, it will be helpful to ensure that you install the DST 9.1 on an English-language only operating system.
Ensure that an account manager or administrator role exists in FOPE and that you can log in to the FOPE Administration Center site.
Non-Recoverable Error: System.Security.AuthenticationException
The issues and suggested solutions here are can be encountered after DST 9.1 synchronization. For help with specific error codes and warnings, see Event IDs and Error Codes for Directory Synchronization Tool 9.1.
Windows PowerShell cmdlet Does Not Work
Ensure that you have installed Windows PowerShell components before you run the DST 9.1. You can uninstall the DST 9.1, install Windows PowerShell and then install the DST 9.1 again. For more information about Windows PowerShell, see Scripting with Windows PowerShell (http://go.microsoft.com/fwlink/?LinkID=102372).
Cannot Start a Full Sync, Daily Limit
Ensure that you are running one and only one instance of the DST 9.1 for your organization and that you synchronize from only one system at a time. If you have two separate synchronization tools in two different locations but you are just one organization, each DST 9.1 process can overwrite the previous data and cause you to exceed a daily limit. To resolve this issue, remove all but one instance of the DST and force a full synchronization during the next update by using Windows PowerShell. The procedure for this is shown below.
The DST PowerShell environment must be installed on your computer before the synchronization tool itself is installed. Typically Windows PowerShell is found in the same program folder as the DST in the Start Menu. If it is not there, then it could indicate that Windows PowerShell is either not installed or was installed after the DST 9.1. In either case you will either need to install Windows PowerShell and reinstall the DST 9.1 or just reinstall the DST to make sure the DST PowerShell environment is available. For more information about Windows PowerShell and directory synchronization, see PowerShell and cmdlets. This procedure will not perform the full synchronization; it will force the next synchronization to be a full synchronization rather than a differential synchronization.To force a full synchronization
Start Windows PowerShell.
Type Clear-SyncCookies and press ENTER.
Valid Accounts are Disabled or Non-Valid Accounts are Enabled
Ensure that you are running one and only one instance of the DST 9.1 for your organization. After the initial synchronization, which is a full synchronization, only incremental updates are performed so that only changed information is updated. The DST 9.1 incorporates the name of the domain controller during its synchronization, and the domain controller name is stored in FOPE and then passed back when synchronization starts. If multiple domains or forests are used by more than one DST 9.1 process, then there can be confusing and unintended consequences. To resolve this issue, you can force a full synchronization and use only one instance of the DST. The procedure to force a full synchronization is explained earlier in this topic.
The DST 9.1 does not synchronize dynamic distribution lists.
No Domains are Shown in the DST 9.1 Filtering Domains Field
Ensure that both the local Windows operating system account and the FOPE Administration Center account that are being used to authenticate have sufficient permissions for their respective domains. In the FOPE Administration Center, use an account that is a Company or Domain Administrator for the domains that are set to use the DST user list upload. Also ensure that Domains are enabled and that the upload mode is set to DST 9.1.
In the on-premises environment, use an Active Directory account that has read-only access to query Active Directory. Using a Domain Administrator account is not required and not recommended. DST 9.1 does not need to run on the Exchange server.