Forum Discussion

Cloud_Geek_82's avatar
Cloud_Geek_82
Copper Contributor
Nov 07, 2024

Find out a server with Azure AD Connect

Hi All,

Normally, if someone needs to find out on which server Azure AD Connect is installed, it can be done in the Azure portal under Microsoft Entra Connect - Microsoft Entra Connect Health - Sync Services.

Is there any way to find out on which server Azure AD Connect is installed if Microsoft Entra Connect Health is not installed or its service stopped?

I know in this case no server will be displayed under Microsoft Entra Connect Servers.

The reason I'm asking is that someone deployed Azure AD Connect and ran syncing, but for an unknown reason stopped the Azure AD Connect Health service. Because of that, I couldn't find on which server the Azure AD Connect tool was installed until that person advised me. If he hadn't told me, I most likely would have needed to sign in to each production server to check.

However, just wondering if it can be done with some PowerShell command.

Thanks.

  • LainRobertson's avatar
    LainRobertson
    Silver Contributor

    Hi,


    This is one of those scenarios where you could write a script to execute against every server remotely, but that's more effort than is required. You'd also have to navigate which remote administration protocols are even reliably available across all servers, otherwise, you'd still have gaps to manually fill.


    Rather than scripting this requirement, you can find out which server is syncing more easily via Azure Portal -> Microsoft Entra ID -> Monitoring -> Sign-in logs, as shown below.

    [Screenshot: Sign-in logs filtered on the AAD Connect application, with the computer-name portion of the Username column boxed in green]

    In my example above, I've filtered on the AAD Connect application, and if you look at the section of "Username" boxed in green, this is the name of the computer on which this particular AAD Connect instance is running.


    It is possible for there to be multiple usernames and therefore computer names, as AAD Connect can run on more than one host for redundancy purposes (though only one instance of AAD Connect is permitted to run outside of staging mode).


    Cheers,

    Lain

    • Cloud_Geek_82's avatar
      Cloud_Geek_82
      Copper Contributor

      Hi LainRobertson 

      I think I've done the filtering exactly as in your screenshot, but in my case I'm getting users' email addresses as usernames.


      • LainRobertson's avatar
        LainRobertson
        Silver Contributor

        Hi Cloud_Geek_82,


        Yes, that's mostly correct. I've just blanked out the remainder of the username in my screenshot above.


        When AAD Connect is installed, it creates the synchronisation account with the username in the format of:


        sync_netBIOSName_randomNumber[@]yourTenant.onmicrosoft.com


        (Note, I've used [@] instead of just @ to avoid any addressing issues on the forums.)


        Where netBIOSName (the part I boxed in green in my screenshot) is the name of the computer running AAD Connect.


        Strictly-speaking, this username is not the mail address, but another attribute that looks the same named userPrincipalName. Most of the time, both mail and userPrincipalName will indeed contain the same values but it's important to note this is not required and that they are two different attributes with very different purposes.


        Anyhow, you're already looking at the right thing. You just need to pluck out the computer name and you're done.


        Cheers,
        Lain
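The account-name convention Lain describes above can be turned into a tenant-side lookup that does not depend on Connect Health or on the sign-in logs at all: the Sync_ service account is an ordinary cloud user object, so listing users whose userPrincipalName starts with Sync_ and parsing out the middle segment gives the computer name directly. The following is an added example written for this thread, not code from the original posts. It assumes the Microsoft.Graph.Users module is installed and that the signed-in identity can consent to User.Read.All; the regex treats the random suffix as alphanumeric (the thread only says "randomNumber") and, by matching on the last underscore, copes with host names that themselves contain underscores. The sample UPNs at the bottom are constructed for the offline demonstration. Knowing where this box lives matters beyond housekeeping: the Connect server holds the credentials used to read (and, with password hash sync, replicate) directory data, so it should be treated as a Tier 0 asset.

```powershell
# Added example (not from the original thread): locate the Azure AD Connect / Entra Connect
# server from the tenant side by parsing the Sync_ service account's userPrincipalName.
# Account name format as described in the thread: Sync_<netBIOSName>_<random>@<tenant>.onmicrosoft.com
# Assumptions: Microsoft.Graph.Users module installed; the suffix is alphanumeric.

function Get-SyncServerFromUpn {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # Greedy "(.+)" followed by backtracking to the LAST underscore keeps host names
    # that contain underscores intact; everything after that underscore is the suffix.
    $pattern = '^Sync_(?<Computer>.+)_(?<Suffix>[A-Za-z0-9]+)@(?<Tenant>[^@]+)$'
    if ($UserPrincipalName -match $pattern) {
        [pscustomobject]@{
            UserPrincipalName = $UserPrincipalName
            Computer          = $Matches.Computer
            Suffix            = $Matches.Suffix
            Tenant            = $Matches.Tenant
        }
    }
    # Non-matching UPNs (ordinary users) return nothing and are simply skipped by callers.
}

function Find-SyncServersInTenant {
    # Requires: Install-Module Microsoft.Graph.Users ; the calling identity needs User.Read.All
    Connect-MgGraph -Scopes 'User.Read.All'
    Get-MgUser -Filter "startsWith(userPrincipalName,'Sync_')" -All `
        -Property UserPrincipalName, DisplayName, AccountEnabled, CreatedDateTime |
        ForEach-Object {
            $parsed = Get-SyncServerFromUpn -UserPrincipalName $_.UserPrincipalName
            if ($parsed) {
                [pscustomobject]@{
                    Computer        = $parsed.Computer
                    SyncAccount     = $_.UserPrincipalName
                    AccountEnabled  = $_.AccountEnabled   # a disabled Sync_ account usually means a retired server
                    CreatedDateTime = $_.CreatedDateTime  # roughly when that Connect instance was installed
                }
            }
        }
}

# Offline demonstration on constructed sample UPNs (no real tenant data involved):
$sample = @(
    'Sync_AADC01_1a2b3c4d5e6f@contoso.onmicrosoft.com',
    'Sync_SYNC_SRV_02_0f9e8d7c6b5a@contoso.onmicrosoft.com',  # host name containing underscores -> SYNC_SRV_02
    'alice@contoso.onmicrosoft.com'                            # ordinary user, produces no output
)
$sample | ForEach-Object { Get-SyncServerFromUpn -UserPrincipalName $_ } | Format-Table -AutoSize

# Against a real tenant:
# Find-SyncServersInTenant | Format-Table -AutoSize
```

One caveat: the name embedded in the account is the server's name at installation time. If the server was renamed afterwards, or Connect was reinstalled on a new host while the old Sync_ account was left behind, the list will contain stale entries; the AccountEnabled and CreatedDateTime columns help separate those, and the sign-in log filter from Lain's reply confirms which account is actually authenticating today.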

  • micheleariis's avatar
    micheleariis
    Steel Contributor

    Hi, you can run this by pointing it at your servers.

    $servers = @("server1", "server2") # Replace with your server names

    foreach ($server in $servers) {
        Invoke-Command -ComputerName $server -ScriptBlock {
            Get-Service -Name ADSync -ErrorAction SilentlyContinue
        } | Select-Object PSComputerName, Status
    }


    If you want you can do this for all the servers in the domain; first install these:

    Install-WindowsFeature RSAT-AD-PowerShell


    # Import the Active Directory module
    Import-Module ActiveDirectory

    # Get all servers in the domain
    $servers = Get-ADComputer -Filter {OperatingSystem -Like "*Windows Server*"} |
        Select-Object -ExpandProperty Name

    # Check each server for the ADSync service
    foreach ($server in $servers) {
        try {
            # -ErrorAction Stop turns a failed WinRM connection into a terminating error,
            # which is what makes the catch block below actually run
            Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
                Get-Service -Name ADSync -ErrorAction SilentlyContinue
            } | Select-Object PSComputerName, Status
        } catch {
            Write-Host "Cannot connect to $server" -ForegroundColor Red
        }
    }

  • You can check the Azure AD Connect install or sync service with the following PS:


    Checked install


    $servers = "Server1", "Server2", "Server3" # Replace with your server names
    foreach ($server in $servers) {
        # Note: querying Win32_Product makes Windows Installer run a consistency check
        # (and possibly a repair) on every MSI package on the target, so it is slow and
        # writes to the event log; run it outside business hours or prefer the
        # Uninstall registry keys for a read-only check.
        $installedPrograms = Get-WmiObject -Class Win32_Product -ComputerName $server |
            Where-Object { $_.Name -like "*Azure AD Connect*" }
        # ${server} rather than $server: a bare "$server:" is parsed as a scope/drive qualifier
        if ($installedPrograms) {
            Write-Output "${server}: Azure AD Connect is installed."
        } else {
            Write-Output "${server}: Azure AD Connect is not installed."
        }
    }


    Check Sync service


    $servers = "Server1", "Server2", "Server3" # Replace with your server names
    foreach ($server in $servers) {
        # Get-Service -ComputerName uses RPC and exists in Windows PowerShell 5.1 only
        # (it was removed in PowerShell 7; use Invoke-Command there)
        $service = Get-Service -ComputerName $server -Name "ADSync" -ErrorAction SilentlyContinue
        if ($service) {
            # Report the actual state: a stopped ADSync service is still "found"
            Write-Output "${server}: Azure AD Connect Sync service is $($service.Status)."
        } else {
            Write-Output "${server}: Azure AD Connect Sync service is not found."
        }
    }
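The two on-prem approaches in the posts above (an ADSync service check and a Win32_Product install check) can be combined into one remote query that also reports something neither of them does: whether the instance found is the active one or a staging-mode standby, which Lain's earlier reply notes is the only way more than one Connect server can coexist. The following is an added example written for this thread, not code from the original posts. It assumes PowerShell remoting is enabled to the targets and that you hold local administrator rights there; it reads the product from the Uninstall registry keys instead of Win32_Product to avoid the MSI consistency-check side effects, and the DisplayName wildcards (Azure AD Connect / Entra Connect) are assumptions covering old and new product branding. Get-ADSyncScheduler is the ADSync module's cmdlet that exposes StagingModeEnabled and is only present on a Connect server.

```powershell
# Added example (not from the original thread): check a list of servers over WinRM for the
# ADSync service, the installed product (Uninstall registry keys, read-only), and whether the
# instance is in staging mode (Get-ADSyncScheduler from the ADSync module).
# Assumptions: PowerShell remoting enabled; local admin on the targets;
# product DisplayName matches "*Azure AD Connect*" or "*Entra Connect*".

function Test-AadConnectServer {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($server in $ComputerName) {
        try {
            Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
                $svc = Get-Service -Name ADSync -ErrorAction SilentlyContinue

                # Read-only install check via the Uninstall keys (64-bit and 32-bit views)
                $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
                $product = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
                    Where-Object { $_.DisplayName -like '*Azure AD Connect*' -or $_.DisplayName -like '*Entra Connect*' } |
                    Select-Object -First 1

                # Staging mode: only answerable where the ADSync module is installed
                $staging = $null
                if ($svc -and (Get-Module -ListAvailable -Name ADSync)) {
                    try {
                        Import-Module ADSync -ErrorAction Stop
                        $staging = (Get-ADSyncScheduler).StagingModeEnabled
                    } catch {
                        $staging = 'unknown'   # e.g. session not elevated
                    }
                }

                [pscustomobject]@{
                    Computer      = $env:COMPUTERNAME
                    Reachable     = $true
                    ServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'not installed' }
                    Product       = if ($product) { $product.DisplayName } else { $null }
                    Version       = if ($product) { $product.DisplayVersion } else { $null }
                    StagingMode   = $staging
                }
            } | Select-Object Computer, Reachable, ServiceStatus, Product, Version, StagingMode
        } catch {
            # -ErrorAction Stop above makes WinRM failures terminating, so unreachable
            # hosts are reported as a row rather than silently dropped
            [pscustomobject]@{
                Computer      = $server
                Reachable     = $false
                ServiceStatus = $null
                Product       = $null
                Version       = $null
                StagingMode   = $null
            }
        }
    }
}

# Usage: enumerate candidate servers from AD (needs RSAT-AD-PowerShell) and query them in one go.
# $servers = Get-ADComputer -Filter 'OperatingSystem -like "*Windows Server*"' |
#     Select-Object -ExpandProperty Name
# Test-AadConnectServer -ComputerName $servers |
#     Where-Object { -not $_.Reachable -or $_.ServiceStatus -ne 'not installed' } |
#     Format-Table -AutoSize
```

Keep the unreachable rows in the output rather than filtering them out: a server you cannot reach over WinRM is exactly where an undocumented Connect install can hide, so those hosts still need the manual check the original poster wanted to avoid.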
