When performing a migration of TFS users from one domain to another the TFSConfig Identities command allows you to migrate the user within TFS as specified here: https://www.visualstudio.com/en-us/docs/setup-admin/tfs/command-line/tfsconfig-cmd#identities

One caveat to using this command is that TFS cannot "know" about the new user account already. Once TFS "knows" about a user you can never remove it... and you cannot use TFSConfig Identities to migrate the old user to the new user within TFS.

By default the TFS job agent runs its AD sync on the hour. So if you are using AD groups to provision access... the account gets migrated over... and the TFS AD sync process runs, picking up the new user before you can run TFSConfig Identities, then you are hosed. The new account it picked up cannot be removed and you cannot run the TFSConfig Identities command to migrate the user over within TFS.

So, how do you turn off the AD Sync process within TFS? The answer is not readily available out there on the internet... hence this Q&A style post.

1 Answer

There is a web service interface and .NET assemblies which can be used to make changes to the jobs running in the TFS Background Agent. I found it easier to use PowerShell to load the .NET assemblies and work with the object model. Note that my assembly versions are 11.0.0.0 because I ran this using TFS 2013. The assembly versions are different in other TFS versions.

Prior to the AD account migration you should disable the AD sync job. On the TFS Application Tier server the PowerShell code needed to disable the AD sync job is...

[Reflection.Assembly]::Load("Microsoft.TeamFoundation.Client, Version=11.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
[Reflection.Assembly]::Load("Microsoft.TeamFoundation.Common, Version=11.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")

$TFSConfigurationServer = New-Object Microsoft.TeamFoundation.Client.TfsConfigurationServer(New-Object System.Uri("http://YourTFSServer:8080/tfs"))
$TFSJobService = $TFSConfigurationServer.GetService([Microsoft.TeamFoundation.Framework.Client.ITeamFoundationJobService])

<#
Team Foundation Server Periodic Identity Synchronization
544dd581-f72a-45a9-8de0-8cd3a5f29dfe
#>

# Look up the identity sync job by its well-known job ID. Keep the match in a
# separate variable so that, if the job is not found, we do not fall through
# and modify whichever job definition happened to be last in the query.
$Job = $null
foreach($Candidate in $TFSJobService.QueryJobs())
{
    if($Candidate.JobId -eq "544dd581-f72a-45a9-8de0-8cd3a5f29dfe") { $Job = $Candidate; break }
}
if($Job -eq $null) { throw "Periodic Identity Synchronization job not found" }

$CurrentJobState = $Job.EnabledState   # previous state, kept for reference
$NewState = [Microsoft.TeamFoundation.Framework.Common.TeamFoundationJobEnabledState]::FullyDisabled
$Job.EnabledState = $NewState
$TFSJobService.UpdateJob($Job)

After the user account migration you can run TFSConfig Identities to make the necessary updates within TFS. Then run more PowerShell to turn the AD Sync job back on...

[Reflection.Assembly]::Load("Microsoft.TeamFoundation.Client, Version=11.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
[Reflection.Assembly]::Load("Microsoft.TeamFoundation.Common, Version=11.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")

$TFSConfigurationServer = New-Object Microsoft.TeamFoundation.Client.TfsConfigurationServer(New-Object System.Uri("http://YourTFSServer:8080/tfs"))
$TFSJobService = $TFSConfigurationServer.GetService([Microsoft.TeamFoundation.Framework.Client.ITeamFoundationJobService])

<#
Team Foundation Server Periodic Identity Synchronization
544dd581-f72a-45a9-8de0-8cd3a5f29dfe
#>

# Same lookup as before: match on the job ID and fail if it is not present.
$Job = $null
foreach($Candidate in $TFSJobService.QueryJobs())
{
    if($Candidate.JobId -eq "544dd581-f72a-45a9-8de0-8cd3a5f29dfe") { $Job = $Candidate; break }
}
if($Job -eq $null) { throw "Periodic Identity Synchronization job not found" }

$CurrentJobState = $Job.EnabledState   # previous state, kept for reference
$NewState = [Microsoft.TeamFoundation.Framework.Common.TeamFoundationJobEnabledState]::Enabled
$Job.EnabledState = $NewState
$TFSJobService.UpdateJob($Job)

One other useful item is that you can view the status of the most recent run of the AD sync job using the QueryLatestJobHistory method.

$TFSJobService.QueryLatestJobHistory("544dd581-f72a-45a9-8de0-8cd3a5f29dfe")

Note that it won't run again until the top of the hour after it's been re-enabled.
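The disable/migrate/re-enable procedure above, wrapped as a guarded function (added example, not code from the answer): it refuses to touch any job other than the one matched by ID, and re-reads the job definition after UpdateJob to confirm the state actually changed before you proceed with the migration. It assumes the same TFS 2013 object model and 11.0.0.0 assembly versions the answer uses; the server URL is a placeholder and the function names are my own.

```powershell
# Added example: guarded wrapper around the TFS job service calls from the answer.
[Reflection.Assembly]::Load("Microsoft.TeamFoundation.Client, Version=11.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a") | Out-Null
[Reflection.Assembly]::Load("Microsoft.TeamFoundation.Common, Version=11.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a") | Out-Null

# Well-known ID of "Team Foundation Server Periodic Identity Synchronization" (from the answer).
$IdentitySyncJobId = [Guid]"544dd581-f72a-45a9-8de0-8cd3a5f29dfe"

function Get-TfsJobService([string]$ServerUrl) {
    $server = New-Object Microsoft.TeamFoundation.Client.TfsConfigurationServer(New-Object System.Uri($ServerUrl))
    $server.EnsureAuthenticated()
    return $server.GetService([Microsoft.TeamFoundation.Framework.Client.ITeamFoundationJobService])
}

function Get-TfsJobDefinition($JobService, [Guid]$JobId) {
    # Match strictly on JobId; never return "whatever job came last".
    $job = $JobService.QueryJobs() | Where-Object { $_.JobId -eq $JobId }
    if (-not $job) { throw "Job $JobId not found; refusing to modify any other job definition." }
    return $job
}

function Set-TfsJobEnabledState($JobService, [Guid]$JobId, [string]$StateName) {
    $enumType = [Microsoft.TeamFoundation.Framework.Common.TeamFoundationJobEnabledState]
    $wanted = [Enum]::Parse($enumType, $StateName)   # "FullyDisabled" or "Enabled"
    $job = Get-TfsJobDefinition $JobService $JobId
    $previous = $job.EnabledState
    $job.EnabledState = $wanted
    $JobService.UpdateJob($job) | Out-Null
    # Verify against the server, not the local object, before trusting the change.
    $actual = (Get-TfsJobDefinition $JobService $JobId).EnabledState
    if ($actual -ne $wanted) { throw "Job $JobId reports '$actual' after update, expected '$wanted'." }
    Write-Host "Job $JobId state changed: $previous -> $actual"
}

# Usage (placeholder server URL):
$svc = Get-TfsJobService "http://YourTFSServer:8080/tfs"
Set-TfsJobEnabledState $svc $IdentitySyncJobId "FullyDisabled"
# ... perform the AD account migration and run TFSConfig Identities here ...
Set-TfsJobEnabledState $svc $IdentitySyncJobId "Enabled"
```

Run the disable step, confirm it prints the FullyDisabled transition, and only then start the account migration; the re-enable step is the last thing you run.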