- Article
Judgement
Taking sync errors a step further, Azure Active Directory (Azure AD) introduces Connect Health self-service recovery. Fixes duplicate attribute synchronization errors and fixes objects left outside Azure AD. The diagnostic function has the following advantages:
- Provides a diagnostic procedure that mitigates sync errors with duplicate attributes. And provides specific solutions.
- A workaround is applied for Azure AD mapped scenarios to resolve the error in one step.
- No upgrade or configuration is required to enable this feature. For more information, see Azure ADIdentity synchronization and duplicate attribute resistance.
Issues
A common scenario
WhenQuarantinedAttributeValueMustBeUniqueiAttributeValueMustBeUniquesynchronization errors occur, it is common to have aUserPrincipalNameofProxy adresconflict in Azure AD. You can resolve synchronization errors by locally updating the conflicting source object. The synchronization error will be resolved after the next synchronization. For example, this image shows two users having a conflict of their ownUserPrincipalName. They both areJoe.J@contoso.com. Conflicting objects are quarantined in Azure AD.
Abandoned facility scenario
Occasionally an existing user may loseOrigin Sidro. A deletion of the source object has occurred in the local Active Directory. But the delete signal change is never synced to Azure AD. This loss occurs for reasons such as problems with the synchronization mechanism or domain migration. When the same object is restored or recreated, logically the existing user should be the user to sync withOrigin Sidro.
When the existing user is a cloud-only object, you can also see that the conflicting user is synced to Azure AD. The user cannot be synchronized with an existing object. There is no direct way to reassignOrigin Sidro. See more aboutexisting knowledge base.
For example, an existing object in Azure AD stores Joe's license. A new synchronized object with anotherOrigin Sidroit shows up in the duplicate attribute state in Azure AD. Changes to Joe in the on-premises Active Directory are not applied to Joe's original user (existing object) in Azure AD.
Steps for diagnosis and troubleshooting in Connect Health
The diagnostics support user objects with the following duplicate attributes:
| Attribute name | Types of sync errors |
|---|---|
| UserPrincipalName | QuarantinedAttributeValueMustBeUnique of AttributeValueMustBeUnique |
| ProxyAdressen | QuarantinedAttributeValueMustBeUnique of AttributeValueMustBeUnique |
| SipProxyAdres | AttributeValueMustBeUnique |
| OnPremiseSecurityIdentifier | AttributeValueMustBeUnique |
Important
To access this feature,Global adminpermission, orAssociateAzure RBAC permission is required.
Follow the steps from the Azure portal to narrow down the sync error details and provide more specific solutions:
In the Azure portal, take a few steps to identify specific scenarios that can be resolved:
- To look atDetermine the statuscolumn. The status indicates whether there is a possible way to correct the sync error directly from Azure Active Directory. In other words, there is a troubleshooting flow that can reduce and potentially fix the number of errors.
| State | What does that mean? |
|---|---|
| Not started | You have not visited this diagnostic procedure. Depending on the diagnostic result, there is a possible way to resolve the sync error directly from the portal. |
| Manual repair required | The error does not match the portal's available fixes criteria. The conflicting object types are not users or you have already gone through the diagnostic steps and no remediation solution was available in the portal. In the latter case, local repair is still one of the solutions.Read more about local repairs. |
| Sync pending | A correction has been applied. The portal waits for the next sync cycle to clear the error. |
Important
The diagnostic status column is cleared after each synchronization cycle.
To electDiagnoseunder the error details. You answer several questions and identify the details of the sync error. The answers to the questions help to identify the object's abandoned trunk.
I'm aClose tobutton appears at the end of the diagnosis, there are no quick fixes available on the portal based on your answers. See the solution shown in the last step. Local repairs are still the solution. To electClose toknob. The current synchronization error status changes toManual repair required. The state is maintained during the current synchronization cycle.
Once an abandoned object case is identified, you can resolve duplicate attribute sync errors directly from the portal. Select to start the processApply the solutionknob. The status of the current sync error is updated toSync pending.
After the next synchronization cycle, the error should be removed from the list.
How to answer questions about diagnosis
Is there a user in your local active directory?
This question attempts to identify the source object of an existing user from the local Active Directory.
- Verify that Azure Active Directory has an object with the specifiedUserPrincipalName. If not, please replyAnd.
- If so, make sure the object is still in range for sync.
- Search the Azure AD connector space by DN.
- If the object is found inAddition pendingcondition, answerAnd. Azure AD Connect cannot link the object to a real Azure AD object.
- If the item is not found, you can respondIn.
In these examples, the question attempts to determine whetherJo Jacksonstill exists in the local Active Directory.Forcommon scenario, both usersJo JohnsoniJo Jacksonexist in the local Active Directory. Quarantined objects are two different users.
Fororphan object scenario, only one userJo Johnsonis present in the local Active Directory:
Are both accounts of the same user?
This question checks the incoming conflicting user and an existing user object in Azure AD to see if they belong to the same user.
- The conflicting object was recently synchronized with Azure Active Directory. Compare object attributes:
- Display name
- UserPrincipalName of SignInName
- ID-object
- If Azure AD doesn't match, check if Active Directory has the objects listedUserPrincipalNamen. AnswerAndif you find both.
In the following example, two objects belong to the same userJo Johnson.
What happens after applying a fix in an abandoned facility scenario
Based on the answers to the previous questions, you will seeApply the solutionbutton when a solution is available from Azure AD. In this case, the on-premises object is synchronized with an unexpected Azure AD object. Two objects are mapped usingOrigin Sidro. OfApply the solutionchange takes these or similar steps:
- It's being updatedOrigin Sidroto the correct object in Azure AD.
- Deletes the conflicting object in Azure AD, if any.
Important
OfApply the solutionthe change only applies to cases of abandoned objects.
After the previous steps, the user can access the original resource, which is a link to an existing objectDetermine the statusthe value in the list view is updated toSync pending.The synchronization error will be resolved after the next synchronization. Connect Health no longer displays a resolved sync error in the list view.
Malfunctions and error messages
A user with a conflicting attribute is temporarily deleted in Azure Active Directory. Make sure the user is permanently deleted before trying again.
The user with the conflicting attribute in Azure AD must be cleaned up before you can apply the fix. To look athow to permanently delete a user in azure ADbefore attempting the repair again. The user is also automatically permanently deleted after 30 days in a soft-delete state.
Updating the source anchor to a cloud-based user in your tenant is not supported.
A cloud user in Azure AD should not have a resource anchor. Updating source anchors is not supported in this case. Manual repair required on site.
The repair process was unable to update the values.Specific settings such asUserWriteback in Azure AD Connectnot supported. Turn off in settings.
To ask
Q.What happens when the executionApply the solutionfailed?
A.If the run fails, Azure AD Connect may throw an export error. Refresh the portal page and try again after the next sync. The default sync cycle is 30 minutes.
Q.What ifexisting objectmust be an object to delete?
A.Asexisting objectmust be removed, the process does not involve any changeOrigin Sidro. You can usually resolve this from your local Active Directory.
Q.What privileges does the user need to apply the fix?
A. Global admin, ofAssociateof Azure RBAC, has permission to access the diagnostics and troubleshooting process.
Q.Do I need to configure Azure AD Connect or update the Azure AD Connect health agent for this feature?
A.No, the diagnostics process is a full cloud-based feature.
Q.If an existing object is temporarily removed, will the diagnostic process make the object active again?
A.No, the fix will not update the object's attributes exceptOrigin Sidro.
FAQs
How do I check sync errors in Azure AD Connect? ›
Sign in to the Microsoft 365 admin center with a global administrator account. On the Home page, you'll see the User management card. On the card, choose Sync errors under Azure AD Connect to see the errors on the Directory sync errors page.
How to fix sync errors detected on your Azure AD Connect service? ›Start the Azure AD Connect wizard. Go to Additional Tasks > Troubleshoot, and then select Next. On the Troubleshooting page, select Launch to start the troubleshooting menu in PowerShell. In the main menu, select Troubleshoot Object Synchronization.
How do I check my Azure AD sync health? ›- In the Azure portal, search for and select Azure AD Domain Services.
- Select your managed domain, such as aaddscontoso.com.
- On the left-hand side of the Azure AD DS resource window, select Health.
Open the Azure AD Connect wizard, choose Tasks, and then choose Customize synchronization options. Sign in as an Azure AD Global Administrator. On the Optional Features page, select Directory extension attribute sync. Select the attribute(s) you want to extend to Azure AD.
How to monitor synchronization events generated by Azure AD Connect? ›Azure AD Connect Health Performance Monitoring provides monitoring information on metrics. Selecting the Monitoring box, opens a new blade with detailed information on the metrics. By selecting the Filter option at the top of the blade, you can filter by server to see an individual server's metrics.
How do I check synchronization status? ›Sign in to the Microsoft 365 admin center and choose DirSync Status on the home page. Alternately, you can go to Users > Active users, and on the Active users page, select the Elipse > Directory synchronization.
How do I force a sync in Azure AD Connect? ›- Open Azure AD Connect.
- Open Manage Azure AD cloud sync.
- Select your configuration (domain)
- Click Start or Restart Sync.
Response status code doesn't indicate success: 401 (Unauthorized). Azure AD Sync service account credentials are expired. You can repair the cloud service account by following the instructions at https://go.microsoft.com/fwlink/?linkid=2150988.
Why do I keep getting a sync error? ›Ensure you have an active internet connection
One of the first things that trigger the "Sync is currently experiencing problem" notification on Android is a poor internet connection. Your phone needs an active internet connection to sync information across your accounts.
How do I check my AD replication status? Running the repadmin /showrepl can help you view the replication status. If you would like an overall replication health summary, the command repadmin /replsummary should help.
How do I check Azure AD Sync logs? ›
You can find these trace logs in the following folder: C:\ProgramData\Microsoft\Azure AD Connect Provisioning Agent\Trace.
How do I get ad sync logs? ›1) On the server you wish to view logs for (AD Master or AD Slaves), open Windows Explorer and navigate to ADSync's log folder. By default this will be C:\Program Files (x86)\Exchange2010ADSync\ADSyncService\logs\gui. 2) Open the log file of your choice by double-clicking on it.
How to add the required attributes in the Directory server to proceed with the sync? ›- In the Workspace ONE Access console, select Settings > User Attributes.
- In the Default Attributes column, review the required attribute list and make changes, if necessary.
- In the Custom Attributes column, add other attributes to sync to the directory, if necessary.
- Click Save.
By default, the sync is one way: from on-premises AD to Azure AD. However, you can configure the writeback function to sync changes from Azure AD back to your on-premises AD.
Does Azure AD Connect support syncing from two domains to an Azure AD? ›Having more than one Azure AD Connect sync server connected to a single Azure AD tenant is not supported. The exception is the use of a staging server.
What is the difference between DirSync Azure AD Sync and Azure AD Connect? ›DirSync always used the proxy server that was configured for the user who installed it, but Azure AD Connect uses machine settings instead. URLs required to be open in the proxy server: For basic scenarios that were also supported by DirSync, the requirements are the same.
How often does Azure AD Sync Sync? ›How Often? Once every 30 minutes, the Azure AD synchronization is triggered, unless it is still processing the last run. Runs generally take less than 10 minutes, but if we need to replace the tool, it can take 2-3 days to get into synchronicity.
What gets synced in Azure AD Connect? ›Azure AD Connect is used to synchronize user accounts, group memberships, and credential hashes from an on-premises AD DS environment to Azure AD. Attributes of user accounts such as the UPN and on-premises security identifier (SID) are synchronized.
How do I troubleshoot sync? ›Try switching off the device, resetting it or removing the battery, then trying again. Make sure you are using the manufacturer's cable. Make sure you correctly insert the USB cable in to the device and your vehicle's USB port. Make sure that the device does not have an auto-install program or active security settings.
How do I fix synchronization? ›- Open your phone's Settings app.
- Tap About phone Google Account. Account sync. If you have more than one account on your phone, tap the one you want to sync.
- Tap More. Sync now.
How do I start sync sync cycle command? ›
If you need to manually run a sync cycle, then from PowerShell run Start-ADSyncSyncCycle -PolicyType Delta . To initiate a full sync cycle, run Start-ADSyncSyncCycle -PolicyType Initial from a PowerShell prompt.
How do I restart Azure AD Connect sync? ›Go to Windows Service Control Manager (START → Services). Select Microsoft Azure AD Sync and click Restart.
What is the object sync limit for Azure AD Connect? ›An Azure AD tenant allows, by default, 50,000 objects. When you verify your domain, the limit increases to 300,000 objects. If you need even more objects in Azure AD, open a support case to have the limit increased even further.
What is the name of the Azure AD Sync service? ›The Microsoft Azure AD Sync synchronization service (ADSync) runs on a server in your on-premises environment. The credentials for the service are set by default in the Express installations but may be customized to meet your organizational security requirements.
How do I overcome a 401 error? ›- Confirm the URL Is Correct. This might sound obvious, but the 401 error code might appear if the user entered the wrong URL in the browser's address bar. ...
- Clear User End Issues. ...
- Check Authentication Credentials. ...
- Disable Password Protection. ...
- Troubleshoot the Code.
The 401 error code appears when the client's web browser fails to receive resources from a web server due to a lack of or invalid authentication information. On the other hand, the 403 Forbidden Error indicates that the server has received the request but won't provide access to a specific part of the website.
What is the role of Azure Active Directory Connect Health? ›Azure Active Directory (Azure AD) Connect Health provides robust monitoring of your on-premises identity infrastructure. It enables you to maintain a reliable connection to Microsoft 365 and Microsoft Online Services. This reliability is achieved by providing monitoring capabilities for your key identity components.
How do I get rid of synchronization error? ›- Check Your Internet Connection.
- Refresh Your Google Drive App.
- Force Stop and Relaunch Google Drive.
- Ensure Google Drive Can Sync Files on Cellular Data.
- Restart Your Android Phone to Get Rid of the Drive Sync Error.
The synchronization issues folders contain logs and items that Microsoft Outlook has been unable to synchronize with your email or SharePoint servers. Having messages in these folders is a normal function of Outlook as they are error checking mechanisms that the program uses to sync your email to email services.
How do I troubleshoot Active Directory replication issues? ›- Download and run the Microsoft Support and Recovery Assistant tool OR Run AD Status Replication Tool on the DCs.
- Read the replication status in the repadmin /showrepl output. Repadmin is part of Remote Server Administrator Tools (RSAT).
What causes AD replication errors? ›
Active Directory replication problems can have several different sources. For example, Domain Name System (DNS) problems, networking issues, or security problems can all cause Active Directory replication to fail.
How to do replicate testing? ›A replication experiment is typically performed by obtaining test results on 20 samples of the same material and then calculating the mean, standard deviation, and coefficient of variation. The purpose is to observe the variation expected in a test result under the normal operating conditions of the laboratory.
Where are Azure AD Connect sync logs? ›You can find these trace logs in the following folder: C:\ProgramData\Microsoft\Azure AD Connect Provisioning Agent\Trace.
How do I view Azure error logs? ›You can access the activity log from most menus in the Azure portal. The menu that you open it from determines its initial filter. If you open it from the Monitor menu, the only filter is on the subscription. If you open it from a resource's menu, the filter is set to that resource.
How do I check for Azure AD Connect update? ›On your Windows Server, click Start > Control Panel > Programs and Features. Under the list of installed programs, look for Microsoft Azure AD connect. Look for the version column to determine the Azure AD Connect version.
What is the command to force Active Directory sync? ›To force Active Directory replication run the command 'repadmin /syncall /AeD' on the domain controller. Run this command on the domain controller in which you wish to update the Active Directory database. For example, if DC2 is out of Sync, run the command on DC2.
How do I force my computer to sync with Active Directory? ›Select Options > User/Group Sync. The User/Group Sync page is displayed. In the Sync Source area, in Primary sync source, select Windows Active Directory.
How do I add additional attributes to Active Directory? ›Add the Active Directory Schema snap-in, click Add, then click OK. Click Attributes, then right-click and select Create Attribute: Acknowledge the Schema Object Creation alert by clicking Continue.
What is the difference between initial sync and Delta Sync? ›Delta sync is faster than the initial sync, but it checks the whole data of the protected disk.
What is the minimum sync interval for Azure AD Connect? ›By default, Azure AD Connect sets up a regular synchronization schedule during installation. The sync interval is every 30 minutes.
Is Azure AD Connect outdated? ›
As of August 31, 2022, all 1. x versions of Azure AD Connect are retired because they include SQL Server 2012 components that will no longer be supported. Upgrade to the most recent version of Azure AD Connect (2. x version) by that date or evaluate and switch to Azure AD cloud sync.
Can I sync multiple domains to Azure AD? ›Yes, you can sync users from multiple domains, in multiple forests to single Azure AD tenant.
How do I sync users from a second domain using AD Connect? ›- Launch Azure AD Connect from the desktop or start menu.
- Choose “Add an additional Azure AD Domain”
- Enter your Azure AD and Active Directory credentials.
- Select the second domain you wish to configure for federation.
- Click Install.
By default every 30 minutes a synchronization cycle is run. If you have modified the synchronization cycle you will need to make sure that a synchronization cycle is run at least once every 7 days. A delta sync needs to happen within 7 days from the last delta sync.
What is the Active Directory Sync tool to Azure? ›The Azure Active Directory Connect synchronization services (Azure AD Connect sync) is a main component of Azure AD Connect. It takes care of all the operations that are related to synchronize identity data between your on-premises environment and Azure AD.
Where is Azure AD Sync service? ›You start the Synchronization Service Manager UI from the start menu. It is named Synchronization Service and can be found in the Azure AD Connect group.
What is the difference between Delta Sync and full sync in Azure AD Connect? ›Azure Active Directory Sync. There are two types of sync in Azure Active Directory Connect: delta sync and full sync. A delta syncs synchronizes only the latest changes while a full sync is only necessary when changing Azure AD Connect configuration.
How often does Azure AD Connect sync? ›How Often? Once every 30 minutes, the Azure AD synchronization is triggered, unless it is still processing the last run. Runs generally take less than 10 minutes, but if we need to replace the tool, it can take 2-3 days to get into synchronicity.
How do I update my AD sync connect? ›If you want to install a newer version of Azure AD Connect: close the Azure AD Connect wizard, uninstall the existing Azure AD Connect, and perform a clean install of the newer Azure AD Connect.
How to totally stop Azure AD sync after Directory sync stopped? ›- Start Windows PowerShell as administrator.
- Install and connect to Azure AD.
- Check the Azure AD directory synchronization is enabled and that it shows the value True.
- Turn off directory synchronization and convert your synchronized users to cloud-only.