Azure AD Connect cloud sync troubleshooting - Microsoft Entra (2023)


Cloud sync has many different dependencies and interactions, which can give rise to various problems. This article helps you troubleshoot these problems. It introduces the typical areas for you to focus on, how to gather additional information, and the various techniques you can use to track down problems.

Agent problems

When you troubleshoot agent problems, you verify that the agent was installed correctly, and that it communicates with Azure Active Directory (Azure AD). In particular, some of the first things that you want to verify with the agent are:

  • Is it installed?
  • Is the agent running locally?
  • Is the agent in the portal?
  • Is the agent marked as healthy?

You can verify these items in the Azure portal and on the local server that's running the agent.

Azure portal agent verification

To verify that Azure detects the agent, and that the agent is healthy, follow these steps:

  1. Sign in to the Azure portal.

  2. On the left, select Azure Active Directory > Azure AD Connect. In the center, select Manage sync.

  3. On the Azure AD Connect cloud sync screen, select Review all agents.

  4. On the On-premises provisioning agents screen, you see the agents you've installed. Verify that the agent in question is there. If all is well, you will see the active (green) status for the agent.

Verify the required open ports

Verify that the Azure AD Connect provisioning agent can communicate with Azure datacenters. If there's a firewall in the path, make sure that the following ports are open for outbound traffic:

Port number | How it's used
80 | Downloading certificate revocation lists (CRLs) while validating the TLS/SSL certificate.
443 | Handling all outbound communication with the Application Proxy service.

If your firewall enforces traffic according to originating users, also open ports 80 and 443 for traffic from Windows services that run as a network service.

Allow access to URLs

Allow access to the following URLs:

  • Port 443/HTTPS, used for communication between the connector and the Application Proxy cloud service:
    • *.msappproxy.net
    • *.servicebus.windows.net
  • Port 80/HTTP, used by the connector to verify certificates:
    • crl3.digicert.com
    • crl4.digicert.com
    • ocsp.digicert.com
    • crl.microsoft.com
    • oneocsp.microsoft.com
    • ocsp.msocsp.com
  • Port 443/HTTPS, used by the connector during the registration process:
    • login.windows.net
    • secure.aadcdn.microsoftonline-p.com
    • *.microsoftonline.com
    • *.microsoftonline-p.com
    • *.msauth.net
    • *.msauthimages.net
    • *.msecnd.net
    • *.msftauth.net
    • *.msftauthimages.net
    • *.phonefactor.net
    • enterpriseregistration.windows.net
    • management.azure.com
    • policykeyservice.dc.ad.msft.net
    • ctldl.windowsupdate.com
    • www.microsoft.com/pkiops
  • Port 80/HTTP, used by the connector during the registration process:
    • ctldl.windowsupdate.com

You can allow connections to *.msappproxy.net, *.servicebus.windows.net, and the other preceding URLs if your firewall or proxy lets you configure access rules based on domain suffixes. If not, you need to allow access to the Azure IP ranges and service tags - public cloud. The IP ranges are updated each week.

Important

Avoid all forms of inline inspection and termination on outbound TLS communications between Azure AD Application Proxy connectors and Azure AD Application Proxy cloud services.

DNS name resolution for Azure AD Application Proxy endpoints

Public DNS records for Azure AD Application Proxy endpoints are chained CNAME records, pointing to an A record. This ensures fault tolerance and flexibility. It’s guaranteed that the Azure AD Application Proxy connector always accesses host names with the domain suffixes *.msappproxy.net or *.servicebus.windows.net.

However, during name resolution, the CNAME chain might contain DNS records with different host names and suffixes. Because of this, you must ensure that the device can resolve every record in the chain and can connect to the resolved IP addresses. Because the DNS records in the chain might change from time to time, we can't provide you with a list of those DNS records.
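As an added example (not code from the original article or the product), the following PowerShell checks that the agent host can resolve the concrete endpoints from the allow-list above, prints the CNAME chain so you can see which names the firewall must also allow, and tests TCP reachability on the listed port. It assumes the DnsClient and NetTCPIP modules that ship with Windows Server; wildcard entries such as *.msappproxy.net are omitted because a wildcard cannot be resolved or connected to until you know a concrete host name.

```powershell
# Added example, not code from the original article or the product.
# Concrete endpoint names and ports are taken from the allow-list above;
# wildcard entries (*.msappproxy.net, *.servicebus.windows.net, ...) are omitted.
$endpoints = @(
    @{ HostName = 'login.windows.net';                  Port = 443 },
    @{ HostName = 'enterpriseregistration.windows.net'; Port = 443 },
    @{ HostName = 'management.azure.com';               Port = 443 },
    @{ HostName = 'policykeyservice.dc.ad.msft.net';    Port = 443 },
    @{ HostName = 'ctldl.windowsupdate.com';            Port = 443 },
    @{ HostName = 'ctldl.windowsupdate.com';            Port = 80  },
    @{ HostName = 'crl3.digicert.com';                  Port = 80  },
    @{ HostName = 'crl4.digicert.com';                  Port = 80  },
    @{ HostName = 'ocsp.digicert.com';                  Port = 80  },
    @{ HostName = 'crl.microsoft.com';                  Port = 80  },
    @{ HostName = 'oneocsp.microsoft.com';              Port = 80  },
    @{ HostName = 'ocsp.msocsp.com';                    Port = 80  }
)

function Test-CloudSyncEndpoint {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] [int]    $Port
    )

    # Resolve-DnsName returns the whole chain: the CNAME hops first, then the
    # final A records. Every name in that chain must be resolvable and allowed.
    $records = Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue
    if (-not $records) {
        return [pscustomobject]@{ HostName = $HostName; Port = $Port; Dns = 'FAIL'; Chain = ''; Tcp = 'SKIPPED' }
    }
    $cnames = @($records | Where-Object { $_.Type -eq 'CNAME' } | ForEach-Object { $_.NameHost })
    $ips    = @($records | Where-Object { $_.Type -eq 'A' }     | ForEach-Object { $_.IPAddress })
    $chain  = (@($HostName) + $cnames + @($ips -join ',')) -join ' -> '

    # Plain TCP reachability on the port. This does not validate TLS, so a proxy
    # that intercepts TLS (which the Important note above says to avoid) can pass
    # here and still fail at registration time.
    $tcp = Test-NetConnection -ComputerName $HostName -Port $Port -WarningAction SilentlyContinue
    $tcpResult = if ($tcp.TcpTestSucceeded) { 'OK' } else { 'FAIL' }

    [pscustomobject]@{ HostName = $HostName; Port = $Port; Dns = 'OK'; Chain = $chain; Tcp = $tcpResult }
}

$results = foreach ($e in $endpoints) { Test-CloudSyncEndpoint -HostName $e.HostName -Port $e.Port }
$results | Format-Table -AutoSize -Wrap

# Anything marked FAIL needs a DNS, proxy or firewall fix before agent
# registration can succeed.
$failed = @($results | Where-Object { $_.Dns -eq 'FAIL' -or $_.Tcp -eq 'FAIL' })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) endpoint check(s) failed on this host."
}
```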

On the local server

To verify that the agent is running, follow these steps:

  1. On the server with the agent installed, open Services. Do this by going to Start > Run > Services.msc.

  2. Under Services, make sure Microsoft Azure AD Connect Agent Updater and Microsoft Azure AD Connect Provisioning Agent are there. Also confirm that their status is Running.

Common agent installation problems

The following sections describe some common agent installation problems, and typical resolutions of those problems.

Agent failed to start

You might receive an error message that states:

Service 'Microsoft Azure AD Connect Provisioning Agent' failed to start. Verify that you have sufficient privileges to start the system services.

This problem is typically caused by a group policy. The policy prevented permissions from being applied to the local NT Service sign-in account created by the installer (NT SERVICE\AADConnectProvisioningAgent). These permissions are required to start the service.

To resolve this problem, follow these steps:

  1. Sign in to the server with an administrator account.

  2. Open Services by going to Start > Run > Services.msc.

  3. Under Services, double-click Microsoft Azure AD Connect Provisioning Agent.

  4. On the Log On tab, change This account to a domain admin. Then restart the service.

Agent times out or certificate isn't valid

You might get an error message about a timeout or an invalid certificate when you attempt to register the agent.

This problem is usually caused by the agent being unable to connect to the hybrid identity service. To resolve this problem, configure an outbound proxy.

The provisioning agent supports the use of an outbound proxy. You can configure it by editing the following agent .config file: C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\AADConnectProvisioningAgent.exe.config.

Add the following lines into it, toward the end of the file, just before the closing </configuration> tag. Replace the variables [proxy-server] and [proxy-port] with your proxy server name and port values.

    <system.net>
      <defaultProxy enabled="true" useDefaultCredentials="true">
        <proxy usesystemdefault="true" proxyaddress="http://[proxy-server]:[proxy-port]" bypassonlocal="true" />
      </defaultProxy>
    </system.net>

Agent registration fails with security error

You might get an error message when you install the cloud provisioning agent. This problem is typically caused by the agent being unable to run the PowerShell registration scripts, due to local PowerShell execution policies.

To resolve this problem, change the PowerShell execution policies on the server. You need to have machine and user policies set as Undefined or RemoteSigned. If they're set as Unrestricted, you'll see this error. For more information, see PowerShell execution policies.
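The three local checks described above (the agent services being present and running, the outbound proxy entry in the agent .exe.config, and the PowerShell execution policy scopes) can be run together with the following PowerShell. This is an added example, not code from the article or the product; it assumes the default install path quoted above and the service display names shown in the Services console.

```powershell
# Added example, not code from the original article or the product.
# Run in an elevated PowerShell session on the server that hosts the agent.
$agentConfig = 'C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\AADConnectProvisioningAgent.exe.config'

function Test-AgentServices {
    # Both services must exist and be Running (see "On the local server" above).
    foreach ($display in 'Microsoft Azure AD Connect Agent Updater',
                         'Microsoft Azure AD Connect Provisioning Agent') {
        $svc   = Get-Service -DisplayName $display -ErrorAction SilentlyContinue
        $state = if ($svc) { "$($svc.Status)" } else { 'NOT INSTALLED' }
        [pscustomobject]@{ Check = "Service: $display"; Result = $state; Ok = ($state -eq 'Running') }
    }
}

function Test-AgentProxyConfig {
    # Reports whether the <system.net><defaultProxy> block from the proxy section
    # above is present in the agent config, and which address it points at.
    if (-not (Test-Path -Path $agentConfig)) {
        return [pscustomobject]@{ Check = 'Agent .exe.config'; Result = 'file not found'; Ok = $false }
    }
    [xml]$cfg = Get-Content -Path $agentConfig -Raw
    $proxy = $cfg.configuration.'system.net'.defaultProxy.proxy
    if ($proxy -and $proxy.proxyaddress) {
        $result = "outbound proxy: $($proxy.proxyaddress)"
    } else {
        $result = 'no outbound proxy configured (fine only if the host has direct egress)'
    }
    [pscustomobject]@{ Check = 'Agent .exe.config'; Result = $result; Ok = $true }
}

function Test-AgentExecutionPolicy {
    # Registration requires MachinePolicy and UserPolicy to be Undefined or
    # RemoteSigned; these two scopes come from Group Policy, not Set-ExecutionPolicy.
    foreach ($p in Get-ExecutionPolicy -List) {
        $scope = "$($p.Scope)"
        if ($scope -notin 'MachinePolicy', 'UserPolicy') { continue }
        $policy = "$($p.ExecutionPolicy)"
        [pscustomobject]@{
            Check  = "ExecutionPolicy ($scope)"
            Result = $policy
            Ok     = ($policy -in 'Undefined', 'RemoteSigned')
        }
    }
}

$report = @(Test-AgentServices) + @(Test-AgentProxyConfig) + @(Test-AgentExecutionPolicy)
$report | Format-Table -AutoSize -Wrap
if ($report | Where-Object { -not $_.Ok }) {
    Write-Warning 'At least one agent preflight check failed; see the Result column.'
}
```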

Log files

By default, the agent emits minimal error messages and stack trace information. You can find these trace logs in the following folder: C:\ProgramData\Microsoft\Azure AD Connect Provisioning Agent\Trace.

To gather additional details for troubleshooting agent-related problems, follow these steps.

  1. Install the AADCloudSyncTools PowerShell module.
  2. Use the Export-AADCloudSyncToolsLogs PowerShell cmdlet to capture the information. You can use the following options to fine-tune your data collection.
    • SkipVerboseTrace to only export current logs without capturing verbose logs (default = false).
    • TracingDurationMins to specify a different capture duration (default = 3 minutes).
    • OutputPath to specify a different output path (default = user’s Documents folder).

Object synchronization problems

In the Azure portal, you can use provisioning logs to help track down and troubleshoot object synchronization problems. To view the logs, select Logs.

Provisioning logs provide a wealth of information on the state of the objects being synchronized between your on-premises Active Directory environment and Azure.

You can filter the view to focus on specific problems, for example by date. Double-click an individual event to see additional information.

This information shows the detailed steps taken and where in the process the synchronization problem occurs. In this way, you can pinpoint the exact spot of the problem.

Provisioning quarantined problems

Cloud sync monitors the health of your configuration, and places unhealthy objects in a quarantine state. If most or all of the calls made against the target system consistently fail because of an error (for example, invalid admin credentials), the sync job is marked as in quarantine.

By selecting the status, you can see additional information about the quarantine. You can also obtain the error code and message.

Right-clicking on the status will bring up additional options to:

  • View the provisioning logs.
  • View the agents.
  • Clear the quarantine.

Resolve a quarantine

There are two different ways to resolve a quarantine. You can clear the quarantine, or you can restart the provisioning job.

Clear the quarantine

To clear the watermark and run a delta sync on the provisioning job after you have verified it, simply right-click on the status and select Clear quarantine.

You should see a notice that the quarantine is clearing.

Then you should see the status on your agent as healthy.

Restart the provisioning job

Use the Azure portal to restart the provisioning job. On the agent configuration page, select Restart sync.

Alternatively, you can use Microsoft Graph to restart the provisioning job. You have full control over what you restart. You can choose to clear:

  • Escrows, to restart the escrow counter that accrues toward quarantine status.
  • Quarantine, to remove the application from quarantine.
  • Watermarks.

Use the following request:

POST /servicePrincipals/{id}/synchronization/jobs/{jobId}/restart
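As an added example (not the article's or the product's own code), the following PowerShell uses the Microsoft.Graph SDK to list a cloud sync service principal's provisioning jobs and to send the restart request above with an explicit reset scope. It assumes that the Synchronization.ReadWrite.All delegated permission is sufficient and that the resetScope values Escrows, QuarantineState and Watermark match the Graph synchronizationJobRestartCriteria reference; the service principal ID and job ID are placeholders.

```powershell
# Added example, not code from the original article or the product.
# Requires the Microsoft.Graph.Authentication module (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes 'Synchronization.ReadWrite.All'   # assumed sufficient permission

function Get-CloudSyncJobs {
    # Lists the synchronization jobs under the cloud sync service principal,
    # with status.code so a job in Quarantine stands out.
    param([Parameter(Mandatory)] [string] $ServicePrincipalId)
    $uri  = "https://graph.microsoft.com/v1.0/servicePrincipals/$ServicePrincipalId/synchronization/jobs"
    $jobs = (Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).value
    foreach ($job in $jobs) {
        [pscustomobject]@{ JobId = $job.id; TemplateId = $job.templateId; StatusCode = $job.status.code }
    }
}

function Restart-CloudSyncJob {
    # Sends POST .../synchronization/jobs/{jobId}/restart with the chosen reset
    # scope: the same three choices listed above (escrows, quarantine, watermarks).
    param(
        [Parameter(Mandatory)] [string] $ServicePrincipalId,
        [Parameter(Mandatory)] [string] $JobId,
        [ValidateSet('Escrows', 'QuarantineState', 'Watermark')]
        [string[]] $ResetScope = @('Escrows', 'QuarantineState')
    )
    $uri = "https://graph.microsoft.com/v1.0/servicePrincipals/$ServicePrincipalId/synchronization/jobs/$JobId/restart"
    # resetScope is a flags-style value (assumed); Graph accepts a comma-separated list.
    $body = @{ criteria = @{ resetScope = ($ResetScope -join ', ') } }
    Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body -ContentType 'application/json'
}

$spId = '<cloud-sync-service-principal-object-id>'   # placeholder
Get-CloudSyncJobs -ServicePrincipalId $spId | Format-Table -AutoSize

# Clear escrows and quarantine only; add 'Watermark' to also reset the point from
# which the job picks up changes.
# Restart-CloudSyncJob -ServicePrincipalId $spId -JobId '<jobId>' -ResetScope Escrows, QuarantineState
```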

Repair the cloud sync service account

If you need to repair the cloud sync service account, you can use the Repair-AADCloudSyncToolsAccount command.

  1. Install the AADCloudSyncTools PowerShell module.

  2. From a PowerShell session with administrative privileges, type, or copy and paste, the following:

    Connect-AADCloudSyncTools

  3. Enter your Azure AD Global Administrator credentials.

  4. Type, or copy and paste, the following:

    Repair-AADCloudSyncToolsAccount

  5. After this completes, it should say that the account was repaired successfully.

Password writeback

To enable and use password writeback with cloud sync, keep the following in mind:

  • If you need to update the gMSA permissions, it might take an hour or more for these permissions to replicate to all the objects in your directory. If you don't assign these permissions, writeback can appear to be configured correctly, but users might encounter errors when they update their on-premises passwords from the cloud. Permissions must be applied to This object and all descendant objects for Unexpire Password to appear.
  • If passwords for some user accounts aren't written back to the on-premises directory, make sure that inheritance isn't disabled for the account in the on-premises Active Directory Domain Services (AD DS) environment. Write permissions for passwords must be applied to descendant objects for the feature to work correctly.
  • Password policies in the on-premises AD DS environment might prevent password resets from being correctly processed. If you're testing this feature and want to reset passwords for users more than once per day, the group policy for the minimum password age must be set to 0. You can find this setting in the following location: Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies, within gpmc.msc.
    • If you update the group policy, wait for the updated policy to replicate, or use the gpupdate /force command.
    • For passwords to be changed immediately, the minimum password age must be set to 0. However, if users adhere to the on-premises policies, and the minimum password age is set to a value greater than 0, password writeback doesn't work after the on-premises policies are evaluated.

Next steps

  • Known limitations
  • Error codes

Article information

Author: Nathanael Baumbach

Last Updated: 10/10/2023
