This article provides steps to troubleshoot object synchronization issues by using the troubleshooting task. For an introduction to troubleshooting Azure AD Connect, see a short video.
Troubleshooting task
For Azure AD Connect deployments with version 1.1.749.0 or later, use the troubleshooting task in the wizard to troubleshoot object synchronization issues. With earlier versions, you must troubleshoot manually.
Complete the troubleshooting task in the wizard
To run the troubleshooting task:
- Open a new Windows PowerShell session on your Azure AD Connect server using the Run as administrator option.
- Run Set-ExecutionPolicy RemoteSigned or Set-ExecutionPolicy Unrestricted. RemoteSigned is the less permissive of the two; restore your previous execution policy when you are done.
- Start the Azure AD Connect wizard.
- Go to Additional tasks > Troubleshoot, and then select Next.
- On the Troubleshooting page, select Launch to start the troubleshooting menu in PowerShell.
- In the main menu, select Troubleshoot Object Synchronization.
Troubleshooting input parameters
The troubleshooting task requires the following input parameters:
- Object Distinguished Name: The distinguished name of the object that needs troubleshooting.
- AD Connector Name: The name of the Windows Server Active Directory (Windows Server AD) forest in which the object resides.
- Azure Active Directory (Azure AD) tenant Hybrid Identity Administrator credentials.
Understand the results of the troubleshooting task
The troubleshooting task performs the following checks:
- Detect user principal name (UPN) mismatches if the object is synced to Azure AD.
- Check if the object is filtered due to domain filtering.
- Check if the object is filtered due to organizational unit (OU) filtering.
- Check if object sync is blocked because of a linked mailbox.
- Check if the object is a dynamic distribution group, which is not meant to be synchronized.
The rest of the article describes the specific results that the troubleshooting task returns. In each case, the task provides an analysis followed by recommended actions to resolve the issue.
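The domain, run-step and OU checks above can also be reproduced directly with the ADSync module, which is useful on servers where the wizard task is unavailable or when you want to script the check for many objects. The following is an added example, not code from the Azure AD Connect documentation or product. It assumes the connector object exposes Partitions (with Name, Selected, Identifier and ConnectorPartitionScope) and RunProfiles (with Steps whose Partition property is the partition identifier), and that Get-ADSyncCSObject accepts -ConnectorName and -DistinguishedName; the sample DN and connector name are constructed.

```powershell
# Added example (not from the Azure AD Connect documentation). Reproduces the troubleshooting
# task's domain, run-step and OU scope checks for one object with the ADSync module.
# Assumed property names on the connector object: Partitions[].Name/Selected/Identifier,
# Partitions[].ConnectorPartitionScope.ContainerInclusionList/ContainerExclusionList,
# RunProfiles[].Name and RunProfiles[].Steps[].Partition. Confirm with Get-Member on your server.
Import-Module ADSync -ErrorAction Stop

function Test-ADSyncObjectScope {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,   # e.g. "CN=Jane Doe,OU=NoSync,DC=contoso,DC=com"
        [Parameter(Mandatory)][string]$ConnectorName        # e.g. "contoso.com" (the AD connector name)
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $connector = Get-ADSyncConnector -Name $ConnectorName

    # The DC= tail of the DN names the domain partition the object lives in.
    $dcIndex = $DistinguishedName.IndexOf('DC=', [System.StringComparison]::OrdinalIgnoreCase)
    if ($dcIndex -lt 0) { throw "DN has no DC= components: $DistinguishedName" }
    $domainDn = $DistinguishedName.Substring($dcIndex)

    # Domain filtering: the partition must exist on the connector and be selected for sync.
    $partition = $connector.Partitions | Where-Object { $_.Name -eq $domainDn }
    if (-not $partition) {
        $findings.Add("Domain $domainDn is not a partition of connector '$ConnectorName' (domain filtering).")
        return $findings
    }
    if (-not $partition.Selected) {
        $findings.Add("Domain $domainDn exists but is not selected for synchronization (domain filtering).")
    }

    # Run steps: each run profile (Full/Delta Import, Full/Delta Synchronization, Export)
    # needs a step for this partition, or the domain is silently skipped.
    foreach ($profile in $connector.RunProfiles) {
        $step = $profile.Steps | Where-Object { $_.Partition -eq $partition.Identifier }
        if (-not $step) {
            $findings.Add("Run profile '$($profile.Name)' has no run step for partition $domainDn.")
        }
    }

    # OU filtering: the object must sit under an included container and not under an excluded one.
    # Note: -like treats [ ] * ? in container DNs as wildcards; escape them if your OUs use those characters.
    $scope    = $partition.ConnectorPartitionScope
    $includes = @($scope.ContainerInclusionList)
    $excludes = @($scope.ContainerExclusionList)
    $included = $includes | Where-Object { $DistinguishedName -like "*,$_" }
    $excluded = $excludes | Where-Object { $DistinguishedName -like "*,$_" }
    if ($includes.Count -gt 0 -and -not $included) {
        $findings.Add("No included container is an ancestor of the object (OU filtering).")
    }
    if ($excluded) {
        $findings.Add("Object is under excluded container(s): $($excluded -join '; ') (OU filtering).")
    }

    # Finally, confirm the object was actually imported into the connector space.
    $cs = Get-ADSyncCSObject -ConnectorName $ConnectorName -DistinguishedName $DistinguishedName -ErrorAction SilentlyContinue
    if (-not $cs) { $findings.Add("No connector-space object found; the object has not been imported.") }

    if ($findings.Count -eq 0) { $findings.Add("Object is in scope: domain selected, run steps present, OU not filtered.") }
    return $findings
}

# Constructed sample input; replace with a real DN and connector name from your deployment.
Test-ADSyncObjectScope -DistinguishedName 'CN=Jane Doe,OU=NoSync,DC=contoso,DC=com' -ConnectorName 'contoso.com'
```

Run it in an elevated PowerShell session on the Azure AD Connect server as a member of ADSyncAdmins. The order of the checks mirrors the task's own analysis: an object that fails the domain check never reaches the OU check, so the function returns early there.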
Detect UPN mismatches when the object is synced to Azure AD
Review the UPN mismatch issues described in the following sections.
UPN suffix is not verified with Azure AD tenant
If the UPN suffix, or the alternate login ID suffix, is not verified with your Azure AD tenant, Azure AD replaces the suffix with the tenant's default initial domain, which ends in .onmicrosoft.com.
The Azure AD tenant's SynchronizeUpnForManagedUsers feature is disabled
When the Azure AD tenant DirSync feature SynchronizeUpnForManagedUsers is disabled, Azure AD does not accept synchronization updates to the UPN, or to the alternate login ID, for licensed user accounts that use managed authentication.
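Both UPN mismatch causes can be checked before you open a support case: predict the UPN Azure AD will assign from the tenant's verified domains, and read the DirSync feature flag on the server. The following is an added example, not code from the Azure AD Connect documentation or product. The verified-domain list is constructed sample data; Get-ADSyncAADCompanyFeature (ADSync module) and Set-MsolDirSyncFeature (MSOnline module) are real cmdlets, and the example assumes the former returns a SynchronizeUpnForManagedUsers property.

```powershell
# Added example (not from the Azure AD Connect documentation). Part 1 predicts the cloud UPN for a
# synced user from the tenant's verified domains; part 2 checks the SynchronizeUpnForManagedUsers flag.
function Get-PredictedCloudUpn {
    param(
        [Parameter(Mandatory)][string]$OnPremUpn,           # userPrincipalName, or the alternate login ID attribute, from AD
        [Parameter(Mandatory)][string[]]$VerifiedDomains,   # domains that are verified in the Azure AD tenant
        [Parameter(Mandatory)][string]$InitialDomain        # the tenant's default *.onmicrosoft.com domain
    )
    $parts = $OnPremUpn.Split('@')
    if ($parts.Count -ne 2 -or [string]::IsNullOrWhiteSpace($parts[0]) -or [string]::IsNullOrWhiteSpace($parts[1])) {
        throw "Not a valid UPN: $OnPremUpn"
    }
    $prefix, $suffix = $parts
    # -contains compares strings case-insensitively, matching how DNS names are compared.
    if ($VerifiedDomains -contains $suffix) {
        return [pscustomobject]@{ OnPremUpn = $OnPremUpn; CloudUpn = $OnPremUpn; SuffixReplaced = $false }
    }
    # Unverified suffix: Azure AD keeps the prefix and substitutes the initial domain.
    return [pscustomobject]@{ OnPremUpn = $OnPremUpn; CloudUpn = "$prefix@$InitialDomain"; SuffixReplaced = $true }
}

# Constructed sample data. On a real tenant build the list from the verified domains instead,
# e.g. (Get-MsolDomain | Where-Object Status -eq 'Verified').Name with the MSOnline module.
$verified = @('contoso.com', 'contoso.onmicrosoft.com')
Get-PredictedCloudUpn -OnPremUpn 'jane@contoso.com'   -VerifiedDomains $verified -InitialDomain 'contoso.onmicrosoft.com'
Get-PredictedCloudUpn -OnPremUpn 'jane@contoso.local' -VerifiedDomains $verified -InitialDomain 'contoso.onmicrosoft.com'
# The second call reports CloudUpn jane@contoso.onmicrosoft.com with SuffixReplaced = True:
# a sign-in with the on-premises UPN will fail until contoso.local is replaced by a verified suffix.

# Part 2: on the Azure AD Connect server, read the tenant feature that gates UPN updates for
# licensed managed users. Once enabled, this feature cannot be disabled again.
if (Get-Module -ListAvailable -Name ADSync) {
    Import-Module ADSync
    $features = Get-ADSyncAADCompanyFeature
    if (-not $features.SynchronizeUpnForManagedUsers) {
        Write-Warning 'SynchronizeUpnForManagedUsers is disabled: UPN changes for licensed managed users will not sync.'
        # To enable (MSOnline module, Hybrid Identity Administrator): 
        # Set-MsolDirSyncFeature -Feature SynchronizeUpnForManagedUsers -Enable $true
    } else {
        Write-Output 'SynchronizeUpnForManagedUsers is enabled.'
    }
}
```

Part 1 runs anywhere; part 2 only does anything on a server with the ADSync module installed. Verify a domain in the tenant rather than relying on the .onmicrosoft.com fallback, because the substituted UPN changes the identifier users sign in with.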
The object is filtered due to domain filtering
Review the domain filtering issues described in the following sections.
The domain is not configured for synchronization
The object is out of sync scope because its domain has not been configured for synchronization. For example, the domain the object belongs to has been filtered out of sync.
The domain is configured for synchronization, but run profiles or run steps are missing
The object is out of sync scope because its domain is missing run profiles or run steps. For example, the domain the object belongs to has no run step for the Full Import run profile, so its objects are never imported.
The object is filtered due to OU filtering
The object is out of sync scope because of the OU filter settings. For example, the object belongs to OU=NoSync,DC=bvtadwbackdc,DC=com, and that OU is not included in the sync scope.
Problem with linked mailbox
A linked mailbox is assumed to be associated with an external primary account that is in a different trusted account forest. If the primary account doesn't exist, Azure AD Connect doesn't sync the user account that corresponds to the linked mailbox in the Exchange forest to the Azure AD tenant.
Problem with dynamic distribution group
Due to several differences between on-premises Windows Server AD and Azure AD, Azure AD Connect doesn't sync dynamic distribution groups to the Azure AD tenant.
HTML report
In addition to analyzing the object, the troubleshooting task generates an HTML report that contains everything that is known about the object. The HTML report can be shared with the support team for troubleshooting if needed.
Next Steps
Learn more about Integrate your on-premises identities with Azure Active Directory.
FAQs
How would you troubleshoot object synchronization issues with Azure AD Connect setup? ›
Run the troubleshooting task in the wizard
Start the Azure AD Connect wizard. Go to Additional Tasks > Troubleshoot, and then select Next. On the Troubleshooting page, select Launch to start the troubleshooting menu in PowerShell. In the main menu, select Troubleshoot Object Synchronization.
To view directory synchronization errors in the Microsoft 365 admin center:
- Sign in to the Microsoft 365 admin center with a Global Administrator account.
- On the Home page, find the User management card.
- On the card, choose Sync errors under Azure AD Connect to see the errors on the Directory sync errors page.
To restart the sync service, open the Services console (Start > Services), select Microsoft Azure AD Sync, and select Restart.
How do I force AD and Azure to sync? ›
- Use the Enter-PSSession command to connect to your Azure AD Connect server.
- Perform a delta synchronization using the Start-ADSyncSyncCycle command.
- Exit the PSSession to end the remote session to your Azure AD Connect server.
If you need to run a sync cycle manually, run Start-ADSyncSyncCycle -PolicyType Delta from PowerShell. To initiate a full sync cycle, run Start-ADSyncSyncCycle -PolicyType Initial.
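Starting a cycle while one is already running just queues an error, and an Initial cycle on a large forest can run for hours, so a manual sync is worth wrapping in a few checks. The following is an added example, not code from the Azure AD Connect documentation or product. It uses Get-ADSyncScheduler, Get-ADSyncConnectorRunStatus and Start-ADSyncSyncCycle from the ADSync module and assumes the scheduler object exposes SyncCycleEnabled, SyncCycleInProgress, NextSyncCycleStartTimeInUTC and CurrentlyEffectiveSchedulerCycleInterval.

```powershell
# Added example (not from the Azure AD Connect documentation). Runs a delta sync only when the
# scheduler is idle and no connector run is in progress, then waits for the cycle to complete.
# Assumed scheduler properties: SyncCycleEnabled, SyncCycleInProgress, NextSyncCycleStartTimeInUTC,
# CurrentlyEffectiveSchedulerCycleInterval.
Import-Module ADSync -ErrorAction Stop

function Invoke-SafeDeltaSync {
    param(
        [int]$TimeoutSeconds = 600,   # how long to wait for the cycle before giving up
        [switch]$Initial              # use -Initial only after scope or sync-rule changes (full import + full sync)
    )

    $sched = Get-ADSyncScheduler
    if (-not $sched.SyncCycleEnabled) {
        # A manual cycle still works with the scheduler disabled, but find out why it was disabled first:
        # a colleague may have paused sync deliberately during a migration or incident.
        Write-Warning 'The sync scheduler is disabled (SyncCycleEnabled = False).'
    }
    if ($sched.SyncCycleInProgress -or (Get-ADSyncConnectorRunStatus)) {
        throw 'A sync cycle or connector run is already in progress; wait for it to finish rather than queueing another.'
    }

    $policy = if ($Initial) { 'Initial' } else { 'Delta' }
    Write-Output "Starting $policy sync cycle at $(Get-Date -Format o)"
    Start-ADSyncSyncCycle -PolicyType $policy | Out-Null

    # Poll the connector run status until nothing is running or the timeout elapses.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $running = @(Get-ADSyncConnectorRunStatus)
    } while ($running.Count -gt 0 -and (Get-Date) -lt $deadline)

    if ($running.Count -gt 0) {
        throw "Sync still running after $TimeoutSeconds seconds on connector(s): $(($running | ForEach-Object ConnectorName) -join ', ')"
    }

    # Show that the scheduler has re-armed: the next start time should be in the future.
    return Get-ADSyncScheduler |
        Select-Object SyncCycleEnabled, NextSyncCycleStartTimeInUTC, CurrentlyEffectiveSchedulerCycleInterval
}

Invoke-SafeDeltaSync
```

Run it from an elevated session on the Azure AD Connect server. Errors from individual connector runs are not surfaced here; check the Operations tab in Synchronization Service Manager after the cycle completes.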
How do I check Active Directory synchronization? ›Sign in to the Microsoft 365 admin center and choose DirSync Status on the home page. Alternatively, go to Users > Active users, and on the Active users page select the ellipsis > Directory synchronization.
Where is synchronization service in Azure AD Connect? ›You start the Synchronization Service Manager UI from the start menu. It is named Synchronization Service and can be found in the Azure AD Connect group.
How do I see what is synced in Azure AD Connect? ›
To open Synchronization Service Manager, go to Start menu and type Synchronization Service. It should appear under the Azure AD Connect. In the Synchronization Service Manager console, under Operations tab, you can monitor the synchronization progress.
How often does Azure AD Connect sync passwords? ›The password hash synchronization process runs every 2 minutes. You cannot modify the frequency of this process. When you synchronize a password, it overwrites the existing cloud password.
How do I know if my password hash synchronization is enabled? ›Run Azure AD Connect, and then select View current configuration. In the details pane, check whether Password synchronization is enabled on your tenant.
How do I enable password sync in Azure AD Connect? ›- Install Azure AD Connect.
- Configure directory synchronization between your on-premises Active Directory instance and your Azure Active Directory instance.
- Enable password hash synchronization.
How do I update my Azure AD Connect installation? ›
Azure AD Connect supports in-place upgrade: close the Azure AD Connect wizard and run the installer for the newer version on the existing server, which keeps your configuration. If an in-place upgrade is not possible, uninstall the existing Azure AD Connect and perform a clean install of the newer version.
How do I force AD sync to Microsoft 365? ›Force AD sync using Active Directory Users & Computers
Some third-party add-ins for Active Directory Users & Computers add an Office 365 tab (the tab is not part of Windows). After making the changes to the user account that you want to replicate, select the check box in the bottom-left corner of that tab; clicking Apply or OK then forces an AD sync immediately.
Sign in to the server that is running Azure AD Connect sync by using an account that is a member of the ADSyncAdmins security group. Start Synchronization Rules Editor from the Start menu. Make sure Inbound is selected, and click Add New Rule. Give the rule a descriptive name, such as "In from AD – User Sales sync".
How long does it take for Azure AD to sync? ›Once every 30 minutes the scheduler triggers a delta sync, unless the previous run is still in progress. Delta runs generally take less than 10 minutes. An initial full sync of a large directory, for example after reinstalling the tool, can take hours, and in very large deployments days, before on-premises and cloud are fully in sync.
How do I sync computer objects with Azure AD Connect? ›When a device receives an answer from the Device Registration Service (DRS) in AD FS, the device gets a user certificate and the computer object for that device is updated with the ID of this certificate. After that, the computer object is synced to Azure AD.
What is the difference between a delta sync and a full sync in Azure AD Connect? ›A full sync re-imports and re-evaluates all objects in scope; a delta sync only imports and syncs the changes since the last run. Both are started with the Start-ADSyncSyncCycle cmdlet: use -PolicyType Initial for a full sync and -PolicyType Delta for a delta sync.
What is the difference between DirSync Azure AD Sync and Azure AD Connect? ›DirSync always used the proxy server configured for the user installing it, but Azure AD Connect uses machine settings instead. The URLs required to be open in the proxy server. For basic scenarios, those scenarios also supported by DirSync, the requirements are the same.
How do I check Azure AD sync status from the command line? ›There are two ways to check the synchronization status of synced users: PowerShell cmdlets and Azure AD Connect Health. With the MSOnline PowerShell module installed, use the Get-MsolUser cmdlet; its LastDirSyncTime property shows when a user was last synchronized, and Get-MsolUser -HasErrorsOnly lists users with directory synchronization provisioning errors.
Which port is used for synchronization from AD to Azure AD? ›
Azure AD Connect talks to Azure AD over HTTPS on TCP port 443 (with port 80 used for certificate revocation list downloads). The latest Azure AD Connect Health agent versions likewise only require port 443.
What is the name of the Azure AD Connect synchronization service? ›The Microsoft Azure AD Sync synchronization service (ADSync) runs on a server in your on-premises environment. The credentials for the service are set by default in the Express installations but may be customized to meet your organizational security requirements.
What is the default sync interval for Azure AD Connect? ›By default, Azure AD Connect performs a delta sync every 30 minutes. To view the scheduler settings, such as the cycle interval in effect and when the next sync is planned, use Get-ADSyncScheduler from the ADSync module.
Is Azure AD Connect a two way sync? ›By default, the sync is one way: from on-premises AD to Azure AD. However, you can configure the writeback function to sync changes from Azure AD back to your on-premises AD.
How long should it take for AD to sync after a password reset? ›After an Active Directory administrator resets the password on-premises, Azure AD Connect takes at least two minutes to sync that temporary password to Azure AD.
What is the difference between password hash synchronization and pass-through authentication? ›Password hash synchronization: Azure AD Connect computes a hash of the user's on-premises Active Directory password hash and syncs it to Azure AD, so Azure AD validates the password itself. Pass-through authentication: no password material is stored in the cloud; Azure AD forwards the sign-in to an on-premises authentication agent that validates it against Active Directory, so users authenticate with the same password in both places.
How do I troubleshoot password sync in Azure AD? ›Run the troubleshooting task
Start the Azure AD Connect wizard. Navigate to the Additional Tasks page, select Troubleshoot, and click Next. On the Troubleshooting page, click Launch to start the troubleshooting menu in PowerShell. In the main menu, select Troubleshoot password hash synchronization.
To resolve this issue, re-enable password hash synchronization: start the Azure AD Connect wizard and continue through the pages until you reach the option to enable password hash synchronization.
If you configure write-back, changes from Azure AD are synchronized back to the on-premises AD DS environment. For example, if a user changes their password using Azure AD self-service password management, the password is updated back in the on-premises AD DS environment.
Which tool do we use for synchronizing objects from an AD to Azure AD? ›The Azure Active Directory Connect synchronization services (Azure AD Connect sync) is a main component of Azure AD Connect. It takes care of all the operations that are related to synchronize identity data between your on-premises environment and Azure AD.
Which Azure feature allows synchronization between on-premises and Azure AD? ›Azure AD Connect sync server.
An on-premises computer that runs the Azure AD Connect sync service. This service synchronizes information held in the on-premises Active Directory to Azure AD. For example, if you provision or deprovision groups and users on-premises, these changes propagate to Azure AD.
What is Azure AD Connect cloud sync and how does it sync users? ›Azure AD Connect cloud sync is a newer offering from Microsoft for hybrid identity synchronization of users, groups, and contacts to Azure AD. It uses the Azure AD cloud provisioning agent instead of the Azure AD Connect application.