If an object isn't syncing with Azure Active Directory (Azure AD) as expected, there can be several reasons. If you've received an error email from Azure AD, or if you see an error in Azure AD Connect Health, read Troubleshoot errors during synchronization instead. But if you're troubleshooting a problem where the object isn't in Azure AD at all, this article is for you. It describes how to find errors in the on-premises component, Azure AD Connect sync.
Important: For Azure AD Connect deployments of version 1.1.749.0 or later, use the troubleshooting task in the wizard to troubleshoot object synchronization issues.
Synchronization process
Before we investigate syncing issues, let's look at the Azure AD Connect sync process:
Terminology
- CS: Connector space, a table in a database.
- MV: Metaverse, a table in a database.
Synchronization steps
The synchronization process involves the following steps:
- Import from AD: Active Directory objects are brought into the Active Directory CS.
- Import from Azure AD: Azure AD objects are brought into the Azure AD CS.
- Synchronization: Inbound synchronization rules and outbound synchronization rules run in order of precedence number, from lowest to highest. To view the synchronization rules, open the Synchronization Rules Editor from the desktop applications. Inbound synchronization rules bring data from the CS into the MV. Outbound synchronization rules move data from the MV to the CS.
- Export to AD: After synchronization, objects are exported from the Active Directory CS to Active Directory.
- Export to Azure AD: After synchronization, objects are exported from the Azure AD CS to Azure AD.
Troubleshoot
To find errors, look in several different places, in the following order:
- The operations log, to find errors identified by the synchronization engine during import and synchronization.
- The connector space, to find missing objects and synchronization errors.
- The metaverse, to find data-related problems.
Start Synchronization Service Manager before you begin these steps.
Operations
The Operations tab in Synchronization Service Manager is where you should start troubleshooting. This tab shows the results of the most recent operations.
The top half of the Operations tab shows all runs in chronological order. By default, the operations log keeps information about the last seven days, but this setting can be changed with the scheduler. Look for any run that doesn't show a success status. You can change the sort order by clicking the column headers.
The Status column contains the most important information and shows the most severe problem for a run. Here is a quick summary of the most common statuses, in order of investigation priority (where * denotes several possible error strings).
| Status | Comment |
| --- | --- |
| stopped-* | The run couldn't finish. This can happen, for example, if the remote system is down and can't be contacted. |
| stopped-error-limit | There are more than 5,000 errors. The run was stopped automatically because of the large number of errors. |
| completed-*-errors | The run finished, but there are errors (fewer than 5,000) that should be investigated. |
| completed-*-warnings | The run finished, but some data isn't in the expected state. If you also have errors, this message is usually only a symptom. Don't investigate warnings until you've resolved the errors. |
When you select a row, the bottom half of the Operations tab updates to show the details of that run. On the left side of this area, there may be a list titled Step #. This list appears only when there are multiple domains in the forest; each domain is represented by a step. The domain name is shown under the heading Partition. Under the Synchronization Statistics heading, you'll find more information about the number of changes that were processed. Select the links to get a list of the changed objects. If you have objects with errors, those errors are listed under the Synchronization Errors heading.
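The same triage can be done from PowerShell on the sync server. The following script is an added example, not part of the original article and not Microsoft's own tooling. It assumes the ADSync module that ships with Azure AD Connect, and it assumes that Get-ADSyncRunProfileResult returns entries with Result, ConnectorId, RunNumber, StartDate, EndDate and RunHistoryId properties; the investigation priority it applies is the order of the status table above.

```powershell
# Added example; not from the original article. Assumes the ADSync module that
# ships with Azure AD Connect is available on the sync server, and that
# Get-ADSyncRunProfileResult returns entries with Result, ConnectorId, RunNumber,
# StartDate, EndDate and RunHistoryId properties (assumption about the output shape).
Import-Module ADSync

# Rank a status string in the order the article suggests investigating them:
# stopped-* first, then stopped-error-limit, then completed-*-errors, then
# completed-*-warnings. success sorts last; anything unexpected sorts just
# above success so it is still visible in the report.
function Get-RunStatusPriority {
    param([string]$Status)
    if ($Status -eq 'stopped-error-limit')    { return 2 }
    if ($Status -like 'stopped-*')            { return 1 }
    if ($Status -like 'completed-*-errors')   { return 3 }
    if ($Status -like 'completed-*-warnings') { return 4 }
    if ($Status -eq 'success')                { return 99 }
    return 50
}

# Map connector identifiers to names so the report is readable.
$connectorNames = @{}
foreach ($c in Get-ADSyncConnector) { $connectorNames[$c.Identifier] = $c.Name }

# Pull recent run history and keep only runs that did not end in success,
# worst status first and newest first within the same status.
# 200 is a constructed default; raise it if the scheduler runs often.
function Get-FailedSyncRuns {
    param([int]$Recent = 200)
    Get-ADSyncRunProfileResult -NumberRequested $Recent |
        Where-Object { $_.Result -ne 'success' } |
        ForEach-Object {
            [pscustomobject]@{
                Priority     = Get-RunStatusPriority $_.Result
                Connector    = $connectorNames[$_.ConnectorId]
                RunNumber    = $_.RunNumber
                Status       = $_.Result
                Started      = $_.StartDate
                Ended        = $_.EndDate
                RunHistoryId = $_.RunHistoryId
            }
        } |
        Sort-Object @{Expression = 'Priority'}, @{Expression = 'Started'; Descending = $true}
}

Get-FailedSyncRuns | Format-Table -AutoSize
```

The RunHistoryId column is what you need to drill into a single run's steps and error objects; the report deliberately ranks warnings after errors, since the article notes that warnings are usually only a symptom while errors remain.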
Errors on the Operations tab
When there are errors, Synchronization Service Manager shows both the object in error and the error itself as links that provide more information.
Start by selecting the error string. (In the preceding image, the error string is sync-rule-error-function-triggered.) You first see an overview of the object. To see the actual error, select Stack Trace. This trace provides debug-level information for the error.
Right-click in the Call Stack Information box, click Select All, and then select Copy. Paste the stack into your favorite editor, such as Notepad, and look at the error there.
If the error comes from SyncRulesEngine, the call stack information first lists all attributes on the object. Scroll down until you see the heading InnerException =>.
The line after the heading shows the error. In the preceding image, the error comes from a custom synchronization rule created by Fabrikam.
If the error doesn't give you enough information, it's time to look at the data itself. Select the link with the object identifier and continue troubleshooting the connector space imported object.
Connector space object properties
If the Operations tab shows no errors, follow the connector space object from Active Directory to the metaverse to Azure AD. Somewhere along this path you should find where the problem is.
Search for an object in the CS
In Synchronization Service Manager, select Connectors, select the Active Directory connector, and select Search Connector Space.
In the Scope box, select RDN if you want to search on the CN attribute, or select DN or anchor if you want to search on the distinguishedName attribute. Enter a value and select Search.
If you can't find the object you're looking for, it might have been filtered by domain-based filtering or OU-based filtering. To verify that filtering is configured as expected, read Azure AD Connect sync: Configure filtering.
Another useful search: select the Azure AD connector. In the Scope box, select Pending Import, and then select the Add check box. This search returns all synced objects in Azure AD that can't be associated with an on-premises object.
Those objects were created by another sync engine, or by a sync engine with a different filter configuration. These orphaned objects are no longer managed. Review this list and consider removing these objects by using the Azure AD PowerShell cmdlets.
CS import
When you open a CS object, there are several tabs at the top. The Import tab shows the data that was staged after an import.
The Old Value column shows what's currently stored in Connect, and the New Value column shows what was received from the source system but hasn't been applied yet. If there's an error on the object, the changes aren't processed.
The Synchronization Error tab is visible in the Connector Space Object Properties window only when there's a problem with the object. For more information, see how to troubleshoot synchronization errors on the Operations tab.
CS lineage
The Lineage tab in the Connector Space Object Properties window shows how the connector space object is related to the metaverse object. You can see when the connector last imported a change from the connected system and which rules applied to populate data in the metaverse.
In the preceding image, the Action column shows an inbound synchronization rule with the action Provision. This means that as long as this connector space object is present, the metaverse object remains. If the list of synchronization rules instead shows an outbound synchronization rule with a Provision action, this object is deleted when the metaverse object is deleted.
In the preceding image, you can also see in the PasswordSync column that the inbound connector space can contribute password changes, because the synchronization rule has the value True. This password is sent to Azure AD through the outbound rule.
From the Lineage tab, you can get to the metaverse by selecting Metaverse Object Properties.
Preview
In the lower-left corner of the Connector Space Object Properties window is the Preview button. Select this button to open the Preview page, where you can synchronize a single object. This page is useful if you're troubleshooting custom synchronization rules and want to see the effect of a change on a single object. You can select a Full sync or a Delta sync. You can also select Generate Preview, which keeps the change only in memory. Or select Commit Preview, which updates the metaverse and stages all changes to the target connector spaces.
In the preview, you can inspect an object and see which rule applied for a particular attribute flow.
Log
Next to the Preview button, select the Log button to open the Log page. Here you can see the password sync status and history. For more information, see Troubleshoot password hash synchronization with Azure AD Connect sync.
Metaverse object properties
Usually it's better to start the search from the source Active Directory connector space. But you can also start searching from the metaverse.
Search for an object in the MV
In Synchronization Service Manager, select Metaverse Search, as shown in the following image. Create a query that you know finds the user. Search for common attributes such as accountName (sAMAccountName) and userPrincipalName. For more information, see Sync Service Manager Metaverse search.
In the Search Results window, click the object.
If you didn't find the object, it hasn't reached the metaverse yet. Continue by searching for the object in the Active Directory connector space. If you find the object in the Active Directory connector space, there might be a sync error that blocks the object from reaching the metaverse, or a synchronization rule scoping filter might be applied.
Object not found in the MV
If the object is in the Active Directory CS but not in the MV, a scoping filter is applied. To look at the scoping filter, go to the desktop application menu and select Synchronization Rules Editor. Filter the rules applicable to the object by adjusting the filter below.
View each rule in the preceding list and verify the scoping filter. In the following scoping filter, if the isCriticalSystemObject value is null, FALSE, or empty, the object is in scope.
Go to the cs-import attribute list and check which filter is blocking the object from moving to the MV. The connector space attribute list shows only non-null and non-empty attributes. For example, if isCriticalSystemObject isn't listed, the value of this attribute is null or empty.
Object not found in the Azure AD CS
If the object isn't present in the Azure AD connector space but is present in the MV, look at the scoping filter of the relevant outbound rules for that connector space and find out whether the object is filtered because the MV attributes don't meet the criteria.
To look at the relevant outbound scoping filter, select the rules applicable to the object by adjusting the filter below. View each rule and look at the corresponding MV attribute value.
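The two scoping checks above (inbound rules between the CS and the MV, outbound rules between the MV and the Azure AD CS) apply the same evaluation: a condition such as isCriticalSystemObject NOTEQUAL True leaves an object in scope when the attribute is null, empty or FALSE. The following script is an added example, not from the original article, that reproduces that evaluation against plain hashtables so it can be tried without a sync server; the converters at the end feed it real rule and connector space objects. It assumes that groups in a scope filter are ORed and the conditions inside a group are ANDed, and the property names it reads from ADSync objects (ScopeFilter, ScopeConditionList, Attribute, ComparisonOperator, ComparisonValue, Attributes, Name, Values), the connector name and the rule name in the commented live call are assumptions.

```powershell
# Added example; not from the original article. Evaluates a scoping filter the
# way the article describes: for a NOTEQUAL condition on isCriticalSystemObject,
# an attribute that is null, empty or FALSE leaves the object in scope. Groups
# in a scope filter are ORed and the conditions inside a group are ANDed
# (assumption, based on the Synchronization Rules Editor's group layout).

# One condition against an attribute set given as a hashtable (name -> value).
function Test-ScopeCondition {
    param([hashtable]$Attributes, [string]$Attribute, [string]$Operator, [string]$Value)
    $actual  = $Attributes[$Attribute]             # $null when the attribute is absent
    $isEmpty = ($null -eq $actual) -or ("$actual" -eq '')
    switch ($Operator) {
        'ISNULL'    { return $isEmpty }
        'ISNOTNULL' { return -not $isEmpty }
        'EQUAL'     { return (-not $isEmpty) -and ("$actual" -ieq $Value) }
        'NOTEQUAL'  { return $isEmpty -or ("$actual" -ine $Value) }   # null/empty counts as "not equal"
        default     { throw "Operator '$Operator' is not handled by this example" }
    }
}

# $ScopeFilter: array of groups; each group is an array of
# @{ Attribute = ...; Operator = ...; Value = ... } hashtables.
function Test-InScope {
    param([hashtable]$Attributes, [object[]]$ScopeFilter)
    if (-not $ScopeFilter -or $ScopeFilter.Count -eq 0) { return $true }   # no filter: everything is in scope
    foreach ($group in $ScopeFilter) {
        $groupMatches = $true
        foreach ($condition in $group) {
            if (-not (Test-ScopeCondition $Attributes $condition.Attribute $condition.Operator $condition.Value)) {
                $groupMatches = $false
                break
            }
        }
        if ($groupMatches) { return $true }        # any fully satisfied group puts the object in scope
    }
    return $false
}

# Constructed sample filter mirroring the condition the article discusses:
# isCriticalSystemObject NOTEQUAL True (one group, one condition).
$inboundUserScope = @(
    ,@( @{ Attribute = 'isCriticalSystemObject'; Operator = 'NOTEQUAL'; Value = 'True' } )
)

# Constructed sample connector space objects (name -> value, $null when unset).
$regularUser = @{ sAMAccountName = 'jdoe';   isCriticalSystemObject = $null }   # attribute absent: stays in scope
$builtinUser = @{ sAMAccountName = 'krbtgt'; isCriticalSystemObject = 'TRUE' }  # attribute TRUE: filtered out

Test-InScope $regularUser $inboundUserScope
Test-InScope $builtinUser $inboundUserScope

# To test a real object against a real rule, convert ADSync objects into the
# shapes above. The property names used here are assumptions about the ADSync
# module's object model.
function ConvertFrom-ADSyncScopeFilter {
    param($Rule)
    @($Rule.ScopeFilter | ForEach-Object {
        ,@($_.ScopeConditionList | ForEach-Object {
            @{ Attribute = $_.Attribute; Operator = "$($_.ComparisonOperator)"; Value = "$($_.ComparisonValue)" }
        })
    })
}
function ConvertFrom-ADSyncAttributes {
    param($SyncObject)
    $h = @{}
    foreach ($a in $SyncObject.Attributes) {
        $h[$a.Name] = if (@($a.Values).Count -gt 0) { $a.Values[0] } else { $null }
    }
    $h
}
# Live call (assumed connector name, DN and rule name):
# $cs   = Get-ADSyncCSObject -ConnectorName 'contoso.com' -DistinguishedName 'CN=jdoe,OU=Users,DC=contoso,DC=com'
# $rule = Get-ADSyncRule | Where-Object { $_.Name -eq 'In from AD - User Common' }
# Test-InScope (ConvertFrom-ADSyncAttributes $cs) (ConvertFrom-ADSyncScopeFilter $rule)
```

The same Test-InScope call serves the outbound case: pass the metaverse object's attributes and the outbound rule's scope filter instead, and a False result tells you which MV attribute keeps the object out of the Azure AD connector space.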
MV attributes
On the Attributes tab, you can see the values and which connectors contributed them.
If the object isn't syncing, ask the following questions about the attribute states in the metaverse:
- Is the attribute cloudFiltered present and set to True? If it is, the object has been filtered according to the steps in attribute-based filtering.
- Is the attribute sourceAnchor present? If not, do you have an account-resource forest topology? If the object is identified as a linked mailbox (the attribute msExchRecipientTypeDetails has the value 2), the sourceAnchor is contributed by the forest with an enabled Active Directory account. Make sure the master account has been imported and synchronized properly. The master account must be listed among the connectors for the object.
MV connectors
The Connectors tab shows all connector spaces that have a representation of the object.
You should have a connector to:
- Each Active Directory forest in which the user is represented. This representation can include foreignSecurityPrincipal and Contact objects.
- The Azure AD connector.
If you're missing the connector to Azure AD, see the section on MV attributes to verify the criteria for provisioning to Azure AD.
From the Connectors tab, you can also go to the connector space object. Select a row and click Properties.
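The path the article follows by hand (connector space object, its lineage, the metaverse object, its attributes and connectors) can be walked in one PowerShell function. The following script is an added example, not from the original article and not part of Azure AD Connect. It assumes the ADSync module on the sync server and these property names on its objects: HasSyncError, SynchronizationError, ConnectedMVObjectId and Lineage (with SyncRuleName and Operation) on a connector space object, and Attributes (Name, Values) and Lineage (ConnectorName) on a metaverse object; the connector names and distinguished name in the sample call are placeholders.

```powershell
# Added example; not from the original article. Walks one object along the path
# the article describes (Active Directory CS -> MV -> Azure AD CS) and applies
# the MV attribute and connector checks from the two sections above. Property
# names on the ADSync objects are assumptions about the module's object model.
Import-Module ADSync

# Read the first value of a named attribute from a CS or MV object, or $null.
function Get-AttributeValue {
    param($SyncObject, [string]$Name)
    $attr = $SyncObject.Attributes | Where-Object { $_.Name -eq $Name } | Select-Object -First 1
    if ($attr -and @($attr.Values).Count -gt 0) { return $attr.Values[0] }
    return $null
}

function Trace-SyncObject {
    param(
        [string]$ADConnectorName,
        [string]$DistinguishedName,
        [string]$AzureADConnectorName
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Connector space: is the object there, and does it carry a sync error?
    try {
        $cs = Get-ADSyncCSObject -ConnectorName $ADConnectorName -DistinguishedName $DistinguishedName -ErrorAction Stop
    } catch { $cs = $null }
    if (-not $cs) {
        $findings.Add('Not in the AD connector space: check domain-based and OU-based filtering.')
        return [pscustomobject]@{ Stage = 'CS'; Findings = $findings }
    }
    if ($cs.HasSyncError) {
        $findings.Add("Sync error on the CS object: $($cs.SynchronizationError)")
    }

    # Lineage: which rules applied, and is there an inbound Provision rule that keeps the MV object alive?
    $lineage = @($cs.Lineage | ForEach-Object { "$($_.SyncRuleName) [$($_.Operation)]" })
    if (-not ($cs.Lineage | Where-Object { "$($_.Operation)" -eq 'Provision' })) {
        $findings.Add('No rule with the action Provision in the lineage: this CS object does not create an MV object.')
    }

    # 2. Metaverse: not joined means a scoping filter or a sync error blocked it.
    if (-not $cs.ConnectedMVObjectId -or $cs.ConnectedMVObjectId -eq [guid]::Empty) {
        $findings.Add('Not connected to an MV object: check the inbound scoping filters.')
        return [pscustomobject]@{ Stage = 'CS'; Lineage = $lineage; Findings = $findings }
    }
    $mv = Get-ADSyncMVObject -Identifier $cs.ConnectedMVObjectId

    # 3. The MV attribute checklist from the article.
    if ("$(Get-AttributeValue $mv 'cloudFiltered')" -ieq 'True') {
        $findings.Add('cloudFiltered is True: the object is excluded by attribute-based filtering.')
    }
    if (-not (Get-AttributeValue $mv 'sourceAnchor')) {
        if ("$(Get-AttributeValue $mv 'msExchRecipientTypeDetails')" -eq '2') {
            $findings.Add('sourceAnchor missing on a linked mailbox: the account forest must contribute it; confirm the master account is imported and listed under the connectors.')
        } else {
            $findings.Add('sourceAnchor missing: the object cannot be provisioned to Azure AD.')
        }
    }

    # 4. Connectors: an MV object without an Azure AD connector never reached the Azure AD CS.
    $connectors = @($mv.Lineage | ForEach-Object { $_.ConnectorName })
    if ($connectors -notcontains $AzureADConnectorName) {
        $findings.Add("No connector to '$AzureADConnectorName': check the outbound scoping filter and the MV attributes above.")
    }

    [pscustomobject]@{
        Stage      = 'MV'
        MVObjectId = $cs.ConnectedMVObjectId
        Lineage    = $lineage
        Connectors = $connectors
        Findings   = $findings
    }
}

# Constructed sample call; the connector names and the DN are placeholders.
Trace-SyncObject -ADConnectorName 'contoso.com' `
                 -DistinguishedName 'CN=jdoe,OU=Users,DC=contoso,DC=com' `
                 -AzureADConnectorName 'contoso.onmicrosoft.com - AAD' | Format-List
```

An empty Findings list with Stage MV and the Azure AD connector present means the object has reached the Azure AD connector space, so the remaining place to look is the export result on the Operations tab.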
Next steps
- Learn more about Azure AD Connect sync.
- Learn more about hybrid identity.