If an object isn't syncing to Microsoft Azure Active Directory (Azure AD) as expected, there can be several reasons. If you received an error email from Azure AD or see an error in Azure AD Connect Health, read Troubleshooting when syncing instead. However, if you're troubleshooting an object that isn't in Azure AD, this article is for you. It describes how to find errors in the on-premises component, Azure AD Connect synchronization.
Important
For Azure AD Connect deployments with version 1.1.749.0 or later, use the troubleshooting task in the wizard to troubleshoot object synchronization issues.
Synchronization process
Before we investigate sync issues, let's take a look at the Azure AD Connect sync process:
Terminology
- CS: Connector space, a table in a database
- MV: Metaverse, a table in a database
Synchronization steps
The synchronization process includes the following steps:
Import from AD: Active Directory objects are brought into the Active Directory CS.
Import from Azure AD: Azure AD objects are brought into the Azure AD CS.
Synchronization: Inbound sync rules and outbound sync rules run in order from lowest to highest. To view the sync rules, go to the Synchronization Rules Editor from the desktop applications. Inbound sync rules move data from the CS to the MV. Outbound sync rules move data from the MV to the CS.
Export to AD: After synchronization, objects are exported from the Active Directory CS to Active Directory.
Export to Azure AD: After synchronization, objects are exported from the Azure AD CS to Azure AD.
Troubleshooting
To find errors, look in a few different places in the following order:
- The operation logs, for errors identified by the synchronization engine during import and synchronization.
- The connector space, for missing objects and synchronization errors.
- The metaverse, for data-related problems.
Start Synchronization Service Manager before you begin these steps.
Operations
The Operations tab in Synchronization Service Manager is where you start troubleshooting. This tab displays the results of the most recent operations.
The top half of the Operations tab shows all runs in chronological order. By default, the operations log keeps information for the last 7 days, but you can change this setting with the scheduler. Look for any run that does not show a success status. You can change the sorting by clicking the headings.
The Status column contains the most important information and shows the most severe problem for a run. Below is a brief summary of the most common statuses, in order of investigation priority (where * denotes several possible error strings).
Status | Comment |
---|---|
stopped-* | The run could not be completed. This can happen, for example, if the remote system is down and cannot be contacted. |
stopped-error-limit | There are more than 5,000 errors. The run was automatically stopped due to the large number of errors. |
completed-*-errors | The run finished with errors (fewer than 5,000) that need to be investigated. |
completed-*-warnings | The run completed, but some data was not in the expected state. If you also have errors, this message is usually only a symptom. Do not investigate warnings until the errors are resolved. |
success | No problem. |
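The priority order in the table can be applied to a batch of run results with a short script. This is an added example, not code from the original article or from Microsoft. It assumes each run is an object with ConnectorName, RunProfileName, Result and StartDate properties (the shape the ADSync module's Get-ADSyncRunProfileResult cmdlet is assumed to return); the function names and sample rows are constructed.

```powershell
# Added example: rank run-history entries in the investigation order of the table.
# Specific patterns come first because 'stopped-error-limit' also matches 'stopped-*'.
$StatusRules = @(
    @{ Pattern = 'stopped-error-limit';  Rank = 2; Note = 'More than 5,000 errors; run stopped automatically' }
    @{ Pattern = 'stopped-*';            Rank = 1; Note = 'Run could not be completed' }
    @{ Pattern = 'completed-*-errors';   Rank = 3; Note = 'Finished with errors to investigate' }
    @{ Pattern = 'completed-*-warnings'; Rank = 4; Note = 'Usually a symptom; resolve errors first' }
    @{ Pattern = 'success';              Rank = 5; Note = 'No problem' }
)

function Get-RunTriage {
    param([Parameter(Mandatory)][string]$Status)
    foreach ($rule in $StatusRules) {
        if ($Status -like $rule.Pattern) { return $rule }
    }
    # Unknown strings rank first so they are looked at, not silently skipped.
    return @{ Pattern = $Status; Rank = 0; Note = 'Status not in the table' }
}

function Select-RunsToInvestigate {
    param([Parameter(Mandatory)][object[]]$Run)
    $Run |
        Where-Object { $_.Result -ne 'success' } |
        Select-Object ConnectorName, RunProfileName, Result, StartDate,
            @{ Name = 'Rank'; Expression = { (Get-RunTriage $_.Result).Rank } },
            @{ Name = 'Note'; Expression = { (Get-RunTriage $_.Result).Note } } |
        Sort-Object Rank, @{ Expression = 'StartDate'; Descending = $true }
}

# Constructed sample rows. On a sync server the input could instead come from
# Get-ADSyncRunProfileResult (assumption: its Result property holds the status string).
$sampleRuns = @(
    [pscustomobject]@{ ConnectorName = 'fabrikam.com'; RunProfileName = 'Delta Import'
                       Result = 'success'; StartDate = [datetime]'2024-01-10 08:00' }
    [pscustomobject]@{ ConnectorName = 'fabrikam.com'; RunProfileName = 'Delta Synchronization'
                       Result = 'completed-sync-errors'; StartDate = [datetime]'2024-01-10 08:01' }
    [pscustomobject]@{ ConnectorName = 'fabrikam.onmicrosoft.com - AAD'; RunProfileName = 'Export'
                       Result = 'completed-export-warnings'; StartDate = [datetime]'2024-01-10 08:02' }
    [pscustomobject]@{ ConnectorName = 'fabrikam.onmicrosoft.com - AAD'; RunProfileName = 'Delta Import'
                       Result = 'stopped-connectivity'; StartDate = [datetime]'2024-01-10 08:30' }
    [pscustomobject]@{ ConnectorName = 'fabrikam.com'; RunProfileName = 'Full Synchronization'
                       Result = 'stopped-error-limit'; StartDate = [datetime]'2024-01-09 22:00' }
)

Select-RunsToInvestigate -Run $sampleRuns | Format-Table -AutoSize
```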
When you select a row, the bottom of the Operations tab is updated to show the details of that run. On the far left of this area, there may be a list titled Step #. This list appears only if you have multiple domains in the forest and each domain is represented by a step. The domain name can be found under the Partition heading. Under the Synchronization Statistics heading, you can find more information about the number of changes processed. Select the links for a list of the changed objects. If you have objects with errors, they are displayed under the Synchronization Errors heading.
Errors on the Operations tab
When an error occurs, Synchronization Service Manager displays both the object in error and the error itself as links to more information.
Start by selecting the error string. (In the image above, the error string is sync-rule-error-function-triggered.) You first see an overview of the object. To see the actual error, select Stack Trace. This trace gives debug-level information for the error.
Right-click the Call Stack Information field, click Select All, and choose Copy. Then paste the stack into your favorite editor (for example, Notepad) and look at the error.
If the error comes from SyncRulesEngine, the call stack information first lists all attributes of the object. Scroll down until you see the heading InnerException =>.
The line after the heading shows the error. In the image above, the error comes from a custom sync rule created by Fabrikam.
If the error doesn't contain enough information, it's time to look at the data itself. Select the link with the object identifier and continue troubleshooting the connector space imported object.
Connector space object properties
If the Operations tab shows no errors, follow the connector space object from Active Directory to the metaverse to Azure AD. You should find the problem somewhere along this path.
Search for an object in the CS
In Synchronization Service Manager, select Connectors, select the Active Directory Connector, and then select Search Connector Space.
In the Scope field, select RDN when you want to search on the CN attribute, or select DN or anchor when you want to search on the distinguishedName attribute. Enter a value and select Search.
If you can't find the object you're looking for, it may have been filtered out by domain-based filtering or OU-based filtering. To verify that filtering is configured as expected, read Azure AD Connect sync: Set up filtering.
You can do another useful search by selecting the Azure AD Connector. In the Scope field, select Pending Import, and then select the Add check box. This search returns all synchronized objects in Azure AD that cannot be associated with an on-premises object.
These objects were created by a different sync engine or by a sync engine with a different filtering configuration. These orphaned objects are no longer managed. Review this list and consider using the Azure AD PowerShell cmdlets to clean up these objects.
CS Import
When you open a CS object, there are several tabs at the top. The Import tab shows the data that is staged after an import.
The Old Value column shows what is currently stored in Connect, and the New Value column shows what has been received from the source system but not yet applied. If the object has an error, the changes are not processed.
The Synchronization Error tab is visible in the Connector Space Object Properties window only when there is a problem with the object. For more information, see how to resolve sync errors on the Operations tab.
CS Lineage
The Lineage tab in the Connector Space Object Properties window shows how the connector space object is related to the metaverse object. You can see when the connector last imported a change from the connected system and which rules were applied to populate data in the metaverse.
In the figure above, the Action column shows an inbound sync rule with the action Provision. This means that the metaverse object remains as long as this connector space object exists. If the list of sync rules instead shows an outbound sync rule with a Provision action, this object is deleted when the metaverse object is deleted.
In the figure above, you can also see in the PasswordSync column that the inbound connector space can contribute changes to the password, because one sync rule has the value True. This password is sent to Azure AD through the outbound rule.
From the Lineage tab, you can get to the metaverse by selecting Metaverse Object Properties.
Preview
In the lower-left corner of the Connector Space Object Properties window is the Preview button. Select this button to open the Preview page, where you can synchronize a single object. This page is useful if you're troubleshooting custom sync rules and want to see how a change affects a single object. You can choose a Full sync or a Delta sync. You can also choose Generate Preview, which only keeps the changes in memory, or Commit Preview, which updates the metaverse and stages all changes to the target connector spaces.
In the preview, you can inspect the object and see which rule applied to a specific attribute flow.
Log
Next to the Preview button, select the Log button to open the Log page. Here you can view the password sync status and history. For more information, see Troubleshoot password hash sync with Azure AD Connect sync.
It's usually best to start your search from the source Active Directory connector space. But you can also start your search from the metaverse.
Search for an object in the MV
In Synchronization Service Manager, select Metaverse Search, as shown below. Create a query that you know finds the user. Search on common attributes such as accountName (sAMAccountName) and userPrincipalName. For details, see Synchronization Service Manager Metaverse Search.
In the Search Results window, click the object.
If you don't find the object, it hasn't reached the metaverse yet. Continue searching for the object in the Active Directory connector space. If the object is in the Active Directory connector space, there may be a sync error that is preventing the object from entering the metaverse, or a sync rule scoping filter may have been applied.
Object not found in the MV
If the object is in the Active Directory CS but not in the MV, a scoping filter is applied. To view the scoping filter, go to the desktop application menu and select Synchronization Rules Editor. Filter the rules that apply to the object by adjusting the filter below.
Look at each rule in the list above and check the Scoping filter. In the scoping filter below, if the isCriticalSystemObject value is null, FALSE, or empty, the object is in scope.
Go to the CS Import attribute list and check which filter prevents the object from moving to the MV. The connector space attribute list contains only non-null and non-empty attributes. For example, if isCriticalSystemObject is not displayed in the list, the value of this attribute is null or empty.
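The null handling described above (an attribute missing from the CS Import list counts as null or empty) can be reproduced against a copy of that attribute list to see which clause keeps an object out of the MV. This is an added example, not code from the original article or from Microsoft. The operator names, the rule that every clause must pass, and the function names are assumptions made for illustration, and the sample objects are constructed.

```powershell
# Added example. Operator names and AND-combined clauses are assumptions;
# isCriticalSystemObject and its null/FALSE/empty behaviour come from the text.
function Test-ScopeClause {
    param([hashtable]$CsAttributes, [hashtable]$Clause)
    # An attribute absent from the CS Import list is null or empty.
    $value  = [string]$CsAttributes[$Clause.Attribute]
    $isNull = [string]::IsNullOrEmpty($value)
    switch ($Clause.Operator) {
        'ISNULL'    { return $isNull }
        'ISNOTNULL' { return -not $isNull }
        'EQUAL'     { return (-not $isNull) -and ($value -eq $Clause.Value) }
        'NOTEQUAL'  { return $isNull -or ($value -ne $Clause.Value) }
        default     { throw "Unsupported operator: $($Clause.Operator)" }
    }
}

function Get-BlockingClause {
    param([hashtable]$CsAttributes, [hashtable[]]$Filter)
    # Return a readable form of every clause the object fails.
    foreach ($clause in $Filter) {
        if (-not (Test-ScopeClause -CsAttributes $CsAttributes -Clause $clause)) {
            ('{0} {1} {2}' -f $clause.Attribute, $clause.Operator, $clause.Value).Trim()
        }
    }
}

# Hypothetical scoping filter for an inbound rule.
$scopingFilter = @(
    @{ Attribute = 'isCriticalSystemObject'; Operator = 'NOTEQUAL'; Value = 'TRUE' }
    @{ Attribute = 'sAMAccountName';         Operator = 'ISNOTNULL' }
)

# Constructed CS Import attribute lists; attributes that are not listed are null.
$csObjects = [ordered]@{
    'CN=Alice,OU=Staff,DC=fabrikam,DC=com'  = @{ sAMAccountName = 'alice' }
    'CN=krbtgt,CN=Users,DC=fabrikam,DC=com' = @{ sAMAccountName = 'krbtgt'; isCriticalSystemObject = $true }
    'CN=Bob,OU=Staff,DC=fabrikam,DC=com'    = @{ isCriticalSystemObject = $false }
}

foreach ($dn in $csObjects.Keys) {
    $blocked = @(Get-BlockingClause -CsAttributes $csObjects[$dn] -Filter $scopingFilter)
    if ($blocked.Count -eq 0) { "$dn : in scope" }
    else { "$dn : out of scope, failed: $($blocked -join '; ')" }
}
```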
Object not found in the Azure AD CS
If the object does not exist in the Azure AD connector space but does exist in the MV, check the scoping filter of the outbound rules of the corresponding connector space to see whether the object is filtered out because the MV attributes do not meet the criteria.
To view the outbound scoping filter, select the applicable rules for the object by adjusting the filter below. When looking at each rule, look at the corresponding MV attribute value.
MV Attributes
On the Attributes tab, you can see the values and which connectors contributed them.
If an object is not syncing, ask the following questions about the state of the attributes in the metaverse:
- Is the cloudFiltered attribute present and set to True? If so, the object has been filtered according to the steps in attribute-based filtering.
- Is the sourceAnchor attribute present? If not, do you have an account-resource forest topology? If the object is identified as a linked mailbox (the attribute msExchRecipientTypeDetails has the value 2), the sourceAnchor is contributed by the forest with an enabled Active Directory account. Make sure the master account has been imported and synced correctly. The master account must be listed among the Connectors for the object.
MV Connectors
The Connectors tab displays all connector spaces that have a representation of the object.
You should have a connector to:
- Each Active Directory forest the user is represented in. This representation may include foreignSecurityPrincipals and Contact objects.
- A connector in Azure AD.
If you are missing the connector to Azure AD, refer to the MV attributes section to check the criteria for provisioning to Azure AD.
From the Connectors tab, you can also go to the connector space object. Select a row and click Properties.
Next steps
- Learn more about Azure AD Connect sync.
- Learn more about hybrid identity.