This post is part of the overall MS-500 Exam Study Guide. Links to each topic as they are posted can be found here.
Once AD Connect is installed and configured, it is important to monitor the synchronization service for errors. A variety of errors can occur when running AD Connect, and to troubleshoot them we need to understand the AD Connect synchronization process. The diagram below, from Microsoft, explains the design of that process well.
The order of steps in a standard AD Connect build is:
- Import from AD DS connector into the connector space – All in-scope objects are read from the local directory into the AD DS connector space in AD Connect. Any scoping filters or OU selections are applied at this point.
- Import from Azure AD connector into the connector space – Objects in Azure AD are read into the Azure AD connector space.
- Synchronization of the AD DS connector space into the metaverse – The objects in the AD DS connector space are synchronized with the metaverse; at this point the metaverse and connector space are updated with the relevant changes pulled from AD.
- Synchronization of the Azure AD connector space into the metaverse – The objects in the Azure AD connector space are synchronized with the metaverse; at this point the metaverse and connector space are updated with the relevant changes pulled from Azure AD.
- Export of connector space to Azure AD – The objects and relevant attributes that have been synchronized from the metaverse are pushed to Azure AD.
- Export of connector space to AD – The objects and relevant attributes that have been synchronized from the metaverse are pushed to AD.
During this process, there are various factors to take into account that may result in AD Connect errors. These errors appear in a few locations: in the sync run details of the AD Connect Synchronization Service Manager application, on the Azure AD Connect Health page, and as email notifications to specified recipients. Here are some errors to watch out for:
- Duplicate Attribute – An attribute that is required to be unique, such as UserPrincipalName or MS-DS-ConsistencyGUID, is detected on more than one object.
- Data Mismatch – The attribute type detected does not match the type expected.
- Data Validation – An attribute did not pass the data validation checks for synchronization. This can be caused by special characters in the attribute value or by badly formatted attributes, such as a UserPrincipalName with no “@domain.com”.
- Large Attribute – The attribute value exceeds the size limit for the specific attribute.
- Federated Domain Change – A user's UPN has been modified from one federated domain to another.
- Existing Admin Role Conflict – This error occurs when a user with admin privileges in Azure AD is soft-matched with an on-premises account. The process is detailed further here.
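Because the Duplicate Attribute and Data Validation errors above originate in on-premises data, they can be caught before a sync run. The following is an added example, not code from the original post or from Microsoft, that uses the ActiveDirectory PowerShell module to scan a sync-scoped OU for those conditions; the function name and the OU path are assumptions.

```powershell
# Added example (not from the original post): pre-sync hygiene check against on-premises AD
# for the conditions behind the Duplicate Attribute and Data Validation sync errors.
# Function name and -SearchBase default are assumptions; set the OU to match your sync scope.
Import-Module ActiveDirectory

function Find-ADSyncAttributeIssue {
    param([string]$SearchBase = 'OU=SyncedUsers,DC=contoso,DC=local')  # placeholder OU

    $props  = 'userPrincipalName', 'proxyAddresses', 'mS-DS-ConsistencyGuid'
    $users  = Get-ADUser -Filter * -SearchBase $SearchBase -Properties $props
    $issues = New-Object System.Collections.Generic.List[object]

    # Data Validation: a UPN without a well-formed '@domain' part fails validation at sync time.
    foreach ($u in $users) {
        if ($u.userPrincipalName -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            $issues.Add([pscustomobject]@{ Check = 'DataValidation'; Object = $u.DistinguishedName; Value = $u.userPrincipalName })
        }
    }

    # Duplicate Attribute: UPN must be unique across the synced scope.
    $users | Where-Object userPrincipalName | Group-Object userPrincipalName |
        Where-Object Count -gt 1 | ForEach-Object {
            $issues.Add([pscustomobject]@{ Check = 'DuplicateUPN'; Object = ($_.Group.DistinguishedName -join '; '); Value = $_.Name })
        }

    # mS-DS-ConsistencyGuid is stored as a byte array; normalise it to a hex string before grouping.
    $users | Where-Object { $_.'mS-DS-ConsistencyGuid' } |
        Group-Object { [System.BitConverter]::ToString([byte[]]$_.'mS-DS-ConsistencyGuid') } |
        Where-Object Count -gt 1 | ForEach-Object {
            $issues.Add([pscustomobject]@{ Check = 'DuplicateConsistencyGuid'; Object = ($_.Group.DistinguishedName -join '; '); Value = $_.Name })
        }

    # proxyAddresses shared between two users also raise the Duplicate Attribute error.
    $users | ForEach-Object {
            $dn = $_.DistinguishedName
            $_.proxyAddresses | ForEach-Object { [pscustomobject]@{ DN = $dn; Addr = $_.ToLower() } }
        } | Group-Object Addr | Where-Object Count -gt 1 | ForEach-Object {
            $issues.Add([pscustomobject]@{ Check = 'DuplicateProxyAddress'; Object = ($_.Group.DN -join '; '); Value = $_.Name })
        }

    return $issues
}

# Run the check and list every object that would fail, with the offending value.
Find-ADSyncAttributeIssue | Format-Table -AutoSize
```

Running this on a schedule, or before a full sync after a bulk user import, surfaces the objects to fix so the errors never reach the Synchronization Service Manager or AD Connect Health.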
AD Connect Health
The Azure AD Connect Health Agent is installed along with Azure AD Connect. The Health Agent sends data to Azure AD for analysis and troubleshooting. The Azure AD Connect Health page is the best place to manage errors that occur during the sync process. The page is accessed from the Azure AD portal and provides detailed insight into the AD Connect status. We can see any synchronization errors present in our configuration, and clicking the notification option allows us to customize the error notifications.
The Sync Services blade shows the status of each of our AD Connect servers.
If we have ADFS installed, we can download and install the Health Agent on our ADFS and proxy servers. Once running, it also shows the health and statistics of the ADFS environment.
We can also see details of AD DS and configure the automatic update policy for the AD Connect Health Agent.
AD Connect can be quite easy to manage and troubleshoot once you understand how it all works together. The AD Connect Health Agent also makes this much easier than it has been in the past.
Some useful links to check out: