Study Guide Series: Exam MS-500 – Monitor and Troubleshoot Azure AD Connect Events

This post is part of the overall MS-500 Exam Study Guide. Links to each topic as they are posted can be found here.

Once we have AD Connect installed and configured, it's important to monitor the synchronization service for errors. A variety of errors can occur when running AD Connect, and to troubleshoot them we need to understand the AD Connect synchronization process. The diagram below, from Microsoft, explains the design of the AD Connect synchronization process well.

Diagram shows how the Connected Directories and Azure AD Connect provisioning engine interact, including Connector Space and Metaverse components in an SQL Database.

The order of steps in a standard AD Connect build is:

  • Import from AD DS connector into the connector space – All in-scope items are synchronized from the local directory into the AD DS connector space in AD Connect. Any scoping filters or OU selections are applied at this point
  • Import from Azure AD connector into the connector space – Items in Azure AD are synchronized into the Azure AD connector space
  • Synchronization of the AD DS connector space into the metaverse – The items in the AD DS connector space are synchronized with the metaverse; at this point the metaverse and connector space are updated with the relevant changes pulled from AD
  • Synchronization of the Azure AD connector space into the metaverse – The items in the Azure AD connector space are synchronized with the metaverse; at this point the metaverse and connector space are updated with the relevant changes pulled from Azure AD
  • Export of connector space to Azure AD – The items and relevant attributes which have been synchronized from the metaverse are pushed to Azure AD
  • Export of connector space to AD – The items and relevant attributes which have been synchronized from the metaverse are pushed to AD
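The six steps above are exactly the run profiles the Synchronization Service Manager exposes per connector, so they can be driven one at a time from PowerShell. The following is an added example (not code from the original post or from Microsoft) that uses the ADSync module shipped with Azure AD Connect to run the steps in the order listed; the two connector names are placeholders that you replace with the names returned by Get-ADSyncConnector on your server. Walking the cycle this way is useful when you want to see exactly which step a failing object gets stuck in.

```powershell
# Added example: run a sync cycle one run profile at a time, in the order used by a
# standard AD Connect build, so each step can be inspected in the Synchronization
# Service Manager before the next one starts. Requires the ADSync module installed
# with Azure AD Connect and an account that is a member of the ADSyncAdmins group.
Import-Module ADSync

function Invoke-ManualSyncCycle {
    param(
        # Placeholder connector names: read the real ones from Get-ADSyncConnector
        [Parameter(Mandatory)] [string] $AdConnectorName,   # e.g. 'contoso.local'
        [Parameter(Mandatory)] [string] $AadConnectorName,  # e.g. 'contoso.onmicrosoft.com - AAD'
        [switch] $Full                                      # Full instead of Delta import/sync
    )

    # Refuse to start while any connector already has a run profile in progress
    if (Get-ADSyncConnectorRunStatus) {
        throw 'A sync run is already in progress on this server; wait for it to finish.'
    }

    $import = if ($Full) { 'Full Import' }          else { 'Delta Import' }
    $sync   = if ($Full) { 'Full Synchronization' } else { 'Delta Synchronization' }

    # Same order as the steps described above: import both connector spaces,
    # synchronize both into the metaverse, then export the connector spaces
    $steps = @(
        @{ Connector = $AdConnectorName;  Profile = $import },
        @{ Connector = $AadConnectorName; Profile = $import },
        @{ Connector = $AdConnectorName;  Profile = $sync },
        @{ Connector = $AadConnectorName; Profile = $sync },
        @{ Connector = $AadConnectorName; Profile = 'Export' },
        @{ Connector = $AdConnectorName;  Profile = 'Export' }
    )

    # Pause the built-in scheduler so it cannot start its own cycle in the middle
    # of ours, and restore its previous state afterwards even if a step fails
    $schedulerWasEnabled = (Get-ADSyncScheduler).SyncCycleEnabled
    Set-ADSyncScheduler -SyncCycleEnabled $false
    try {
        foreach ($step in $steps) {
            Write-Host ('{0,-22} {1}' -f $step.Profile, $step.Connector)
            Invoke-ADSyncRunProfile -ConnectorName $step.Connector -RunProfileName $step.Profile
        }
    }
    finally {
        Set-ADSyncScheduler -SyncCycleEnabled $schedulerWasEnabled
    }
}

# Discover the connector names on this server, then run a delta cycle, for example:
Get-ADSyncConnector | Select-Object Name
# Invoke-ManualSyncCycle -AdConnectorName 'contoso.local' -AadConnectorName 'contoso.onmicrosoft.com - AAD'
```

After each step the Operations tab of the Synchronization Service Manager shows the run profile result for that connector, which is where the error categories in the next section first appear. Re-enabling the scheduler in the finally block matters: leaving SyncCycleEnabled set to false silently stops all future automatic synchronization.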

During this process, there are various factors to take into account which may result in AD Connect errors. These errors will appear in a few locations: in the sync runs shown in the AD Connect Synchronization Service Manager application, on the Azure AD Connect Health page, and as email notifications to specified recipients. Here are some errors to watch out for:

  • Duplicate Attribute – An attribute which is required to be unique, such as UserPrincipalName or MS-DS-ConsistencyGUID, is detected on more than one object
  • Data Mismatch – The attribute type detected does not match the type expected
  • Data Validation – An attribute did not pass the data validation checks for synchronization. This can be caused by special characters in the attribute value or badly formatted attributes, such as a UserPrincipalName with no “@domain.com”
  • Large Attribute – The attribute value exceeds the size limit for the specific attribute
  • Federated Domain Change – A user's UPN has been modified from one federated domain to another
  • Existing Admin Role Conflict – This error occurs when a user with Admin privileges in Azure AD is soft-matched with an on-premises account; this process is detailed further here
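Three of these categories (Duplicate Attribute, Data Validation and Large Attribute) describe conditions in the on-premises data that can be found before the object ever reaches the sync engine. The following is an added example, not code from the original post or from Microsoft, of a pre-flight check over a set of user records. The sample users are constructed to trigger each error type; in production you would feed the function from Get-ADUser with the -Properties listed in the closing comment. The userPrincipalName character rule is taken from Microsoft's published guidance as I recall it, and the length limits are constructed sample values, so replace them with the limits from Microsoft's attribute documentation.

```powershell
# Added example: find Duplicate Attribute, Data Validation and Large Attribute
# conditions in a set of user records before they cause sync errors.

function Test-SyncReadiness {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        # Constructed sample limits; use the documented Azure AD attribute limits
        [hashtable] $MaxLengths = @{ DisplayName = 256; GivenName = 64; Surname = 64 }
    )
    $findings = New-Object System.Collections.Generic.List[object]

    # Duplicate Attribute: values that must be unique across the whole directory.
    # Group-Object compares case-insensitively by default, which matches how Azure AD
    # treats UPNs and SMTP addresses.
    foreach ($attr in 'UserPrincipalName', 'mS-DS-ConsistencyGuid') {
        $groups = $Users | Where-Object { $_.$attr } | Group-Object -Property $attr
        foreach ($g in $groups) {
            if ($g.Count -gt 1) {
                $findings.Add([pscustomobject]@{
                    Category  = 'Duplicate Attribute'
                    Attribute = $attr
                    Value     = $g.Name
                    Users     = ($g.Group.SamAccountName -join ', ')
                })
            }
        }
    }
    # proxyAddresses is multi-valued, so flatten it before grouping
    $addresses = foreach ($u in $Users) {
        foreach ($a in $u.ProxyAddresses) {
            [pscustomobject]@{ Address = $a; Sam = $u.SamAccountName }
        }
    }
    foreach ($g in ($addresses | Group-Object -Property Address)) {
        if ($g.Count -gt 1) {
            $findings.Add([pscustomobject]@{
                Category  = 'Duplicate Attribute'
                Attribute = 'ProxyAddresses'
                Value     = $g.Name
                Users     = ($g.Group.Sam -join ', ')
            })
        }
    }

    # Data Validation: UPN must be user@domain with only the characters Azure AD accepts
    $upnPattern = '^[A-Za-z0-9''._!#^~-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$'
    foreach ($u in $Users) {
        if (-not $u.UserPrincipalName -or $u.UserPrincipalName -notmatch $upnPattern) {
            $findings.Add([pscustomobject]@{
                Category  = 'Data Validation'
                Attribute = 'UserPrincipalName'
                Value     = $u.UserPrincipalName
                Users     = $u.SamAccountName
            })
        }
    }

    # Large Attribute: string values longer than the per-attribute limit
    foreach ($u in $Users) {
        foreach ($attr in $MaxLengths.Keys) {
            $length = ([string]$u.$attr).Length
            if ($length -gt $MaxLengths[$attr]) {
                $findings.Add([pscustomobject]@{
                    Category  = 'Large Attribute'
                    Attribute = $attr
                    Value     = "$length chars (limit $($MaxLengths[$attr]))"
                    Users     = $u.SamAccountName
                })
            }
        }
    }
    return $findings
}

# Constructed sample records: one clean user, a duplicate UPN (case differs), a UPN
# with no domain, and an oversized displayName
$SampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'alice'; UserPrincipalName = 'alice@contoso.com'
        'mS-DS-ConsistencyGuid' = '11111111-1111-1111-1111-111111111111'
        ProxyAddresses = @('SMTP:alice@contoso.com'); DisplayName = 'Alice Adams' }
    [pscustomobject]@{ SamAccountName = 'bob'; UserPrincipalName = 'Alice@contoso.com'
        'mS-DS-ConsistencyGuid' = '22222222-2222-2222-2222-222222222222'
        ProxyAddresses = @('SMTP:bob@contoso.com'); DisplayName = 'Bob Brown' }
    [pscustomobject]@{ SamAccountName = 'carol'; UserPrincipalName = 'carol'
        'mS-DS-ConsistencyGuid' = '33333333-3333-3333-3333-333333333333'
        ProxyAddresses = @('SMTP:carol@contoso.com'); DisplayName = 'Carol Clark' }
    [pscustomobject]@{ SamAccountName = 'dave'; UserPrincipalName = 'dave@contoso.com'
        'mS-DS-ConsistencyGuid' = '44444444-4444-4444-4444-444444444444'
        ProxyAddresses = @('SMTP:dave@contoso.com'); DisplayName = ('D' * 300) }
)

Test-SyncReadiness -Users $SampleUsers | Format-Table -AutoSize

# Against a live domain, replace $SampleUsers with:
# Get-ADUser -Filter * -Properties UserPrincipalName,'mS-DS-ConsistencyGuid',ProxyAddresses,DisplayName,GivenName,Surname
```

Two caveats for live use: Get-ADUser returns mS-DS-ConsistencyGuid as a byte array, so convert it to a GUID string before grouping, and the UPN pattern only catches format problems; it cannot tell you whether the suffix is a verified domain in the tenant, which is the other common cause of a Data Validation error.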

AD Connect Health

The Azure AD Connect Health Agent is installed along with Azure AD Connect. The Health Agent sends data to Azure AD for analysis and troubleshooting. The Azure AD Connect Health page is a great place to go to manage errors that occur during the sync process. The page can be accessed from the Azure AD portal and provides some great insight into the AD Connect status. We can see any synchronization errors that are present in our configuration and clicking the notification option will allow us to customize the error notifications.

Sync Error Report Categories

The Sync Services blade will show us the status of each of our AD Connect servers.

If we have ADFS installed we can download and install the Health Agent on our ADFS and proxy servers. When running, we can see the health and statistics of the ADFS environment also:

We can also see details of AD DS and configure our automatic update policy for the AD Connect Health Agent.

Summary

AD Connect can be quite easy to manage and troubleshoot once you understand how it all works together. The AD Connect Health Agent also makes this much easier than it has been in the past.

Some useful links to check out:

Factors influencing the performance of Azure AD Connect | Microsoft Docs

Azure AD Connect: Troubleshooting Errors during synchronization | Microsoft Docs

Using Azure AD Connect Health with sync | Microsoft Docs

Azure AD Connect: Automatic upgrade | Microsoft Docs
