Resolving an object not syncing with Azure Active Directory" - Microsoft Entra (2023)

If an object is not syncing with Microsoft Azure Active Directory (Azure AD) as expected, it can be for several reasons. If you received an error message from Azure AD or see an error in Azure AD Connect Health, read onFix errors during syncInstead. But if you're troubleshooting a non-Azure AD object, this article is for you. Describes how to find synchronization errors in the on-premises Azure AD Connect component.

Synchronization process

Before we explore the synchronization issues, let's take a look at the Azure AD Connect synchronization process:

Terminology

• CS:Shared space, table in the database
• S N:Metaverse, a table in the database

Synchronize steps

The synchronization process includes the following steps:

1. Import from AD:Active Directory objects are moved to Active Directory CS.

2. Import from Azure AD:Azure AD objects are moved to Azure AD CS.

3. Synchronization:Inbound sync rules and outbound sync rules are run in order of priority, from lowest to highest. To view sync rules, go to the sync rules editor from the desktop apps. Inbound synchronization rules move data from CS to MV. Outbound synchronization rules move data from MV to CS.

4. Export to AD:After synchronization, objects are exported from Active Directory CS to Active Directory.

5. Export to Azure AD:After synchronization, objects are exported from Azure AD CS to Azure AD.

Solve the problem

To find errors, look in several different places in the following order:

1. Fromwork diariesfind errors identified by the synchronization engine during import and synchronization.
2. Fromplace for the connectorfind missing objects and sync errors.
3. Frommetauniverzumfind problems with the data.

StartSync service errorbefore starting these steps.

Activities

FromActivitiesThe Sync Services Manager tab is where you should start troubleshooting. This tab displays the results of recent edits.

The upper halfActivitiesThe tab displays all waveforms in chronological order. By default, the activity log tracks data for the last seven days, but you can change this setting usingFrom plans. Look for a waveform that does not show asuccessstatus. You can change the sorting by clicking on the headings.

Fromstatecolumn contains the most important information and shows the most serious problem to run. Here is a quick summary of the most common conditions in order of research priority (where * represents multiple possible error sequences).

When the row is selected, the lower partActivitiesthe map is updated to show the details of that waveform. To the left of this area may be a list of titlesstep #. This list only appears if there are multiple domains in the forest and each domain is represented by a step. You can find the domain name under the titleSeptum. FulaniSynchronization statisticsyou will find more information about the number of processed changes. Select the links for the list of changed objects. If you have objects with errors, those errors will appear belowSync errorscolumn.

Errors in the Operations tab

When an error occurs, Sync Service Manager displays both the object with the error and the error itself as links that provide more information.

Start by selecting an error string. (In the image above, the error string isfeature triggered by a sync rule error.) First, an overview of the object is displayed. Select to see the actual errorTracking stack. This trace contains information about the error at the debug level.

Right clickCall for stack informationfield, clickSelect alland then selectCopy. Then copy the stack and inspect the error in your favorite editor such as Notepad.

If the error comes fromSyncRulesEngine, the call stack information first lists all of the object's attributes. Scroll down until you see the headerinner exception =>.

The line after the header shows the error. In the image above, the error comes from a custom sync rule created by Fabrikam.

If the error doesn't provide enough information, it's time to look at the data itself. Select the Object ID link and continue troubleshootingimported connector spatial object.

Connector Spatial Object Properties

IActivitiestab shows no errors, follow the spatial connector object from Active Directory to the metaverse to Azure AD. You should find a trouble spot on this path.

Find an object in CS

In Synchronization, select Service ManagerConnections, select the Active Directory connector and selectSearch the connecting room.

wReachfield, select itRDNto search by CN attribute or selectDN cancerwhen you want to searchelegant nameattribute. Enter a value and selectis looking for.

If you can't find what you're looking for, it may have been filtereddomain based filteringLubOU-based filtering. Read on to verify that filtering is configured as expectedAzure AD Connect Sync - Configure filtering.

You can perform another useful search by selecting the Azure AD connector. UReachfield, select itWaiting for importand then selectTo addcheckbox. This search includes all synchronized objects in Azure AD that cannot be linked to an on-premises object.

These objects were created by another synchronization engine or by a synchronization engine with a different filter configuration. These abandoned facilities are no longer managed. Review this list and consider removing these objects fromAzure AD-PowerShellcmdleti.

CS'a importer

When you open the CS object, there are several tabs at the top. TheImportshows the data set after import.

Fromold valuecolumn shows what is currently stored in Connect, aNew valuecolumn shows what has been received from the source system and not yet applied. If there is an error in the object, the changes will not be processed.

FromSync errortab is visible inConnector Spatial Object Propertieswindow only when there is a problem with the object. See how to do this for more informationFix sync errors in the Operations tab.

CS pedigree

Fromdisasterbookmark wConnector Spatial Object Propertiesthe window shows how the spatial connector object is connected to the reverse object. You can see when the connector last imported a change from the connected system and what rules were used to populate the data in the metaverse.

In the previous pictureActioncolumn shows the rule for synchronizing incoming traffic with the actionPoluga. This means that as long as this spatial connector object is present, the reverse object will exist. Instead, if the synchronization rule list contains a synchronization rule for outgoing traffic from aPolugathis object will be deleted when the reverse object is deleted.

You can also see in the picture aboveSynchronization of passwordscolumn that input connector space can contribute to password changes since one sync rule has this valueWHERE. This password is sent to Azure AD via an outbound rule.

Combidisastertab, you can go to Metaverse by selectingProperties of metaversal objects.

Notice

In the lower left cornerConnector Spatial Object Propertiesit's a windowNoticebutton. Select this button to openNoticepage with which one object can be synchronized. This page is useful if you are troubleshooting some custom synchronization rules and want to see the impact of a change on a single object. You can chooseFull synchronizationfromdelta synchronization. You can also chooseGenerate one examplewhich only retains the change in memory. Or chooseApprove the sample, which updates the metaverse and sets any changes to destination connector spaces.

In the example, you can inspect the object and see which rule has been applied to a particular attribute stream.

log

NearNoticebutton, selectlogbutton to openlogpage. Here you can see the status and history of password synchronization. For more information seeFix password hash sync issues with Azure AD Connect sync.

It is usually better to start your search from the source part of the Active Directory connector. But you can also start your quest from the metaverse.

Find an object in MV

In Synchronization, select Service ManagerFind metaversesas in the picture below. Create a query that you know will find the user. Look for common attributes likeaccountnaam(sAMANazwa konta) andprimary_username. For more information seeSynchroniseer Service Manager Metaverse Search.

wSearch resultsclick on an item.

If you haven't found the object, it means it hasn't arrived in the Metaverse yet. Continue searching for the object in Active Directoryplace for the connector. If you find an object in the Active Directory connector space, there may be a synchronization error preventing the object from being moved to the metaverse, or a synchronization rule scope filter may be applied.

Object not found in MV

If the object is in Active Directory CS but not in MV, the scope filter is applied. To see the range filter, go to the desktop application menu and selectSync rule editor. Filter the rules that apply to the object by adjusting the filter below.

Look and check each rule in the list aboverange filter. In the following filter range, ifisCriticalSystemObjectvalue is NULL, FALSE, or empty, is in the range.

To goSee CSattribute list and check which filter blocks the feature from going to MV. TheConnector spacethe attribute list displays only non-null and non-empty attributes. For exampleisCriticalSystemObjectnot listed, the value of this attribute is null or empty.

Object not found in Azure AD CS

If the object is not present in the Azure AD connector space but is present in the MV, look at the output rule scope filter of the corresponding connector region and verify that the object is filtered becauseMV attributesdo not meet the criteria.

To view the outgoing range filter, select the appropriate rows for the object by setting the filter below. List each line and look at the appropriate oneAtrybut MVvalue.

MV attributes

Alattributeson the map you can see the values ​​and connectors that contributed to it.

If the object is not syncing, ask the following questions about attribute states in the Metaverse:

• That's an attributecloud filteredpresent and set upWHERE? If so, it is filtered according to the steps inattribute-based filtering.
• That's an attributemost AnkerRight now? If not, do you have a forest topology for account resources? If the object is identified as a linked mailbox (attributemsExchRecipientTypeDetailshas value2),most Ankerit is provided by an Active Directory account-enabled forest. Make sure the main account is correctly imported and synced. The main account must be specifiedconnectorsfor the object.

SN connectors

FromConnectionsthe tab displays all connection spaces that have an object view.

You should have a link to:

• Any Active Directory forest in which the user is represented. This representation may includeForeign primary securityandContactobject.
• Azure AD connector.

If you are missing the Azure AD connector, see the section aboutMV attributesto verify the Azure AD provisioning criteria.

CombiConnectionsmark wherever you can goconnector spatial object. Select a row and clickproperty.

Next steps

• Learn more aboutAzure AD Connect synchronization.
• Learn more abouthybrid identity.