Troubleshoot Microsoft Entra ID Sync Errors: Directory Sync Stopped or Unregistered?
Directory synchronization is a critical component for organizations utilizing hybrid identity with Microsoft Entra ID (formerly Azure Active Directory). When directory sync stops or becomes unregistered, it directly impacts the ability to provision and deprovision users, groups, and contacts, leading to potential access issues and administrative overhead. Identifying and resolving the root cause promptly is essential for maintaining a healthy hybrid environment. This guide provides a comprehensive approach to troubleshooting common issues that result in directory sync cessation or the unregistered state.
One of the initial steps in diagnosing sync problems involves verifying the credentials and status of the administrative account used by the synchronization process. This account, often a dedicated service account or a global administrator account, requires specific permissions within both your on-premises Active Directory and Microsoft Entra ID to perform its tasks effectively. Issues with this account, such as password changes, expiration, or the account being disabled or deleted, are frequent culprits behind sync failures. Ensuring this account is active and functional is paramount.
Verifying the Synchronization Service Account
The administrative account responsible for directory synchronization must exist and be allowed to sign in to both the on-premises environment and Microsoft Entra ID. If the account is still present, a straightforward troubleshooting step is to reset its password. Following the password reset, attempt to sign in interactively with the account. You may be prompted to change the password upon the first login after a reset, which is a necessary step to complete before the sync service can use the new credentials.
If you are unsure which global administrator account is configured for directory synchronization, you can identify it on the server where your directory synchronization application is installed. This application is typically Microsoft Entra Connect.
Follow these steps to identify the account:
- Navigate to the installation directory of Microsoft Entra Connect. The default path is `%ProgramFiles%\Microsoft Azure AD Sync\UIShell\`.
- Execute `Miisclient.exe`. This application is the Synchronization Service Manager.

> Note: If you are using a recent version of Microsoft Entra Connect or the Azure Active Directory Sync Service, you can find and open the Synchronization Service application directly from the Start menu search.

- Within the Synchronization Service Manager, select Connectors from the top menu bar.
- Locate and double-click the connector configured for Microsoft Entra ID. This connector is usually identifiable by its type (Microsoft Entra ID (Microsoft)).
- In the connector properties window, select the Connectivity option on the left-hand navigation pane.
- Under the Connectivity settings, make note of the UserName value displayed. This value represents the global administrator account used to configure the connection to Microsoft Entra ID during the initial setup.
Once you have identified the synchronization account name, the next step is to verify its status within your on-premises Active Directory.
On a domain controller or any server with the Active Directory Users and Computers (ADUC) administration tools installed (accessible via `Dsa.msc`), open ADUC. Right-click on the domain name where the account resides and select Find. Enter the account name you noted from the Synchronization Service Manager into the search field and click Find now.
- If the account is found, proceed to check its properties.
- If the account cannot be found, it may have been deleted from Active Directory. Restoring a deleted account often involves using the Active Directory Recycle Bin feature, if enabled. Consult the documentation for your Windows Server version regarding the Active Directory Recycle Bin Step-by-Step Guide for restoration procedures. If the account cannot be restored, you will likely need to uninstall and then reinstall Microsoft Entra Connect, configuring it with a valid, existing global administrator account.
If the account was found in Active Directory, open its properties. Check the Account tab. Ensure that the “Account is disabled” checkbox is cleared. If the account is disabled, enable it by clearing this checkbox.
Even if the account is not disabled, its password might have been changed manually in Active Directory or it might have expired according to domain policies, rendering the credentials stored within Microsoft Entra Connect invalid. To address this, open Active Directory Users and Computers, locate and right-click the synchronization account, and select Reset Password. Set a new strong password for the account. It is crucial to note this new password, as you will need to update the credentials used by Microsoft Entra Connect.
After resetting the password in Active Directory, you must update the stored credentials within Microsoft Entra Connect to use the new password. This is typically done by running the Microsoft Entra Connect wizard and selecting the option to “Configure sync options” or “Customize synchronization options,” which allows you to re-enter the credentials for the Microsoft Entra ID connector.
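The account checks described above, as an added PowerShell example that is not part of the original article. It assumes the RSAT ActiveDirectory module is available, and `$SyncAccount` is a placeholder for the UserName you noted in the Synchronization Service Manager.

```powershell
# Added example, not from the original article: inspect the account that
# Microsoft Entra Connect signs in with and remediate the usual failure states.
# Assumes the RSAT ActiveDirectory module; $SyncAccount is a placeholder for the
# UserName noted in the Synchronization Service Manager.
Import-Module ActiveDirectory

$SyncAccount = 'svc-entra-sync'   # placeholder: replace with the noted UserName

$user = Get-ADUser -Filter "SamAccountName -eq '$SyncAccount'" -Properties Enabled,
    LockedOut, PasswordExpired, PasswordLastSet, PasswordNeverExpires, AccountExpirationDate

if (-not $user) {
    Write-Warning "'$SyncAccount' not found in AD. Candidates in the Recycle Bin (if enabled):"
    # sAMAccountName is preserved on deleted objects, so they can still be matched.
    Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$SyncAccount))" `
        -IncludeDeletedObjects -Properties whenChanged |
        Select-Object Name, ObjectGUID, whenChanged
    return
}

# Each condition below makes the credentials stored in Entra Connect stop working.
$problems = @()
if (-not $user.Enabled)    { $problems += 'account is disabled' }
if ($user.LockedOut)       { $problems += 'account is locked out' }
if ($user.PasswordExpired) { $problems += 'password has expired or must be changed' }
if ($user.AccountExpirationDate -and $user.AccountExpirationDate -lt (Get-Date)) {
    $problems += 'account expiration date has passed'
}

$user | Select-Object SamAccountName, Enabled, LockedOut, PasswordExpired,
    PasswordLastSet, PasswordNeverExpires, AccountExpirationDate | Format-List

if ($problems.Count -eq 0) {
    "No account-level problem found for '$SyncAccount'."
} else {
    Write-Warning ('Problems: ' + ($problems -join '; '))
    # Remediate: enable, unlock and reset the password. Clearing the
    # change-at-next-logon flag prevents the interactive prompt mentioned above
    # from blocking the service account. The new password must then be
    # re-entered in the Microsoft Entra Connect wizard (not done by this script).
    $newPassword = Read-Host -AsSecureString 'New password for the sync account'
    Enable-ADAccount      -Identity $user
    Unlock-ADAccount      -Identity $user
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword
    Set-ADUser            -Identity $user -ChangePasswordAtLogon $false
}
```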
Checking Microsoft Entra Connect Service Status
Microsoft Entra Connect operates as a set of Windows services on the server where it is installed. If these services are not running, synchronization cannot occur. Checking the status of the relevant services is a fundamental troubleshooting step.
Open the Services console (`services.msc`) on the Microsoft Entra Connect server. Look for services related to Microsoft Entra Connect or Azure AD Sync. The primary service responsible for the synchronization engine is typically named Microsoft Azure AD Sync or Azure AD Connect Synchronization Service.
Verify the status of this service. It should be running and its Startup Type should ideally be set to Automatic. If the service is stopped, attempt to start it. If it fails to start, note any error messages that appear. These error messages can provide clues to the underlying problem, such as logon failures (indicating account issues), dependency service failures, or configuration errors.
If the service is running, consider restarting it. A service restart can sometimes resolve transient issues that might be causing the sync to hang or report an unhealthy status. Before restarting, it is good practice to check the event logs for any errors logged by the service immediately before the sync stopped.
Analyzing Sync Health in Microsoft Entra ID
Microsoft Entra ID provides a built-in health monitoring feature for directory synchronization. Checking the sync health status in the Microsoft Entra admin center can quickly reveal if Microsoft Entra ID is receiving sync updates from your on-premises environment and highlight reported errors.
Navigate to the Microsoft Entra admin center (https://entra.microsoft.com). Go to Identity -> Hybrid management -> Microsoft Entra Connect -> Sync health.
On this page, you can view the status of your sync connectors. Look for the status of your on-premises Active Directory connector and the Microsoft Entra ID connector. The health status is typically indicated as “Healthy” or “Error”. Pay close attention to the last synchronization time reported. If this timestamp is significantly old compared to your configured sync cycle (default is 30 minutes), it confirms that sync is not running correctly.
The Sync health dashboard also provides details about synchronization errors encountered during the last sync cycles. Reviewing these errors can pinpoint specific objects or attribute conflicts that are failing to synchronize. While object-level errors might not stop the entire sync process, a large number of persistent errors or errors related to critical infrastructure objects could potentially impact the overall sync health status or indicate deeper underlying issues.
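The same "is the last sync too old?" question can be answered locally on the sync server. The following is an added example, not from the original article; it assumes the ADSync module that Microsoft Entra Connect installs and an elevated PowerShell session on that server.

```powershell
# Added example, not from the original article: the "is the last sync too old?"
# check performed locally on the sync server with the ADSync module that
# Microsoft Entra Connect installs. Run from an elevated PowerShell on that server.
Import-Module ADSync

$sched  = Get-ADSyncScheduler
$issues = @()

# The scheduler decides whether a cycle can run at all; these states explain a
# stale "last synchronization" timestamp without any error being logged.
if (-not $sched.SyncCycleEnabled) { $issues += 'SyncCycleEnabled is false: sync is switched off' }
if ($sched.SchedulerSuspended)    { $issues += 'scheduler is suspended (often left behind by an upgrade or wizard run)' }
if ($sched.StagingModeEnabled)    { $issues += 'server is in staging mode and exports nothing to Microsoft Entra ID' }

# Default cycle is 30 minutes; a next-run time older than one full interval
# means the scheduler has stopped firing even though it is enabled.
$interval  = $sched.CurrentlyEffectiveSyncCycleInterval
$overdueBy = (Get-Date).ToUniversalTime() - $sched.NextSyncCycleStartTimeInUTC
if ($overdueBy -gt $interval) {
    $issues += ('next cycle was due at {0:u} UTC, {1:N0} minutes ago' -f
        $sched.NextSyncCycleStartTimeInUTC, $overdueBy.TotalMinutes)
}

$sched | Select-Object SyncCycleEnabled, SchedulerSuspended, StagingModeEnabled,
    SyncCycleInProgress, CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC

if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else         { 'Scheduler looks healthy; check the Sync health dashboard for object-level errors.' }
```

If nothing is flagged, `Start-ADSyncSyncCycle -PolicyType Delta` triggers an immediate delta cycle so you can confirm the engine still runs end to end.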
Reviewing Event Logs on the Sync Server
Detailed information about the operation and any encountered errors of Microsoft Entra Connect is logged in the Windows Event Viewer on the sync server. The Application and System logs are key resources for troubleshooting.
Open the Event Viewer (`eventvwr.msc`) on the Microsoft Entra Connect server. Navigate to Windows Logs -> Application. Filter or search the log for events with the source Azure AD Sync, ADSync, MiiS_Service, or Directory Synchronization.
Look for Error or Warning level events that correlate with the time the sync stopped or was last reported as unhealthy. Common errors found here include:
- Connectivity errors (e.g., unable to connect to a domain controller, unable to connect to Microsoft Entra ID endpoints).
- Permission issues (e.g., access denied to read Active Directory objects, insufficient permissions for the service account).
- Database errors (e.g., issues connecting to the ADSync database, database corruption).
- Configuration errors (e.g., invalid sync rules, problematic attribute mappings).
- Credential failures (often reported as logon failures for the service account).
The System log might also contain relevant information, particularly regarding service startup failures, network issues, or underlying operating system problems that could affect Microsoft Entra Connect’s operation. Check for errors from sources like Service Control Manager, Schannel, or network adapter drivers around the time of the sync failure.
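The service check and the event log review from the two sections above, combined into one added PowerShell example that is not part of the original article. It assumes the service name `ADSync` (display name "Microsoft Azure AD Sync") and the event sources named above; `$LookBackHours` is a placeholder you can tune.

```powershell
# Added example, not from the original article: check the sync service and then
# pull the errors and warnings logged around the time it stopped. Assumes the
# service name ADSync (display name "Microsoft Azure AD Sync") and the event
# sources named in the article; $LookBackHours is a placeholder to tune.
$ServiceName   = 'ADSync'
$LookBackHours = 24

$svc     = Get-Service -Name $ServiceName -ErrorAction Stop
# StartName is the identity the service runs as; a logon failure at start-up
# usually means that account's password or "Log on as a service" right changed.
$svcInfo = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
[pscustomobject]@{
    Service   = $svc.DisplayName
    Status    = $svc.Status
    StartType = $svc.StartType
    RunsAs    = $svcInfo.StartName
    ExitCode  = $svcInfo.ExitCode
} | Format-List

if ($svc.Status -ne 'Running') {
    try   { Start-Service -Name $ServiceName -ErrorAction Stop; "Started $ServiceName" }
    catch { Write-Warning "Start failed: $($_.Exception.Message)" }
}

$since = (Get-Date).AddHours(-$LookBackHours)

# Application log: sync engine events. Level 1 = Critical, 2 = Error, 3 = Warning.
$appEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Azure AD Sync', 'ADSync', 'MiiS_Service', 'Directory Synchronization'
    Level        = 1, 2, 3
    StartTime    = $since
} -ErrorAction SilentlyContinue

# System log: Service Control Manager explains why a service failed to start;
# Schannel reports TLS handshake failures towards the cloud endpoints.
$sysEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager', 'Schannel'
    Level        = 1, 2, 3
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -eq 'Schannel' -or $_.Message -match $ServiceName }

# Merge both logs into one timeline, newest first, showing the first message line.
@($appEvents) + @($sysEvents) | Where-Object { $_ } |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, ProviderName, Id, LevelDisplayName,
        @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```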
Investigating Network and Connectivity Issues
Directory synchronization relies on robust network connectivity between the Microsoft Entra Connect server, the on-premises Active Directory Domain Controllers, and the Microsoft Entra ID service endpoints on the internet. Network problems, including firewall blocks, proxy issues, or DNS resolution failures, can prevent sync from completing.
Verify network connectivity:
- Connectivity to Domain Controllers: The sync server must be able to communicate with the on-premises domain controllers to read data from Active Directory. Ensure network paths are open and DNS can resolve domain controller names. Required ports include LDAP (389) and Global Catalog (3268) over TCP, and potentially LDAPS (636) and Global Catalog LDAPS (3269) if secure LDAP is used. Use tools like `ping` and `Test-NetConnection -ComputerName <DomainController> -Port <PortNumber>` to verify connectivity.
- Connectivity to Microsoft Entra ID Endpoints: The sync server needs outbound connectivity to various Microsoft Entra ID and Microsoft 365 endpoints over ports 80 and 443. Consult the official Microsoft 365 URLs and IP address ranges documentation to identify all necessary endpoints. Ensure your firewall and proxy server are configured to allow traffic to these destinations. Use `Test-NetConnection -ComputerName login.microsoftonline.com -Port 443` or `telnet login.microsoftonline.com 443` (if the telnet client is installed) to test basic connectivity to a common endpoint.
- DNS Resolution: Correct DNS resolution is critical for locating both on-premises domain controllers and Microsoft Entra ID endpoints. Ensure the sync server is configured to use reliable DNS servers that can resolve both internal and external names. Use `nslookup` to test name resolution for domain controllers and external endpoints like `login.microsoftonline.com`.
If your organization uses a proxy server for outbound internet access, ensure Microsoft Entra Connect is configured to use the proxy correctly. Proxy settings can be configured during the initial installation or by rerunning the Microsoft Entra Connect wizard. Incorrect proxy settings are a common cause of connectivity issues to Microsoft Entra ID.
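The connectivity, DNS and proxy checks above, as an added PowerShell example that is not from the original article. The domain controller names are placeholders; the endpoint list in the Microsoft 365 URLs documentation remains authoritative for the cloud side.

```powershell
# Added example, not from the original article: connectivity checks from the sync
# server to the domain controllers and to one Microsoft Entra ID endpoint, plus the
# proxy that Entra Connect actually uses. $DomainControllers holds placeholder
# names; the Microsoft 365 URLs documentation remains authoritative for endpoints.
$DomainControllers = @('dc01.corp.example', 'dc02.corp.example')   # placeholders
$DcPorts = @{ 389 = 'LDAP'; 3268 = 'Global Catalog'; 636 = 'LDAPS'; 3269 = 'GC LDAPS' }
$CloudEndpoint = 'login.microsoftonline.com'

$results = @(foreach ($dc in $DomainControllers) {
    # Resolve first: a port test against an unresolvable name only proves a DNS failure.
    $resolved = Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue
    foreach ($port in $DcPorts.Keys) {
        $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target = $dc; Resolves = [bool]$resolved; Port = $port
            Service = $DcPorts[$port]; TcpOpen = $t.TcpTestSucceeded
        }
    }
})

# Outbound HTTPS to a common Entra ID endpoint (ports 80/443 apply to the full list).
$cloud = Test-NetConnection -ComputerName $CloudEndpoint -Port 443 -WarningAction SilentlyContinue
$results += [pscustomobject]@{
    Target = $CloudEndpoint; Resolves = [bool]$cloud.RemoteAddress; Port = 443
    Service = 'Entra ID (HTTPS)'; TcpOpen = $cloud.TcpTestSucceeded
}

$results | Format-Table -AutoSize
$failed = $results | Where-Object { -not $_.TcpOpen }
if ($failed) {
    Write-Warning ('Blocked or unreachable: ' +
        (($failed | ForEach-Object { "$($_.Target):$($_.Port)" }) -join ', '))
}

# Entra Connect takes its proxy from the .NET machine.config, not from the
# signed-in user's Internet Options, so inspect that file directly.
$machineConfig = "$env:windir\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config"
[xml]$cfg = Get-Content -Path $machineConfig
$proxy = $cfg.configuration.'system.net'.defaultProxy.proxy
if ($proxy) { "machine.config proxy: $($proxy.proxyaddress) (usesystemdefault=$($proxy.usesystemdefault))" }
else        { 'No explicit proxy in machine.config (direct connection or system default).' }
```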
Verifying On-Premises Active Directory Health
The source of the data for synchronization is your on-premises Active Directory. If AD is experiencing health issues, such as replication failures, DNS problems within the AD infrastructure, or issues with specific domain controllers, it can directly impact the ability of Microsoft Entra Connect to read object data, leading to sync errors or a complete halt.
Use the `dcdiag` command on your domain controllers to check for overall AD health issues. Pay attention to tests related to Connectivity, Replication, DNS, and System log errors. Use `repadmin /showrepl` to check the status of AD replication between domain controllers. Ensure that the domain controller(s) that Microsoft Entra Connect is configured to connect to are healthy and have up-to-date copies of the AD database.
Examining Sync Server Resources
The server hosting Microsoft Entra Connect requires sufficient system resources (CPU, memory, disk space) to function correctly. If the server is constrained, the synchronization process can slow down, hang, or fail.
Check the server’s performance metrics using Task Manager or Performance Monitor. Look for consistently high CPU or memory usage that could indicate a bottleneck. Critically, check the available disk space on the drive where Microsoft Entra Connect is installed and where its database resides. The ADSync database can grow quite large, especially in larger environments or if there are persistent sync errors accumulating in the database. Running out of disk space can cause the sync service to stop or prevent the database from operating correctly. Freeing up disk space or extending the volume may be necessary.
Addressing Configuration Problems
Incorrect synchronization rules, attribute mappings, or scoping filters rarely cause a complete “Stopped” or “Unregistered” status on their own, unless the configuration damage is fundamental. They can, however, produce persistent errors that eventually degrade the overall sync health status.
Review the Synchronization Service Manager console for errors reported on the “Operations” tab. This tab provides details about the results of sync cycles, including the number of adds, modifies, deletes, and, importantly, synchronization errors. Analyzing these errors can help identify if specific configuration problems are preventing objects from synchronizing correctly. For instance, conflicting attribute values, data formatting issues, or permission problems on specific objects can cause errors.
Ensuring Microsoft Entra Connect is Up-to-Date
Running an outdated or unsupported version of Microsoft Entra Connect can lead to compatibility issues, known bugs, or lack of support for changes in the Microsoft Entra ID service. Microsoft regularly releases updates for Microsoft Entra Connect that include bug fixes, performance improvements, and support for new features.
Check the version of Microsoft Entra Connect installed on your server. Compare it against the latest available version on the Microsoft download center. Plan and perform an upgrade if you are running an older version. Upgrading can often resolve issues caused by outdated software components. Microsoft provides guidance on recommended upgrade paths and methods (in-place upgrade or swing migration).
Advanced Troubleshooting and Reinstallation
If the standard troubleshooting steps do not resolve the issue, more advanced diagnostics may be required. This could involve investigating the ADSync database hosted in SQL Server LocalDB or a full SQL Server instance. Database corruption, transaction log issues, or connectivity problems to the SQL instance can all halt synchronization. Accessing and troubleshooting the database requires database administration skills and should be approached with caution.
In situations where the Microsoft Entra Connect installation appears fundamentally broken, or if troubleshooting points towards irreparable configuration damage or database corruption, a complete uninstallation and reinstallation of Microsoft Entra Connect might be the most effective solution. Before performing a reinstallation, ensure you have a backup of your custom configuration, if any, or be prepared to reconfigure it from scratch. The configuration wizard allows exporting and importing sync rules and other settings, which can speed up the reinstallation process.
Summary of Common Issues and Checks
| Symptom (Stopped/Unregistered) | Common Cause | Initial Check |
|---|---|---|
| Sync not running/Last sync old | Service account issues | Verify account status in AD, reset password, update credentials |
| Sync not running/Last sync old | Microsoft Entra Sync service stopped | Check service status in `services.msc`, attempt restart |
| Sync health dashboard reports error | Connectivity issues to AD or Entra ID | Check firewalls, proxy, DNS, network paths, required ports |
| Sync health dashboard reports error | On-premises AD health problems | Run `dcdiag`, `repadmin /showrepl`, check AD DNS |
| Sync service won’t start | Service account logon failure | Verify account password, ensure “Log on as a Service” right |
| Sync service won’t start | Database connection/corruption | Check SQL service status (if not LocalDB), review database logs |
| Sync service runs but no data flows | Configuration errors (filters, rules) | Review “Operations” tab in Synchronization Service Manager for errors |
| Server slow, sync timing out | Resource exhaustion | Check CPU, memory, disk space on the sync server |
| General instability/errors | Outdated software | Check Microsoft Entra Connect version, plan upgrade |
Troubleshooting Microsoft Entra ID sync errors requires a systematic approach, starting with the most common causes like account issues and service status, then expanding to investigate network, directory health, server resources, and application configuration. By methodically working through these areas, administrators can identify and rectify the problems preventing successful directory synchronization.
Have you encountered these issues? Share your experiences or questions about troubleshooting Microsoft Entra ID sync problems in the comments below.