Azure Active Directory Connect – Troubleshooting

Overview

This guide helps you diagnose and resolve issues with Azure AD Connect synchronization. It covers common error messages, steps to view diagnostic logs, and best‑practice remediation techniques.

Common Issues

1. Sync cycle does not start

Possible causes:

  • Incorrect service account permissions.
  • Disabled Windows Service (ADSync).
  • Stale configuration cache.

Resolution: Run the following PowerShell command to force a sync and capture verbose output.

Start-ADSyncSyncCycle -PolicyType Delta -Verbose

2. “Object Not Found” errors

These errors usually indicate that a source object was deleted or moved before the sync could process it.

Fix: Verify the object's existence in on‑premises AD and, if necessary, perform a full sync.

Start-ADSyncSyncCycle -PolicyType Initial

3. Attribute mapping conflicts

Conflicting attribute values can cause ObjectConflict errors.

Review the conflicting attributes in the Azure portal under Azure AD → Users → Conflict and adjust the mapping rules.

Viewing Logs

Azure AD Connect writes events to the Windows Event Viewer under Applications and Services Logs → AD Sync. For detailed diagnostics:

  1. Open PowerShell as Administrator.
  2. Run Get-ADSyncScheduler to view the current sync schedule.
  3. Export logs with:

wevtutil epl "ADSync" "C:\Logs\ADSync.evtx"

Use the Event Viewer to filter by ADSyncConnector and SyncEngine sources.

Sync Errors & Their Meaning

Error Code | Description | Remediation
0x80070005 | Access denied – service account lacks permissions. | Grant Replicating Directory Changes and Replicating Directory Changes All on the domain.
0x800704C7 | Sync was cancelled by user. | Ensure no manual cancellations are triggered during scheduled cycles.
0x80180001 | Schema mismatch. | Run the Azure AD Connect Schema Upgrade wizard.
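
A check for the 0x80070005 remediation above, as an added example (not part of the original guide and not Microsoft's code): it reads access control entries from the domain root, reports which of the two replication rights the sync account lacks, and lists every other principal that holds them. The account names and the sample ACEs are constructed; the function names are hypothetical.

```powershell
# Control access right GUIDs for the two rights named in the table.
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}
# An ExtendedRight ACE with an empty ObjectType grants every extended right.
$AllRights = '00000000-0000-0000-0000-000000000000'

function Get-ReplicationRightHolder {
    param([Parameter(Mandatory)][object[]]$Ace)
    foreach ($a in $Ace) {
        $rights = [string]$a.ActiveDirectoryRights
        if ([string]$a.AccessControlType -ne 'Allow') { continue }
        if ($rights -notmatch 'ExtendedRight|GenericAll') { continue }
        $guid = ([string]$a.ObjectType).ToLower()
        $granted = if ($rights -match 'GenericAll' -or $guid -eq $AllRights) {
            $ReplRights.Values          # implicit grant of both rights
        } elseif ($ReplRights.ContainsKey($guid)) {
            $ReplRights[$guid]          # explicit grant of one right
        }
        foreach ($r in $granted) {
            [pscustomobject]@{ Identity = [string]$a.IdentityReference; Right = $r }
        }
    }
}

function Test-SyncAccountReplicationRight {
    param([Parameter(Mandatory)][object[]]$Ace, [Parameter(Mandatory)][string]$Account)
    $held = Get-ReplicationRightHolder -Ace $Ace | Where-Object Identity -eq $Account |
        Select-Object -ExpandProperty Right -Unique
    $missing = @($ReplRights.Values | Where-Object { $_ -notin $held })
    [pscustomobject]@{ Account = $Account; Missing = $missing; Ok = ($missing.Count -eq 0) }
}

# Constructed sample ACEs. On a domain-joined host with the ActiveDirectory module,
# use instead: (Get-Acl "AD:\$((Get-ADDomain).DistinguishedName)").Access
$sample = @(
    [pscustomobject]@{ IdentityReference = 'CONTOSO\svc-adsync'; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'ExtendedRight'; ObjectType = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\helpdesk'; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'ExtendedRight'; ObjectType = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' }
)
# Which of the two rights the sync account still lacks.
Test-SyncAccountReplicationRight -Ace $sample -Account 'CONTOSO\svc-adsync'
# Every other principal holding either right, for review.
Get-ReplicationRightHolder -Ace $sample | Where-Object Identity -ne 'CONTOSO\svc-adsync'
```

Together the two rights allow a principal to replicate password hashes from the domain, so the list of other holders should be short and expected.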

Resetting Azure AD Connect Sync

If the sync engine is stuck, you can reset it without reinstalling:

# Stop the service
Stop-Service ADSync

# Restart the service
Start-Service ADSync

# Trigger a delta sync cycle (the cmdlet needs the service to be running)
Start-ADSyncSyncCycle -PolicyType Delta

After resetting, monitor the first sync cycle for errors.

FAQ

How can I verify that password hash sync is working?

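Check the Azure AD Connect Health portal for the Password hash sync status. You can also test with a known user:

# Replace both placeholders with values from your environment
Invoke-ADSyncDiagnostics -PasswordSync -ADConnectorName "<AD connector name>" -DistinguishedName "<distinguished name of user@contoso.com>"

Can I sync specific OUs only?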

Yes. In the Azure AD Connect wizard, under Configure Directory Partitions, select the OUs you want to include or exclude.

What is the recommended sync schedule?

For most production environments a 30‑minute delta sync and a 24‑hour full sync provide a good balance of freshness and performance.