This document provides guidance on diagnosing and resolving common issues encountered with Azure AD Connect.

Common Issues and Solutions

Synchronization Errors

Synchronization errors can occur for various reasons, including duplicate attribute values, invalid characters, or connectivity problems.

Diagnosing Synchronization Errors

  • Use the Synchronization Service Manager to view synchronization runs and identify specific errors.
  • Filter the results for errors and examine the properties of the objects causing the issues.
  • Common error codes include:
    • 1004: Duplicate attribute value.
    • 1005: Invalid attribute value.
    • 1006: Object not found.

Resolving Synchronization Errors

  • For duplicate attribute errors (e.g., proxyAddresses, userPrincipalName), identify the conflicting object and either remove the duplicate or correct the attribute on one of the objects.
  • For invalid attribute errors, ensure attribute values conform to the expected format and character set.
  • If an object is not found, verify its existence in the source directory and ensure it's within the configured sync scope.

Important: Always back up your Azure AD Connect configuration before making significant changes.
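
The following PowerShell script is an added example, not part of the original guide: it checks the on-premises directory for the colliding proxyAddresses and userPrincipalName values that produce the duplicate attribute error described above, so the conflicting objects can be corrected before the next sync cycle. It assumes the ActiveDirectory RSAT module on a domain-joined machine, and the SearchBase is a placeholder for your own sync scope.

```powershell
# Added example (not from the original guide). Assumes the ActiveDirectory
# RSAT module; $SearchBase is a placeholder to replace with your sync scope.
Import-Module ActiveDirectory

$SearchBase = 'OU=Synced,DC=contoso,DC=com'   # placeholder scope

# Fetch only objects that carry one of the attributes that must be unique.
$objects = Get-ADObject -SearchBase $SearchBase `
    -LDAPFilter '(|(proxyAddresses=*)(userPrincipalName=*))' `
    -Properties proxyAddresses, userPrincipalName

# Flatten every attribute value into (Attribute, Value, DN) records.
# Values are lower-cased because Azure AD compares them case-insensitively.
$records = foreach ($obj in $objects) {
    if ($obj.userPrincipalName) {
        [pscustomobject]@{
            Attribute = 'userPrincipalName'
            Value     = $obj.userPrincipalName.ToLower()
            DN        = $obj.DistinguishedName
        }
    }
    foreach ($addr in $obj.proxyAddresses) {
        [pscustomobject]@{
            Attribute = 'proxyAddresses'
            Value     = $addr.ToLower()
            DN        = $obj.DistinguishedName
        }
    }
}

# A value held by more than one object is a conflict; list every holder
# so an administrator can decide which object keeps the attribute.
$conflicts = $records | Group-Object Attribute, Value | Where-Object Count -gt 1

foreach ($c in $conflicts) {
    Write-Output ('{0} = {1}' -f $c.Group[0].Attribute, $c.Group[0].Value)
    $c.Group.DN | ForEach-Object { Write-Output ('    ' + $_) }
}

if (-not $conflicts) {
    Write-Output 'No duplicate proxyAddresses or userPrincipalName values found.'
}
```

This only detects collisions between on-premises objects; a conflict with a cloud-only object still surfaces as a synchronization error in the Synchronization Service Manager after the next sync cycle.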

Connectivity Issues

Azure AD Connect requires connectivity to both your on-premises Active Directory and Azure AD. Problems with firewalls, network latency, or DNS can disrupt synchronization.

  • Firewall Rules: Ensure that the necessary ports and URLs are open for communication. Refer to the Azure AD Connect prerequisites documentation for a comprehensive list.
  • DNS Resolution: Verify that your on-premises servers can resolve Azure AD endpoints.
  • Proxy Server Configuration: If you use a proxy server, ensure Azure AD Connect is configured to use it correctly.

Authentication Problems

Issues with password hash synchronization, pass-through authentication, or federation can prevent users from signing in.

Password Hash Synchronization (PHS)

  • Check the Event Viewer on the Azure AD Connect server for errors related to PHS.
  • Ensure the service account used by Azure AD Connect has the necessary permissions to read password hashes from AD.
  • Verify that PHS is enabled in your Azure AD tenant.

Pass-through Authentication (PTA)

  • Monitor the status of the Pass-through Authentication agents. Ensure they are running and healthy.
  • Check network connectivity between the PTA agents and Azure AD.
  • Review Azure AD sign-in logs for specific error messages related to PTA.

Federation (AD FS)

  • Verify the health of your AD FS servers and WAP servers.
  • Check the certificate validity and configuration on AD FS.
  • Ensure trust relationships between AD FS and Azure AD are correctly established.

Common Troubleshooting Steps

  1. Restart the Azure AD Sync Service: Sometimes, a simple restart can resolve temporary glitches.
  2. Run the Azure AD Connect Troubleshooter: Microsoft provides a built-in troubleshooter that can automatically detect and fix common problems. Access it via the Azure AD Connect icon in the system tray.
  3. Check Event Logs: The Application and System event logs on the Azure AD Connect server are invaluable sources of error information.
  4. Review Azure AD Sign-in Logs: In the Azure AD portal, examine sign-in logs for affected users to identify authentication failures.
  5. Update Azure AD Connect: Ensure you are running the latest version of Azure AD Connect, as updates often include bug fixes and performance improvements.

Caution: Uninstalling and reinstalling Azure AD Connect should be a last resort. Always ensure you have a proper backup of your configuration.

Performance Issues

Slow synchronization times can impact the timeliness of identity updates in Azure AD.

  • Large Number of Objects: If you have a very large number of objects, consider optimizing your synchronization rules or splitting your sync scope.
  • Network Bandwidth: Ensure sufficient bandwidth between your on-premises environment and Azure AD.
  • Server Resources: Monitor the CPU, memory, and disk I/O of the server running Azure AD Connect.

Troubleshooting Tools

  • Synchronization Service Manager: The primary tool for managing and monitoring synchronization.
  • Azure AD Connect Troubleshooter: Built-in tool for automated problem detection.
  • Event Viewer: Essential for reviewing system and application logs.
  • Azure AD Sign-in Logs: Available in the Azure portal.
  • PowerShell cmdlets: For advanced diagnostics and configuration.