Forum Discussion

pischta
Copper Contributor
Apr 22, 2024

Entra ID Connect cloud sync: User and group sync is quarantined

Hi,

I connected our on-premises AD with Entra ID with Azure AD Connect Cloud Sync. Agents are active, but User and group sync is quarantined with the following error.

Error code: HybridSynchronizationContainerStateEnumerationFailed

Error message:
We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.... Additional details: Encountered an error while enumerating container changes in the provisioning agent. Please make sure you are running the latest version of the agent. Contact support if the issue persists. Additional Error Details: UnwillingToPerform: The server cannot handle directory requests.. ResultCode: UnwillingToPerform, HResult: -2146233088, responseType: System.DirectoryServices.Protocols.SearchResponse, serializedResponse: {"MatchedDN":"","Controls":[],"ResultCode":53,"ErrorMessage":"error in module dsdb_paged_results: Unwilling to perform during LDB_SEARCH (53)","Referral":[],"References":[],"Entries":[],"RequestId":null}.

I use Samba servers (4.19.4) as DCs. Agents are installed on Windows 2019 servers.
How can I resolve the problem?
    LainRobertson
    Silver Contributor

    pischta

    Error 53 "UnwillingToPerform" is being thrown by your domain controllers when the agent is attempting to perform a search. Or put another way, your domain controllers are rejecting the request from the agent.

    There are multiple causes for this kind of error, but I'm only familiar with those common on Windows, not Samba hosts.

    On Windows, the most common scenario I've seen is where the client/agent is trying to set a secure property like a password over an unsecured (non-TLS) connection, but that isn't the scenario in your error (or at least the wording of the error suggests it isn't, at any rate).

    You might want to check the following article that explains how to export the Cloud Sync log files as they may contain more specific information on what it was trying to do at the time it received the error 53.

    Failing that, I can only think to check that the Samba domain controllers have a valid certificate and are configured to support LDAPS.

    You might want to read that article in full for other troubleshooting pointers.

    There are other non-TLS reasons you can get an error 53, and I do have a hunch that this may not be TLS-related but perhaps unsupported-query-structure-related, or perhaps even that the agent is failing to authenticate first and is trying to run an anonymous search (I also have reservations about this, but it's possible), but as I say, I'm starting with the most common type I see from the Windows context.

    Cheers,

    Lain
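The three hypotheses in the reply above (LDAPS/certificate, query structure, failed authentication) can be separated by reproducing the agent's search from the agent host. The script below is an added example, not code from the original thread and not Microsoft's provisioning agent code; it uses the same .NET library named in the error (System.DirectoryServices.Protocols) to run a paged subtree search for users and groups, once over plain LDAP, once over LDAPS, and once over LDAPS without the paged-results control. The DC host name, base DN, filter, page size and attribute list are placeholders chosen for illustration (assumptions), not values taken from the post.

```powershell
# Added diagnostic for the thread above; not the agent's own code.
# Reproduces the container enumeration as a paged LDAP search with the .NET
# API named in the error (System.DirectoryServices.Protocols) so that a
# ResultCode 53 can be observed and varied outside the agent.
# Host name, base DN, port, filter and page size are placeholders (assumptions).

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-PagedLdapSearch {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $BaseDn,
        [int]    $Port = 389,
        [switch] $UseTls,          # LDAPS, normally port 636
        [switch] $NoPaging,        # send the search without the paged-results control
        [int]    $PageSize = 500,  # assumed value; the agent's real page size is not in the post
        [string] $Filter = '(|(objectClass=user)(objectClass=group))'
    )

    $id = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    # Negotiate binds with the caller's Kerberos/NTLM identity. Run this under the
    # same account the agent uses so an authentication failure shows up the same way.
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $null,
                [System.DirectoryServices.Protocols.AuthType]::Negotiate)
    $conn.SessionOptions.ProtocolVersion = 3
    if ($UseTls) {
        $conn.SessionOptions.SecureSocketLayer = $true
        # Print what the DC presents; accepting it here is for diagnosis only.
        # Do not ship a script that returns $true unconditionally.
        $conn.SessionOptions.VerifyServerCertificate = {
            param($c, $cert)
            Write-Host ('Server certificate: {0} (expires {1})' -f $cert.Subject, $cert.GetExpirationDateString())
            return $true
        }
    }

    try {
        $conn.Bind()
    } catch {
        # Bind problems (TLS handshake, wrong port, bad credentials) are reported
        # as their own step so they are not mistaken for the search-time error 53.
        return [pscustomobject]@{ Step = 'Bind'; Result = $_.Exception.Message; Entries = 0; Pages = 0 }
    }

    $request = New-Object System.DirectoryServices.Protocols.SearchRequest(
                   $BaseDn, $Filter,
                   [System.DirectoryServices.Protocols.SearchScope]::Subtree,
                   @('objectGUID', 'sAMAccountName'))
    $pageControl = $null
    if (-not $NoPaging) {
        $pageControl = New-Object System.DirectoryServices.Protocols.PageResultRequestControl($PageSize)
        [void] $request.Controls.Add($pageControl)
    }

    $entries = 0; $pages = 0
    try {
        while ($true) {
            $response = $conn.SendRequest($request)
            $pages++
            $entries += $response.Entries.Count
            $cookie = ($response.Controls |
                Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }).Cookie
            if (-not $pageControl -or -not $cookie -or $cookie.Length -eq 0) { break }
            $pageControl.Cookie = $cookie   # request the next page
        }
        return [pscustomobject]@{ Step = 'Search'; Result = 'Success'; Entries = $entries; Pages = $pages }
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # ResultCode 53 (UnwillingToPerform) here is the condition the agent logged;
        # the ErrorMessage is the DC's own text, e.g. the dsdb_paged_results line.
        $r = $_.Exception.Response
        return [pscustomobject]@{
            Step    = 'Search'
            Result  = ('{0} ({1}): {2}' -f $r.ResultCode, [int]$r.ResultCode, $r.ErrorMessage)
            Entries = $entries
            Pages   = $pages
        }
    } finally {
        $conn.Dispose()
    }
}

# Same search three ways: plain LDAP, LDAPS, and LDAPS without paging.
$dc = 'dc1.corp.example'; $base = 'DC=corp,DC=example'   # placeholders
Test-PagedLdapSearch -Server $dc -BaseDn $base
Test-PagedLdapSearch -Server $dc -BaseDn $base -Port 636 -UseTls
Test-PagedLdapSearch -Server $dc -BaseDn $base -Port 636 -UseTls -NoPaging
```

Reading the three results side by side: a failure only on the plain-LDAP run points at a transport or signing requirement on the DC; a failure only when the paged-results control is present points at the query structure (the module named in the post's error is Samba's paged-results handler); a failure at the Bind step under the agent's account, but not under an interactive administrator, points at authentication rather than at the search itself.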
