Forum Discussion
Sync Issues with AAD Connect Service not updating attributes
ChrisFox273: Is this an express installation or are you using a dedicated service account? Since you mentioned that you even tried installing on a different server with no luck, it might indicate permission issues with the account you are using. Verify the following Directory Services permissions at the root level of the Active Directory domains in scope:
- Replicate changes
- Replicate changes all
- User objects: reset password, change password and read/write all properties
- InetOrgPerson objects: read/write all properties
- Groups: read/write all properties
- Computer objects: read/write all properties
Also, when you search for the object in the metaverse, does it show your changes against the on-premises connector at least?
That being said, it still doesn't make sense why the accounts would be synchronized on the first go and then later won't accept changes; still, permissions is the first box you would want to check off!
Other areas I would check: is a proxy being used? Internal/external DNS resolution, firewall/ports.
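The permission list above can be checked from a domain-joined admin workstation rather than by clicking through the ACL editor. The following is an added example (not code from the thread or from Microsoft): it reads the ACEs on the domain root with the ActiveDirectory RSAT module and labels the ones that correspond to the rights listed. The account name is a placeholder for your own AAD Connect AD DS connector account; the GUIDs are the well-known AD schema identifiers for those extended rights and object classes.

```powershell
# Added example, not from the thread: enumerate the ACEs a given account holds on the
# domain root and label the rights the post lists. Assumes the ActiveDirectory RSAT
# module; the account name is a placeholder for your AAD Connect AD DS connector account.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\MSOL_0123456789ab'   # placeholder, replace with your account
$DomainDn       = (Get-ADDomain).DistinguishedName

# Well-known schema GUIDs, used to turn raw ACE GUIDs into readable labels.
$RightGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'
    '00000000-0000-0000-0000-000000000000' = '(all properties / generic right)'
}
$ClassGuids = @{
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
    '4828cc14-1437-45bc-9b07-ad6f015e5f28' = 'inetOrgPerson'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group'
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'computer'
    '00000000-0000-0000-0000-000000000000' = '(this object and all descendants)'
}

# Get-Acl on the AD: drive returns ActiveDirectoryAccessRule entries.
$acl  = Get-Acl -Path "AD:\$DomainDn"
$aces = @($acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and $_.AccessControlType -eq 'Allow'
})

if ($aces.Count -eq 0) {
    Write-Warning "No direct Allow ACEs for $ServiceAccount on $DomainDn (rights granted through group membership will not show up here)."
}

# One row per ACE: which right, which object class it is scoped to, and how it inherits.
$aces | ForEach-Object {
    $right = $_.ObjectType.ToString()
    $class = $_.InheritedObjectType.ToString()
    [pscustomobject]@{
        AccessMask  = $_.ActiveDirectoryRights
        Right       = if ($RightGuids.ContainsKey($right)) { $RightGuids[$right] } else { $right }
        AppliesTo   = if ($ClassGuids.ContainsKey($class)) { $ClassGuids[$class] } else { $class }
        Inheritance = $_.InheritanceType
        Inherited   = $_.IsInherited
    }
} | Format-Table -AutoSize

# Explicit pass/fail for the two replication rights (password hash sync needs both).
foreach ($guid in '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2') {
    $present = $aces | Where-Object { $_.ObjectType.ToString() -eq $guid }
    '{0,-36} {1}' -f $RightGuids[$guid], $(if ($present) { 'present' } else { 'MISSING' })
}
```

The per-class rights (user, inetOrgPerson, group, computer) show up as ACEs whose AppliesTo column names the class with an inheritance type of Descendents; a right that only appears as Inherited = True was granted higher up or through a group, which is worth knowing when the account was created by the installer on a different server.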
harveer singh Thanks for your reply, and sorry it took so long to get back to you. I did a custom install of AAD Connect, and let the installer create a new service account. I have checked the permissions for this account in AD, and they are all fine. And yes, when I search for a changed user in Metaverse I see the updated local object fine, with all the relevant changes, coming from the AD connector. So the updates are making it into AAD Connect. But they just don't get sent to Azure AD. DNS is working fine on the AADC server, and there is no proxy. And no outbound filtering at all on the firewall. Is there any way of seeing what is happening with the export to Azure AD? I can also confirm it isn't just proxy addresses that aren't updating. We have a user who had a surname change done a little over a week ago. If I search the user in Metaverse, I see the account with the updated name and UPN. But if I look for the user in Azure AD, the name and UPN remain as they were before. Yet AADC is running and saying successful.
- harveer singh, Jul 20, 2020, Iron Contributor
ChrisFox273 Okay, there is not much we can check regarding what Azure AD is doing with the data exported by AAD Connect. All we can do is verify the data is flowing through all stages of the AAD Connect sync engine; the rest is Microsoft.
Can you please provide some more clarification, perhaps a screenshot of: "but under the 'Changes' column, every single line says 'None', even the line where I have made a change"?
Do you see the changes being pushed to the user account in the cloud connector? Search for the user in the metaverse, open properties and check under the cloud connector whether the changes are being picked up by the cloud connector or not. Again, we are trying to isolate where the sync engine is failing; reference article for metaverse search etc.: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-object-not-syncing
Also, another thing you can check is the "Logon as service" setting in the domain policy: https://oddytee.wordpress.com/2015/08/12/aad-connect-will-not-start-due-to-logon-failure/
Though this is more relevant in cases where the Azure AD Connect service simply won't start, I have seen weird issues with synchronization without any errors if logon as service is not in place.
- Willjmoo, Jul 20, 2020, Brass Contributor
ChrisFox273, a couple of things:
Are you running the most up to date Azure AD Connect?
Have you forced a full sync?
Have you enabled staging mode?
If you look at the tasks, do you see the export ones as complete?
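The two replies above boil down to the same checks: is staging mode on, is a run still in progress, and does the changed attribute reach each stage (AD connector space, metaverse, Azure AD connector space). The script below is an added example, not code from the thread or from Microsoft, that performs those checks with the ADSync module on the AAD Connect server. The DN, connector name and attribute list are placeholders. The cmdlets (Get-ADSyncScheduler, Get-ADSyncConnectorRunStatus, Get-ADSyncConnector, Get-ADSyncCSObject, Get-ADSyncMVObject) are the documented ones; the property names used on the returned objects (ConnectedMVObjectId, Lineage with ConnectorName and ConnectedCsObjectId, Attributes with Name/Values, ExportError) are assumed from memory of the module's output, so run the object through Format-List if one differs on your build.

```powershell
# Added example, not from the thread: follow one user through the AADC sync engine stages
# and report the scheduler state the replies ask about. Assumes the ADSync module on the
# AAD Connect server. DN, connector name and attribute list are placeholders.
# Object property names (ConnectedMVObjectId, Lineage.*, Attributes.*, ExportError) are
# assumed; inspect with `Get-ADSyncCSObject ... | Format-List *` if they differ.
Import-Module ADSync

$OnPremDn    = 'CN=Jane Doe,OU=Users,DC=contoso,DC=com'   # placeholder
$AdConnector = 'contoso.com'                              # placeholder: AD DS connector name

# Metaverse attribute -> Azure AD connector space attribute (AAD CS uses 'surname' for 'sn').
$AttrMap = [ordered]@{
    sn                = 'surname'
    displayName       = 'displayName'
    userPrincipalName = 'userPrincipalName'
    proxyAddresses    = 'proxyAddresses'
}

# 1. Scheduler: staging mode imports and syncs but never exports to Azure AD.
$sched = Get-ADSyncScheduler
"SyncCycleEnabled   : $($sched.SyncCycleEnabled)"
"StagingModeEnabled : $($sched.StagingModeEnabled)"
"SyncCycleInProgress: $($sched.SyncCycleInProgress)"
"Next cycle (UTC)   : $($sched.NextSyncCycleStartTimeInUTC) [$($sched.NextSyncCyclePolicyType)]"
if ($sched.StagingModeEnabled) { Write-Warning 'Staging mode is enabled: nothing is exported to Azure AD.' }

# 2. Any run profile still executing? Empty output means the engine is idle.
$running = @(Get-ADSyncConnectorRunStatus)
if ($running.Count -gt 0) {
    'Running: ' + (($running | ForEach-Object { "$($_.ConnectorName) [$($_.RunProfileName)]" }) -join ', ')
}

# 3. Find the Azure AD connector; its name is conventionally "<tenant>.onmicrosoft.com - AAD".
$aadConnector = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' } | Select-Object -First 1
if (-not $aadConnector) { throw 'Azure AD connector not found; check Get-ADSyncConnector | Select Name.' }

# Helper: flatten the wanted attributes of a CS/MV object into name -> joined value string.
function Get-AttrTable($obj, [string[]]$names) {
    $table = @{}
    foreach ($a in $obj.Attributes) {
        if ($names -contains $a.Name) { $table[$a.Name] = (@($a.Values) | Sort-Object) -join ';' }
    }
    return $table
}

# 4. Stage 1: AD DS connector space object (what the last import read from on-prem AD).
$csAd = Get-ADSyncCSObject -ConnectorName $AdConnector -DistinguishedName $OnPremDn
if (-not $csAd) { throw "Not in the '$AdConnector' connector space: check OU filtering or run a full import." }
$adAttrs = Get-AttrTable $csAd ([string[]]$AttrMap.Keys)

# 5. Stage 2: metaverse object joined to it (what the sync rules produced).
$mv      = Get-ADSyncMVObject -Identifier $csAd.ConnectedMVObjectId
$mvAttrs = Get-AttrTable $mv ([string[]]$AttrMap.Keys)

# 6. Stage 3: Azure AD connector space object, reached through the metaverse lineage.
$aadLink  = $mv.Lineage | Where-Object { $_.ConnectorName -eq $aadConnector.Name }
$csAad    = if ($aadLink) { Get-ADSyncCSObject -ConnectorName $aadConnector.Name -Identifier $aadLink.ConnectedCsObjectId }
$aadAttrs = if ($csAad) { Get-AttrTable $csAad ([string[]]$AttrMap.Values) } else { @{} }
if (-not $csAad) { Write-Warning 'No Azure AD connector space object is linked to this metaverse object.' }

# Side-by-side view: a value present in MV but stale in AAD CS means the export step is the problem.
foreach ($mvName in $AttrMap.Keys) {
    $aadName = $AttrMap[$mvName]
    [pscustomobject]@{
        Attribute         = $mvName
        ADConnectorSpace  = $adAttrs[$mvName]
        Metaverse         = $mvAttrs[$mvName]
        AADConnectorSpace = $aadAttrs[$aadName]
        Status            = if ($mvAttrs[$mvName] -eq $aadAttrs[$aadName]) { 'ok' } else { 'STALE in AAD CS' }
    }
} | Format-Table -AutoSize

if ($csAad -and $csAad.ExportError) { Write-Warning "Export error on the Azure AD CS object: $($csAad.ExportError)" }

# To force the full sync the reply asks about (runs full import, full sync and export):
# Start-ADSyncSyncCycle -PolicyType Initial
```

If the Metaverse column already carries the new surname and UPN but the AADConnectorSpace column still shows the old values, the change is stuck at the export stage rather than in the sync rules, which is the distinction the replies are trying to draw; if both columns agree and Azure AD still shows old data, the export succeeded from the engine's point of view and the investigation moves to the Azure AD side.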