Forum Discussion

pischta
Copper Contributor
Apr 22, 2024

Entra ID Connect cloud sync: User and group sync is quarantined

Hi,


I connected our on-premise AD with Entra ID with Azure AD Connect Cloud Sync. Agents are active, but User and group sync is quarantined with the following error.

Error code: HybridSynchronizationContainerStateEnumerationFailed

Error message:
We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.... Additional details: Encountered an error while enumerating container changes in the provisioning agent. Please make sure you are running the latest version of the agent. Contact support if the issue persists. Additional Error Details: UnwillingToPerform: The server cannot handle directory requests.. ResultCode: UnwillingToPerform, HResult: -2146233088, responseType: System.DirectoryServices.Protocols.SearchResponse, serializedResponse: {"MatchedDN":"","Controls":[],"ResultCode":53,"ErrorMessage":"error in module dsdb_paged_results: Unwilling to perform during LDB_SEARCH (53)","Referral":[],"References":[],"Entries":[],"RequestId":null}.
I use Samba servers (4.19.4) as DCs. Agents are installed on Windows 2019 servers.
How can I resolve the problem?

4 Replies

  • LainRobertson
    Silver Contributor

    pischta 


    Error 53 "UnwillingToPerform" is being thrown by your domain controllers when the agent is attempting to perform a search. Or put another way, your domain controllers are rejecting the request from the agent.

    There are multiple causes for this kind of error, but I'm only familiar with those common on Windows, not Samba hosts.

    On Windows, the most common scenario I've seen is where the client/agent is trying to set a secure property like a password over an unsecured (non-TLS) connection, but that isn't the scenario in your error (or at least the wording of the error suggests it isn't, at any rate).


    You might want to check the following article that explains how to export the Cloud Sync log files as they may contain more specific information on what it was trying to do at the time it received the error 53.


    Failing that, I can only think to check that the Samba domain controllers have a valid certificate and are configured to support LDAPS.


    You might want to read that article in full for other troubleshooting pointers.


    There are other non-TLS reasons you can get an error 53 and I do have a hunch that this may not be TLS-related but perhaps unsupported query structure-related, or perhaps even that the agent is failing to authenticate first and is trying to run an anonymous search (I also have reservations about this, but it's possible), but as I say, I'm starting with the most common type I see from the Windows context.


    Cheers,

    Lain

    • pischta
      Copper Contributor

      I postponed this problem, but now I tried to solve it again. Entra ID still quarantines the configuration. I can connect on-prem users to Entra ID users, and when I change the on-prem users' attribute, it is synchronized to the Entra ID user. The problem is that the password isn't synchronized. I tried the password writeback; it didn't work either.
      I installed the root CA of the Samba DC on the servers where the agents are installed. I tested the connection to all DCs:
      Test-NetConnection -ComputerName dc4 -Port 636 
      ...
      TcpTestSucceeded : True
      It didn't solve the problem. I created debug logs from the agents. I see many similar errors, with other attributes:
      AAD Connect Provisioning Agent Error: 6 : [2025-06-11T06:11:12.3932236Z](7) Processing this attribute of the the class, computer: cn.
      AAD Connect Provisioning Agent Error: 6 : [2025-06-11T06:11:12.3932236Z](10) Processing this attribute of the the class, computer: mhsORAddress.
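As an added example (not from this thread, and not the provisioning agent's own code), the PowerShell check below issues a paged LDAPS search through the same System.DirectoryServices.Protocols classes named in the error, with and without the paged-results control, and reports the raw LDAP result code the DC returns instead of a generic quarantine. It assumes the DC name dc4 from the thread, a placeholder base DN, and that the agent host already trusts the Samba DC's certificate chain.

```powershell
# Added diagnostic, not from the thread: issue the same kind of paged LDAPS search the
# provisioning agent uses (System.DirectoryServices.Protocols) and surface the raw LDAP result code.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-PagedLdapsSearch {
    param(
        [string]$Server   = 'dc4',                  # DC name from the thread
        [string]$BaseDn   = 'DC=example,DC=local',  # placeholder; replace with your domain DN
        [string]$Filter   = '(objectClass=user)',
        [int]   $PageSize = 500,
        [switch]$NoPaging                           # same search without the paged-results control
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true  # LDAPS; the DC certificate must chain to a trusted CA
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $result = [ordered]@{ Server = $Server; Paged = (-not $NoPaging); ResultCode = $null; Entries = 0; Message = '' }
    try {
        $conn.Bind()                                # authenticate first, so the search is never anonymous
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                    $BaseDn, $Filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, 'cn')
        $page = New-Object System.DirectoryServices.Protocols.PageResultRequestControl($PageSize)
        if (-not $NoPaging) { [void]$req.Controls.Add($page) }
        do {
            $resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
            $result.Entries += $resp.Entries.Count
            $ctrl   = $resp.Controls | Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
            $cookie = if ($ctrl) { $ctrl.Cookie } else { $null }
            if ($cookie) { $page.Cookie = $cookie }  # a non-empty cookie means another page follows
        } while ($cookie -and $cookie.Length -gt 0)
        $result.ResultCode = 'Success'
    }
    catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }  # unwrap PowerShell's method-invocation wrapper
        if ($ex -is [System.DirectoryServices.Protocols.DirectoryOperationException] -and $ex.Response) {
            $result.ResultCode = $ex.Response.ResultCode     # UnwillingToPerform (53) is what the agent reported
            $result.Message    = $ex.Response.ErrorMessage
        } else { $result.ResultCode = 'Error'; $result.Message = $ex.Message }
    }
    finally { $conn.Dispose() }
    [pscustomobject]$result
}

# If the paged run returns 53 and the unpaged run succeeds, the DC rejects the paged-results
# control itself rather than the TLS session or the bind.
Test-PagedLdapsSearch
Test-PagedLdapsSearch -NoPaging
```

Run it from one of the Windows 2019 agent hosts as the account the agent uses, so the bind and certificate trust match what the agent experiences.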
