Forum Discussion
Entra ID Connect cloud sync: User and group sync is quarantined
Error 53 "UnwillingToPerform" is being thrown by your domain controllers when the agent is attempting to perform a search. Or put another way, your domain controllers are rejecting the request from the agent.
There are multiple causes for this kind of error, but I'm only familiar with those common on Windows, not Samba hosts.
On Windows, the most common scenario I've seen is where the client/agent is trying to set a secure property like a password over an unsecured (non-TLS) connection, but that isn't the scenario in your error (or at least the wording of the error suggests it isn't at any rate).
You might want to check the following article that explains how to export the Cloud Sync log files as they may contain more specific information on what it was trying to do at the time it received the error 53.
Failing that, I can only think to check that the Samba domain controllers have a valid certificate and are configured to support LDAPS.
You might want to read that article in full for other troubleshooting pointers.
There are other non-TLS reasons you can get an error 53 and I do have a hunch that this may not be TLS-related but perhaps unsupported query structure-related, or perhaps even that the agent is failing to authenticate first and is trying to run an anonymous search (I also have reservations about this, but it's possible), but as I say, I'm starting with the most common type I see from the Windows context.
Cheers,
Lain
- pischta, Jun 11, 2025, Copper Contributor
I postponed this problem, but now I tried to solve it again. Entra ID still quarantines the configuration. I can connect on-prem users to Entra ID users, and when I change the on-prem users' attribute, it is synchronized to the Entra ID user. The problem is that the password isn't synchronized. I tried the password writeback; it didn't work either.
I installed the root CA of the Samba DC on the servers where the agents are installed. I tested the connection to all DCs:
Test-NetConnection -ComputerName dc4 -Port 636
...
TcpTestSucceeded : True
It didn't solve the problem. I created debug logs from the agents. I see many similar errors, with other attributes:
AAD Connect Provisioning Agent Error: 6 : [2025-06-11T06:11:12.3932236Z](7) Processing this attribute of the the class, computer: cn.
AAD Connect Provisioning Agent Error: 6 : [2025-06-11T06:11:12.3932236Z](10) Processing this attribute of the the class, computer: mhsORAddress.
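As an added example that is not part of this thread, the PowerShell check below goes one step beyond the Test-NetConnection test above (which only proves TCP/636 is open) by completing the TLS handshake to each DC and reporting the certificate it presents, its expiry, its SANs and whether the agent host trusts the chain, which is the LDAPS/certificate check Lain suggests. The DC hostnames are placeholders; run it on the server where the provisioning agent is installed.

```powershell
# Added example, not from the thread. Assumes it runs on the agent host and
# that the DC names below are replaced with the real Samba DCs.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [int] $Port = 636
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    $ssl = $null
    try {
        $client.Connect($DomainController, $Port)
        # Record the chain validation result instead of failing the handshake,
        # so the certificate can still be inspected when the host distrusts it.
        $script:ldapsPolicyErrors = 'None'
        $callback = {
            param($sender, $cert, $chain, $sslPolicyErrors)
            $script:ldapsPolicyErrors = $sslPolicyErrors.ToString()
            return $true
        }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($DomainController)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        # 2.5.29.17 is the Subject Alternative Name extension; the agent's DC
        # name must appear here (or in the CN) for hostname validation to pass.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        [pscustomobject]@{
            DomainController = $DomainController
            TlsProtocol      = $ssl.SslProtocol
            Subject          = $cert.Subject
            Issuer           = $cert.Issuer
            NotAfter         = $cert.NotAfter
            Expired          = $cert.NotAfter -lt (Get-Date)
            SubjectAltNames  = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }
            ChainErrors      = $script:ldapsPolicyErrors   # 'None' means this host trusts the chain
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Any row with ChainErrors other than 'None', Expired = True, or a SAN list that
# does not include the DC name the agent uses is a reason LDAPS binds can fail.
'dc1.example.local', 'dc4.example.local' |
    ForEach-Object { Test-LdapsCertificate -DomainController $_ } |
    Format-List
```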