Sync Issues with AAD Connect Service not updating attributes

Hi Everyone, one for the big brains. We are having issues with our AAD Connect not updating attributes between on-prem and Azure AD. The issue was first found when migrating mailboxes to the cloud. Some mailboxes were failing as the user account in AAD didn't have a remote routing address. This was usually caused by the address policy being turned off for the user. I manually added the remote routing address on-prem, but the change didn't sync to the cloud. It has grown from there. It now appears most changes do not sync through. New accounts sync to AAD fine, but after that, I cannot get changes to sync through. They show up on the connectors in AAD Connect as "Updates", but when I look at the detailed list of attributes for the user being updated, the new details are in the list, but under the "Changes" column, every single line says "None", even the line where I have made a change. I have tried setting up a whole new AAD Connect Service on a different server, no change. Can someone help out, before I log a ticket with MS?

8 Replies

@ChrisFox273: Is this an express installation, or are you using a dedicated service account? Since you mentioned that you even tried installing on a different server with no luck, it might indicate permission issues with the account you are using. Verify the following Directory Services permissions at the root level of the Active Directory domains in scope:

  • Replicate changes
  • Replicate changes all
  • User objects: reset password, change password and read/write all properties
  • InetOrgPerson objects: read/write all properties
  • Groups: read/write all properties
  • Computer objects: read/write all properties

Also, when you search for the object in the metaverse, does it show your changes against the on-premises connector at least?

That being said, it still doesn't make sense why the accounts would be synchronized on the first go and then later won't accept changes; still, permissions are the first box you would want to check off!

Other areas I would check: is a proxy being used? Internal/external DNS resolution, firewall/ports.
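
An added PowerShell check for the permission list in the reply above (example code, not from the thread or from Microsoft): it reads the ACL on the domain root and reports whether a given account holds each right directly. The account name CONTOSO\MSOL_1234abcd is a placeholder (Azure AD Connect names the account it creates MSOL_ followed by hex digits) and the domain is taken from the machine's own domain. Only ACEs granted directly to the account are examined, so a right granted through group membership is reported as MISSING even though it may be in effect.

```powershell
# Added example (not from the thread): check the Azure AD Connect service account's
# rights on the domain root. Needs the ActiveDirectory (RSAT) module and read access to the ACL.
Import-Module ActiveDirectory

$Account = 'CONTOSO\MSOL_1234abcd'          # assumed placeholder; substitute the real MSOL_ account
$RootDn  = (Get-ADDomain).DistinguishedName
$Acl     = Get-Acl -Path "AD:\$RootDn"
$ADR     = [System.DirectoryServices.ActiveDirectoryRights]

# Only Allow ACEs granted directly to the account (group-granted rights are not resolved here).
$Aces = $Acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow'
}

# Well-known extended-right GUIDs and schema-class GUIDs.
$ReplRights = @{
    'Replicating Directory Changes'     = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes All' = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}
$PasswordRights = @{
    'Reset Password'  = [guid]'00299570-246d-11d0-a768-00aa006e0529'
    'Change Password' = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
}
$Classes = @{
    'user'          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
    'inetOrgPerson' = [guid]'4828cc14-1437-45bc-9b07-ad6f015e5f28'
    'group'         = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'
    'computer'      = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
}

function Show($Label, $Ok) { '{0,-55} {1}' -f $Label, $(if ($Ok) { 'OK' } else { 'MISSING' }) }

# Replication rights are extended rights on the domain root itself (ObjectType = right GUID).
foreach ($name in $ReplRights.Keys) {
    $g  = $ReplRights[$name]
    $ok = @($Aces | Where-Object {
        $_.ActiveDirectoryRights.HasFlag($ADR::ExtendedRight) -and $_.ObjectType -eq $g
    }).Count -gt 0
    Show $name $ok
}

# Password rights are extended rights inherited by descendant user objects.
foreach ($name in $PasswordRights.Keys) {
    $g  = $PasswordRights[$name]
    $ok = @($Aces | Where-Object {
        $_.ActiveDirectoryRights.HasFlag($ADR::ExtendedRight) -and $_.ObjectType -eq $g -and
        $_.InheritanceType -ne 'None' -and
        ($_.InheritedObjectType -eq $Classes['user'] -or $_.InheritedObjectType -eq [guid]::Empty)
    }).Count -gt 0
    Show "user objects: $name" $ok
}

# Read/write all properties: ObjectType empty (all properties), inherited by the class
# (or by all descendant objects), carrying ReadProperty+WriteProperty or GenericAll.
foreach ($name in $Classes.Keys) {
    $g  = $Classes[$name]
    $ok = @($Aces | Where-Object {
        $_.ObjectType -eq [guid]::Empty -and $_.InheritanceType -ne 'None' -and
        ($_.InheritedObjectType -eq $g -or $_.InheritedObjectType -eq [guid]::Empty) -and
        ($_.ActiveDirectoryRights.HasFlag($ADR::GenericAll) -or
         ($_.ActiveDirectoryRights.HasFlag($ADR::ReadProperty) -and
          $_.ActiveDirectoryRights.HasFlag($ADR::WriteProperty)))
    }).Count -gt 0
    Show "$name objects: read/write all properties" $ok
}
```

Run it in a session that can read the domain root ACL; a MISSING line for a right you know was delegated usually means the grant sits on a group or on an OU below the root rather than on the root itself, which is still worth knowing because the sync account then depends on that membership or delegation staying intact.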

@harveer singh Thanks for your reply, and sorry it took so long to get back to you. I did a custom install of AAD Connect and let the installer create a new service account. I have checked the permissions for this account in AD, and they are all fine. And yes, when I search for a changed user in the Metaverse I see the updated local object fine, with all the relevant changes, coming from the AD connector. So the updates are making it into AAD Connect, but they just don't get sent to Azure AD. DNS is working fine on the AADC server, and there is no proxy, and no outbound filtering at all on the firewall. Is there any way of seeing what is happening with the export to Azure AD? I can also confirm it isn't just proxy addresses that aren't updating. We have a user who had a surname change done a little over a week ago. If I search for the user in the Metaverse, I see the account with the updated name and UPN, but if I look for the user in Azure AD, the name and UPN remain as they were before. Yet AADC is running and saying successful.

@ChrisFox273 A couple of things:

  • Are you running the most up-to-date Azure AD Connect?
  • Have you forced a full sync?
  • Have you enabled staging mode?
  • If you look at the tasks, do you see the export ones as complete?

@ChrisFox273 Okay, there is not much we can check regarding what Azure AD is doing with the data exported by AAD Connect. All we can do is verify the data is flowing through all stages of the AAD Connect sync engine; the rest is Microsoft.

Can you please provide some more clarification, perhaps a screenshot of "but under the "Changes" column, every single line says "None", even the line where I have made a change"?

Do you see the changes being pushed to the user account in the cloud connector? Search for the user in the metaverse, open properties and check under the cloud connector whether the changes are being picked up by the cloud connector or not. Again, we are trying to isolate where the sync engine is failing. Reference article for metaverse search etc.: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-object-not-syncing

Also, another thing you can check is the "Log on as a service" setting in the domain policy: https://oddytee.wordpress.com/2015/08/12/aad-connect-will-not-start-due-to-logon-failure/

Though this is more relevant in cases where the Azure AD Connect service simply won't start, I have seen weird issues with synchronization, without any errors, if "Log on as a service" is not in place.

Ok! I have it working again. I'll explain as best I can. After digging into some more details I discovered that basically every user was showing as failing in the Export to AAD step due to the error "ExceededAllowedLength".

When I dug into that, it was a Directory Extension attribute, "extension_[alphanumeric-string]_thumbnailphoto". We had tried to sync thumbnails to the cloud in the past, and I had been playing with it a couple of months back. I turned off all syncing of directory extensions and any references to thumbnail attributes, but the errors remained. I was all set to try uninstalling and reinstalling AADC on my backup server, which was running in staging mode (where the errors had first started to appear), to try and clean out the local DB, when a workmate remembered he had dealt with the same issue in the past and had opened a ticket with MS. They came back to him with a process to clear out the "Connector spaces" in AAD. Details below:

Open the Synchronization Service Manager tool as an administrator:

  • Click on the Connectors tab.
  • Right-click the "Active Directory Domain Services" connector and click Delete.
  • In the 'Delete Connector' box, check 'Delete connector space only' and click OK > Yes > OK.
  • Right-click the 'Windows Azure Active Directory' connector and click Delete.
  • In the 'Delete Connector' box, check 'Delete connector space only' and click OK > Yes > OK.

In an open PowerShell window, run the command below:

Start-AdSyncSyncCycle -PolicyType Initial

It's worth noting here that you need to disable the sync before you can delete the spaces, using "Set-ADSyncScheduler -SyncCycleEnabled $false". Once you have cleaned out the spaces, re-enable it with the same command and "$true" (of course).

This fixed my issue and cleaned up the logs heaps. It's also worth noting that the issue above was stopping the sync of all sorts of changes (names, account details, org details, proxy addresses). Clearly, having that error in place stopped any other details from syncing.

Thanks for helping out!
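
The procedure in the post above, wrapped in an added PowerShell runbook so that the scheduler handling and the verification are not forgotten. This is example code, not from the thread or from Microsoft support. The connector-space deletion itself stays a manual step in Synchronization Service Manager, because the ADSync module has no public cmdlet for it; the script stops the scheduler first, pauses for the deletion, checks that both spaces are empty, and only then runs the Initial cycle. It assumes the default connector naming (the AD DS connector has ConnectorTypeName 'AD', the Azure AD connector's name ends in ' - AAD') and that Get-ADSyncConnectorStatistics reports the connector-space object count as TotalConnectors.

```powershell
# Added example (not from the thread): reset both connector spaces with the scheduler
# stopped, verify they are empty, then run an Initial cycle. Run in an elevated
# PowerShell session on the Azure AD Connect server.
Import-Module ADSync

$adConnector  = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' } | Select-Object -First 1
$aadConnector = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' }      | Select-Object -First 1
if (-not $adConnector -or -not $aadConnector) {
    throw 'Could not identify both connectors; inspect Get-ADSyncConnector output.'
}

# 1. Recent run results for the Azure AD connector. An export step that ended with
#    per-object errors (such as ExceededAllowedLength) is visible here even though the
#    scheduler reports the cycle as a whole as successful.
Get-ADSyncRunProfileResult |
    Where-Object { $_.ConnectorId -eq $aadConnector.Identifier } |
    Select-Object -First 5 |
    Format-List

# 2. Stop the scheduler and wait for any running cycle before touching connector spaces.
Set-ADSyncScheduler -SyncCycleEnabled $false
while ((Get-ADSyncScheduler).SyncCycleInProgress) {
    Write-Host 'A sync cycle is still running; waiting 30 s...'
    Start-Sleep -Seconds 30
}

# 3. Manual step (no public cmdlet): delete both connector spaces in the UI.
Write-Host 'In Synchronization Service Manager (run as administrator) > Connectors tab:'
Write-Host "  - Right-click '$($adConnector.Name)'  > Delete > 'Delete connector space only' > OK > Yes > OK"
Write-Host "  - Right-click '$($aadConnector.Name)' > Delete > 'Delete connector space only' > OK > Yes > OK"
Read-Host 'Press Enter once both connector spaces have been deleted' | Out-Null

# 4. Refuse to continue unless both spaces really are empty.
foreach ($c in @($adConnector, $aadConnector)) {
    $stats = Get-ADSyncConnectorStatistics -ConnectorName $c.Name
    if ($stats.TotalConnectors -ne 0) {
        throw "Connector space '$($c.Name)' still holds $($stats.TotalConnectors) objects; not starting the Initial cycle."
    }
}

# 5. Re-enable the scheduler and run a full (Initial) cycle to rebuild both spaces.
Set-ADSyncScheduler -SyncCycleEnabled $true
Start-ADSyncSyncCycle -PolicyType Initial

# 6. Wait for the cycle to finish and show what is still pending export to Azure AD.
Start-Sleep -Seconds 15
while ((Get-ADSyncScheduler).SyncCycleInProgress) {
    Write-Host 'Initial cycle in progress; waiting 60 s...'
    Start-Sleep -Seconds 60
}
Get-ADSyncConnectorStatistics -ConnectorName $aadConnector.Name |
    Select-Object ExportAdds, ExportUpdates, ExportDeletes, TotalConnectors
```

Two caveats a practitioner would want before running this on the active server: try it on the staging-mode server first if one exists, since the Initial cycle re-imports and re-joins every object; and if the export stage of that cycle stops on the export deletion threshold (see Get-ADSyncExportDeletionThreshold), inspect the pending deletes in Synchronization Service Manager before considering Disable-ADSyncExportDeletionThreshold, because unexpected deletes at that point mean objects failed to re-join rather than that the threshold is too low.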

@ChrisFox273: Great! I was under the impression that there was no error anywhere in the Synchronization Service Manager/export cycle. Glad to hear that you got it working. Happy digging!

@ChrisFox273 Thank you very much for this, the only solution that worked for me!

Hi, this solution worked for me. Thanks a lot ;)