Field Notes: Azure Active Directory Connect – Troubleshooting Task Overview

This is a continuation of a series on Azure AD Connect. Previous parts have mostly focused on the installation and on configuring the different user sign-in options for Azure AD. Links to these are provided in the summary section below.

Now that we have covered the common setup options for Azure AD Connect, I would like to switch gears a little and discuss troubleshooting. In this post, I cover the troubleshooting task available in Azure AD Connect version 1.1.614.0 and newer.


Azure AD Connect Troubleshooting

The Azure AD Connect troubleshooting task is started by selecting Troubleshoot under Additional tasks, as depicted below.

Selecting the Troubleshoot task and clicking Next presents the Welcome to Azure AD Connect Troubleshooting screen, which provides the ability to launch the troubleshooter. Click Launch to proceed.

This opens up a PowerShell window with the following options:

  • [1] Troubleshoot Object Synchronization
  • [2] Troubleshoot Password Synchronization
  • [3] Collect General Diagnostics
  • [Q] Quit

You may need to set the PowerShell execution policy to RemoteSigned or Unrestricted before the troubleshooter script will run.
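The following is an added example, not part of the original post, showing how to inspect the current execution policy and relax it only as far as the troubleshooter needs. It prefers RemoteSigned scoped to the current process over a machine-wide Unrestricted setting, which outlives the session and applies to every user on the server.

```powershell
# Added example (not from the original post): show the effective execution
# policy at each scope, then relax it only for this PowerShell process.
Get-ExecutionPolicy -List

# Preferred: RemoteSigned, limited to the current session. Locally written
# scripts run; scripts downloaded from the internet still need a signature.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

# Avoid this form on a sync server: Unrestricted at machine scope removes the
# signature check for every user and every script, and persists after you close
# the window.
# Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope LocalMachine

# Confirm what the troubleshooter will actually run under.
Get-ExecutionPolicy
```

The execution policy is a safety feature rather than a security boundary, so the point of the process scope is simply to avoid leaving a permanent, broader setting behind on an identity-critical server.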


Let’s explore each option.


Troubleshooting Object Synchronization

Selecting the first option allows us to troubleshoot object synchronization. For this demonstration, we diagnose an object synchronization issue by pressing 1 and hitting the Enter key.

The troubleshooter enumerates a list of connectors and prompts for the distinguished name of the object of interest. This is followed by a request for the Azure AD tenant’s global administrator credentials. Next, it attempts to connect to the Azure AD tenant and checks both the domain filtering and the OU filtering configuration.

An HTML report is generated and exported to the C:\ProgramData\AADConnect\ADSyncObjectDiagnostics folder. Below is a sample that shows object details for the on-premises directory and the Azure AD Connect database.

In the example depicted above, I reproduced a synchronization issue by using a duplicate attribute value on the test account. On the flip side, with an account that is successfully synchronized, we see that object details for Azure AD are also provided, with information such as last directory synchronization time, immutableId and UPN, as shown below:
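As an added example (not the post's own script), the same inspection can be done from the ADSync module that ships with Azure AD Connect: enumerate the connectors, check whether the object is present in the AD connector space (which is where domain and OU filtering decide whether it is imported at all), and pick up the newest HTML report from the troubleshooter's output folder. The connector name and distinguished name are assumed values for illustration.

```powershell
# Added example (not the post's own script). Assumes the ADSync module that is
# installed with Azure AD Connect; connector name and DN are placeholders.
Import-Module ADSync

# List the connectors, as the troubleshooter does, to find the AD connector name.
Get-ADSyncConnector | Format-Table Name, Identifier

$connectorName = 'contoso.local'                      # assumed AD connector name
$dn = 'CN=Test User,OU=Staff,DC=contoso,DC=local'     # assumed object DN

# Connector-space view of the object. It is only present if the object passed
# domain/OU filtering and was picked up by the last import.
$cs = Get-ADSyncCSObject -ConnectorName $connectorName -DistinguishedName $dn -ErrorAction SilentlyContinue
if (-not $cs) {
    Write-Warning "Object is not in the connector space; check domain/OU filtering and the last import run."
    return
}
$cs | Format-List *

# The troubleshooter writes its HTML report here; show the most recent one.
Get-ChildItem 'C:\ProgramData\AADConnect\ADSyncObjectDiagnostics' -Filter *.html |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1 FullName, LastWriteTime
```

Running this before the interactive troubleshooter separates two different failure classes: an object that never entered the connector space (filtering or import problem) versus one that is present but fails to export (attribute problem, as in the duplicate case above).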

Do we have other options for this scenario? Yes – IdFix, Azure AD Connect Health and the Synchronization Service Manager. Let’s briefly go through each.

IdFix

IdFix identifies errors such as duplicates and formatting problems in on-premises directories before an attempt to synchronize objects to the Azure AD tenant.

In this example, we can see we have two objects with the same attribute value.
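The check IdFix performs for duplicate values can be reproduced in a few lines of PowerShell. The following is an added example, not part of the original post: it groups the values of attributes that must be unique in Azure AD (mail, userPrincipalName and proxyAddresses) and reports any value shared by more than one object. The sample records are constructed; a commented line shows how to feed it real Get-ADUser output for an assumed OU.

```powershell
# Added example (not part of the post): report attribute values that must be
# unique in Azure AD but are shared by more than one on-premises object.
function Find-DuplicateAttributeValues {
    param(
        [Parameter(Mandatory)] [object[]] $Objects,
        [string[]] $Attributes = @('mail', 'userPrincipalName', 'proxyAddresses')
    )
    foreach ($attr in $Attributes) {
        $Objects |
            Where-Object { $_.$attr } |
            ForEach-Object {
                $obj = $_
                # proxyAddresses is multi-valued; compare the address part only,
                # case-insensitively and without the SMTP:/smtp: prefix.
                foreach ($value in @($obj.$attr)) {
                    $key = ($value -replace '^smtp:', '').ToLowerInvariant()
                    [pscustomobject]@{
                        Attribute         = $attr
                        Value             = $key
                        DistinguishedName = $obj.DistinguishedName
                    }
                }
            } |
            Group-Object Attribute, Value |
            Where-Object { $_.Count -gt 1 } |
            ForEach-Object {
                [pscustomobject]@{
                    Attribute = $_.Group[0].Attribute
                    Value     = $_.Group[0].Value
                    Objects   = ($_.Group.DistinguishedName -join '; ')
                }
            }
    }
}

# Constructed sample data standing in for Get-ADUser output. The second user
# carries the first object's address as a secondary proxy address.
$sample = @(
    [pscustomobject]@{
        DistinguishedName = 'CN=Contact Us,OU=Shared,DC=example,DC=test'
        mail              = 'contactus@example.test'
        userPrincipalName = 'contactus@example.test'
        proxyAddresses    = @('SMTP:contactus@example.test')
    }
    [pscustomobject]@{
        DistinguishedName = 'CN=Test User,OU=Staff,DC=example,DC=test'
        mail              = 'test.user@example.test'
        userPrincipalName = 'test.user@example.test'
        proxyAddresses    = @('SMTP:test.user@example.test', 'smtp:ContactUs@example.test')
    }
)

# Reports one duplicate: proxyAddresses / contactus@example.test on both objects.
Find-DuplicateAttributeValues -Objects $sample | Format-Table -AutoSize

# Against a real directory (assumed OU), replace $sample with:
# $sample = Get-ADUser -Filter * -SearchBase 'OU=Staff,DC=example,DC=test' `
#     -Properties mail, userPrincipalName, proxyAddresses
```

Running a check like this on a schedule, rather than only when a sync error appears, catches the AttributeValueMustBeUnique class of error before the export fails.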

Azure AD Connect Health

Azure AD Connect Health provides robust monitoring of your on-premises identity infrastructure.

In this example, we see that contactus@idrockstar.co.za is a duplicate attribute value (Error Type: AttributeValueMustBeUnique).

Synchronization Service Manager

The Synchronization Service Manager UI is used to configure the more advanced aspects of the sync engine and to view the operational state of the service. For the same account, the export error reads:

Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses SMTP:contactus@idrockstar.co.za;]. Correct or remove the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.


Troubleshooting Password Hash Synchronization

Troubleshoot Password Hash Synchronization is the second option on the main menu, which is invoked by pressing 2 and hitting the enter key. For the purpose of this demonstration, we select option 3 from the sub-menu (synchronize password hash for a specific user account). Other options are:

  • Password hash synchronization does not work at all
  • Password hash synchronization does not work for a specific user account
  • Going back to the main menu, and quitting the program

The single object password hash synchronization utility attempts to synchronize the current password hash stored in the on-premises directory for a user account. A distinguished name of an object is required as input. Let’s see two scenarios in action:

  • An attempt to synchronize a password of an object that has not yet been exported
  • Synchronizing a password of an object that has already been exported

Account not exported

I am using the account that reported errors in the troubleshooting object synchronization section above to demonstrate this. After providing the distinguished name, we see a message confirming that password hash synchronization is enabled for the connector. This is followed by a message stating that password hash synchronization has failed. This is obviously because the object has not yet been exported.


Account is exported

Now what happens if an account has already been exported? The password hash is synchronized successfully.
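Both scenarios above can be driven from the ADSyncDiagnostics module that is installed alongside Azure AD Connect, which is what the menu option wraps. The following is an added example, not the post's own script: it first checks whether the object is in the connector space (explaining the failure for a not-yet-exported account), then runs the single-object password hash sync and the connector-wide check. Connector name and distinguished name are assumed values.

```powershell
# Added example (not the post's own script). Assumes the ADSync and
# ADSyncDiagnostics modules installed with Azure AD Connect; connector name
# and DN are placeholders.
Import-Module ADSync
Import-Module ADSyncDiagnostics

$connectorName = 'contoso.local'
$dn = 'CN=Test User,OU=Staff,DC=contoso,DC=local'

# Scenario 1: account not exported. If the object is absent from the connector
# space, the single-object sync will report a failure, so check that first.
$cs = Get-ADSyncCSObject -ConnectorName $connectorName -DistinguishedName $dn -ErrorAction SilentlyContinue
if (-not $cs) {
    Write-Warning "Object is not in the connector space; password hash sync will fail until it is imported and exported."
}

# Scenario 2: account exported. Synchronize the password hash for this single
# object (the same operation as sub-menu option 3).
Invoke-ADSyncDiagnostics -PasswordSync -ADConnectorName $connectorName -DistinguishedName $dn

# Connector-wide password hash sync health (sub-menu option 1), useful when the
# single-object run fails for every account rather than one.
Invoke-ADSyncDiagnostics -PasswordSync
```

The ordering matters for triage: a single-object failure on an exported account points at the account or the connector's password sync state, while a failure on an unexported account is expected and needs the object synchronization path fixed first.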


Collecting General Diagnostics Information

Let’s explore the last option – collect general diagnostics. With this option, the troubleshooter collects diagnostic information. The output report contains useful information such as the Azure AD tenant settings, the Azure AD Connect settings, the sync scheduler configuration and more:

There is also a lot of useful troubleshooting information stored in the C:\ProgramData\AADConnect\<date>-111422_ADSyncDiagnosticsReport folder.
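The settings the general diagnostics report summarises can also be read directly. The following is an added example, not part of the original post: it queries the sync scheduler, the global settings and the connectors via the ADSync module, then locates the newest diagnostics report folder under C:\ProgramData\AADConnect. The folder name pattern follows the one quoted above; the property names on the global settings object are an assumption about that module's output.

```powershell
# Added example (not part of the post): read the settings the general
# diagnostics report covers, then find the newest report folder.
Import-Module ADSync

# Sync scheduler: is the cycle enabled, is this server in staging mode, and
# when is the next cycle due.
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, StagingModeEnabled,
                  CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC

# Global settings (assumed to expose a Parameters collection with Name/Value).
Get-ADSyncGlobalSettings |
    Select-Object -ExpandProperty Parameters |
    Format-Table Name, Value -AutoSize

# Configured connectors.
Get-ADSyncConnector | Format-Table Name, Identifier

# The troubleshooter writes a <date>-<time>_ADSyncDiagnosticsReport folder;
# return the most recent one.
function Get-LatestDiagnosticsReport {
    param([string] $Root = 'C:\ProgramData\AADConnect')
    Get-ChildItem $Root -Directory -Filter '*_ADSyncDiagnosticsReport' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1 -ExpandProperty FullName
}
Get-LatestDiagnosticsReport
```

Keeping a copy of this output from a known-good state makes later comparisons much faster than reading a fresh report from scratch, particularly for the staging mode and scheduler settings.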



Summary

Previous parts of this blog post series have mostly focused on installation and on configuring the different user sign-in options for Azure AD. Here’s a list for reference:

This post was an introduction to troubleshooting, covering the troubleshooting task available in Azure AD Connect.

Till next time…
