At some point in your career in tech, you’ll probably hear something along the lines of: “We want to utilize the cloud and our existing infrastructure. How do we do that?”
There are several different ways to use Microsoft Azure to assist with this goal, but in my opinion, Azure AD Connect is one of the most useful. This service enables you to synchronize on-premises identities with Azure.
In this post, we’ll explore how to troubleshoot some issues that may pop up from time to time with Azure AD Connect.
What is Azure AD Connect?
Azure AD Connect enables you to synchronize on-premises identities with Azure to create one single hybrid identity. Why do we want to do that?
Well, unless you like your end-users yelling at you when they can’t remember which of their two or three accounts is used to access a cloud application vs an on-premises application, it’s pretty useful!
Troubleshooting Azure AD Connect
First off, let me describe the situation and environment we find ourselves in. You work as a cloud engineer for a booming electric car company, Beep-Beep Incorporated.
You have implemented Azure AD Connect with pass-through authentication on the primary Windows Active Directory domain controller, and it’s been synchronizing your on-premises identities up to Azure Active Directory without issue for a few weeks now.
However, as with most things in the IT world, it’s bound to break at some point.
So, let’s dive right in and start looking at some errors you might encounter with Azure AD Connect, how to troubleshoot them, and what the fix is for each of those errors!
Error #1 – Sync Account Issue
Last week, Beep-Beep Incorporated’s security team required all domain user account passwords to be reset. They asked the systems administrators to perform these changes and after the password resets, things have been running smoothly. Or so it seemed…
This morning you attempted to create a user account on the on-premises domain for a new employee. Unfortunately, it’s not showing up in Azure AD. Your end-users are still able to sign in via the Azure portal though, so it seems to be a sync issue. Let’s take a look!
The first place I like to check when troubleshooting AD Connect issues is the Azure portal, so let’s check that now.
Hmm, no issues reported on the main page of Azure AD Connect. Let’s check the AD Connect health page for sync errors.
No luck there either! If the portal fails to report the error, the next best place to check is the AD Connect Sync Service Manager on our Active Directory domain controller where the AD Connect agent is installed.
Ah-ha! We finally see some no-start-credentials errors, so let’s open one of those up and see if we can find more information.
And there it is: failed-authentication due to Invalid Credentials. Great, now we know exactly what the problem is!
But wait, you might say, what account and which credentials are invalid?
That’s a great question. During the installation of Azure AD Connect, by default, it creates a new Active Directory account that AD Connect uses to connect to and synchronize with the Active Directory forest. Here is a link to the MS documentation for more information: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-custom#connect-your-directories
With that knowledge in our pocket, it seems like the systems administrators updated the password of that account (in our example that account is named MSOL_2abd5ac8a8dd) but weren’t aware that it also needed to be updated in the AD Connect settings. Let’s go ahead and update that password so we can start syncing again!
Head over to the Connectors tab in the Sync Service Manager and double-click the Active Directory Domain Services connector. In the properties window that opens, select the “Connect to Active Directory Forest” option in the left pane, type the updated password the systems administrators used into the password box, and hit OK.
Great work. Now if you check the Sync Service Manager again, you should see success across the board!
Error #2 – Service Issue
Another week goes by at Beep-Beep Incorporated, and as you arrive Monday morning you are greeted by a flurry of emails and notifications from your service desk tech team. Your end-users are reporting that when they attempt to sign in to Azure with their hybrid identities, they are greeted with a sign-in failed error message. Yikes!
Logins were working fine on Friday and now, Monday morning, everything is broken. What happened over the weekend? You remember that the domain controller was patched and rebooted on Sunday evening, so maybe that has something to do with it?
Time to grab a cup of coffee, hop in, and start troubleshooting! First up, we’ll check the Azure portal for errors before diving into the VM. It’s also a good idea to check and see if Azure is having an outage before we get too far into troubleshooting: https://status.azure.com/en-us/status
No issues reported on the main AD Connect page and no outages with Azure. Let’s check and see if the Azure AD Connect Health portal is showing any sync issues.
No errors here either. As with last time, the next stop is on our domain controller in the Sync Service Manager application.
Huh, no errors are showing here either… When you get to this stage and you’re still not seeing any errors, the best spots to check are the services for AD Connect and then Windows Event Viewer.
Let’s open the Windows services console by pressing Win + R, typing services.msc, and pressing Enter. We’re going to check and make sure the AD Connect services are running.
Hey, that authentication agent service isn’t running! Let’s right-click on that guy and start it up.
Great news. After starting that service you ask your end-users to try signing in again, and they report back that they can access Azure now!
So, why was that service causing user login issues?
In this scenario, AD Connect is set up with pass-through authentication. When users attempt to sign in, it will validate their password directly against your Active Directory domain. If that authentication agent service is down on your domain controller, AD Connect can’t authenticate against your domain and no user logins can happen.
Error #3 – Attribute Error
A couple more weeks pass by without incident at Beep-Beep Incorporated, but now there is another issue! Earlier today, you asked a systems administrator to create a user account for a new employee, Mary Anderson.
Unfortunately, her user account is not showing up in Azure AD yet, and it’s been a few hours since her account was created. Time to troubleshoot!
Again, no issues on the main page, so it’s time to head over to the AD Connect Sync Health page.
Uh oh. Looks like we have one data validation failure! Let’s click on that box and investigate. I also want to mention that Microsoft has great documentation on troubleshooting AD Connect.
But for the sake of a full troubleshooting experience, we’ll keep moving forward in a logical, progressive order.
Looks like our issue is with the user account that you asked the systems administrator to create, so that makes sense why we’re not seeing it in Azure AD yet. Let’s click on Mary Anderson’s name here and see more details about the error.
Great. Let’s break this down and see what we’ve got. Under the description, we see that her account failed to synchronize because the attribute did not meet the validation requirements. Unfortunately, under the property section, the attribute is listed as N/A… So, which attribute failed to meet the validation requirements? (Bonus points if you can already identify the issue!)
Since there is no more information in the portal, let’s hop into our VM and see if we can find any errors.
Our first stop is to pull up our trusty Sync Service Manager for AD Connect. Looks like we’ve got an error to take a look at! Let’s take a closer look and see if it can help us narrow that attribute down.
There it is! In the first sentence: the attribute [userPrincipalName], is not valid. We see the attribute that is having issues is the userPrincipalName, which is the logon name for that user.
With that knowledge, let’s take a look at Mary’s account in Active Directory and see what is wrong with her logon name.
Ah-ha! There is an & in her username, which Azure AD Connect does not support. (Active Directory won’t warn you either when creating an account with the & in it.)
That’s all well and good, but how did I know that the & character wasn’t supported? Microsoft has documentation for what is and isn’t allowed for various attributes. So, if we open that documentation and scroll down to the user principal name section, we’ll see that there are several invalid characters such as &, <, >, *, + and others.
(This is another case proving the career-changing art of reading the documentation.)
Now that we know what characters to avoid, let’s go ahead and just remove the & and leave Mary’s login name as MaryAnderson. Once we hit OK at the bottom of the properties tab, we can start a sync via the Sync Service Manager or wait for a sync to kick off, which happens about every 30 minutes.
After that sync takes place, we see that Mary’s user account is now showing up in Azure AD and we no longer have any data validation failures!
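As an added example that is not part of the original post, here is a PowerShell check for finding on-premises accounts whose userPrincipalName would fail this validation before the sync does, rather than after a data validation failure shows up. It assumes the RSAT ActiveDirectory module is installed where it runs and assumes the allowed local-part character set from Microsoft’s UPN documentation (letters, digits, and ' . - _ ! # ^ ~); the sample UPNs and the beepbeep.local domain are constructed.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module (Get-ADUser) is available. The allowed local-part characters below are
# my reading of Microsoft's UPN rules: A-Z a-z 0-9 ' . - _ ! # ^ ~  (verify
# against the current docs before relying on it). The domain part is not
# checked here; it must be a domain verified in your Azure AD tenant.
$AllowedLocalChars = "[A-Za-z0-9'._!#^~-]"

function Test-UpnForSync {
    # Returns $null when the UPN looks acceptable, otherwise a reason string.
    param([Parameter(Mandatory)][string]$Upn)

    if (-not ($Upn -match '^(?<local>[^@]+)@(?<domain>[^@]+)$')) {
        return 'must be local-part@domain with exactly one @'
    }
    $local = $Matches['local']
    if ($local.StartsWith('.') -or $local.EndsWith('.')) {
        return 'local part cannot start or end with a period'
    }
    # Strip every allowed character; whatever survives is invalid.
    $bad = $local -replace $AllowedLocalChars, ''
    if ($bad.Length -gt 0) {
        return "invalid character(s) in local part: $bad"
    }
    return $null
}

# Constructed sample values: the case from the post plus two other shapes.
'Mary&Anderson@beepbeep.local', 'MaryAnderson@beepbeep.local', 'jo.smith@@beepbeep.local' |
    ForEach-Object {
        $reason = Test-UpnForSync $_
        if ($reason) { "FAIL  $_  ($reason)" } else { "OK    $_" }
    }

# Scan the domain and list enabled users that would fail, so they can be fixed
# before the next sync cycle instead of after a data validation failure.
Get-ADUser -Filter 'Enabled -eq $true' |
    Where-Object { $_.UserPrincipalName } |
    ForEach-Object {
        $reason = Test-UpnForSync $_.UserPrincipalName
        if ($reason) {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                UPN            = $_.UserPrincipalName
                Reason         = $reason
            }
        }
    } | Format-Table -AutoSize
```

Run it on the domain controller (or any domain-joined machine with RSAT) as an account that can read user objects; the sample section runs without AD access and shows the & case from Mary’s account failing.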
Excellent job, my friend!
Great work with keeping Beep-Beep Incorporated functioning and its users satisfied! In this article, we saw a couple of different issues that can occur with Azure AD Connect, what the errors look like, how to troubleshoot them, and how to fix them.
If you want to learn more about hybrid environments and how you can utilize Azure services like Azure AD Connect to support your organization, check out my course Introduction to Hybrid Environments on Azure. In it, I cover several Azure services that can help with hybrid environment scenarios.