I have multiple Office 365 environments, and all of them have been giving me directory synchronization errors. I finally had time to research and troubleshoot these issues. So, if you are also getting the following e-mails, I’ll walk through the process that I went through to fix them. Please note that I am just sharing the process that I went through to fix these problems. Things may change in the interim between the time of this article and your scenario.
Subject: Unhealthy Identity synchronization Notification: Wednesday, 21 October 2015 13:55:27 GMT.
On Wednesday, 21 October 2015 13:55:27 GMT, Azure Active Directory did not register a synchronization attempt from the Identity synchronization tool in the last 24 hours for Microsoft [XXX].
You can troubleshoot this issue by running the Directory Synchronization troubleshooter <http://go.microsoft.com/fwlink/?LinkId=528798&clcid=0x409> on the server that has Azure Active Directory identity synchronization tools installed.
The Azure Active Directory Team
After getting these e-mails, log in to your Office 365 portal (http://portal.office.com) and check the user replication status. On the main Office 365 Admin Center page under Users > Active Users, you can check whether synchronization has been working. In my case, I got the warning below.
I ran the Directory Synchronization Troubleshooter and it wasn’t much help.
Evolution of Office 365 Synchronization Services
So, I looked at the Dir Sync server. I had the “Directory Sync” tool, upgraded it to “Azure AD Sync Service” and then upgraded that to “Azure AD Connect” around April 2015. For a brief background, there has been an evolution in the Microsoft Office 365 Directory Synchronization services. Initially, there was the “Directory Synchronization Tool”. The next version was called “Azure AD Sync”, and the latest is called “Azure AD Connect”. For a comparison of the different tools, see here. The Azure AD Connect tool has a lot of capabilities, and a great way to learn more about it is a Microsoft Ignite presentation (here).
Directory Synchronization Tool
On the Directory Synchronization server, I checked the synchronization. To check the synchronization, launch MIISClient.exe, which can be found in: c:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient. I would recommend making a shortcut to this program and putting it on your desktop, since it is very handy.
Once it launches, you will see the synchronization history on the Operation tab (see below). Please note that the picture below shows the results after I had fixed the problem. I forgot to grab the screenshot before I fixed the problem. When I had the problem, the operations log was missing the two “Export” jobs. The Export jobs export the changes in the Metaverse (directory database on the synchronization engine) back to the connected directories (Active Directory and Azure Active Directory). Thus, all the changes were being imported into the metaverse but weren’t being synchronized back out to the directories.
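The symptom described above (imports recorded, no Export runs) can also be checked with a script instead of by eye. The PowerShell below is an added example, not part of the original post and not Microsoft's tooling; the record fields (Connector, Profile, Status, StartTime), the connector names and the sample rows are constructed assumptions modelled on the columns of the Operations tab.

```powershell
# Added example: flag connectors that imported changes but never exported them.
# Field names and sample rows are constructed, not real run-history output.
function Find-MissingExport {
    param(
        [Parameter(Mandatory)] [object[]] $RunHistory,
        [datetime] $Now = (Get-Date),
        [int] $WindowHours = 24     # same window the notification e-mail uses
    )
    $cutoff = $Now.AddHours(-$WindowHours)
    $recent = $RunHistory | Where-Object { $_.StartTime -ge $cutoff }

    foreach ($group in ($recent | Group-Object Connector)) {
        $imports = @($group.Group | Where-Object { $_.Profile -like '*Import*' })
        $exports = @($group.Group | Where-Object {
            $_.Profile -like '*Export*' -and $_.Status -eq 'success' })

        # Changes reached the metaverse but were never written back out.
        if ($imports.Count -gt 0 -and $exports.Count -eq 0) {
            [pscustomobject]@{
                Connector  = $group.Name
                Imports    = $imports.Count
                LastImport = ($imports | Sort-Object StartTime |
                              Select-Object -Last 1).StartTime
                Finding    = 'imports ran, no successful export in window'
            }
        }
    }
}

# Constructed sample: a 3-hour schedule where the Export steps stopped running.
$now = Get-Date
$ad  = 'contoso.local'                     # hypothetical on-premises connector
$aad = 'contoso.onmicrosoft.com - AAD'     # hypothetical Azure AD connector
$sample = @(
    [pscustomobject]@{ Connector=$ad;  Profile='Export';       Status='success'; StartTime=$now.AddHours(-30) }
    [pscustomobject]@{ Connector=$ad;  Profile='Delta Import'; Status='success'; StartTime=$now.AddHours(-6) }
    [pscustomobject]@{ Connector=$aad; Profile='Delta Import'; Status='success'; StartTime=$now.AddHours(-6) }
    [pscustomobject]@{ Connector=$ad;  Profile='Delta Import'; Status='success'; StartTime=$now.AddHours(-3) }
    [pscustomobject]@{ Connector=$aad; Profile='Delta Import'; Status='success'; StartTime=$now.AddHours(-3) }
)

Find-MissingExport -RunHistory $sample -Now $now | Format-Table -AutoSize
```

The old Export at 30 hours falls outside the window, so both connectors are reported. To use the check on a real server, feed it run-history records exported from the synchronization engine, mapped to the same four fields.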
After much troubleshooting and a call to Microsoft support, we determined that the version of the Azure AD Connect that we had installed back around April 2015 had a problem.
[Side Note: I think that my teammate had installed the preview/beta version of the Azure AD Connect]
So, we disabled the Scheduled Task that performs the synchronization. Basically, the dir sync job is run on a scheduled task that runs every 3 hours. Open up your scheduled tasks and you will see it.
We disabled it. Then we downloaded the latest version of the Azure AD Connect tool (here) and installed it onto a separate server.
After installing the latest version of the Azure AD Connect tool, we then initiated a full synchronization cycle.
Forcing A Directory Synchronization
To force a full synchronization cycle, you will need the DirectorySyncClientCmd.exe which can be found in: c:\program files\microsoft azure ad sync\bin
If you run the command by itself, it will initiate a directory synchronization. If you run it with the “initial” parameter, then the tool will initiate a full synchronization. After I ran it, the directory synchronization completed, the export jobs ran, and my objects were updated in Office 365.
This was good news! Until a couple days later, I got the dreaded “Directory Synchronization error” e-mail again!
In my next blog post, I’ll walk through the steps that we took to fix the next issue that we encountered.