Azure AD Sync Errors Test
Errors can occur when identity data is synced from Windows Server Active Directory to Azure Active Directory (Azure AD). Such errors can have a negative impact on the health and availability of the Azure AD Connect Sync service. To ensure the high uptime and good health of the synchronization service, administrators should be able to promptly capture these errors, determine what caused them, and rapidly resolve them. This is where the Azure AD Sync Errors test helps!
This test continuously tracks the health status of the Azure AD Connect Sync service, and alerts administrators if the service is in an Unhealthy state. In addition, the test reveals the probable cause of poor service health by reporting the number and type of errors the service has encountered. Detailed diagnostics of the test provides additional details of these errors, thus enabling administrators to swiftly troubleshoot them and enhance service health.
Target of the Test: A Microsoft Azure Active Directory Connect
Agent deploying the test: An internal agent
Output of the test: One set of results for the Azure AD Connect Sync Service that is monitored
Parameters | Description |
---|---|
Test Period |
How often should the test be executed. |
Host |
The host for which the test is to be configured. |
Port |
The port at which the specified Host listens |
Tenant ID |
Specify the Directory ID of the Azure AD tenant to be monitored. To know how to determine the Directory ID, refer to Configuring the eG Agent to Monitor a Microsoft Azure Subscription Using Azure ARM REST API. |
Client ID, Client Password, and Confirm Password |
To connect to the target tenant, the eG agent requires an Access token in the form of an Application ID and the client secret value. For this purpose, you should register a new application with the Azure AD tenant. To know how to create such an application and determine its Application ID and client secret, refer to Configuring the eG Agent to Monitor a Microsoft Azure Subscription Using Azure ARM REST API. Specify the Application ID of the created Application in the Client ID text box and the client secret value in the Client Password text box. Confirm the Client Password by retyping it in the Confirm Password text box. |
DD Frequency |
Refers to the frequency with which detailed diagnosis measures are to be generated for this test. The default is 1:1. This indicates that, by default, detailed measures will be generated every time this test runs, and also every time the test detects a problem. You can modify this frequency, if you so desire. Also, if you intend to disable the detailed diagnosis capability for this test, you can do so by specifying none against DD frequency. |
Detailed Diagnosis |
To make diagnosis more efficient and accurate, the eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option. The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:
|
Measurement | Description | Measurement Unit | Interpretation |
---|---|---|---|
Duplicate attributes |
Indicates the number of Duplicate Attribute errors that occurred. |
Number |
Azure AD schema doesn't allow two or more objects to have the same value of the following attributes. Each object in Azure AD is forced to have a unique value of these attributes at a given instance:
If Azure AD Connect attempts to add a new object or update an existing object with a value for the preceding attributes that's already assigned to another object in Azure AD, the operation results in the AttributeValueMustBeUnique sync error. Ideally, the value of this measure should be 0. A non-zero value implies that an sync error has occurred. In this case, you can use the detailed diagnosis of this measure to analyze the errors and fix them. |
Data mistmatches |
Indicates the number of Data Mismatch errors that occurred. |
Number |
Data Mismatch errors can be any of the following:
Ideally, the value of this measure should be 0. A non-zero value implies that a Data Mismatch error has occurred. You can use the detailed diagnosis of this measure to analyze the errors and fix them. |
Data validation failures |
Indicates the number of Data Validation errors that have occurred. |
Number |
Azure AD enforces various restrictions on the data itself before allowing that data to be written into the directory. These restrictions are to ensure that end users get the best possible experiences while using the applications that depend on this data. For instance:
The result of the preceding scenarios is an IdentityDataValidationFailed error. Ideally, the value of this measure should be 0. A non-zero value implies that a IdentityDataValidationFailed error has occurred. You can use the detailed diagnosis of this measure to analyze the errors and fix them. |
Large attributes |
Indicates the number of Large Attribute errors that occurred. |
Number |
When an attribute exceeds the allowed size limit, length limit, or count limit set by Azure AD schema, the synchronization operation results in a LargeObject or ExceededAllowedLength sync error. Typically, this error occurs for the following attributes:
Ideally, the value of this measure should be 0. A non-zero value implies that a LargeObject or ExceededAllowedLength error has occurred. You can use the detailed diagnosis of this measure to analyze the errors and fix them. |
Federated domain changes |
Indicates the number of changes made to the federation configuration. |
Number |
When you federate your on-premises environment with Azure AD, you establish a trust relationship between the on-premises identity provider and Azure AD. Due to this established trust, Azure AD honors the security token issued by the on-premises identity provider post authentication, to grant access to resources protected by Azure AD. Therefore, it's critical that this trust (federation configuration) is monitored closely, and any unusual or suspicious activity is captured. This measure alerts you to such activity. Ideally, the value of this measure should be 0. A non-zero value implies that the federation configuration has changed. In this case, you can use the detailed diagnosis of this measure to view the details of the change. |
Existing admin role conflicts |
Indicates the number of 'Existing admin role conflict' errors that occurred. |
Number |
An Existing Admin Role Conflict sync error occurs on a user object during synchronization when that user object has:
Ideally, the value of this measure should be 0. A non-zero value implies that a 'Existing Admin Role Conflict' error has occurred. You can use the detailed diagnosis of this measure to analyze the errors and fix them. |
Others |
Indicates the number of errors that are of types other than the ones captured by the other measures. |
Number |
The 'Other' errors captured by this test may include Deletion access violation and password access violation errors. Azure AD protects cloud-only objects from being updated through Azure AD Connect. While it is not possible to update these objects through Azure AD Connect, calls can be made directly to the AADConnect cloud-side back end to attempt to change cloud-only objects. When doing so, the following errors can be returned:
Ideally, the value of this measure should be 0. A non-zero value implies 'other' errors exist. You can use the detailed diagnosis of this measure to analyze the errors and fix them. |
Total sync errors |
Indicates the total number of errors that were detected in the synchronization service. |
Number |
Ideally, the value of this measure should be 0. A non-zero value implies that one/more errors have occurred in the Sync service. In this case, compare the values of the other 'error' measures reported by this test to know which type of errors occurred the most frequently. |
Active alerts |
Indicates the number of alerts that is still open / unresolved for the Azure AD Connect Syncs service. |
Number |
The Azure AD Connect Health service sends alerts indicating that your identity infrastructure is not healthy. These alerts get resolved on a success condition. Azure AD Connect Health Agents detect and report the success conditions to the service periodically. For a few alerts, the suppression is time-based. In other words, if the same error condition is not observed within 72 hours from alert generation, the alert is automatically resolved. If this measure reports a non-zero value, it means that one/more alerts are not resolved yet. Use the detailed diagnosis of this measure to know which are the open alerts, so you can figure out how to fix them. |
You can use the detailed diagnosis of the Duplicate attributes measure to analyze the AttributeValueMustBeUnique sync errors and fix them.
Figure 1 : The detailed diagnosis of the Duplicate attributes measure
You can use the detailed diagnosis of the Data validation failures measure to analyze the IdentityDataValidationFailed errors and fix them.
Figure 2 : The detailed diagnosis of the Data validation failures measure