Directory synchronization to Azure Active Directory stops or you're warned that sync hasn't registered in more than a day

PROBLEM
You experience one of the following symptoms:
  • The Microsoft Azure Active Directory Sync Tool stops syncing.
  • You receive email messages that say that Azure Active Directory (Azure AD) didn't register a synchronization attempt in the last 24 hours.
  • In the MIISClient.exe tool, you receive a "Stopped-Server-Down" message or a "Stopped-Extension-DLL-Exception" message.
  • You’re unable to start one or more of the directory synchronization services.
  • The Directory Synchronization troubleshooter indicates that there are problems that prevent one or more directory synchronization services from starting.
Note By default, directory synchronization runs every three hours.
CAUSE
This issue may occur if one or more of the following conditions are true:
  • The work or school account that was used in the configuration wizard to set up directory synchronization has one of the following problems:
    • The account was deleted.
    • The account was disabled.
    • The account password expired.
  • The logon account for one or more directory synchronization services has one of the following problems:
    • The account was deleted.
    • The account was disabled.
    • The account password expired.
       
    Note The logon account for the directory synchronization service is automatically configured and should not be modified.
  • The admin account that's used for directory synchronization was changed.
  • You have network connection issues.
  • Directory synchronization services are stopped.
SOLUTION
Note If you ran the Directory Synchronization troubleshooter and it indicated that there was a problem with the logon account for one of the services, go to Method 2.

Method 1: Run the Directory Synchronization troubleshooter

You can troubleshoot this issue by running the Directory Synchronization troubleshooter on the server that has the Azure Active Directory Synchronization appliance installed. An Azure Active Directory Synchronization appliance can be one of the following:
  • Azure Active Directory Connect
  • Azure Active Directory Sync Tool

Method 2: Manually verify that the service is started and that the admin account can sign in

  1. Click Start, click Run, type Services.msc, and then click OK.
  2. Locate the Azure Active Directory Synchronization appliance service, and then check whether the service is started. If the service isn't started, right-click it, and then click Start.
    • If you're using the Azure Active Directory Sync Tool, look for Azure Active Directory Sync Service.
    • If you're using Azure Active Directory Connect, look for Microsoft Azure AD Sync.
  3. Verify that the admin account that's being used for directory synchronization still exists and that it's allowed to sign in. If the account still exists, reset the password, and then verify that you can sign in. If you're prompted, change the password.

    If you don't know the global administrator account that's used to configure directory synchronization, follow these steps on the server on which you installed the directory synchronization appliance:
    1. Go to %ProgramFiles%\Microsoft Azure AD Sync\UIShell\, and then run Miisclient.exe.

      Note If you're using Azure Active Directory Connect or the Azure Active Directory Sync Service, click Start, and then search for and open Synchronization Service.
    2. Click Connectors, and then double-click the Azure Active Directory connector.
    3. Click Connectivity.
    4. Make note of the UserName value. This is the global administrator account that's used to configure directory synchronization.
  4. On the directory synchronization server, run the Azure Active Directory Synchronization appliance configuration wizard, type the new password for the admin account that's used for directory synchronization, and then follow the remaining steps in the wizard.
  5. When you're prompted, select the Force directory synchronization check box.

Method 3: Resolve the problem with the logon account for the directory synchronization service

  1. Click Start, click Run, type Services.msc, and then click OK.
  2. Locate the Azure Active Directory Synchronization appliance service:
    • If you're using the Azure Active Directory Sync Tool, look for Azure Active Directory Sync Service.
    • If you're using Azure Active Directory Connect, look for Microsoft Azure AD Sync.
       
    Right-click the service, and then click Properties. On the Log On tab, note the account name that's listed.

    Note Reconfiguring any of the directory synchronization services to log on as a local system account isn't supported and may introduce problems.
  3. On a domain controller or a computer that has the Administration Tools installed, open Active Directory Users and Computers (Dsa.msc), right-click the domain name, and then select Find. Type the name of the account that you noted in step 2, and then click Find now.
    • If you find the account, go to step 4.
    • If you cannot find the account, it may have been deleted. For more information about how to restore this account, see Active Directory Recycle Bin Step-by-Step Guide. If you cannot restore the account, you will have to uninstall and then reinstall the directory synchronization client. 
  4. Right-click the account, and then click Properties. On the Account tab, under Account options, follow these steps:
    1. Make sure that the Password never expires check box is selected.
    2. Make sure that the Account is disabled check box is cleared. Then, do one of the following:
      • If the Account is disabled check box is selected, clear it to enable the account. Then, restart the Azure Active Directory Synchronization appliance service. To do this, click Start, click Run, type Services.msc, and then click OK. Locate the service, right-click it, and then click Restart.
        • If you're using the Azure Active Directory Sync Tool, look for Azure Active Directory Sync Service.
        • If you're using Azure Active Directory Connect, look for Microsoft Azure AD Sync.
      • If the Account is disabled check box is already cleared, go to step 5. 
  5. If the Account is disabled check box is already cleared, it’s possible that the password for the account was manually changed. To set a new password, open Active Directory Users and Computers, locate and right-click the account, and then click Reset Password to reset the password. Note the password that you set because you'll have to use it in the next step. 
  6. Set the password on the logon account for the directory synchronization services. To do this, follow these steps:
    1. Click Start, click Run, type Services.msc, and then click OK.
    2. Set the password for the following services, depending on the client that you're using. To do this, right-click the appropriate service, click Properties, click the Log On tab, and then type the password.
      Azure Active Directory Synchronization client:
      • Forefront Identity Manager Synchronization Service
      • SQL Server (MOSONLINE) (if present)
      • Azure Active Directory Sync Service
      Azure Active Directory Connect:
      • Azure AD Sync
    3. Start the service or services for which you set the new password. 
    4. Wait three hours for directory synchronization to occur, and then run the Directory Synchronization troubleshooter.
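
The read-only checks from Methods 2 and 3 (service state, logon account, and the account options on the Account tab) can be collected in one pass. The following PowerShell is an added example, not a Microsoft-supplied script. It assumes the service logon account is a domain account and that the ActiveDirectory module (RSAT) is installed on the synchronization server.

```powershell
# Added example (read-only): run on the directory synchronization server.
# Needs the ActiveDirectory module (RSAT) for Get-ADUser.
Import-Module ActiveDirectory -ErrorAction Stop

# Service display names as listed in this article.
$displayNames = 'Microsoft Azure AD Sync', 'Azure Active Directory Sync Service'

$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $displayNames -contains $_.DisplayName }
if (-not $services) {
    Write-Warning 'No directory synchronization service was found on this computer.'
    return
}

foreach ($svc in $services) {
    # StartName is the account shown on the Log On tab (DOMAIN\user or user@domain).
    $sam = ($svc.StartName -split '\\')[-1] -replace '@.*$', ''
    $issues = @()
    if ($svc.State -ne 'Running') { $issues += "Service state is $($svc.State)" }

    # Assumption: the logon account is a domain account, as Method 3 expects.
    $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" `
        -Properties PasswordNeverExpires, PasswordExpired
    if (-not $user) {
        $issues += 'Logon account not found in Active Directory (possibly deleted)'
    } else {
        # Same conditions that step 4 checks on the Account tab.
        if (-not $user.Enabled)              { $issues += 'Account is disabled' }
        if (-not $user.PasswordNeverExpires) { $issues += 'Password never expires is not set' }
        if ($user.PasswordExpired)           { $issues += 'Password has expired' }
    }

    [pscustomobject]@{
        Service      = $svc.DisplayName
        State        = $svc.State
        LogonAccount = $svc.StartName
        Issues       = if ($issues) { $issues -join '; ' } else { 'None found' }
    }
}
```

The script changes nothing; any finding it reports is resolved with the steps in Method 3.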

Method 4: Install the latest version of the Microsoft Online Services Sign-In Assistant

If you see the following event ID error in the Application log in Event Viewer, you may have an older version or a corrupted installation of the Microsoft Online Services Sign-In Assistant:
Event ID: 109
Log Name: Application
Level: Error
Source: Directory Synchronization
Description:
Failure while importing entries from Windows Azure Active Directory. Exception:
Microsoft.Online.Coexistence.Security.DynamicPInvokeException: Failed to get address
for method: CreateIdentityHandle2 from library: C:\Program Files\Common Files\Microsoft
Shared\Microsoft Online Services\msoidcli.dll. GetLastError code: 127
To resolve this issue, install the latest version of the Microsoft Online Services Sign-In Assistant. For information about how to do this, see the "Solution" section of the following Microsoft Knowledge Base article:
3037953 "Failed to get address for method: CreateIdentityHandle2" error when you run the Azure Active Directory Sync tool configuration wizard
MORE INFORMATION
Still need help? Go to the Office 365 Community website or the Azure Active Directory Forums website.
Properties

Article ID: 2882421 - Last Review: 04/01/2016 21:51:00 - Revision: 17.0

Microsoft Azure Active Directory, Microsoft Office 365, Microsoft Intune, CRM Online via Office 365 E Plans, Microsoft Azure Recovery Services, Office 365 Identity Management
