Azure AD Sync error 114

Gaven Carley 1 Reputation point
2021-12-31T20:02:31.177+00:00

Have looked through a few other posts and not found an answer that would work.

Syncing an on premise AD to Azure AD and getting a 114 error

From the on premises sync service manager I can see the error in the export

I also see the error in Azure AD connect health

From the Azure AD Connect health I can only see the GUID, no display name

From the On premises Sync Manager I can see the CN= Garbled text string

That being said I see the modification type was to delete and object type was user

I am not sure how to find the object that is having this issue so I can delete it from the Azure AD. There are several cloud only users. I would prefer not to rip them all out.
To add to this, the error is only occurring in the fallback domain so @keyman .onmicrsoft.com and is not present in primary domain. Any ideas how to find the account with the GUID or the Distinguished name?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. Siva-kumar-selvaraj 15,566 Reputation points
    2022-01-03T19:49:09.53+00:00

    Hello @Gaven Carley ,

    Thanks for reaching out.

    You could use the following cmdlet on the Azure AD Connect sync server to find accounts by distinguishedName, as shown below; this would help you find the relevant accounts' UPN and sourceAnchor (aka immutableid).

    Get-ADSyncCSObject -ConnectorName "domain.onmicrosoft.com - AAD" -DistinguishedName "CN={4F7372497A477A4A586B4352564A6D4473744F3331673D3D}"

    161985-image.png

    Alternatively, when you click each object from Export Error, you can also find out which users' UPN is causing the problem, as shown below:

    161996-image.png

    Here's an example of error 114: a user account was moved out of sync scope in on-premises AD, causing the sync server to remove the reference object in Azure AD and move it to the "Deleted user" container. Now, when I restore the deleted user object in AAD immediately rather than waiting for the delta sync cycle to complete (at least two delta syncs must be completed before restoring a deleted user account in AAD), I receive error 114 "complete-export-errors" during export of the AAD connector space (@keyman .onmicrsoft.com).

    161927-image.png

    This is because the AAD connector space (CS) (@keyman .onmicrsoft.com) did not complete two delta syncs to update its own database and delete the referral object, hence the sync server kept trying to update the newly restored account, causing a Deletion access violation, as explained [here].

    To resolve error 114 from the Azure AD connect server, use the above-mentioned cmdlet to retrieve the corresponding user object's UPN and delete it from Azure AD.

    If you wish to keep a recently restored user account as a cloud only account, you must run a delta sync twice after you move a user to an OU that is out of scope before restoring the user, or the user object in the AAD CS would be in pending deletion confirmation status and will continue to generate the error.

    Steps:

    1. Move an account to an OU that is not in scope for sync  
    2. Run a delta sync  
       -> The user in AAD is soft deleted  
    3. Run a delta sync again  
    4. Restore the user from Deleted users  
    

    Hope this helps.

    -----
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    2 people found this answer helpful.
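
The "garbled" CN in the export error can also be decoded offline to identify the account, shown here as an added example that is not part of the original answer. It assumes the AAD connector-space DN has the form `CN={<hex>}`, where `<hex>` is the ASCII hex of the base64 sourceAnchor (ImmutableId), and that a 16-byte anchor was derived from the on-premises objectGUID or ms-DS-ConsistencyGuid; `Convert-AadCsDnToAnchor` is a hypothetical helper name.

```powershell
# Added example (not from the original answer): decode an AAD connector-space DN
# into the ImmutableId (sourceAnchor) and, when it is 16 bytes long, the GUID it encodes.
# Assumption: the DN is CN={<hex>} and <hex> is the ASCII hex of the base64 anchor string.
function Convert-AadCsDnToAnchor {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$DistinguishedName
    )

    # Reject anything that is not CN={<even number of hex digits>}
    if ($DistinguishedName -notmatch '^CN=\{(?<hex>(?:[0-9A-Fa-f]{2})+)\}$') {
        throw "Unexpected connector-space DN format: $DistinguishedName"
    }
    $hex = $Matches['hex']

    # Each hex pair is one ASCII character of the base64 sourceAnchor
    $chars = for ($i = 0; $i -lt $hex.Length; $i += 2) {
        [char][Convert]::ToByte($hex.Substring($i, 2), 16)
    }
    $immutableId = -join $chars

    try {
        $bytes = [Convert]::FromBase64String($immutableId)
    } catch {
        throw "Decoded value '$immutableId' is not valid base64"
    }

    # A 16-byte anchor is a GUID in the same byte order AD uses for objectGUID
    $guid = $null
    if ($bytes.Length -eq 16) {
        $guid = [guid]::new([byte[]]$bytes)
    }

    [pscustomobject]@{
        ImmutableId = $immutableId
        Guid        = $guid
    }
}

# DN taken from the answer above
$anchor = Convert-AadCsDnToAnchor -DistinguishedName 'CN={4F7372497A477A4A586B4352564A6D4473744F3331673D3D}'
$anchor

# If the anchor came from objectGUID, the on-premises account can be looked up with
# the ActiveDirectory module (assumption: RSAT is installed on the machine):
# Get-ADUser -Identity $anchor.Guid -Properties userPrincipalName
```

The `ImmutableId` value can be compared against the ImmutableId of users in Azure AD, including those in Deleted users, to pick out the single object behind the export error instead of removing cloud-only accounts by trial and error.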