Share via

Entra Cloud Sync issue

Paul 25 Reputation points
2026-04-07T22:22:23.86+00:00

Trying to get Entra Cloud Sync to work on a dedicated Windows 2022 server (all servers are 2022 and up to date) and I'm running into an issue syncing for the first time.

Agent installs and registers without issue. When attempting to sync:

  • Local errors from C:\ProgramData\Microsoft\Azure AD Connect Provisioning Agent\Trace is Error: 0 : Unable to initialize performance counters and Error: 0 : Web socket failed to connect.
  • In 365 it's HybridIdentityServiceAgentTimeout

Troubleshooting steps:

In the Event logs I found these possible things of note:

  • "Agent re-registration failed: Internal error. Cannot renew registration with Microsoft Azure AD Connect Provisioning Agent. Error: 'Unable to renew trust with Cloud Proxy. Exception: 'System.TimeoutException: The HTTP request to 'https://his-nam1-cus1.renewtrust.msappproxy.net/renewTrust/RenewTrustCertificate' " 
  • The Microsoft Azure AD Connect Agent Updater service failed to check for updates. Additional details: 'The remote name could not be resolved: 'autoupdate.msappproxy.net''.
  • Also found CAPI2 errors about a related root cert chain check failing with "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider."

Sync server is getting DNS from DCs which have no forwarders and valid root hints. 

Disabled proxy in Provisioning Agent config. Confirmed there was no proxy at the OS level.

Reviewed upstream hardware firewall logs, confirmed that there was no security filtering and sync server had direct access to the internet..

Reviewed TLS settings on Sync server. Disabled SSL 2 & 3, TLS 1 and 1.1. Enabled TLS 1.2 and 1.3. Updated .NET with same settings.

Rebuilt and updated Machine certificate store.

I also ran Repair-AADCloudSyncToolsAccount using Powershell.

I've never had this much trouble setting up a sync before and I'm kinda stumped. Thoughts?

Microsoft Security | Microsoft Entra | Other
0 comments

Answer accepted by question author

Anthony Porter 230 Reputation points
2026-04-07T23:49:53.47+00:00

Based on the errors you’re seeing, this looks less like an agent bug and more like outbound connectivity + certificate trust issues, with the performance counter error being secondary.

Key points to check:

DNS is very likely the primary issue. The failure to resolve autoupdate.msappproxy.net strongly suggests the server can’t resolve *.msappproxy.net in general. Cloud Sync relies heavily on these endpoints (WebSocket signaling, trust renewal, agent updates). DCs using only root hints often fail here if outbound DNS isn’t cleanly allowed. Quick test: nslookup autoupdate.msappproxy.net and nslookup login.microsoftonline.com from the sync server.

Firewall must allow URLs, not just “internet access”. Cloud Sync uses dynamic endpoints behind *.msappproxy.net and Azure Service Bus over TCP 443, plus port 80 for CRL checks. IP allow lists are brittle here, DNS name-based rules are the correct approach. Even “no filtering” firewalls sometimes still break WebSocket traffic.

CAPI2 root trust errors matter here. The “terminated in a root certificate which is not trusted” error will break TLS and cause:

  • WebSocket failures
    • Trust renewal timeouts (RenewTrustCertificate)
      • HybridIdentityServiceAgentTimeout in the portal

Make sure:

  • ctldl.windowsupdate.com is reachable (Windows root cert updates)
  • CRL/OCSP endpoints (DigiCert + Microsoft) are reachable on port 80
  • No TLS inspection is happening for *.msappproxy.net (this is explicitly unsupported)

Was this answer helpful?

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.