I have a newly installed Server 2025 that I'm trying to set up Entra Connect on from an import. I have a prod server currently running on 2016. I have tried both a global admin and HIA account for the setup. Both fail with the same directory sync state error. Below are the last few lines of my trace log. We have Defender for Identity. I have made exclusions for my new server in the necessary place. I know this because I no longer get new alerts when attempting to sync during stage mode at the end of the installation.
Any help would be greatly appreciated. Thanks!
[13:29:02.091] [ 33] [INFO ] MSAL: False MSAL 4.61.3.0 MSAL.Desktop 4.8 or later Windows Server 2025 Standard [2025-02-26 18:29:02Z - 2d30c2ae-9be5-4caa-9bf8-2dcd25847cc6] === Token Acquisition (SilentRequest) started:
Scopes: https://graph.microsoft.com/.default
Authority Host: login.microsoftonline.com
[13:29:02.091] [ 33] [INFO ] MSAL: False MSAL 4.61.3.0 MSAL.Desktop 4.8 or later Windows Server 2025 Standard [2025-02-26 18:29:02Z - 2d30c2ae-9be5-4caa-9bf8-2dcd25847cc6] [Region discovery] Not using a regional authority.
[13:29:02.092] [ 33] [INFO ] MSAL: False MSAL 4.61.3.0 MSAL.Desktop 4.8 or later Windows Server 2025 Standard [2025-02-26 18:29:02Z - 2d30c2ae-9be5-4caa-9bf8-2dcd25847cc6] Access token is not expired. Returning the found cache entry. [Current time (02/26/2025 18:29:02) - Expiration Time (02/26/2025 19:33:07 +00:00) - Extended Expiration Time (02/26/2025 19:33:07 +00:00)]
[13:29:02.092] [ 33] [INFO ] MSAL: False MSAL 4.61.3.0 MSAL.Desktop 4.8 or later Windows Server 2025 Standard [2025-02-26 18:29:02Z - 2d30c2ae-9be5-4caa-9bf8-2dcd25847cc6] Returning access token found in cache. RefreshOn exists ? False
[13:29:02.092] [ 33] [INFO ] MSAL: False MSAL 4.61.3.0 MSAL.Desktop 4.8 or later Windows Server 2025 Standard [2025-02-26 18:29:02Z - 2d30c2ae-9be5-4caa-9bf8-2dcd25847cc6] [Region discovery] Not using a regional authority.
[13:29:02.092] [ 33] [INFO ] MSAL: False MSAL 4.61.3.0 MSAL.Desktop 4.8 or later Windows Server 2025 Standard [2025-02-26 18:29:02Z - 2d30c2ae-9be5-4caa-9bf8-2dcd25847cc6]
=== Token Acquisition finished successfully:
[13:29:02.092] [ 33] [INFO ] MSAL: False MSAL 4.61.3.0 MSAL.Desktop 4.8 or later Windows Server 2025 Standard [2025-02-26 18:29:02Z - 2d30c2ae-9be5-4caa-9bf8-2dcd25847cc6] AT expiration time: 2/26/2025 7:33:07 PM +00:00, scopes: email https://graph.microsoft.com/.default https://graph.microsoft.com/Application.ReadWrite.All https://graph.microsoft.com/Directory.Read.All https://graph.microsoft.com/Domain.ReadWrite.All https://graph.microsoft.com/OnPremDirectorySynchronization.ReadWrite.All https://graph.microsoft.com/Organization.ReadWrite.All openid profile. source: Cache
[13:29:02.092] [ 33] [INFO ] Authenticate-MSAL: successfully acquired an access token. TenantId=4e1a2b60-3376-489b-8a61-363cef1a209f, ExpiresUTC=2/26/2025 7:33:07 PM +00:00, UserInfo=******@ciui.net, IdentityProvider=login.windows.net.
[13:29:02.092] [ 33] [INFO ] SyncDataProvider: successfully acquired graph token.
[13:29:02.268] [ 33] [INFO ] SyncDataProvider: DirectorySynchronizationEnabled=True
[13:29:02.268] [ 33] [INFO ] SyncDataProvider: DirectorySynchronizationStatus=Other
[13:29:02.268] [ 33] [INFO ] SyncDataProvider: lastDirectorySyncTime=2/26/2025 6:19:27 PM
[13:29:02.269] [ 33] [ERROR] EnableDirectorySyncTask Error: The directory synchronization state of the directory is invalid.
Exception Data (Raw): System.Exception: The directory synchronization state of the directory is invalid.
at Microsoft.Online.Deployment.Types.Providers.SyncDataProvider.EnableDirectorySyncFlag(IAzureActiveDirectoryContext aadContext, IAadSyncContext aadSyncContext)
at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.ConfigureSyncEngineStage.StartADSyncConfigurationCore(Action`1 UpdateProgressText)
[13:29:02.270] [ 33] [ERROR] ConfigureSyncEngineStage: Caught exception while enabling directory synchronization flag in cloud.
[13:29:02.271] [ 33] [INFO ] ConfigureSyncEngineStage.StartADSyncConfiguration: AADConnectResult.Status=Failed
[13:29:02.271] [ 33] [INFO ] ConfigureSyncEngineStage.StartADSyncConfiguration: Error details: System.Exception: The directory synchronization state of the directory is invalid.
at Microsoft.Online.Deployment.Types.Providers.SyncDataProvider.EnableDirectorySyncFlag(IAzureActiveDirectoryContext aadContext, IAadSyncContext aadSyncContext)
at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.ConfigureSyncEngineStage.StartADSyncConfigurationCore(Action`1 UpdateProgressText)
[13:29:02.271] [ 33] [ERROR] ExecuteADSyncConfiguration: configuration failed. Skipping export of synchronization policy. resultStatus=Failed
[13:29:02.307] [ 33] [ERROR] PerformConfigurationPageViewModel: The directory synchronization state of the directory is invalid.
[13:29:02.307] [ 33] [ERROR] PerformConfigurationPageViewModel: The directory synchronization state of the directory is invalid.
[13:29:09.913] [ 1] [INFO ] Opened log file at path C:\ProgramData\AADConnect\trace-20250226-132457.log
[13:36:54.568] [ 1] [VERB ] ReleaseSyncConfigurationMutex(): Releasing sync config changes mutex.
[13:36:54.568] [ 1] [INFO ] ================================================================================
[13:36:54.568] [ 1] [INFO ] Application exiting
[13:36:54.568] [ 1] [INFO ] ================================================================================
[13:36:54.574] [ 1] [INFO ] FileUploader: Setup and configuration logs will not be uploaded until the Health Agent is installed.
[13:36:54.574] [ 1] [INFO ] FileUploader: The Azure AD Health sync agent install path was not found in the registry.
[13:36:54.574] [ 1] [WARN ] UploadInstallationLogs: Log files cannot be uploaded because the Azure AD Health agent has not been installed yet.
[13:36:54.604] [ 1] [INFO ] UploadTelemetryData: starting telemetry data upload...
[13:36:54.934] [ 1] [INFO ] UploadTelemetryData: upload finished. Success: True