Why does new cloud sync configuration creation fail with "An unexpected error occurred"?

Jax Planet 91 Reputation points
2025-06-17T02:02:55.2033333+00:00

The reason is I need to migrate from Exchange 2016 standalone, on-premise to Exchange Online. It needs to be in the hybrid configuration for a few months so I can stagger the migration. I am signed in using a Global Admin account.

In Azure's "New cloud sync configuration", I click to show "a list of active agents" and it shows the on-premise Exchange server's name, public IP and the status shows "active". The drop down list is greyed out and I receive the "Unexpected error..." when I press Create.

I removed and reinstalled the agent using the "Download on-premises agent" link and made sure the agent was running, but it did not resolve the problem.

I closed the browser and reopened it using "New InPrivate window", but it did not resolve the problem.

I verified ports 80 and 443 were open and I could access the Microsoft URLs provided in the troubleshooting documents.

What am I missing?

Thank you in advance!

Jax

Exchange Hybrid management

2 answers

  1. Alex Burlachenko 9,780 Reputation points
    2025-06-17T10:06:35.4766667+00:00

    hi Jax!

    thanks for posting this 8-))

    first off, since u're using Microsoft’s cloud sync, make sure u’ve got the latest agent version installed. sometimes the old ones just don’t play nice with newer Azure updates. u might wanna uninstall completely, then grab the newest version from scratch. check the agent requirements here.

    next pls check if the service account running the agent has proper permissions. even as global admin, sometimes the local machine permissions get weird. try running the agent installation as administrator if u haven’t already. for a Microsoft-specific fix, look at the application event logs on ur Exchange server. there’s usually more details hiding there than what Azure shows u. search for 'azure ad connect' or 'cloud sync' events around the time u got the error. Microsoft’s https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/how-to-troubleshoot has good info on this.

    now here’s something that might help in other tools too... when ports 80/443 are open but things still fail, try using telnet from the Exchange server to test connectivity. just open command prompt and type: telnet yourproxy.microsoft.com 443. if it connects, great! if not, there might be a sneaky firewall rule blocking u.

    one more thing worth looking into... the hybrid configuration wizard in Exchange 2016 can sometimes conflict with cloud sync. make sure u didn’t run both at the same time. Microsoft recommends completing the hybrid config first, see https://learn.microsoft.com/en-us/exchange/hybrid-deployment/hybrid-agent before setting up cloud sync.

    check this... the agent needs Internet Explorer Enterprise Mode settings even if u're using Edge or Chrome. yeah, i know, it’s 2025 and we’re still dealing with IE stuff )) https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/enterprise-mode-overview-for-ie11

    this might sound basic, but double-check the time sync between ur on-prem server and Azure. time drift causes the weirdest authentication issues. make sure they’re within like 5 minutes of each other. NTP sync guide here.

    hope my notes & advice help, Jax, and good luck with that migration...

    rgds,

    Alex

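The checks suggested in the answer above (a TCP 443 connection test, a clock-drift check against the 5-minute figure, and a search of the Application event log around the time of the error) can be run in one pass on the server hosting the agent. This PowerShell script is an added example, not part of either post; the endpoint name, the NTP source and the error timestamp are assumptions to replace with your own values.

```powershell
# Added example: triage checks run on the server that hosts the provisioning agent.
# Assumptions (not from the thread): endpoint list, NTP source, error timestamp.
$Endpoints  = @('login.microsoftonline.com')  # assumed; use the URLs from the troubleshooting docs
$NtpSource  = 'time.windows.com'              # assumed reference clock
$ErrorTime  = Get-Date '2025-06-17 02:00'     # constructed; local time the portal error appeared
$WindowMin  = 15                              # minutes of log to search either side of the error
$MaxSkewSec = 300                             # the "within 5 minutes" figure from the answer

# 1. Outbound TCP 443 reachability (the same thing the telnet test checks).
$reach = foreach ($h in $Endpoints) {
    $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{ Check = "tcp/443 $h"; Ok = $r.TcpTestSucceeded; Detail = "$($r.RemoteAddress)" }
}

# 2. Clock offset against the reference source, parsed from one w32tm sample.
$raw  = & w32tm.exe /stripchart /computer:$NtpSource /samples:1 /dataonly 2>&1 | Out-String
$skew = if ($raw -match '([+-]\d+\.\d+)s') {
    $offset = [double]$Matches[1]
    [pscustomobject]@{ Check = "clock vs $NtpSource"
                       Ok     = ([math]::Abs($offset) -le $MaxSkewSec)
                       Detail = "$offset s" }
} else {
    # No sample came back: treat as a failed check rather than assuming the clock is fine.
    [pscustomobject]@{ Check = "clock vs $NtpSource"; Ok = $false; Detail = 'no sample returned' }
}

# 3. Application log entries near the error that mention the sync components.
$filter = @{
    LogName   = 'Application'
    StartTime = $ErrorTime.AddMinutes(-$WindowMin)
    EndTime   = $ErrorTime.AddMinutes($WindowMin)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { "$($_.ProviderName) $($_.Message)" -match 'azure ad connect|cloud sync' } |
    Select-Object TimeCreated, ProviderName, Id, LevelDisplayName, Message

# Summary table first, then the matching events in full.
@($reach) + $skew | Format-Table -AutoSize | Out-Host
$events | Format-List | Out-Host
```

A passing result on all three checks points away from network, clock and agent-service causes, which matches what the original poster found before the fix described in the next answer.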

  2. Jax Planet 91 Reputation points
    2025-06-17T14:49:19.2533333+00:00

    Thank you for your reply, Alex!

    Although your recommendations did not lead me to a solution, you provided some valuable information that may help me in the future.

    The solution was to choose the "HR" option when running the Cloud Sync instead of the "On-Premises" option. Unlike the "On-Premises" option, the "HR" option prompted for the local domain administrator credentials.

    The reason it took me so long was the customer does not use any "HR" applications or services. I was choosing the "On-Premises" option because the tenant will be managed by "On-Premise" AD.

    This one decision stopped Cloud Sync from connecting even though all prerequisites were met.

    I still don't understand why the "On-Premises" option would not prompt for the local domain administrator credentials but I'm hoping the "HR" option will be sufficient for me to keep things working until I retire the on-premises Exchange server and sever the AD/Entra connection.

