
Active directory sync update failure

Giles Phillips 0 Reputation points
2026-03-06T15:52:10.58+00:00

I am trying to update my AAD sync but getting an error "failed to retrieve schema error 0x31"

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. VEMULA SRISAI 13,135 Reputation points Microsoft External Staff Moderator
    2026-03-06T16:04:02.0666667+00:00

    Hello Giles Phillips,

    You’re getting “Failed to retrieve schema – error 0x31” because Entra Connect can’t authenticate to your on‑prem Active Directory while reading the schema. Error 0x31 indicates an LDAP bind failure (invalid or unusable credentials).

    Please check the AD account used by Entra Connect:

    • Ensure the account password hasn’t changed/expired and the account isn’t locked or disabled.
    • Re‑enter the credentials for the AD DS connector in Sync Service Manager (miisclient.exe).
    • Make sure the account has sufficient permissions (typically Domain Admin during setup/upgrade).

    After updating the credentials, retry the sync/update.


  2. AI answer

    2026-03-06T15:52:24.9+00:00

    The error “failed to retrieve schema” during Microsoft Entra ID (Azure AD) sync typically indicates a problem reading the on-premises Active Directory schema or a replication/synchronization issue in Active Directory that prevents the sync tool from getting a consistent schema view.

    Use the following checks and fixes:

    1. Verify Active Directory schema health
      • Confirm that all domain controllers have a consistent schema version and that there are no schema replication errors.
      • Check the schema version on domain controllers and ensure they match the expected version for the Windows Server level in use. The schema version can be verified via:
        • Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\SystemSchemaVersion
        • Active Directory: CN=Schema,CN=Configuration,DC=<domain>,DC=<tld> attribute objectVersion.
      • If a recent schema update was applied and one or more DCs show a mismatch for an extended period, a reboot of the source DC that holds the updated schema may resolve the issue if the in-memory schema was not reloaded correctly.
    2. Check for AD replication and schema mismatch errors
      • Review Directory Service event logs on domain controllers for schema-related replication errors such as 8418 (schema mismatch) or 8464 (partial attribute set synchronization issues).
      • Error 8418 indicates a schema mismatch between DCs. Ensure the schema is fully replicated and that no underlying issues (for example, database corruption, memory constraints, replication quarantine, DNS or RPC issues, local firewalls) are blocking replication.
      • Error 8464 can appear after schema changes that modify the partial attribute set (PAS). This is normally transient. If it persists for more than a week, investigate PAS synchronization by:
        • Checking event IDs 1704 and 1702 in the Directory Service log to confirm PAS synchronization completion.
        • Using repadmin and PAS analysis as described in the PAS troubleshooting guidance to ensure all global catalog servers have consistent PAS values.
    3. Ensure schema replication completes successfully
      • If schema replication was recently triggered (for example, by extending the schema or adding attributes to the PAS), wait for replication to complete across all domain controllers and global catalog servers.
      • Confirm that no DC is stuck with an outdated schema or PAS. If one DC is lagging, resolve its replication issues first, then retry the Entra ID sync schema retrieval.
    4. Retry AAD sync after AD is healthy
      • Once schema versions are consistent and replication is error-free, restart the Azure AD Connect (or sync tool) service and retry the sync or schema refresh operation.
      • If the error persists, focus on the DC that Azure AD Connect is targeting for LDAP/schema queries and verify that this specific DC has no replication or schema issues.

    These steps ensure that the sync tool can successfully read a consistent and fully replicated Active Directory schema, which is required to update or refresh the Entra ID sync configuration.


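As an added example that is not part of either answer above: a PowerShell check, run on a domain-joined machine with the ActiveDirectory RSAT module, covering both points raised in the thread, the state of the AD DS connector account (first answer) and whether every domain controller reports the same schema objectVersion (second answer). The connector account name is a placeholder to replace with your own.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory
# module is available and that $ConnectorAccount is replaced with the real
# AD DS connector account used by Entra Connect (placeholder below).
Import-Module ActiveDirectory

$ConnectorAccount = 'MSOL_PLACEHOLDER'   # placeholder: your connector account

# 1. Account state that produces an LDAP bind failure (0x31 = 49, invalid
#    credentials): disabled, locked out, or expired password.
Get-ADUser -Identity $ConnectorAccount -Properties Enabled, LockedOut,
    PasswordExpired, PasswordLastSet, PasswordNeverExpires |
    Select-Object SamAccountName, Enabled, LockedOut, PasswordExpired,
        PasswordLastSet, PasswordNeverExpires |
    Format-List

# 2. Schema version (objectVersion on the schema naming context) as each
#    DC reports it; a lagging DC shows up as a differing value or an error.
$schemaDn = (Get-ADRootDSE).schemaNamingContext
$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $v = (Get-ADObject -Identity $schemaDn -Server $dc.HostName `
                -Properties objectVersion).objectVersion
        [pscustomobject]@{ DC = $dc.HostName; SchemaVersion = $v; Error = $null }
    } catch {
        [pscustomobject]@{ DC = $dc.HostName; SchemaVersion = $null
                           Error = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize

# Flag any DC whose schema version differs from the majority value.
$expected = ($results | Where-Object SchemaVersion |
    Group-Object SchemaVersion | Sort-Object Count -Descending |
    Select-Object -First 1).Name
$results | Where-Object { $_.Error -or $_.SchemaVersion -ne [int]$expected } |
    ForEach-Object {
        Write-Warning "$($_.DC): schema version $($_.SchemaVersion) (expected $expected) $($_.Error)"
    }
```

Re-run the second part after replication has had time to converge; only once every DC reports the same version is it worth re-entering the connector credentials and retrying the sync.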
