Azure AD Connect - Error regarding a non synched user

Thanasis TaN 1 Reputation point
2021-11-05T09:17:58.837+00:00

Hi,

We have had Azure AD Connect deployed in our company for 2 years now, and for the last few days I've been getting the following error regarding a specific user:

Get single object failed to get object User_<Object ID>. Tracking Id: 00000000-0000-0000-0000-000000000000, Exception: Exception details =>
Type => Microsoft.Online.Coexistence.AzureADObjectNotFoundException
An error occurred. Error Code: 53. Error Description: An internal error has occurred. This operation will be retried during the next synchronization. If the issue persists for more than 24 hours, contact Technical Support. Tracking ID: 8e4e534f-049d-424b-bd41-b892cb6c1ab6 Server Name: .
StackTrace =>
at Microsoft.Online.Coexistence.ProvisionHelper.AdminWebServiceFaultHandler(FaultException`1 adminwebFault)
at Microsoft.Online.Coexistence.ProvisionHelper.InvokeAwsAPI[T](Func`1 awsOperation, String opsLabel, IEnumerable`1 operationHeaders)
at Microsoft.Online.Coexistence.ProvisionHelper.GetSingleObject(SyncReference reference, Byte[] singleObjectCookie, Byte[] readbackCookie, Boolean isFullImport, String[] reasons)
at Microsoft.Azure.ActiveDirectory.Connector.ProvisioningServiceAdapter.<>c__DisplayClass82_0.<GetSingleObject>b__0()
at Microsoft.Azure.ActiveDirectory.Connector.ProvisioningServiceAdapter.ExecuteWithRetry(String actionName, Action action)
at Microsoft.Azure.ActiveDirectory.Connector.ProvisioningServiceAdapter.GetSingleObject(SyncReference reference, Byte[] singleObjectCookie, Byte[] readbackCookie, Boolean isFullImport, String[] reasons)
at Microsoft.Azure.ActiveDirectory.Connector.GetImportEntriesTask.FullObjectRefetcher.FetchFullAzureADObject(CaseInsensitiveSchema schema, ProvisioningServiceAdapter provisioningServiceAdapter, SyncReference reference, Byte[] originatingReadbackCookie, Boolean isFullImport, String[] reasons)
at Microsoft.Azure.ActiveDirectory.Connector.GetImportEntriesTask.ReadFullRefetchObjects(Byte[] originatingCookie)

InnerException =>
Type => System.ServiceModel.FaultException`1[[Microsoft.Online.Coexistence.Schema.AdminWebServiceFault, Microsoft.Online.Coexistence.Schema.Ex, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]
An internal error has occurred. This operation will be retried during the next synchronization. If the issue persists for more than 24 hours, contact Technical Support.
StackTrace =>

Server stack trace:
at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Microsoft.Online.Coexistence.Schema.IProvisioningWebService.GetSingleObject(SyncReference reference, Byte[] singleObjectCookie, Byte[] readbackCookie, Nullable`1 isFullReadBack, String[] getSingleObjectReason)
at Microsoft.Online.Coexistence.ProvisionHelper.<>c__DisplayClass67_0.<GetSingleObject>b__0()
at Microsoft.Online.Coexistence.ProvisionHelper.InvokeAwsApi[T](Func`1 awsOperation, String apiAction, String applicationId, Guid clientTrackingId, String clientVersion, String contextId, String dirSyncBuildNumber, String fimBuildNumber, String machineIdentity, IEnumerable`1 operationHeaders)
at Microsoft.Online.Coexistence.ProvisionHelper.InvokeAwsAPI[T](Func`1 awsOperation, String opsLabel, IEnumerable`1 operationHeaders)

Synchronization Service Manager shows no errors, and Azure Active Directory Connect Health shows no errors either.
The specific user used to sync with Azure AD, but since his retirement (about 6 months ago) we disabled the AD domain account (it is still there, but in a disabled state), stopped syncing it with AAD, and converted the mailbox to a shared mailbox in the Office 365 portal.
We're using an Office 365 Standard subscription, the DC is a Win2012 R2 running the latest Azure AD Connect version (1.6.16), and as far as I know nothing has changed in the last few days, during which I've been getting those errors.

Can you please help?


2 answers

  1. Thanasis TaN 1 Reputation point
    2021-11-08T14:12:37.487+00:00

    Well,

    Let me explain the conversion steps I follow.
    Every time a user retires, I remove him from the AzureADConnect AD security group so it stops syncing, and I run a sync. The status of the Azure user becomes "In Cloud" and he automatically moves to deleted users. I restore him from deleted users, then I set the ImmutableId to $null so he doesn't go to deleted users again, and then I proceed to the shared mailbox conversion.
    Every user mailbox on which I set the ImmutableId to $null was triggering those error events.

    So the problem has been there since the first use of the ImmutableId setting, and perhaps it appeared after the upgrade of the Azure AD Connect application (about 5-6 months ago).

    Anyway, I changed the Source Anchor of Azure AD Connect to ms-DS-ConsistencyGuid and the errors disappeared.

    Thank you for your time.

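The answer above turns on how the cloud ImmutableId relates to the on-premises source anchor, and on the "restore, then clear ImmutableId" routine. The following PowerShell is an added example written for this page; it is not code from the thread or from Microsoft. It computes the ImmutableId that Azure AD Connect would derive from each candidate source anchor (objectGUID and mS-DS-ConsistencyGuid: Base64 of the attribute's 16 raw bytes) and compares it with what the cloud object currently carries, so you can tell for a given user whether it is still hard-matched, cloud-only, or mismatched before changing anything. It assumes the RSAT ActiveDirectory module, the MSOnline module (the module the "ImmutableId $null" step implies; it is deprecated in favour of Microsoft Graph PowerShell), an existing Connect-MsolService session, and the Exchange Online module for the mailbox step. The sample account name and UPN are placeholders.

```powershell
# Added example for this thread; not part of the original posts.
# Requires: ActiveDirectory (RSAT), MSOnline (Connect-MsolService already done),
# ExchangeOnlineManagement (Connect-ExchangeOnline already done).
# 'jdoe' and 'jdoe@contoso.example' below are placeholders, not real accounts.

function ConvertTo-ImmutableId {
    # Azure AD Connect writes the source anchor as the Base64 encoding of the
    # attribute's 16 raw bytes (the byte order of Guid.ToByteArray()), so a
    # Base64 of the GUID's string form will never match.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    [System.Convert]::ToBase64String($Bytes)
}

function Get-SourceAnchorReport {
    # Compares the on-prem candidates with the cloud ImmutableId. When the
    # source anchor is mS-DS-ConsistencyGuid and the attribute is still empty,
    # Azure AD Connect populates it with objectGUID, so both candidates agree
    # for users synced after the switch; a mismatch usually means the cloud
    # object was hard-matched to something else, or to nothing (cloud-only).
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )

    $adUser = Get-ADUser -Identity $SamAccountName -Properties objectGUID, 'mS-DS-ConsistencyGuid'
    $fromObjectGuid = ConvertTo-ImmutableId -Bytes $adUser.objectGUID.ToByteArray()
    $fromConsistencyGuid = $null
    if ($adUser.'mS-DS-ConsistencyGuid') {
        $fromConsistencyGuid = ConvertTo-ImmutableId -Bytes ([byte[]]$adUser.'mS-DS-ConsistencyGuid')
    }

    $cloudUser = Get-MsolUser -UserPrincipalName $UserPrincipalName

    $state = if (-not $cloudUser.ImmutableId) { 'CloudOnly' }
             elseif ($cloudUser.ImmutableId -eq $fromObjectGuid -or
                     $cloudUser.ImmutableId -eq $fromConsistencyGuid) { 'Matched' }
             else { 'Mismatch' }

    [pscustomobject]@{
        UserPrincipalName           = $UserPrincipalName
        OnPremEnabled               = $adUser.Enabled
        ImmutableId_objectGUID      = $fromObjectGuid
        ImmutableId_ConsistencyGuid = $fromConsistencyGuid
        ImmutableId_Cloud           = $cloudUser.ImmutableId
        LastDirSyncTime             = $cloudUser.LastDirSyncTime
        State                       = $state
    }
}

function Convert-RetiredUserToSharedMailbox {
    # The sequence the first answer describes, scripted as written: restore the
    # soft-deleted cloud object, clear its ImmutableId so it becomes a cloud-only
    # object and is not re-deleted, then convert the mailbox. "$null" in double
    # quotes is the documented way to send an empty ImmutableId with Set-MsolUser.
    # Caveat from the same thread: group-based filtering is not supported for
    # production; excluding an OU from the sync scope is the usual alternative.
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $deleted = Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
    if ($deleted) {
        Restore-MsolUser -UserPrincipalName $UserPrincipalName
    }
    Set-MsolUser -UserPrincipalName $UserPrincipalName -ImmutableId "$null"
    Set-Mailbox -Identity $UserPrincipalName -Type Shared
}

# Usage (placeholders): check the hard-match state first, then act on it.
Get-SourceAnchorReport -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@contoso.example' | Format-List
```

Run the report before and after any ImmutableId change: a retired user that shows `State = CloudOnly` is exactly the kind of object the connector can no longer look up by source anchor, while `Mismatch` on an account you still expect to sync means the cloud ImmutableId and the on-prem attribute disagree and should be reconciled rather than cleared.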

  2. Andy David - MVP 141.2K Reputation points MVP
    2021-11-08T14:16:46.11+00:00

    AzureADConnect AD security group? What is that? Group based syncing is not supported in production.

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-configure-filtering#group-based-filtering

    Typically, the easiest thing to do is exclude an OU from the sync for accounts you want to remove from Azure and move the account there.