Azure AD Connect - Error regarding a non synched user

Thanasis TaN 1 Reputation point
2021-11-05T09:17:58.837+00:00

Hi,

We have deployed Azure AD Connect in our company since 2 years now and the last few days I'm getting the following error regarding to a specific user:

Get single object failed to get object User_<Object ID>. Tracking Id: 00000000-0000-0000-0000-000000000000, Exception: Exception details =>
Type => Microsoft.Online.Coexistence.AzureADObjectNotFoundException
An error occurred. Error Code: 53. Error Description: An internal error has occurred. This operation will be retried during the next synchronization. If the issue persists for more than 24 hours, contact Technical Support. Tracking ID: 8e4e534f-049d-424b-bd41-b892cb6c1ab6 Server Name: .
StackTrace =>
at Microsoft.Online.Coexistence.ProvisionHelper.AdminWebServiceFaultHandler(FaultException1 adminwebFault) at Microsoft.Online.Coexistence.ProvisionHelper.InvokeAwsAPI[T](Func1 awsOperation, String opsLabel, IEnumerable`1 operationHeaders)
at Microsoft.Online.Coexistence.ProvisionHelper.GetSingleObject(SyncReference reference, Byte[] singleObjectCookie, Byte[] readbackCookie, Boolean isFullImport, String[] reasons)
at Microsoft.Azure.ActiveDirectory.Connector.ProvisioningServiceAdapter.<>c__DisplayClass82_0.<GetSingleObject>b__0()
at Microsoft.Azure.ActiveDirectory.Connector.ProvisioningServiceAdapter.ExecuteWithRetry(String actionName, Action action)
at Microsoft.Azure.ActiveDirectory.Connector.ProvisioningServiceAdapter.GetSingleObject(SyncReference reference, Byte[] singleObjectCookie, Byte[] readbackCookie, Boolean isFullImport, String[] reasons)
at Microsoft.Azure.ActiveDirectory.Connector.GetImportEntriesTask.FullObjectRefetcher.FetchFullAzureADObject(CaseInsensitiveSchema schema, ProvisioningServiceAdapter provisioningServiceAdapter, SyncReference reference, Byte[] originatingReadbackCookie, Boolean isFullImport, String[] reasons)
at Microsoft.Azure.ActiveDirectory.Connector.GetImportEntriesTask.ReadFullRefetchObjects(Byte[] originatingCookie)

InnerException =>
Type => System.ServiceModel.FaultException`1[[Microsoft.Online.Coexistence.Schema.AdminWebServiceFault, Microsoft.Online.Coexistence.Schema.Ex, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]
An internal error has occurred. This operation will be retried during the next synchronization. If the issue persists for more than 24 hours, contact Technical Support.
StackTrace =>

Server stack trace:
at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Microsoft.Online.Coexistence.Schema.IProvisioningWebService.GetSingleObject(SyncReference reference, Byte[] singleObjectCookie, Byte[] readbackCookie, Nullable1 isFullReadBack, String[] getSingleObjectReason) at Microsoft.Online.Coexistence.ProvisionHelper.<>c__DisplayClass67_0.<GetSingleObject>b__0() at Microsoft.Online.Coexistence.ProvisionHelper.InvokeAwsApi[T](Func1 awsOperation, String apiAction, String applicationId, Guid clientTrackingId, String clientVersion, String contextId, String dirSyncBuildNumber, String fimBuildNumber, String machineIdentity, IEnumerable1 operationHeaders) at Microsoft.Online.Coexistence.ProvisionHelper.InvokeAwsAPI[T](Func1 awsOperation, String opsLabel, IEnumerable`1 operationHeaders)

Synchronization Service Manager shows no errors, Azure Active Directory Connect Health shows no errors as well.
The specific user used to sync with Azure AD but since his retirement (about 6 months ago) we disabled the AD domain account (it is still there but in a disabled state), stopped the synching with AAD and we converted the mailbox to a shared mailbox in Office365 portal.
We're using an Office 365 Standard subscription, the DC is a Win2012 R2 running the latest Azure AD Connect version (1.6.16) and as far as I know nothing have changed since the last few days I'm getting those errors.

Can you please help?

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
12,728 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Thanasis TaN 1 Reputation point
    2021-11-08T14:12:37.487+00:00

    Well,

    Let me explain the conversion steps I follow.
    Every time a user retires, i remove him from AzureADConnect AD security group so it stops sync, I run a sync, the status of Azure user becomes "In Cloud" and he automatically moves to deleted users, i restore him from deleted users, then i set the immutableid to $null so it doesn't go to deleted users again and then I proceed to shared mailbox conversion.
    Every user mailbox on which i ran the immutableid to "$null" was triggering those error events.

    So the problem was there since the 1st use of the immutableid setting and perhaps it appeared after the upgrade of Azure AD Connect application (about 5-6 months ago).

    Anyway, i changed the Source Anchor of Azure AD Connect to ms-DS-ConsistencyGuid and the errors disappeared.

    Thank you for your time.

    No comments

  2. Andy David - MVP 110.1K Reputation points Microsoft MVP
    2021-11-08T14:16:46.11+00:00

    AzureADConnect AD security group ? What is that? Group based Syncing is not supported in production.

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-configure-filtering#group-based-filtering

    Typically, the easiest thing to do is exclude an OU from the sync for accounts you want to remove from Azure and move the account there.