ThanasisTaN-4641 asked

Azure AD Connect - Error regarding a non synched user

Hi,

We have had Azure AD Connect deployed in our company for 2 years now, and in the last few days I'm getting the following error regarding a specific user:

Get single object failed to get object User_<Object ID>. Tracking Id: 00000000-0000-0000-0000-000000000000, Exception: Exception details =>
Type => Microsoft.Online.Coexistence.AzureADObjectNotFoundException
An error occurred. Error Code: 53. Error Description: An internal error has occurred. This operation will be retried during the next synchronization. If the issue persists for more than 24 hours, contact Technical Support. Tracking ID: 8e4e534f-049d-424b-bd41-b892cb6c1ab6 Server Name: .
StackTrace =>
at Microsoft.Online.Coexistence.ProvisionHelper.AdminWebServiceFaultHandler(FaultException`1 adminwebFault)
at Microsoft.Online.Coexistence.ProvisionHelper.InvokeAwsAPI[T](Func`1 awsOperation, String opsLabel, IEnumerable`1 operationHeaders)
at Microsoft.Online.Coexistence.ProvisionHelper.GetSingleObject(SyncReference reference, Byte[] singleObjectCookie, Byte[] readbackCookie, Boolean isFullImport, String[] reasons)
at Microsoft.Azure.ActiveDirectory.Connector.ProvisioningServiceAdapter.<>c_DisplayClass82_0.<GetSingleObject>b_0()
at Microsoft.Azure.ActiveDirectory.Connector.ProvisioningServiceAdapter.ExecuteWithRetry(String actionName, Action action)
at Microsoft.Azure.ActiveDirectory.Connector.ProvisioningServiceAdapter.GetSingleObject(SyncReference reference, Byte[] singleObjectCookie, Byte[] readbackCookie, Boolean isFullImport, String[] reasons)
at Microsoft.Azure.ActiveDirectory.Connector.GetImportEntriesTask.FullObjectRefetcher.FetchFullAzureADObject(CaseInsensitiveSchema schema, ProvisioningServiceAdapter provisioningServiceAdapter, SyncReference reference, Byte[] originatingReadbackCookie, Boolean isFullImport, String[] reasons)
at Microsoft.Azure.ActiveDirectory.Connector.GetImportEntriesTask.ReadFullRefetchObjects(Byte[] originatingCookie)

InnerException =>
Type => System.ServiceModel.FaultException`1[[Microsoft.Online.Coexistence.Schema.AdminWebServiceFault, Microsoft.Online.Coexistence.Schema.Ex, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]
An internal error has occurred. This operation will be retried during the next synchronization. If the issue persists for more than 24 hours, contact Technical Support.
StackTrace =>

Server stack trace:
at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Microsoft.Online.Coexistence.Schema.IProvisioningWebService.GetSingleObject(SyncReference reference, Byte[] singleObjectCookie, Byte[] readbackCookie, Nullable`1 isFullReadBack, String[] getSingleObjectReason)
at Microsoft.Online.Coexistence.ProvisionHelper.<>c_DisplayClass67_0.<GetSingleObject>b_0()
at Microsoft.Online.Coexistence.ProvisionHelper.InvokeAwsApi[T](Func`1 awsOperation, String apiAction, String applicationId, Guid clientTrackingId, String clientVersion, String contextId, String dirSyncBuildNumber, String fimBuildNumber, String machineIdentity, IEnumerable`1 operationHeaders)
at Microsoft.Online.Coexistence.ProvisionHelper.InvokeAwsAPI[T](Func`1 awsOperation, String opsLabel, IEnumerable`1 operationHeaders)


Synchronization Service Manager shows no errors, Azure Active Directory Connect Health shows no errors as well.
The specific user used to sync with Azure AD, but since his retirement (about 6 months ago) we disabled the AD domain account (it is still there, but in a disabled state), stopped the syncing with AAD and converted the mailbox to a shared mailbox in the Office 365 portal.
We're using an Office 365 Standard subscription, the DC is a Win2012 R2 running the latest Azure AD Connect version (1.6.16), and as far as I know nothing has changed over the last few days in which I've been getting those errors.

Can you please help?


azure-ad-connect

Do you see anything under the Operations tab in the Synchronization Service Manager? If you're trying to convert them to a shared mailbox, you may need to try the steps here to force the sync.

https://serverfault.com/questions/865495/convert-ad-connect-synced-user-to-shared-mailbox/865592

I would also check if it might be related to the proxy address issue described here: https://community.spiceworks.com/topic/2331821-azure-ad-connect-sync-error-directoryserviceexception

This may require deeper investigation in a support case.



Hello there,

The conversion to shared mailbox took place later; that is, I stopped the domain account syncing with AAD first. It's been there for about 6 months now, and as I said the error events started a few days ago.
We've done this many times before but this one seems to have a problem.
(attached screenshot: 147357-syncservicemanager.png)



Right now I found out that today I'm getting errors for 5 additional accounts converted to shared mailboxes. They don't have any proxyAddress attribute.

I think that for all those affected accounts I'm talking about, I used Connect-MsolService / Set-MSOLUser -UserPrincipalName username@domain -ImmutableID "$null" during the conversion process.

Edit: This is it, all of these accounts have a null ImmutableId. Now what? :)

ThanasisTaN-4641 answered

Well,

Let me explain the conversion steps I follow.
Every time a user retires, I remove him from the AzureADConnect AD security group so it stops syncing, I run a sync, the status of the Azure user becomes "In Cloud" and he automatically moves to deleted users, I restore him from deleted users, then I set the ImmutableId to $null so it doesn't go to deleted users again, and then I proceed to the shared mailbox conversion.
Every user mailbox on which I set the ImmutableId to "$null" was triggering those error events.

So the problem was there since the 1st use of the immutableid setting and perhaps it appeared after the upgrade of Azure AD Connect application (about 5-6 months ago).

Anyway, I changed the Source Anchor of Azure AD Connect to ms-DS-ConsistencyGuid and the errors disappeared.

Thank you for your time.

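As an added example (not code from this thread or from Microsoft), a PowerShell audit that recomputes each synced user's expected ImmutableId from mS-DS-ConsistencyGuid or objectGUID and flags cloud accounts whose anchor is empty while an on-prem object still exists, which is the state the comment above and this answer describe. It assumes the ActiveDirectory and MSOnline modules, an already-established Connect-MsolService session, and that the UPN suffix passed as -Domain ('example.com' is a placeholder) identifies the synced accounts.

```powershell
# Added example, not code from this thread. Requires the ActiveDirectory and
# MSOnline modules and an already-established Connect-MsolService session.
Import-Module ActiveDirectory
Import-Module MSOnline

function Get-ExpectedImmutableId {
    # Azure AD Connect derives ImmutableId from the source anchor attribute:
    # base64 of mS-DS-ConsistencyGuid when populated, otherwise of objectGUID.
    param($AdUser)
    $bytes = $AdUser.'mS-DS-ConsistencyGuid'
    if (-not $bytes) { $bytes = $AdUser.ObjectGUID.ToByteArray() }
    return [System.Convert]::ToBase64String($bytes)
}

function Find-AnchorState {
    # $Domain is an assumption: the UPN suffix of the synced accounts.
    param([string]$Domain)
    $cloudUsers = Get-MsolUser -All | Where-Object { $_.UserPrincipalName -like "*@$Domain" }
    foreach ($cloud in $cloudUsers) {
        $upn = $cloud.UserPrincipalName
        $ad  = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" `
                          -Properties 'mS-DS-ConsistencyGuid' -ErrorAction SilentlyContinue
        $state = if (-not $ad) {
            'CloudOnly'                  # no on-prem object: a genuine cloud account
        } elseif ([string]::IsNullOrEmpty($cloud.ImmutableId)) {
            'NullAnchor-ADObjectExists'  # anchor cleared but AD object still present
        } elseif ($cloud.ImmutableId -eq (Get-ExpectedImmutableId $ad)) {
            'Matched'                    # cloud anchor agrees with on-prem anchor
        } else {
            'AnchorMismatch'             # object re-created or anchor edited by hand
        }
        [PSCustomObject]@{
            UserPrincipalName = $upn
            State             = $state
            AdEnabled         = if ($ad) { $ad.Enabled } else { $null }
            LastDirSyncTime   = $cloud.LastDirSyncTime
        }
    }
}

# Example run; the domain value is a placeholder.
Find-AnchorState -Domain 'example.com' | Sort-Object State | Format-Table -AutoSize
```

Rows in the NullAnchor-ADObjectExists state are the accounts to review before the next sync cycle; the AdEnabled column shows whether the on-prem object is still disabled, as in the retiree case above.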

AndyDavid answered

AzureADConnect AD security group? What is that? Group-based syncing is not supported in production.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-configure-filtering#group-based-filtering

Typically, the easiest thing to do is exclude an OU from the sync for accounts you want to remove from Azure and move the account there.


"AzureADConnect" is the name of the security group I created when I initially started the sync. It seems that it is still working, but I'd better enable OU filtering.
Thanks for the tip.
