Troubleshoot data freshness alerts in Microsoft Entra Connect Health
This article offers common diagnostic fixes for the data freshness alert "Health service data is not up to date", which is generated when the Microsoft Entra Connect Health Service hasn't received data in the last two hours. The alert occurs in the Health Service for the following services:
- Azure AD Sync service
- Microsoft Entra Domain Services
- Active Directory Federation Services (AD FS)
Prerequisites
- Microsoft Entra Connect.
- The Microsoft Entra Connect Health agent for AD DS.
- The Microsoft Entra Connect Health agent for Active Directory Federation Services.
- The PsExec tool.
Symptoms
To view the data freshness alert, take the following steps:
In the Azure portal, search for and select Microsoft Entra Connect Health.
In the Microsoft Entra Connect Health | Quick start menu pane, select AD DS Services.
Select your domain name, and then select Alerts.
In the Active Directory Domain Services Alerts pane, select Health service data is not up to date.
In the Health service data is not up to date pane, select the Server Name. The lists of properties for Alert Details and Data Type Details appear.
Common diagnostic steps
Before you continue, see Health service data is not up to date alert.
HTTP proxy troubleshooting steps
If you use an HTTP proxy, follow these steps:
If Secure Sockets Layer (SSL) inspection is turned on, make sure that you've added the policy key service endpoint (policykeyservice.dc.ad.msft.net) to the allow list.
Use a PowerShell cmdlet to find connectivity issues. You can run the Test-AzureADConnectHealthConnectivity cmdlet successfully as a regular user. However, if all data types are missing, the proxy setting might be correct for the user but not for Local System (the context that the service runs under). In that case, run the appropriate Test-AzureADConnectHealthConnectivityAsSystem cmdlet instead.
To check whether the proxy settings are correct for Local System:
Enter the following PsExec command to view the Windows settings remotely:
PsExec.exe -i -s "start ms-settings:"
Select Network & internet > Proxy, and then select Edit under the Manual proxy setup heading.
In the Edit proxy server dialog box, update the proxy server settings to match the current setup.
Restart the services.
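The user-versus-Local-System mismatch described above can also be checked without opening the Settings app. The following is an added example, not part of the original article or Microsoft's tooling. It assumes that the manual proxy setup is stored in the per-user Internet Settings registry values and that it runs from an elevated PowerShell prompt (S-1-5-18 is the Local System SID).

```powershell
# Added example: compare the per-user proxy values stored for the signed-in
# user and for Local System (SID S-1-5-18). Run from an elevated prompt.
$settingsPath = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$hives = [ordered]@{
    'Current user' = "Registry::HKEY_CURRENT_USER\$settingsPath"
    'Local System' = "Registry::HKEY_USERS\S-1-5-18\$settingsPath"
}
$names = 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL'

$rows = foreach ($entry in $hives.GetEnumerator()) {
    $values = Get-ItemProperty -Path $entry.Value -ErrorAction SilentlyContinue
    $row = [ordered]@{ Context = $entry.Key }
    foreach ($name in $names) {
        # A missing value means the setting was never configured in that hive.
        $row[$name] = if ($null -ne $values -and $null -ne $values.$name) {
            $values.$name
        } else {
            '<not set>'
        }
    }
    [pscustomobject]$row
}
$rows | Format-Table -AutoSize

# Flag every value that differs between the two contexts.
foreach ($name in $names) {
    if ($rows[0].$name -ne $rows[1].$name) {
        Write-Host "$name differs: user='$($rows[0].$name)' system='$($rows[1].$name)'" -ForegroundColor Yellow
    }
}

# The machine-wide WinHTTP proxy is stored separately; show it for comparison.
netsh winhttp show proxy
```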
Performance counter troubleshooting steps
Run the following PowerShell commands to check for the existence of certain performance counter categories.
[System.Diagnostics.PerformanceCounterCategory]::Exists("Processor")
[System.Diagnostics.PerformanceCounterCategory]::Exists("TCPv4")
[System.Diagnostics.PerformanceCounterCategory]::Exists("Memory")
[System.Diagnostics.PerformanceCounterCategory]::Exists("Process")
If any of these commands return False, run the following script to get more information about the performance counters:
# Counters to probe. The two Process counters exist only while the
# corresponding agent process is running.
$perfCounters = @(
    "\Processor(_Total)\% Processor Time",
    "\Memory\Available MBytes",
    "\TCPv4\Connections Established",
    "\Process(Microsoft.Identity.AadConnect.Health.AadSync.Host)\Private Bytes",
    "\Process(Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup)\Private Bytes"
)

foreach ($counter in $perfCounters)
{
    try
    {
        # Errors are suppressed, so a missing counter yields $null.
        $counterResult = Get-Counter -Counter $counter -MaxSamples 1 -ErrorAction SilentlyContinue
        if ($null -eq $counterResult)
        {
            Write-Host $counter " -> does not exist" -ForegroundColor Red
            if ($counter -eq "\Process(Microsoft.Identity.AadConnect.Health.AadSync.Host)\Private Bytes")
            {
                Write-Host " Please make sure Azure AD Connect Health Sync Insights Service is running." -ForegroundColor Magenta
            }
            elseif ($counter -eq "\Process(Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup)\Private Bytes")
            {
                Write-Host " Please make sure Azure AD Connect Health Sync Monitoring Service is running." -ForegroundColor Magenta
            }
        }
        else
        {
            Write-Host $counter " -> exists " -ForegroundColor Green
        }
    }
    # Ignore terminating errors so that the remaining counters are still checked.
    catch {}
}
Data type troubleshooting steps
This section includes troubleshooting steps for fixing data type issues.
Data type | Troubleshooting steps |
---|---|
PerfCounter | |
AadSyncService‑Connectors, AadSyncService‑GlobalConfigurations, AadSyncService‑RunProfileResults, AadSyncService‑ServiceConfigurations, AadSyncService‑ServiceStatus, AadSyncService‑SynchronizationRules | Make sure that the Microsoft Entra Connect Health Sync Insights Service is running. |
Collect logs for the Monitoring Agent and Insights Agent
If the dashboard isn't helping, collect the agent logs. The relevant service can be run in the console to get more information.
Begin by entering the following PsExec command to run the command prompt remotely:
PsExec.exe -i -s cmd
Then, collect the agent logs for the Monitoring and Insights services of Sync, AD DS, or AD FS, as described in the next section.
Note
AD FS also has a Diagnostics service. Instructions for collecting the corresponding Diagnostic Agent logs are shown after the log collection sections for Monitoring and Insights.
Collect Monitoring Agent logs
To collect Monitoring Agent logs, follow these steps:
At the remote command prompt, enter services.msc to open the Services snap-in.
Stop the Monitoring Service for the appropriate service type.
For example, for AD FS, select Microsoft Entra Connect Health AD FS Monitoring Service from the list of services, then select the Stop Service icon.
Change the current directory to the appropriate directory according to the service type. Then, open the configuration file of the Monitoring Agent service executable in a text editor (such as Notepad) for editing. The path name and executable file name for each service type are shown in the following table. The configuration file name simply appends the .config file name extension to the end of the executable file name.
Service type | Path | Executable |
---|---|---|
Sync | C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\Monitor | Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe |
AD DS | C:\Program Files\Azure AD Connect Health Adds Agent\Monitor | Microsoft.Identity.Health.Adds.MonitoringAgent.Startup.exe |
AD FS | C:\Program Files\Azure AD Connect Health Adfs Agent\Monitor | Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe |
For example, for AD FS, enter the following commands:
cd "C:\Program Files\Azure Ad Connect Health Adfs Agent\Monitor"
notepad "Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe.config"
In the text editor, insert the following line to set the ConsoleDebug key to true:
<add key="ConsoleDebug" value="true" />
Save and close the configuration file.
Run the Monitoring Agent service, and direct its output to a log file (monitor.log).
For example, for AD FS, enter the following command:
Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe > monitor.log
Let the Monitoring Agent service run for 15 minutes. Then, press Ctrl+C to stop the service, and inspect the monitor.log file.
Collect Insights Agent logs
To collect Insights Agent logs, follow these steps:
At the remote command prompt, enter services.msc to open the Services snap-in.
Stop the Insights service for the appropriate service type.
For example, for AD FS, select Microsoft Entra Connect Health AD FS Insights Service from the list of services, then select the Stop Service icon.
Change the current directory to the appropriate directory according to the service type. Then, run the Insights Agent service executable by using the /console parameter and direct its output to a log file (insights.log). The path name and executable file name for each service type are shown in the following table.
Service type | Path | Executable |
---|---|---|
Sync | C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\Insights | Microsoft.Identity.AadConnect.Health.AadSync.Host.exe |
AD DS | C:\Program Files\Azure AD Connect Health Adds Agent\Insights | Microsoft.Identity.Health.Adds.InsightsService.exe |
AD FS | C:\Program Files\Azure AD Connect Health Adfs Agent\Insights | Microsoft.Identity.Health.Adfs.InsightsService.exe |
For example, for AD FS, enter the following commands:
cd "C:\Program Files\Azure Ad Connect Health Adfs Agent\Insights"
Microsoft.Identity.Health.Adfs.InsightsService.exe /console > insights.log
Let the Insights Agent service run for 15 minutes. Then press Ctrl+C to stop the service, and inspect the insights.log file.
Collect logs for the Diagnostics Agent (for AD FS only)
To collect Diagnostics Agent logs for AD FS, follow these steps:
In the remote command prompt, enter services.msc to open the Services snap-in.
Stop the Diagnostics service for the appropriate service type.
For example, for AD FS, select Microsoft Entra Connect Health AD FS Diagnostics Service from the list of services, then select the Stop Service icon.
Change the current directory to the diagnostics directory for AD FS. Then, run the Diagnostics Agent service executable by using the -Debug parameter, and direct its output to a log file (diagnostics.log).
cd "C:\Program Files\Azure Ad Connect Health Adfs Agent\Diagnostics"
Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe -Debug > diagnostics.log
Press Enter.
Let the Diagnostics Agent service run for 15 minutes. Then, press Ctrl+C to stop the service, and copy the console output into diagnostics.log.
Search for Error in the logs, and check whether any error entry indicates a specific problem (such as connectivity or proxy configuration).
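One way to do the final search across all three AD FS logs at once, as an added example that is not part of the original article. The keyword buckets are assumptions (the agents' log wording is not documented here), and the log locations assume each log was written in the directory used in the steps above. Because those steps leave the Windows services stopped, the last command lists any Connect Health service that is not running again.

```powershell
# Added example: triage the collected console logs for AD FS.
$root = 'C:\Program Files\Azure AD Connect Health Adfs Agent'
$logs = @(
    "$root\Monitor\monitor.log",
    "$root\Insights\insights.log",
    "$root\Diagnostics\diagnostics.log"
) | Where-Object { Test-Path -LiteralPath $_ }

# Assumed keyword buckets for sorting error lines; adjust to what the logs contain.
$buckets = [ordered]@{
    Proxy        = 'proxy|407'
    Connectivity = 'connection|unable to connect|timed out|could not be resolved|SSL|TLS'
}

if ($logs) {
    $hits = Select-String -LiteralPath $logs -Pattern 'Error'
    $report = foreach ($hit in $hits) {
        $category = 'Other'
        foreach ($bucket in $buckets.GetEnumerator()) {
            # First matching bucket wins; -match is case-insensitive.
            if ($hit.Line -match $bucket.Value) { $category = $bucket.Key; break }
        }
        [pscustomobject]@{
            Category = $category
            Log      = Split-Path -Leaf $hit.Path
            Line     = $hit.LineNumber
            Text     = $hit.Line.Trim()
        }
    }
    # Summary per category, then the individual entries.
    $report | Group-Object Category | Select-Object Count, Name | Format-Table -AutoSize
    $report | Sort-Object Category, Log, Line | Format-Table -AutoSize -Wrap
}
else {
    Write-Warning "No log files found under $root"
}

# List Connect Health services that are still stopped after log collection.
Get-Service -DisplayName '*Connect Health*' |
    Where-Object { $_.Status -ne 'Running' } |
    Select-Object Status, DisplayName
```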
Contact us for help
If you have questions or need help, create a support request, or ask Azure community support. You can also submit product feedback to Azure feedback community.