The title of this article might seem a bit convoluted, but it explains how to troubleshoot Azure AD Connect synchronization failures.
In our case a client had been making a lot of changes in their on-premises Active Directory and then found that new accounts created on-prem were not syncing to Microsoft 365 / Azure AD.
We launched the Synchronization Service Manager on the Azure AD Connect server and found three odd things:
In our case the problem was hinted at by the export status “stopped-deletion-threshold-exceeded”, even though our problem was ADDING new accounts.
The root cause turned out to be that various people had deleted hundreds of accounts from the on-prem Active Directory. Azure AD Connect has a safety feature, the export deletion threshold, that stops the export to Azure AD when more than 500 objects would be deleted in a single export run. Because the whole export run is halted, not just the deletions in it, the adds and updates staged for the same run are not exported either. Yes, this deletion threshold blocked syncing of new accounts as well, even though neither the errors nor the documentation we read mentioned this.
To confirm that this is your problem, open the Synchronization Service Manager, select the Azure AD connector's export run that shows “stopped-deletion-threshold-exceeded”, and look at the staged changes.
If you notice a substantial number of entries that have not synced, that is your problem, just as it was ours:
In our client's situation one of the technicians had been particularly security conscious and had lowered the deletion threshold from the default of 500 down to 100. This meant that if more than 100 deletions were staged for a single export run (the delta cycle runs every 30 minutes), Azure AD Connect would intentionally fail the export.
A curiosity about this is that password changes did continue to sync; only the addition of new accounts and the deletion of old accounts were affected. That is consistent with how the product works: password hash synchronization runs on its own schedule (every couple of minutes) and does not go through the connector export that the threshold blocks, so a blocked export does not stop password hashes from flowing.
The solution is to disable the threshold, force a delta sync, wait a few minutes for the export to finish, and then turn the threshold back on. Before disabling it, confirm that the staged deletions are actually intended: once the export runs, those objects are deleted (soft-deleted for 30 days) in Azure AD, so if the on-prem deletions were accidental, restore the objects in Active Directory first. The commands below, run in an elevated PowerShell session on the Azure AD Connect server, are exactly what we did (the screenshot from the original post is not reproduced here):

```powershell
# Show the current export deletion threshold
Get-ADSyncExportDeletionThreshold

# Temporarily disable the threshold (prompts for Azure AD Global Administrator credentials)
Disable-ADSyncExportDeletionThreshold

# Force a delta synchronization so the pending adds and deletes are exported
Start-ADSyncSyncCycle -PolicyType Delta

# After the export has completed, turn the threshold back on at the default of 500
Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500
```
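The following script is an added example, not code from the original article: it wraps the same disable / sync / re-enable procedure in guards a practitioner would want, refusing to lift the threshold until the operator has seen how many deletions are staged and passed -AcknowledgeDeletions, waiting for the export to finish, and restoring the threshold in a finally block so it is put back even if the sync step throws. The connector name, the ExportDeletes property of Get-ADSyncConnectorStatistics and the DeletionThresholdEnabled / DeletionThreshold property names are assumptions; check them against your own server's output before relying on them.

```powershell
<#
 Added example (not from the original article): a guarded version of the
 disable / sync / re-enable procedure. Assumptions not confirmed by the
 article:
   - $ConnectorName is the Azure AD connector name (see Get-ADSyncConnector).
   - Get-ADSyncConnectorStatistics exposes ExportAdds/ExportUpdates/ExportDeletes
     counts of objects staged for the next export run.
   - Get-ADSyncExportDeletionThreshold returns DeletionThresholdEnabled and
     DeletionThreshold properties.
   - Get-ADSyncConnectorRunStatus returns nothing when no run is in progress.
#>
param(
    [string]$ConnectorName = 'contoso.onmicrosoft.com - AAD',  # assumed name
    [switch]$AcknowledgeDeletions
)

Import-Module ADSync -ErrorAction Stop

# 1. Record the current threshold so it can be restored exactly as found.
$before = Get-ADSyncExportDeletionThreshold
Write-Host ("Threshold enabled: {0}, value: {1}" -f $before.DeletionThresholdEnabled, $before.DeletionThreshold)

# 2. Count what the next export would do before lifting the guard.
$stats = Get-ADSyncConnectorStatistics -ConnectorName $ConnectorName
Write-Host ("Pending export: {0} adds, {1} updates, {2} deletes" -f $stats.ExportAdds, $stats.ExportUpdates, $stats.ExportDeletes)

if (-not $AcknowledgeDeletions) {
    throw (("Refusing to disable the deletion threshold: {0} deletions are staged. " +
            "Verify they are intended (or restore the objects in on-prem AD) " +
            "and rerun with -AcknowledgeDeletions.") -f $stats.ExportDeletes)
}

# 3. Wait for any cycle already in progress; starting a second one fails.
while ((Get-ADSyncScheduler).SyncCycleInProgress) {
    Start-Sleep -Seconds 15
}

try {
    # Prompts for Azure AD Global Administrator credentials.
    Disable-ADSyncExportDeletionThreshold

    Start-ADSyncSyncCycle -PolicyType Delta

    # 4. Poll until the connectors are idle so the threshold is not
    #    re-enabled while the export is still running.
    do {
        Start-Sleep -Seconds 15
        $running = Get-ADSyncConnectorRunStatus
    } while ($running)
}
finally {
    # 5. Always put the guard back, using the value that was in place before
    #    (falling back to the product default of 500 if none was recorded).
    $value = if ($before.DeletionThreshold) { [int]$before.DeletionThreshold } else { 500 }
    Enable-ADSyncExportDeletionThreshold -DeletionThreshold $value
    Get-ADSyncExportDeletionThreshold
}
```

Run it once without -AcknowledgeDeletions to see the staged counts; it stops before touching the threshold. Only after you have confirmed the deletions are intended do you rerun it with the switch, and the threshold is back in place by the time the script exits.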