Troubleshooting Microsoft Entra Connectivity with ADConnectivityTool
The ADConnectivityTool is a PowerShell module designed to assist with diagnosing and troubleshooting network connectivity and Active Directory-related issues during specific scenarios with Microsoft Entra Connect (formerly Azure AD Connect).
Here are the two key scenarios where this tool is utilized:
During Installation
- The tool is used when network connectivity issues prevent successful validation of Active Directory (AD) credentials.
- It helps diagnose potential communication problems between the server running Entra Connect and the target AD domain controllers.
Post-Installation
- Users can manually invoke the tool’s functions from a PowerShell session to diagnose connectivity issues or validate configurations after Entra Connect has been installed.
- This is particularly useful for troubleshooting unexpected errors during ongoing synchronization or when changes to the environment affect connectivity.
Location of the Tool
The tool’s PowerShell module is located at: C:\Program Files\Microsoft Entra Connect\Tools\ADConnectivityTool.psm1
Functions Typically Included in the Tool
While specific functions may vary, common capabilities of such tools include:
- Testing LDAP connectivity to domain controllers.
- Verifying AD replication health.
- Diagnosing network-related issues, such as firewalls or DNS misconfigurations.
- Providing detailed error messages for failed connectivity attempts.
How to Use the Tool
- Open a PowerShell session with administrative privileges.
- Import the module:
Import-Module "C:\Program Files\Microsoft Entra Connect\Tools\ADConnectivityTool.psm1"
- Execute the relevant functions to diagnose or troubleshoot specific issues.

The ADConnectivityTool plays a vital role during the installation of Microsoft Entra Connect by automatically diagnosing network-related issues on the Connect your directories page of the wizard. When a network issue prevents successful validation of the provided Active Directory (AD) credentials, the tool attempts to pinpoint the problem.
Common Network Issues Diagnosed by the Tool
Here are the scenarios the ADConnectivityTool can detect and the associated conditions:
Incorrect Forest Name
- Issue: The forest name entered is incorrect or refers to a non-existent forest.
- Diagnosis: The tool checks the provided forest name’s validity and existence.
Closed UDP Port 389
- Issue: UDP port 389 (used for LDAP queries) is blocked on domain controllers.
- Diagnosis: The tool validates whether the port is open and accessible for LDAP communications.
Insufficient Privileges for AD Forest Account
- Issue: The credentials provided lack sufficient privileges to retrieve domain controller information for the target forest.
- Diagnosis: It checks the account’s ability to query AD and retrieve necessary information.
Closed TCP Ports (53, 88, or 389)
- Issue: TCP ports required for DNS (53), Kerberos authentication (88), or LDAP communication (389) are blocked.
- Diagnosis: The tool tests connectivity over these essential ports.
Both UDP 389 and TCP Ports Blocked
- Issue: A combination of closed UDP 389 and required TCP ports blocks communication entirely.
- Diagnosis: The tool evaluates whether both types of ports are restricted.
DNS Resolution Failure
- Issue: DNS cannot resolve the forest name or associated domain controllers.
- Diagnosis: It verifies DNS resolution for the provided forest name and its domain controllers.
Error Handling
When the tool detects any of these issues, it presents a detailed error message in the Microsoft Entra Connect Wizard. The error message highlights the specific problem, making it easier for administrators to address it. Examples include:
- “Forest name cannot be resolved. Verify the forest name and ensure DNS is properly configured.”
- “UDP port 389 is blocked. Ensure firewall rules allow this port for LDAP communication.”
How to Address Common Issues
- Verify Forest Name: Double-check the spelling and ensure the forest exists.
- Open Required Ports: Adjust firewall rules to allow necessary traffic:
- UDP: 389
- TCP: 53, 88, 389
- Check DNS Configuration: Ensure DNS servers can resolve the forest and domain controller names.
- Use Correct Credentials: Provide credentials with adequate privileges to query AD.
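The following pre-install check is an added example, not part of the ADConnectivityTool or its documentation. It reproduces the DNS-resolution, domain-controller-location and TCP 53/88/389 conditions listed above using only built-in Windows cmdlets; the forest name is a constructed placeholder, and UDP 389 is deliberately not probed because Test-NetConnection tests TCP only.

```powershell
# Added example (not the ADConnectivityTool's own code): pre-flight check that
# mirrors the conditions the tool reports on, using only built-in cmdlets.
# The forest name below is a constructed placeholder; replace it with your own.
$Forest   = 'corp.example.com'
$TcpPorts = 53, 88, 389          # DNS, Kerberos, LDAP (the ports the tool tests)

# 1. DNS: can the forest name be resolved at all?
$forestRecords = Resolve-DnsName -Name $Forest -ErrorAction SilentlyContinue
if (-not $forestRecords) {
    Write-Warning "Forest name '$Forest' cannot be resolved; check DNS configuration."
    return
}

# 2. DNS: locate domain controllers through the forest's SRV records
#    (_ldap._tcp.dc._msdcs.<forest> is the standard DC locator record).
$dcSrv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Forest" -Type SRV -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'SRV' }
if (-not $dcSrv) {
    Write-Warning "No domain controller SRV records found for '$Forest'."
    return
}
$dcs = $dcSrv | Select-Object -ExpandProperty NameTarget -Unique

# 3. TCP 53/88/389 reachability for each domain controller.
#    Test-NetConnection checks TCP only; UDP 389 (the other condition the tool
#    reports) cannot be probed this way and is not tested here.
$results = foreach ($dc in $dcs) {
    foreach ($port in $TcpPorts) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        [pscustomobject]@{ DomainController = $dc; Port = $port; Open = $ok }
    }
}
$results | Format-Table -AutoSize

$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    Write-Warning "Blocked TCP ports detected; adjust firewall rules before running the wizard."
} else {
    Write-Host "All required TCP ports are reachable on $(@($dcs).Count) domain controller(s)."
}
```

Run it on the server that will host Entra Connect so the checks use the same DNS servers and firewall path the wizard will use.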
Entra Connect Single Object Sync
The Microsoft Entra Connect Single Object Sync tool is a PowerShell cmdlet designed to help administrators synchronize a single object (e.g., a user, group, or computer) from Active Directory (AD) to Microsoft Entra ID (formerly Azure Active Directory). This tool is particularly useful for investigating and troubleshooting synchronization issues for specific objects without having to perform a full directory sync.
Key Features:
Object Sync Scope:
- Synchronizes changes (Add and Update) for a specific object from AD to Microsoft Entra ID.
- Does not support synchronizing deletion of objects.
Direction of Synchronization:
- Supports only one-way synchronization from Active Directory to Microsoft Entra ID.
- Does not support synchronization from Microsoft Entra ID back to Active Directory.
Use Case:
- Ideal for testing and diagnosing issues with specific objects without waiting for the next scheduled synchronization or running a full sync.
Troubleshooting Aid:
- Generates a report detailing the synchronization status and any errors encountered during the process, aiding in resolution.
How Microsoft Entra Connect Single Object Sync Works
The Single Object Sync tool is a focused synchronization tool that uses an Active Directory Distinguished Name (DN) to synchronize an individual object from Active Directory (AD) to Microsoft Entra ID. The tool follows a step-by-step process to ensure that the object meets all the synchronization criteria and performs the necessary import, sync, and export operations.
Steps Performed by the Tool:
Determine Synchronization Scope:
- Source Domain: Verifies if the object’s Active Directory domain is included in the synchronization scope.
- Target Domain: Ensures that the corresponding domain in Microsoft Entra ID is within the sync scope.
- Organizational Unit (OU): Checks if the object’s OU is configured for synchronization.
- Connector Credentials: Confirms that the object is accessible using the credentials of the connector account.
- Object Type: Ensures that the object’s type (e.g., user, group) is supported for synchronization.
- Group Filtering: If group-based filtering is enabled, verifies that the object is in scope for sync.
Import Operations:
- From Active Directory: Imports the object into the Active Directory Connector Space.
- From Microsoft Entra ID: Imports the object into the Microsoft Entra Connector Space.
Synchronization:
- Processes and synchronizes the object in the Active Directory Connector Space.
Export Operation:
- Exports the synchronized object from the Microsoft Entra Connector Space to Microsoft Entra ID.
Output and Reporting:
JSON Output:
- The tool generates a JSON output similar to the provisioningObjectSummary resource type. This output provides details of the synchronization process and results.
HTML Report:
- A detailed HTML report is created at the following location: C:\ProgramData\AADConnect\ADSyncObjectDiagnostics\ADSyncSingleObjectSyncResult-<date>.htm
- This report contains comprehensive information about the synchronization operation, including success and error details.
- It can be shared with Microsoft support for further analysis if needed.
Key Benefits:
- Enables detailed troubleshooting for individual objects.
- Provides comprehensive insights into synchronization steps and potential issues.
- Allows admins to resolve sync problems without triggering a full or delta sync for all objects.
Steps to Run the Single Object Sync Tool:
Open PowerShell as Administrator:
- On the Microsoft Entra Connect server, open Windows PowerShell with Run as Administrator.
Set Execution Policy:
- Ensure that your PowerShell execution policy allows scripts to run. Set it to RemoteSigned or Unrestricted:
Set-ExecutionPolicy RemoteSigned -Scope Process
Disable the Sync Scheduler:
- Before running the sync, disable the synchronization scheduler to prevent any unwanted synchronization jobs while you’re running the Single Object Sync tool.
Set-ADSyncScheduler -SyncCycleEnabled $false
Import the ADSyncDiagnostics Module:
- Load the necessary PowerShell module for diagnostics to run the tool.
Import-Module -Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSyncDiagnostics\ADSyncDiagnostics.psm1"
Invoke the Single Object Sync Cmdlet:
- Replace "CN=testobject,OU=corp,DC=contoso,DC=com" with the Distinguished Name (DN) of the specific object you want to synchronize.
Invoke-ADSyncSingleObjectSync -DistinguishedName "CN=testobject,OU=corp,DC=contoso,DC=com" | Out-File -FilePath ".\output.json"
- This will execute the synchronization for the specified object and output the results into a file named output.json.
Re-enable the Sync Scheduler:
- Once the sync operation is complete, re-enable the synchronization scheduler to resume regular sync operations.
Set-ADSyncScheduler -SyncCycleEnabled $true
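The script below is an added example that wraps the steps above into one run, not a script shipped with Microsoft Entra Connect. It re-enables the scheduler in a finally block so a failed sync cannot leave scheduled synchronization switched off, and it refuses to start while a sync cycle is already in progress. The DN is the constructed placeholder from the steps above; Get-ADSyncScheduler comes from the ADSync module present on the Entra Connect server, not from the steps above.

```powershell
# Added example (not the product's own script): runs Single Object Sync with the
# scheduler guaranteed to be restored afterwards.
# The DN below is a constructed placeholder; replace it with the object's real DN.
$ObjectDN   = 'CN=testobject,OU=corp,DC=contoso,DC=com'
$ModulePath = 'C:\Program Files\Microsoft Azure AD Sync\Bin\ADSyncDiagnostics\ADSyncDiagnostics.psm1'
$OutFile    = Join-Path $PWD ("SingleObjectSync-{0:yyyyMMdd-HHmmss}.json" -f (Get-Date))

# Scope the policy change to this process only; nothing persists after exit.
Set-ExecutionPolicy RemoteSigned -Scope Process -Force
Import-Module -Name $ModulePath -ErrorAction Stop

# Do not interrupt a sync cycle that is already running.
$scheduler = Get-ADSyncScheduler
if ($scheduler.SyncCycleInProgress) {
    throw 'A sync cycle is in progress; wait for it to finish before running Single Object Sync.'
}
$wasEnabled = $scheduler.SyncCycleEnabled

try {
    if ($wasEnabled) { Set-ADSyncScheduler -SyncCycleEnabled $false }

    # Run the sync for one object and keep the raw JSON for later analysis.
    $json = Invoke-ADSyncSingleObjectSync -DistinguishedName $ObjectDN
    $json | Out-File -FilePath $OutFile -Encoding utf8
    Write-Host "Single Object Sync result written to $OutFile"

    # Locate the newest HTML report written to the path given in the steps above.
    $report = Get-ChildItem 'C:\ProgramData\AADConnect\ADSyncObjectDiagnostics' `
                  -Filter 'ADSyncSingleObjectSyncResult-*.htm' -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($report) { Write-Host "Latest HTML report: $($report.FullName)" }
}
finally {
    # Restore the scheduler to its previous state no matter what happened above.
    if ($wasEnabled) { Set-ADSyncScheduler -SyncCycleEnabled $true }
}
```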
Single Object Sync Throttling
The Single Object Sync tool is specifically designed for investigating and troubleshooting synchronization issues for individual objects in Active Directory and Microsoft Entra ID. However, it is subject to throttling limits, especially for imports and exports to Microsoft Entra ID.