Azure AD Connect – stops replicating – “stopped-deletion-threshold-exceeded”

Issue

A customer reported that Azure AD Connect had suddenly stopped replicating changes to Azure AD, including new user creations (i.e. users newly created in the on-premises AD were not being created in Azure AD).

Investigation

In the Office 365 Admin Centre, DirSync Status shows recent directory and password synchronisation.

[Screenshot: Office 365 Admin Centre, DirSync status showing a recent successful sync]

[Screenshot: Office 365 Admin Centre, DirSync advanced status showing recent directory and password sync]

No warnings or errors have been flagged to the Windows Application log on the Azure AD Connect server.

On the Azure AD Connect server, Synchronization Service Manager shows stopped-deletion-threshold-exceeded as the status of the Export run on the Azure AD connector.

[Screenshot: Synchronization Service Manager, Export operation with status stopped-deletion-threshold-exceeded]

Searching the Connector Space of the Azure AD connector for Pending Exports shows 964 pending deletes.

[Screenshot: Search Connector Space, Pending Export with 964 deletes]

A user cleanup had been performed, in which over 900 users had been moved to a "leavers" OU that isn't synced to Azure AD (it is excluded by the OU filtering). Each moved user therefore drops out of scope for the Azure AD connector, and Azure AD Connect stages a delete of the corresponding Azure AD object.

Solution

Azure AD Connect has a feature, enabled by default, that prevents accidental deletes in Azure AD: if a single export run would delete more than 500 objects (the default threshold), the entire export run is stopped with stopped-deletion-threshold-exceeded and the deletes remain staged as pending exports. Because the whole export run is halted, adds and updates in the same run are not exported either, which is why new users were no longer being created in Azure AD.

This is clearly the issue here.

The feature is designed to protect a customer from changes that would affect many objects at once: accidental Azure AD Connect configuration changes (e.g. a filtering change that unselects an entire OU or domain), and accidental changes to the local AD (e.g. objects deleted by mistake, or an OU renamed so that everything in it is considered out of scope).

As the deletes here are intentional, the threshold needs to be temporarily disabled to allow the Export operation to complete successfully, and then re-enabled straight afterwards. Before disabling it, confirm that the pending delete count matches the number of objects you expect to be removed; a count that is higher than expected means something other than the planned cleanup has dropped out of scope, and that is exactly the situation the threshold exists to catch.

To temporarily disable this protection and allow the deletes to be processed, run the following cmdlet from an elevated PowerShell session on the Azure AD Connect server (the cmdlet is part of the ADSync module installed with Azure AD Connect):

Disable-ADSyncExportDeletionThreshold

Provide Azure AD Global Administrator credentials for the tenant when prompted.

With the threshold disabled, start a sync cycle so that the export step runs again. A full synchronisation was used here:

Start-ADSyncSyncCycle -PolicyType Initial

Note that the deletes are already staged as pending exports, so a delta cycle (Start-ADSyncSyncCycle -PolicyType Delta) also re-runs the export step and is sufficient; a full (Initial) cycle re-imports everything and takes considerably longer on a large directory. Either way, the cmdlet fails if a sync cycle is already in progress, so check Get-ADSyncScheduler first.

Monitor the results in Synchronization Service Manager and wait for the sync cycle to complete. All is good here and the deletes are processed:

[Screenshot: Synchronization Service Manager, Export operation completed with status success]

Now re-enable the protection threshold. Do this immediately, while the change is still fresh; an Azure AD Connect server left with the threshold disabled will happily push the next accidental mass deletion straight into Azure AD:

Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500

Note: if necessary, -DeletionThreshold can be set to a different value, sized to fit the organisation. The threshold applies per export run, not per day; with the default scheduler interval of 30 minutes it is effectively the maximum number of deletes that can accumulate between two sync cycles. Set it high enough that normal leaver churn never trips it, but low enough that a mis-scoped filter change still does. Get-ADSyncExportDeletionThreshold shows the current state and value.
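The whole procedure above (check the pending deletes, disable the threshold, run the export, re-enable the threshold) as one script. This is an added example, not code from the original post; it assumes the ADSync module that ships with Azure AD Connect, that Get-ADSyncExportDeletionThreshold returns DeletionThresholdEnabled and DeletionThresholdValue properties, that Get-ADSyncConnectorStatistics returns an ExportDeletes property, and that the Azure AD connector's name ends in " - AAD" (the default naming pattern). The -ExpectedDeletes parameter is the script's own; it is the number of objects you moved or deleted on purpose, and the script refuses to lift the threshold if the connector space holds more pending deletes than that.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell
# session on the Azure AD Connect server. Assumptions: ADSync module present;
# property names DeletionThresholdEnabled/DeletionThresholdValue and
# ExportDeletes as noted in the lead-in; Azure AD connector named "* - AAD".
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    # Number of deletes you intend, e.g. the number of users moved to the leavers OU.
    [Parameter(Mandatory = $true)] [int] $ExpectedDeletes,
    # Threshold value to restore afterwards; 500 is the product default.
    [int] $RestoreThreshold = 500,
    # How long to wait for the sync cycle before giving up (threshold is still restored).
    [int] $TimeoutMinutes = 60
)

Import-Module ADSync -ErrorAction Stop

function Wait-ADSyncCycle([int] $Minutes) {
    # Polls the scheduler until no cycle is running or the deadline passes.
    $deadline = (Get-Date).AddMinutes($Minutes)
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) { throw "Sync cycle still running after $Minutes minutes." }
        Start-Sleep -Seconds 30
    }
}

# 1. Current protection state (assumed property names, see lead-in).
$threshold = Get-ADSyncExportDeletionThreshold
Write-Host ("Deletion threshold enabled: {0}, value: {1}" -f `
    $threshold.DeletionThresholdEnabled, $threshold.DeletionThresholdValue)

# 2. Pending export deletes on the Azure AD connector (assumed name pattern).
$aadConnector = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' } | Select-Object -First 1
if (-not $aadConnector) { throw 'Azure AD connector not found; check Get-ADSyncConnector output.' }
$pendingDeletes = [int](Get-ADSyncConnectorStatistics -ConnectorName $aadConnector.Name).ExportDeletes
Write-Host "Pending export deletes on '$($aadConnector.Name)': $pendingDeletes"

# 3. Safety checks: only lift the threshold when it is actually blocking the
#    export, and only when the pending deletes are the ones you planned.
if (-not $threshold.DeletionThresholdEnabled) {
    throw 'Threshold is already disabled. Re-enable it with Enable-ADSyncExportDeletionThreshold and investigate why it was off.'
}
if ($pendingDeletes -le $threshold.DeletionThresholdValue) {
    Write-Host 'Pending deletes are below the threshold; the export is not blocked by it. Nothing to do.'
    return
}
if ($pendingDeletes -gt $ExpectedDeletes) {
    throw "Connector space holds $pendingDeletes pending deletes but only $ExpectedDeletes were expected. Refusing to disable the threshold; find the extra out-of-scope objects first."
}

# 4. Disable, export, and re-enable. The finally block restores the threshold
#    even if the sync cycle fails or times out, so the server is never left unprotected.
if ($PSCmdlet.ShouldProcess($aadConnector.Name, "Disable deletion threshold and export $pendingDeletes deletes")) {
    try {
        Wait-ADSyncCycle -Minutes $TimeoutMinutes          # Start-ADSyncSyncCycle fails if a cycle is running
        Disable-ADSyncExportDeletionThreshold               # prompts for Azure AD Global Administrator credentials
        Start-ADSyncSyncCycle -PolicyType Delta | Out-Null  # pending exports are already staged; delta is enough
        Start-Sleep -Seconds 15                             # give the scheduler a moment to flag the cycle as running
        Wait-ADSyncCycle -Minutes $TimeoutMinutes
        $remaining = [int](Get-ADSyncConnectorStatistics -ConnectorName $aadConnector.Name).ExportDeletes
        Write-Host "Export finished; pending deletes remaining: $remaining"
    }
    finally {
        Enable-ADSyncExportDeletionThreshold -DeletionThreshold $RestoreThreshold  # prompts for credentials again
        $after = Get-ADSyncExportDeletionThreshold
        Write-Host ("Threshold restored: enabled={0}, value={1}" -f $after.DeletionThresholdEnabled, $after.DeletionThresholdValue)
    }
}
```

Usage: `.\Process-IntentionalDeletes.ps1 -ExpectedDeletes 964` (the script name is the example's own). Because ConfirmImpact is High, the script prompts before touching the threshold; pass -WhatIf to see the checks run without changing anything. The try/finally is the important design choice: whatever goes wrong during the export, the threshold is re-enabled before the script exits.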
