After deleting a lot of old AD groups the Azure AD Connect sync stopped working.
We could start the sync no problem, but nothing was being synced.
In the Synchronization Service Manager we could see the following error:
stopped-deletion-threshold-exceeded
Turns out Azure AD Connect has an export deletion threshold: if a single export would delete more than 500 objects in Azure AD, the export is stopped and nothing is exported until you deal with it. I had no idea this was in place, but it's on by default. So in case of an accidental mass deletion on-premises, your cloud objects are saved. Yay!
I came across this blog post that explains exactly this problem, so Ali Tajran over at https://www.alitajran.com saved a couple of hours of troubleshooting and I learned something new 😄
Step 1: Check the deletion threshold
First run PowerShell as administrator on the Azure AD Connect server. Run the Get-ADSyncExportDeletionThreshold cmdlet and check both properties of the returned object, DeletionPrevention and ThresholdCount:
- DeletionPrevention is 1 (enabled)
- ThresholdCount is 500 (the default number of AD objects)
Step 2: Force sync Azure AD Connect
Force a sync with PowerShell using Start-ADSyncSyncCycle. A -PolicyType Initial run does a full sync from on-premises AD to Azure AD. You can also run a -PolicyType Delta sync to export only the changes, which is faster.
Step 3: Verify Synchronization Service status
In Synchronization Service Manager, check that the export status shows as success. In our example, the export deleted 5069 AD objects.
Step 4: Enable the Azure AD Connect sync export deletion threshold
Revert the change so that AD objects are protected against accidental removal again. The default threshold is 500 AD objects; leaving the threshold disabled means the next accidental deletion on-premises goes straight through to Azure AD.
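The whole procedure as one script, added here as an example and not taken from the original post. It uses the ADSync module's own cmdlets; the Disable-ADSyncExportDeletionThreshold step is the change the post says to revert, and Wait-ADSyncCycle, the timeout and the fallback value of 500 are assumptions made for this example. The important security detail is the try/finally: the threshold is a guardrail against mass deletion, so it is re-enabled and verified even if the sync fails halfway.

```powershell
# Added example (not the original post's code): temporarily lift the export
# deletion threshold, run one sync cycle, then restore the previous threshold.
# Run in an elevated PowerShell on the Azure AD Connect server.
Import-Module ADSync

# Assumed helper: poll the scheduler until the running sync cycle finishes.
function Wait-ADSyncCycle {
    param([int]$TimeoutSeconds = 1800)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 10
        if ((Get-Date) -gt $deadline) {
            throw "Sync cycle did not finish within $TimeoutSeconds seconds"
        }
    } while ((Get-ADSyncScheduler).SyncCycleInProgress)
}

# Step 1: record the current threshold so it can be restored exactly.
$before = Get-ADSyncExportDeletionThreshold
"DeletionPrevention={0} ThresholdCount={1}" -f $before.DeletionPrevention, $before.ThresholdCount

# Fall back to the default of 500 if the threshold was already disabled.
$restoreCount = if ($before.ThresholdCount -gt 0) { $before.ThresholdCount } else { 500 }

# Never change the threshold while a cycle is running.
if ((Get-ADSyncScheduler).SyncCycleInProgress) { Wait-ADSyncCycle }

try {
    # Disable the threshold (prompts for Azure AD Global Administrator credentials).
    Disable-ADSyncExportDeletionThreshold

    # Step 2: force a sync. Delta exports only the pending changes; use
    # -PolicyType Initial for a full import/sync/export.
    Start-ADSyncSyncCycle -PolicyType Delta
    Wait-ADSyncCycle
}
finally {
    # Step 4: always re-enable the guardrail, even if the sync threw.
    Enable-ADSyncExportDeletionThreshold -DeletionThreshold $restoreCount

    $after = Get-ADSyncExportDeletionThreshold
    if ($after.DeletionPrevention -ne 1 -or $after.ThresholdCount -ne $restoreCount) {
        throw "Deletion threshold was NOT restored (DeletionPrevention=$($after.DeletionPrevention), ThresholdCount=$($after.ThresholdCount))"
    }
    "Deletion threshold restored: ThresholdCount=$($after.ThresholdCount)"
}
```

Step 3 stays a manual check: the script waits for the cycle to end, but whether the export actually succeeded and how many objects it deleted is still read from the export run profile in Synchronization Service Manager. Before running it, confirm in the Manager that the pending export deletions are the groups you removed on purpose; the threshold exists precisely so that this confirmation happens before the deletions reach Azure AD.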