Microsoft Entra Connect Health Alert Catalog
Microsoft Entra Connect Health service send alerts indicate that your identity infrastructure isn't healthy. This article includes alerts titles, descriptions, and remediation steps for each alert.
Error, Warning, and Prewarning are three stages of alerts that are generated from Connect Health service. We highly recommend you take immediate actions on triggered alerts.
Microsoft Entra Connect Health alerts get resolved on a success condition. Microsoft Entra Connect Health Agents detect and report the success conditions to the service periodically. For a few alerts, the suppression is time-based. In other words, if the same error condition isn't observed within 72 hours from alert generation, the alert is automatically resolved.
General Alerts
Alert Name | Description | Remediation |
---|---|---|
Health service data isn't up to date | One or more Health Agents running on one or more servers isn't connected to the Health Service and the Health Service isn't receiving the latest data from this server. The last data processed by the Health Service is older than 2 Hours. | Ensure that the health agents have outbound connectivity to the required service end points. Read More |
Alerts for Microsoft Entra Connect (Sync)
Alert Name | Description | Remediation |
---|---|---|
Microsoft Entra Connect Sync Service isn't running | Microsoft Entra ID Sync Windows service isn't running or couldn't start. As a result, objects won't synchronize with Microsoft Entra ID. | Start Microsoft Entra ID Sync Services
|
Import from Microsoft Entra ID failed | The import operation from Microsoft Entra Connector has failed. | Investigate the event log errors of import operation for further details. |
Connection to Microsoft Entra ID failed due to authentication failure | Connection to Microsoft Entra ID failed due to authentication failure. As a result objects won't be synchronized with Microsoft Entra ID. | Investigate the event log errors for further details. |
Export to Active Directory failed | The export operation to Active Directory Connector has failed. | Investigate the event log errors of export operation for further details. |
Import from Active Directory failed | Import from Active Directory failed. As a result, objects from some domains from this forest may not be imported. | |
Export to Microsoft Entra ID failed | The export operation to Microsoft Entra Connector has failed. As a result, some objects may not be exported successfully to Microsoft Entra ID. | Investigate the event log errors of export operation for further details. |
Password Hash Synchronization heartbeat was skipped in last 120 minutes | Password Hash Synchronization hasn't connected with Microsoft Entra ID in the last 120 minutes. As a result, passwords won't be synchronized with Microsoft Entra ID. | Restart Microsoft Entra ID Sync Services: Any synchronization operations that are currently running will be interrupted. You can choose to perform below steps when no synchronization operation is in progress. 1. Select Start, select Run, type Services.msc, and then select OK. 2. Locate Microsoft Entra ID Sync, right-select it, and then select Restart. |
High CPU Usage detected | The percentage of CPU consumption crossed the recommended threshold on this server. |
|
High Memory Consumption Detected | The percentage of memory consumption of the server is beyond the recommended threshold on this server. | Inspect the top processes consuming the highest memory on the server. You may use the Task Manager or execute the following PowerShell Command: get-process | Sort-Object -Descending WS | Select-Object -First 10 If there are unexpected processes consuming high memory, stop the processes using the following PowerShell command: stop-process -ProcessName [name of the process] |
Password Hash Synchronization has stopped working | Password Hash Synchronization has stopped. As a result passwords won't be synchronized with Microsoft Entra ID. | Restart Microsoft Entra ID Sync Services: Any synchronization operations that are currently running will be interrupted. You can choose to perform below steps when no synchronization operation is in progress.
|
Export to Microsoft Entra ID was Stopped. Accidental delete threshold was reached | The export operation to Microsoft Entra ID has failed. There were more objects to be deleted than the configured threshold. As a result, no objects were exported. |
|
Alerts for Active Directory Federation Services
Alert Name | Description | Remediation |
---|---|---|
Test Authentication Request (Synthetic Transaction) failed to obtain a token | The test authentication requests (Synthetic Transactions) initiated from this server has failed to obtain a token after five retries. This may be caused due to transient network issues, AD DS Domain Controller availability or a mis-configured AD FS server. As a result, authentication requests processed by the federation service may fail. The agent uses the Local Computer Account context to obtain a token from the Federation Service. | Ensure that the following steps are taken to validate the health of the server.
If the service name can't be resolved, refer to the FAQ section for instructions of adding a HOST file entry of your AD FS service with the IP address of this server. This will allow the synthetic transaction module running on this server to request a token |
The proxy server can't reach the federation server | This AD FS proxy server is unable to contact the AD FS service. As a result, authentication requests processed by this server will fail. | Perform the following steps to validate the connectivity between this server and the AD FS service.
|
The SSL Certificate is about to expire | The TLS/SSL certificate used by the Federation servers is about to expire within 90 days. Once expired, any requests that require a valid TLS connection will fail. For example, for Microsoft 365 customers, mail clients won't be able to authenticate. | Update the TLS/SSL certificate on each AD FS server.
For AD FS 2.0 in Windows Server 2008R2:
For AD FS in Windows Server 2012 R2 and later versions: |
AD FS service isn't running on the server | Active Directory Federation Service (Windows Service) isn't running on this server. Any requests targeted to this server will fail. | To start the Active Directory Federation Service (Windows Service):
|
DNS for the Federation Service may be misconfigured | The DNS server could be configured to use a CNAME record for the AD FS farm name. It is recommended to use A or AAAA record for AD FS in order for the Windows Integrated Authentication to work seamlessly within your corporate network. | Ensure that the DNS record type of the AD FS farm <Farm Name> isn't CNAME. Configure it to be an A or AAAA record. |
AD FS Auditing is disabled | AD FS Auditing is disabled for the server. AD FS Usage section on the portal won't include data from this server. | If AD FS Audits aren't enabled, follow these instructions:
After following these steps, AD FS Audit Events should be visible from the Event Viewer. To verify:
If you've followed these instructions before, but still seeing this alert, it's possible that a Group Policy Object is disabling AD FS auditing. The root cause can be one of the following:
|
AD FS SSL certificate is self-signed | You're currently using a self-signed certificate as the TLS/SSL certificate in your AD FS farm. As a result, mail client authentication for Microsoft 365 will fail | Update the TLS/SSL certificate on each AD FS server.
Install the new TLS/SSL certificate on each server in the local machine certificate store.
For AD FS 2.0 in Windows Server 2008R2: For AD FS in Windows Server 2012 R2 or later versions: |
The trust between the proxy server and federation server isn't valid | The trust between the federation server proxy and the Federation Service couldn't be established or renewed. | Update the Proxy Trust Certificate on the proxy server. Re-Run the Proxy Configuration Wizard. |
Extranet Lockout Protection Disabled for AD FS | The Extranet Lockout Protection feature is DISABLED on your AD FS farm. This feature protects your users from brute force password attacks from the internet and prevents denial of service attacks against your users when AD DS account lockout policies are in effect. With this feature enabled, if the number of failed extranet login attempts for a user (login attempts made via WAP server and AD FS) exceeds the 'ExtranetLockoutThreshold' then AD FS servers will stop processing further login attempts for ‘ExtranetObservationWindow' We highly recommend you enable this feature on your AD FS servers. | Run the following command to enable AD FS Extranet Lockout Protection with default values. Set-AdfsProperties -EnableExtranetLockout $true If you've AD lockout policies configured for your users, ensure that the 'ExtranetLockoutThreshold' property is set to a value below your AD DS lockout threshold. This ensures that requests that have exceeded the threshold for AD FS are dropped and never validated against your AD DS servers. |
Invalid Service Principal Name (SPN) for the AD FS service account | The Service Principal Name of the Federation Service account isn't registered or isn't unique. As a result, Windows Integrated Authentication from domain-joined clients may not be seamless. | Use [SETSPN -L ServiceAccountName] to list the Service Principals. Use [SETSPN -X] to check for duplicate Service Principal Names. If SPN is duplicated for the AD FS service account, remove the SPN from the duplicated account using [SETSPN -d service/namehostname] If SPN isn't set, use [SETSPN -s {Desired-SPN} {domain_name}{service_account}] to set the desired SPN for the Federation Service Account. |
The Primary AD FS Token Decrypting certificate is about to expire | The Primary AD FS Token Decrypting certificate is about to expire in less than 90 days. AD FS can't decrypt tokens from trusted claims providers. AD FS can't decrypt encrypted SSO cookies. The end users won't be able to authenticate to access resources. | If Auto-certificate roll-over is enabled, AD FS manages the Token Decrypting Certificate. If you manage your certificate manually, follow the below instructions. Obtain a new Token Decrypting Certificate.
|
The Primary AD FS Token Signing certificate is about to expire | The AD FS token signing certificate is about to expire within 90 days. AD FS can't issue signed tokens when this certificate isn't valid. | Obtain a new Token Signing Certificate.
|
AD FS SSL certificate isn't found in the local certificate store | The certificate with the thumbprint that is configured as the TLS/SSL certificate in the AD FS database was not found in the local certificate store. As a result, any authentication request over the TLS will fail. For example mail client authentication for Microsoft 365 will fail. | Install the certificate with the configured thumbprint in the local certificate store. |
The SSL Certificate expired | The TLS/SSL certificate for the AD FS service has expired. As a result, any authentication requests that require a valid TLS connection will fail. For example: mail client authentication won't be able to authenticate for Microsoft 365. | Update the TLS/SSL certificate on each AD FS server.
For AD FS 2.0 in Windows Server 2008R2:
For AD FS in Windows Server 2012 R2 or later versions: Refer to: Managing SSL Certificates in AD FS and WAP |
The Required end points for Microsoft Entra ID (for Microsoft 365) aren't enabled | The following set of end points required by the Exchange Online Services, Microsoft Entra ID, and Microsoft 365 aren't enabled for the federation service: |
Enable the required end points for the Microsoft Cloud Services on your federation service. For AD FS in Windows Server 2012R2 or later versions |
The Federation server was unable to connect to the AD FS Configuration Database | The AD FS service account is experiencing issues while connecting to the AD FS configuration database. As a result, the AD FS service on this computer may not function as expected. | |
Required SSL bindings are missing or not configured | The TLS bindings required for this federation server to successfully perform authentication are misconfigured. As a result, AD FS can't process any incoming requests. | For Windows Server 2012 R2 Open an elevated admin command prompt and execute the following commands:
|
The Primary AD FS Token Signing certificate has expired | The AD FS Token Signing certificate has expired. AD FS can't issue signed tokens when this certificate isn't valid. | If Auto-certificate rollover is enabled, AD FS will manage updating the Token Signing Certificate. If you manage your certificate manually, follow the below instructions.
|
Proxy server is dropping requests for congestion control | This proxy server is currently dropping requests from the extranet due to a higher than normal latency between this proxy server and the federation server. As a result, certain portion of the authentication requests processed by the AD FS Proxy server can fail. | |
The AD FS service account is denied access to one of the certificate's private keys. | The AD FS service account doesn't have access to the private key of one of the AD FS certificates on this computer. | Ensure that the AD FS service account is provided access to the TLS, token signing, and token decryption certificates stored in the local computer certificate store.
Open Certificates(Local Computer)/Personal/Certificates.For all the certificates that are used by AD FS:
|
The AD FS SSL certificate doesn't have a private key | AD FS TLS/SSL certificate was installed without a private key. As a result any authentication request over the SSL will fail. For example, mail client authentication for Microsoft 365 will fail. | Update the TLS/SSL certificate on each AD FS server.
For AD FS 2.0 in Windows Server 2008R2:
For AD FS in Windows Server 2012 R2 or later versions: |
The Primary AD FS Token Decrypting certificate has expired | The Primary AD FS Token Decrypting certificate has expired. AD FS can't decrypt tokens from trusted claims providers. AD FS can't decrypt encrypted SSO cookies. The end users won't be able to authenticate to access resources. | If Auto-certificate roll-over is enabled, AD FS manages the Token Decrypting Certificate. If you manage your certificate manually, follow the below instructions.
|
Alerts for Active Directory Domain Services
Alert Name | Description | Remediation |
---|---|---|
Domain controller is unreachable via LDAP ping | Domain Controller isn't reachable via LDAP Ping. This can be caused due to Network issues or machine issues. As a result, LDAP Pings will fail. | netdom query fsmo on the affected Domain Controller. |
Active Directory replication error encountered | This domain controller is experiencing replication issues, which can be found by going to the Replication Status Dashboard. Replication errors may be due to improper configuration or other related issues. Untreated replication errors can lead to data inconsistency. | See additional details for the names of the affected source and destination DCs. Navigate to Replication Status dashboard and look for the active errors on the affected DCs. Select on the error to open a blade with more details on how to remediate that particular error. |
Domain controller is unable to find a PDC | A PDC isn't reachable through this domain controller. This will lead to impacted user logons, unapplied group policy changes, and system time synchronization failure. | netdom query fsmo on the affected Domain Controller. |
Domain controller is unable to find a Global Catalog server | A global catalog server isn't reachable from this domain controller. It will result in failed authentications attempted through this Domain Controller. | Examine the alerts list for any Domain Controller isn't advertising alerts where the impacted server might be a GC. If there are no advertising alerts, check the SRV records for the GCs. You can check them by running: nltest /dnsgetdc: [ForestName] /gc It should list the DCs advertising as GCs. If the list is empty, check the DNS configuration to ensure that the GC has registered the SRV records. The DC is able to find them in DNS. For troubleshooting Global Catalogs, see Advertising as a Global Catalog Server. |
Domain controller unable to reach local sysvol share | Sysvol contains important elements from Group Policy Objects and scripts to be distributed within DCs of a domain. The DC won't advertise itself as DC and Group Policies won't be applied. | See How to troubleshoot missing sysvol and Netlogon shares |
Domain Controller time is out of sync | The time on this Domain Controller is outside of the normal Time Skew range. As a result, Kerberos authentications will fail. | net stop w32time then net start w32time on the affected Domain Controller. w32tm /resync on the affected Domain Controller. |
Domain controller isn't advertising | This domain controller isn't properly advertising the roles it's capable of performing. This can be caused by problems with replication, DNS misconfiguration, critical services not running, or because of the server not being fully initialized. As a result, domain controllers, domain members, and other devices won't be able to locate this domain controller. Additionally, other domain controllers might not be able to replicate from this domain controller. | Examine alerts list for other related alerts such as: Replication is broken. Domain controller time is out of sync. Netlogon service isn't running. DFSR and/or NTFRS services aren't running. Identify and troubleshoot related DNS problems: Log on to affected Domain controller. Open System Event Log. If events 5774, 5775 or 5781 are present, see Troubleshooting Domain Controller Locator DNS Records Registration Failure Identify and troubleshoot related Windows Time Service Issues: Ensure Windows Time service is running: Run 'net start w32time' on the affected Domain Controller. Restart Windows Time Service: Run 'net stop w32time' then 'net start w32time' on the affected Domain Controller. |
GPSVC service isn't running | If the service is stopped or disabled, settings configured by the admin won't be applied and applications and components won't be manageable through Group Policy. Any components or applications that depend on the Group Policy component might not be functional if the service is disabled. | Run net start gpsvc on the affected Domain Controller. |
DFSR and/or NTFRS services aren't running | If both DFSR and NTFRS services are stopped, Domain Controllers won't be able to replicate sysvol data. sysvol Data will be out of consistency. |
|
Netlogon service isn't running | Logon requests, registration, authentication, and locating of domain controllers will be unavailable on this DC. | Run 'net start netlogon' on the affected Domain Controller |
W32Time service isn't running | If Windows Time Service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. | Run 'net start win32Time' on the affected Domain Controller |
ADWS service isn't running | If Active Directory Web Services service is stopped or disabled, client applications, such as Active Directory PowerShell, won't be able to access or manage any directory service instances that are running locally on this server. | Run 'net start adws' on the affected Domain Controller |
Root PDC isn't Syncing from NTP Server | If you don't configure the PDC to synchronize time from an external or internal time source, the PDC emulator uses its internal clock and is itself the reliable time source for the forest. If time isn't accurate on the PDC itself, all computers will have incorrect time settings. | On the affected Domain Controller, open a command prompt. Stop the Time service: net stop w32time w32tm /config /manualpeerlist: time.windows.com /syncfromflags:manual /reliable:yes Note: Replace time.windows.com with the address of your desired external time source. Start the Time service: net start w32time |
Domain controller is quarantined | This Domain Controller isn't connected to any of the other working Domain Controllers. This may be caused due to improper configuration. As a result, this DC isn't being used and won't replicate from/to anyone. | Enable inbound and outbound replication: Run 'repadmin /options ServerName -DISABLE_INBOUND_REPL' on the affected Domain Controller. Run 'repadmin /options ServerName -DISABLE_OUTBOUND_REPL' on the affected Domain Controller. Create a new replication connection to another Domain Controller:
|
Outbound Replication is Disabled | DCs with disabled Outbound Replication won't be able to distribute any changes originating within itself. | To enable outbound replication on the affected Domain Controller, follow these steps: Select Start, select Run, type cmd and then select OK. Type the following text, and then press ENTER: repadmin /options -DISABLE_OUTBOUND_REPL |
Inbound Replication is Disabled | DCs with disabled Inbound Replication won't have the latest information. This condition can lead to logon failures. | To enable inbound replication on the affected Domain Controller, follow these steps: Select Start, select Run, type cmd and then select OK. Type the following text, and then press ENTER: repadmin /options -DISABLE_INBOUND_REPL |
LanmanServer service isn't running | If this service is disabled, any services that explicitly depend on it will fail to start. | Run 'net start LanManServer' on the affected Domain Controller. |
Kerberos Key Distribution Center service isn't running | If KDC Service is stopped, users won't be able to authentication through this DC using the Kerberos v5 authentication protocol. | Run 'net start kdc' on the affected Domain Controller. |
DNS service isn't running | If DNS Service is stopped, computers and users using that server for DNS purposes will fail to find resources. | Run 'net start dns' on the affected Domain Controller. |
DC had USN Rollback | When USN rollbacks occur, modifications to objects and attributes aren't inbound replicated by destination domain controllers that have previously seen the USN. Because these destination domain controllers believe they are up to date, no replication errors are reported in Directory Service event logs or by monitoring and diagnostic tools. USN rollback may affect the replication of any object or attribute in any partition. The most frequently observed side effect is that user accounts and computer accounts that are created on the rollback domain controller don't exist on one or more replication partners. Or, the password updates that originated on the rollback domain controller don't exist on replication partners. | There are two approaches to recover from a USN rollback: Remove the Domain Controller from the domain, following these steps:
Evaluate whether valid system state backups exist for this domain controller. If a valid system state backup was made before the rolled-back domain controller was incorrectly restored, and the backup contains recent changes that were made on the domain controller, restore the system state from the most recent backup. You can also use the snapshot as a source of a backup. Or you can set the database to give itself a new invocation ID using the procedure in the section "To restore a previous version of a virtual domain controller VHD without system state data backup" in this article |