If Azure AD sync with the Azure AD Connect tool has been working fine and then suddenly stops, with nothing obviously wrong, the cause may be too many deletes in the local AD.
A feature of the Azure AD Connect tool is the export deletion threshold. It is designed to protect you from accidental deletions and changes in your on-premises directory that would affect a large number of users: if more objects than the threshold (500 by default) are staged for deletion in a single export to Azure AD, the export is stopped and none of the deletions are processed until you confirm them.
Event Viewer should generate events, and the admins should receive an e-mail like:
Hello admin@altitude365.com,
At Sunday, 18 December 2015 12:11:41 GMT the Identity synchronization service detected that the number of deletions exceeded the configured deletion threshold for Altitude365 [altitude365.onmicrosoft.com]. A total of 653 objects were sent for deletion in this Identity synchronization run. This met or exceeded the configured deletion threshold value of 500 objects.
We need you to provide confirmation that these deletions should be processed before we will proceed. Please see Preventing Accidental Deletions for more information about the error listed in this email message.
Thank you,
The Azure Active Directory Team
The threshold is evaluated per export run to Azure AD, not as a running total. At the time of writing the sync scheduler runs every 3 hours, so in practice the value is the number of deletes accumulated within one 3-hour cycle.
Unfortunately this does not always produce an error in Event Viewer; sometimes the only indication is the result of the export run in the Synchronization Service Manager (miisclient.exe), where the export of the Azure Active Directory connector ends with the status stopped-deletion-threshold-exceeded.
Before lifting the threshold, check whether the deletions are expected. To find out which objects are about to be deleted:
- Start Synchronization Service from the Start Menu.
- Go to Connectors and select the connector of type Azure Active Directory.
- Under Actions to the right, select Search Connector Space.
- In the pop-up, under Scope, select Disconnected Since, pick a time in the past and click Search. This shows all objects about to be deleted. Clicking on an item gives additional information about the object, and Column Settings lets you add further attributes to the grid. Looking at a few of them will usually tell you whether the deletions are intentional or not.
If the change is intentional, temporarily disable the threshold and let the deletions go through:
- Open PowerShell on the Azure AD Connect server.
- Run "Import-Module ADSync".
- Run the PowerShell cmdlet: Disable-ADSyncExportDeletionThreshold
- Trigger another sync cycle, or just run the Export run profile of the Azure Active Directory connector in miisclient.exe.
- Once the export has completed, re-enable the protection with the PowerShell cmdlet: Enable-ADSyncExportDeletionThreshold
I have been working with some organizations, schools for example, that make changes of this size on a regular basis. Adjust the threshold to your organization's needs rather than leaving it disabled.
This can be done by running the PowerShell cmdlet: Enable-ADSyncExportDeletionThreshold -DeletionThreshold <value>
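As an added example (not code from the original post), here is the whole procedure from the two lists above as one PowerShell script: it shows the current threshold setting, refuses to run while a sync cycle is already in progress, asks for confirmation that the pending deletions were reviewed in the Synchronization Service Manager, lifts the threshold only for the duration of one delta sync cycle, and re-enables it afterwards with an organization-specific value. It assumes Start-ADSyncSyncCycle and Get-ADSyncScheduler are available (builds with the built-in scheduler), and the 2000-object threshold is an assumed value to be replaced with your own.

```powershell
# Added example, not code from the original post: review, temporarily lift and
# restore the Azure AD Connect export deletion threshold from PowerShell.
# Run on the Azure AD Connect server as a member of the local ADSyncAdmins group.
# Assumptions: Start-ADSyncSyncCycle and Get-ADSyncScheduler are available
# (builds with the built-in scheduler; on older builds trigger the sync cycle
# the way you normally do and wait for it to finish), and $NewThreshold is a
# value chosen for your own organisation. Some builds prompt for Azure AD
# administrator credentials when the threshold is enabled or disabled.

Import-Module ADSync

# 1. Record the current setting so you know what you are changing.
Write-Host "Current export deletion threshold setting:"
Get-ADSyncExportDeletionThreshold | Format-List

# 2. Never lift the protection while a cycle is already running.
if ((Get-ADSyncScheduler).SyncCycleInProgress) {
    Write-Warning "A sync cycle is in progress; wait for it to finish and re-run."
    return
}

# 3. Only proceed once the pending deletions have been reviewed in the
#    Synchronization Service Manager (Search Connector Space -> Disconnected Since).
$answer = Read-Host "Have the pending deletions been reviewed and confirmed as intentional? (yes/no)"
if ($answer -ne 'yes') {
    Write-Warning "Aborting: threshold left in place, no export triggered."
    return
}

# 4. Lift the protection, run one delta cycle (import, sync, export) and wait
#    for it to complete. Start-ADSyncSyncCycle only requests the cycle, so the
#    threshold must stay disabled until SyncCycleInProgress drops back to false;
#    re-enabling it straight away would block the very export we want.
$NewThreshold = 2000   # assumption: pick this for your environment (default is 500)
try {
    Disable-ADSyncExportDeletionThreshold
    Start-ADSyncSyncCycle -PolicyType Delta
    Start-Sleep -Seconds 15   # give the scheduler time to pick up the request
    $deadline = (Get-Date).AddMinutes(60)
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) { throw "Sync cycle did not finish within 60 minutes." }
        Start-Sleep -Seconds 10
    }
    Write-Host "Delta sync cycle finished; check the Operations tab for the export result."
}
finally {
    # 5. Restore the protection even if the cycle threw, here with an
    #    organisation-specific value; omit -DeletionThreshold for the default of 500.
    Enable-ADSyncExportDeletionThreshold -DeletionThreshold $NewThreshold
    Write-Host "Export deletion threshold re-enabled at $NewThreshold objects."
}
```

Save it as a .ps1 file and run it interactively on the Azure AD Connect server; the try/finally is the important part, since the window in which the threshold is disabled is exactly the window in which a second, unintended clean-up would go through unchecked.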
Many, many thanks for sharing this; otherwise I would not have connected the failure of AD sync with a recent cleanup of AD accounts.