You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/active-directory/hybrid/concept-azure-ad-connect-sync-user-and-contacts.md
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -56,7 +56,7 @@ Having contacts representing a user in a different forest is common after a merg
56
56
For provisioning an object to Azure AD, the outbound rule **Out to AAD – Contact Join** will create a contact object if the metaverse attribute **sourceObjectType** is set to **Contact**. If this attribute is set to **User**, then the rule **Out to AAD – User Join** will create a user object instead.
57
57
It is possible that an object is promoted from Contact to User when more source Active Directories are imported and synchronized.
58
58
59
-
For example, in a GALSync topology we'll find contact objects for everyone in the second forest when we import the first forest. This will stage new contact objects in the AAD Connector. When we later import and synchronize the second forest, we'll find the real users and join them to the existing metaverse objects. We will then delete the contact object in AAD and create a new user object instead.
59
+
For example, in a GALSync topology we'll find contact objects for everyone in the second forest when we import the first forest. This will stage new contact objects in the Azure AD Connector. When we later import and synchronize the second forest, we'll find the real users and join them to the existing metaverse objects. We will then delete the contact object in Azure AD and create a new user object instead.
60
60
61
61
If you have a topology where users are represented as contacts, make sure you select to match users on the mail attribute in the installation guide. If you select another option, then you will have an order-dependent configuration. Contact objects will always join on the mail attribute, but user objects will only join on the mail attribute if this option was selected in the installation guide. You could then end up with two different objects in the metaverse with the same mail attribute if the contact object was imported before the user object. During export to Azure AD, an error will be thrown. This behavior is by design and would indicate bad data or that the topology was not correctly identified during the installation.
Copy file name to clipboardExpand all lines: articles/active-directory/hybrid/how-to-connect-health-alert-catalog.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -78,11 +78,11 @@ Azure AD Connect Health alerts get resolved on a success condition. Azure AD Con
78
78
| Active Directory replication error encountered | This domain controller is experiencing replication issues, which can be found by going to the Replication Status Dashboard. Replication errors may be due to improper configuration or other related issues. Untreated replication errors can lead to data inconsistency. | See additional details for the names of the affected source and destination DCs. Navigate to Replication Status dashboard and look for the active errors on the affected DCs. Click on the error to open a blade with more details on how to remediate that particular error.|
79
79
| Domain controller is unable to find a PDC | A PDC isn't reachable through this domain controller. This will lead to impacted user logons, unapplied group policy changes, and system time synchronization failure. | <li>Examine alerts list for related alerts that could be impacting your PDC, such as: Domain Controller isn't advertising. </li> <li>Attempt to find the PDC: Run <br> <i>netdom query fsmo </i> </br> on the affected Domain Controller.<li>Ensure network is working properly. </li> |
80
80
| Domain controller is unable to find a Global Catalog server | A global catalog server isn't reachable from this domain controller. It will result in failed authentications attempted through this Domain Controller. | Examine the alerts list for any <b>Domain Controller isn't advertising</b> alerts where the impacted server might be a GC. If there are no advertising alerts, check the SRV records for the GCs. You can check them by running: <br> <i> nltest \/dnsgetdc: [ForestName]\/gc </i> </br> It should list the DCs advertising as GCs. If the list is empty, check the DNS configuration to ensure that the GC has registered the SRV records. The DC is able to find them in DNS. <br />For troubleshooting Global Catalogs, see <ahref="/previous-versions/windows/it-pro/windows-2000-server/cc961811(v=technet.10)#ECAA">Advertising as a Global Catalog Server. </a> |
81
-
| Domain controller unable to reach local SYSVOL share | Sysvol contains important elements from Group Policy Objects and scripts to be distributed within DCs of a domain. The DC won't advertise itself as DC and Group Policies won't be applied. | See <ahref="https://support.microsoft.com/kb/2958414">How to troubleshoot missing SYSVOL and Netlogon shares </a> |
81
+
| Domain controller unable to reach local sysvol share | Sysvol contains important elements from Group Policy Objects and scripts to be distributed within DCs of a domain. The DC won't advertise itself as DC and Group Policies won't be applied. | See <ahref="https://support.microsoft.com/kb/2958414">How to troubleshoot missing sysvol and Netlogon shares </a> |
82
82
| Domain Controller time is out of sync | The time on this Domain Controller is outside of the normal Time Skew range. As a result, Kerberos authentications will fail. | <li>Restart Windows Time Service: Run <br><i>net stop w32time</i> </br> then <br><i>net start w32time </i></br> on the affected Domain Controller.</li><li>Resync Time: Run <br><i>w32tm \/resync </i></br> on the affected Domain Controller. |
83
83
| Domain controller isn't advertising | This domain controller isn't properly advertising the roles it's capable of performing. This can be caused by problems with replication, DNS misconfiguration, critical services not running, or because of the server not being fully initialized. As a result, domain controllers, domain members, and other devices won't be able to locate this domain controller. Additionally, other domain controllers might not be able to replicate from this domain controller. | Examine alerts list for other related alerts such as: Replication is broken. Domain controller time is out of sync. Netlogon service isn't running. DFSR and/or NTFRS services aren't running. Identify and troubleshoot related DNS problems: Logon to affected Domain controller. Open System Event Log. If events 5774, 5775 or 5781 are present, see <a href="/previous-versions/windows/it-pro/windows-2000-server/bb727055(v=technet.10)#ECAA">Troubleshooting Domain Controller Locator DNS Records Registration Failure</a> Identify and troubleshoot related Windows Time Service Issues: Ensure Windows Time service is running: Run '<b>net start w32time</b>' on the affected Domain Controller. Restart Windows Time Service: Run '<b>net stop w32time</b>' then '<b>net start w32time</b>' on the affected Domain Controller. |
84
84
| GPSVC service isn't running | If the service is stopped or disabled, settings configured by the admin won't be applied and applications and components won't be manageable through Group Policy. Any components or applications that depend on the Group Policy component might not be functional if the service is disabled. | Run <br><i>net start gpsvc </i></br> on the affected Domain Controller. |
85
-
| DFSR and/or NTFRS services aren't running | If both DFSR and NTFRS services are stopped, Domain Controllers won't be able to replicate SYSVOL data. SYSVOL Data will be out of consistency. | <li>If using DFSR:<oltype="1" > Run '<b>net start dfsr</b>' on the affected Domain Controller. </li><li>If using NTFRS:<oltype="1" >Run '<b>net start ntfrs</b>' on the affected Domain Controller. </li>|
85
+
| DFSR and/or NTFRS services aren't running | If both DFSR and NTFRS services are stopped, Domain Controllers won't be able to replicate sysvol data. sysvol Data will be out of consistency. | <li>If using DFSR:<oltype="1" > Run '<b>net start dfsr</b>' on the affected Domain Controller. </li><li>If using NTFRS:<oltype="1" >Run '<b>net start ntfrs</b>' on the affected Domain Controller. </li>|
86
86
| Netlogon service isn't running | Logon requests, registration, authentication, and locating of domain controllers will be unavailable on this DC. | Run '<b>net start netlogon</b>' on the affected Domain Controller |
87
87
| W32Time service isn't running | If Windows Time Service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. | Run '<b>net start win32Time</b>' on the affected Domain Controller |
88
88
| ADWS service isn't running | If Active Directory Web Services service is stopped or disabled, client applications, such as Active Directory PowerShell, won't be able to access or manage any directory service instances that are running locally on this server. | Run '<b>net start adws</b>' on the affected Domain Controller |
0 commit comments