Troubleshoot an object that is not synchronizing with Azure Active Directory

If an object is not syncing to Azure Active Directory (Azure AD) as expected, there can be several reasons. If you have received an error email from Azure AD, read Troubleshooting errors during synchronization instead. If you are troubleshooting a problem where the object never appears in Azure AD, this article is for you. It describes how to find errors in the on-premises component, Azure AD Connect synchronization.

Important

For Azure AD Connect deployments with version 1.1.749.0 or higher, use the troubleshooting task in the wizard to troubleshoot object syncing issues.

Synchronization process

Before investigating syncing issues, it helps to understand the Azure AD Connect syncing process:

Diagram of the Azure AD Connect synchronization process

Terminology

  • CS: Connector space, a table in the database
  • MV: Metaverse, a table in the database

Synchronization steps

The syncing process involves the following steps:

  1. Import from AD: Active Directory objects are brought into the Active Directory CS.

  2. Import from Azure AD: Azure AD objects are brought into the Azure AD CS.

  3. Synchronization: Inbound and outbound synchronization rules run in order of precedence number, from lower to higher (a lower number means higher precedence). To view the synchronization rules, open the Synchronization Rules Editor from the desktop applications. Inbound synchronization rules bring data from a CS into the MV. Outbound synchronization rules move data from the MV to a CS.

  4. Export to AD: After synchronization, objects are exported from the Active Directory CS to Active Directory.

  5. Export to Azure AD: After synchronization, objects are exported from the Azure AD CS to Azure AD.

An object only reaches Azure AD once step 3 has both joined or projected it into the MV and flowed it into the Azure AD CS. So "not in Azure AD" almost always means a stop at one of three points: the import into the Active Directory CS, an inbound scoping filter, or an outbound scoping filter. The rest of this article checks those points in that order.

Troubleshooting

To find the errors, look in a few different places, in the following order:

  1. The operations log, to find errors identified by the synchronization engine during import and synchronization.
  2. The connector space, to find missing objects and synchronization errors.
  3. The metaverse, to find data-related problems.

Start Synchronization Service Manager before you begin these steps (it requires membership in the local ADSyncAdmins group on the Connect server).

Operations

The Operations tab in Synchronization Service Manager is where you should start your troubleshooting. This tab shows the results from the most recent operations.

Screenshot of Synchronization Service Manager with the Operations tab selected

The top half of the Operations tab shows all runs in chronological order. By default, the operations log keeps information about the last seven days, but this setting can be changed with the scheduler. Look for any run that does not show a success status. You can change the sorting by clicking the column headers.

The Status column contains the most important information and shows the most severe problem for a run. Here is a quick summary of the most common statuses, in order of investigation priority (where * stands for one of several possible strings):

Status                  Comment
stopped-*               The run could not finish. This might happen, for example, if the remote system is down and cannot be contacted.
stopped-error-limit     There are more than 5,000 errors. The run was stopped automatically because of the large number of errors.
completed-*-errors      The run finished, but there are errors (fewer than 5,000) that should be investigated.
completed-*-warnings    The run finished, but some data is not in the expected state. If you also have errors, this message is usually only a symptom. Don't investigate warnings until you have addressed the errors.
success                 No issues.

When you select a row, the bottom of the Operations tab is updated to show the details of that run. On the far-left side of this area you might see a list titled Step #. This list appears only if you have multiple domains in your forest; each domain is represented by a step. The domain name can be found under the heading Partition. Under the Synchronization Statistics heading, you can find more information about the number of changes that were processed. Select the links to get a list of the changed objects. If you have objects with errors, those errors show up under the Synchronization Errors heading.

Errors on the Operations tab

When you have errors, Synchronization Service Manager shows both the object in error and the error itself as links that provide more information.

Screenshot of errors in Synchronization Service Manager

Start by selecting the error string. (In the preceding figure, the error string is sync-rule-error-function-triggered.) You are first presented with an overview of the object. To see the actual error, select Stack Trace. This trace provides debug-level information for the error.

Right-click the Call Stack Information box, click Select All, and then select Copy. Paste the stack into your favorite editor, such as Notepad, and read the error there.

If the error comes from SyncRulesEngine, the call stack information first lists all attributes on the object. Scroll down until you see the heading InnerException =>.

Screenshot of Synchronization Service Manager showing the error information under the InnerException => heading

The line after the heading shows the error. In the preceding figure, the error comes from a custom synchronization rule that Fabrikam created.

If the error does not give enough information, it's time to look at the data itself. Select the link with the object identifier and continue troubleshooting with the connector space imported object.
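The same scan of the Operations tab can be scripted with the ADSync module, which is useful on a server where you want to check the run history repeatedly or from a remote session. The following script is an added example, not code from the Microsoft page; it assumes the ADSync module on the Azure AD Connect server, a caller in the local ADSyncAdmins group, and the property names shown in the comments on the run-history objects (confirm them on your version with Get-Member).

```powershell
# Added example, not from the Microsoft page: a PowerShell pass over the run history that mirrors
# scanning the Operations tab. Assumptions: the ADSync module on the Azure AD Connect server, a
# caller in the local ADSyncAdmins group, and these property names on the run-history objects
# (Result, StartDate, ConnectorId, RunProfileId, RunHistoryId, StepNumber, StepResult); confirm
# them on your version with Get-Member.
Import-Module ADSync

# How long the operations log is kept: the scheduler setting the page refers to (7 days by default).
"Run history is purged after: $((Get-ADSyncScheduler).PurgeRunHistoryInterval)"

# Resolve connector and run-profile GUIDs to names so the output reads like the Operations tab.
$connectorName = @{}
$profileName   = @{}
foreach ($c in Get-ADSyncConnector) {
    $connectorName[$c.Identifier] = $c.Name
    foreach ($p in $c.RunProfiles) { $profileName[$p.Identifier] = $p.Name }
}

# The page's investigation order: stopped-* first, then errors, warnings last.
function Get-StatusPriority([string]$Result) {
    switch -Wildcard ($Result) {
        'stopped-error-limit'  { return 0 }
        'stopped-*'            { return 1 }
        'completed-*-errors'   { return 2 }
        'completed-*-warnings' { return 3 }
        'success'              { return 9 }
        default                { return 4 }   # anything unexpected is looked at before warnings
    }
}

# Pull the most recent runs (raise NumberRequested to cover the whole retention window) and drop successes.
$runs = Get-ADSyncRunProfileResult -NumberRequested 200 |
    Where-Object { $_.Result -ne 'success' } |
    Sort-Object -Property @{ Expression = { Get-StatusPriority $_.Result }; Ascending = $true },
                          @{ Expression = 'StartDate'; Descending = $true }

foreach ($run in $runs) {
    '{0:u}  {1,-32} {2,-22} {3}' -f $run.StartDate, $connectorName[$run.ConnectorId],
        $profileName[$run.RunProfileId], $run.Result

    # One step per partition (domain); a multi-domain forest shows several steps per run.
    foreach ($step in Get-ADSyncRunStepResult -RunHistoryId $run.RunHistoryId) {
        if ($step.StepResult -ne 'success') {
            '    step {0}: {1}' -f $step.StepNumber, $step.StepResult
        }
    }
}
```

Run it in an elevated PowerShell session on the Connect server. The first line of output tells you how far back the history goes; if a failing run has already been purged, lengthen the retention with Set-ADSyncScheduler -PurgeRunHistoryInterval before trying to reproduce the problem.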

Connector space object properties

If the Operations tab shows no errors, follow the connector space object from Active Directory to the metaverse to Azure AD. Somewhere along this path you should find where the problem is.

Searching for an object in the CS

In Synchronization Service Manager, select Connectors, select the Active Directory Connector, and then select Search Connector Space.

In the Scope box, select RDN to search on the CN attribute, or select DN or anchor to search on the distinguishedName attribute. Enter a value and select Search.

Screenshot of a connector space search

If you don't find the object you're looking for, it might have been excluded by domain-based filtering or OU-based filtering. To verify that filtering is configured as expected, read Azure AD Connect sync: Configure filtering.

Another useful search is available by selecting the Azure AD Connector. In the Scope box, select Pending Import, and then select the Add check box. This search returns all objects that exist in Azure AD but cannot be associated with an on-premises object.

Screenshot of orphan objects in a connector space search

Those objects were created by another synchronization engine, or by a synchronization engine with a different filtering configuration. These orphan objects are no longer managed by this server. Review the list and consider removing the objects with the Azure AD PowerShell cmdlets; confirm that each one is really unmanaged before deleting it, because the removal is a live change in Azure AD.

CS import

When you open a CS object, there are several tabs at the top. The Import tab shows the data that is staged after an import.

Screenshot of the Connector Space Object Properties window with the Import tab selected

The Old Value column shows what is currently stored in Connect, and the New Value column shows what has been received from the source system but not yet applied. If there is an error on the object, the changes are not processed.

The Synchronization Error tab is visible in the Connector Space Object Properties window only if there is a problem with the object. For more information, review how to troubleshoot sync errors on the Operations tab.

Screenshot of the Synchronization Error tab in the Connector Space Object Properties window

CS lineage

The Lineage tab in the Connector Space Object Properties window shows how the connector space object is related to the metaverse object. You can see when the connector last imported a change from the connected system and which rules applied to populate data in the metaverse.

Screenshot of the Lineage tab in the Connector Space Object Properties window

In the preceding figure, the Action column shows an inbound synchronization rule with the action Provision. That means that as long as this connector space object is present, the metaverse object remains. If the list of synchronization rules instead shows an outbound synchronization rule with a Provision action, this object is deleted when the metaverse object is deleted.

Screenshot of the lineage window on the Lineage tab of the Connector Space Object Properties window

In the preceding figure you can also see, in the PasswordSync column, that the inbound connector space can contribute changes to the password, because one synchronization rule has the value True. The password is then sent to Azure AD through the outbound rule.

From the Lineage tab you can get to the metaverse by selecting Metaverse Object Properties.

Preview

In the lower-left corner of the Connector Space Object Properties window is the Preview button. Select it to open the Preview page, where you can sync a single object. This page is useful when you are troubleshooting custom synchronization rules and want to see the effect of a change on one object. You can select a Full sync or a Delta sync. You can also select Generate Preview, which keeps the result in memory only, or Commit Preview, which updates the metaverse and stages all resulting changes to the target connector spaces. Staged changes go out on the next export, so prefer Generate Preview while you are still testing a rule.

Screenshot of the Preview page with Start Preview selected

In the preview you can inspect the object and see which rule applied for a particular attribute flow.

Screenshot of the Preview page showing Import Attribute Flow

Log

Next to the Preview button, select the Log button to open the Log page. Here you can see the password sync status and history. For more information, see Troubleshoot password hash synchronization with Azure AD Connect sync.

Metaverse object properties

It's usually better to start searching from the source Active Directory connector space. But you can also start searching from the metaverse.

Searching for an object in the MV

In Synchronization Service Manager, select Metaverse Search, as in the following figure. Create a query that you know will find the user. Search on common attributes, such as accountName (sAMAccountName) or userPrincipalName. For more information, see Sync Service Manager Metaverse search.

Screenshot of Synchronization Service Manager with the Metaverse Search tab selected

In the Search Results window, click the object.

If you did not find the object, it has not yet reached the metaverse. Search for the object in the Active Directory connector space instead. If you find it there, either a sync error is blocking it from reaching the metaverse, or a synchronization rule scoping filter is excluding it.

Object not found in the MV

If the object is in the Active Directory CS but not in the MV, and the Operations tab shows no error for it, a scoping filter is excluding it. To look at the scoping filters, go to the desktop application menu and select Synchronization Rules Editor. Narrow the rule list to the rules that apply to the object by adjusting the filter shown below.

Screenshot of the Synchronization Rules Editor showing an inbound synchronization rule search

Open each rule in the list and check its Scoping filter. The scoping filter in the figure below excludes objects whose isCriticalSystemObject is True; an object whose value is null, empty, or FALSE is therefore in scope.

Screenshot of the scoping filter in an inbound synchronization rule search

Go back to the CS Import attribute list and check which filter condition is keeping the object out of the MV. The connector space attribute list shows only attributes that are non-null and non-empty. For example, if isCriticalSystemObject does not appear in the list, the value of that attribute is null or empty.

Object not found in the Azure AD CS

If the object is in the MV but not in the Azure AD connector space, look at the scoping filters of the outbound rules for that connector space and find out whether the object is filtered out because its MV attributes do not meet the criteria.

To look at the outbound scoping filters, select the rules that apply to the object by adjusting the filter shown below. Open each rule and compare its conditions with the corresponding MV attribute values.

Screenshot of an outbound synchronization rule search in the Synchronization Rules Editor
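Checking each rule's scoping filter by hand is error-prone, especially around null attributes, so it helps to evaluate the filters in code. The script below is an added example, not code from the Microsoft page. It assumes the ADSync module, and that the rule objects returned by Get-ADSyncRule expose Name, Direction, Disabled, Precedence, SourceObjectType and ScopeFilter (groups of conditions with Attribute, ComparisonOperator and ComparisonValue), as the Synchronization Rules Editor shows them; confirm the names with Get-Member. The sample user attributes are constructed to look like a CS Import tab, and only the comparison operators listed in the evaluator are handled; any other operator is reported as unevaluated rather than guessed.

```powershell
# Added example, not from the Microsoft page: evaluate synchronization-rule scoping filters against
# an object's attributes to find the rule that keeps it out of (or in) scope.
# Assumptions: ADSync module present; Get-ADSyncRule objects expose Name, Direction, Disabled,
# Precedence, SourceObjectType and ScopeFilter -> groups with ScopeConditionList -> conditions with
# Attribute, ComparisonOperator, ComparisonValue (verify with Get-Member on your version).
Import-Module ADSync

function Test-ScopeCondition {
    param($Condition, [hashtable]$Attributes)
    # CS/MV attribute lists omit null and empty attributes, so a missing key means null.
    $value    = $Attributes[[string]$Condition.Attribute]
    $expected = [string]$Condition.ComparisonValue
    switch ("$($Condition.ComparisonOperator)") {
        'ISNULL'     { return ($null -eq $value) }
        'ISNOTNULL'  { return ($null -ne $value) }
        'EQUAL'      { return ($null -ne $value -and "$value" -ieq $expected) }
        # NOTEQUAL is satisfied by a null attribute. That is why a user with no
        # isCriticalSystemObject value stays in scope of a rule whose filter says
        # isCriticalSystemObject NOTEQUAL True.
        'NOTEQUAL'   { return ($null -eq $value -or "$value" -ine $expected) }
        'STARTSWITH' { return ($null -ne $value -and "$value".StartsWith($expected, 'OrdinalIgnoreCase')) }
        'ENDSWITH'   { return ($null -ne $value -and "$value".EndsWith($expected, 'OrdinalIgnoreCase')) }
        'CONTAINS'   { return ($null -ne $value -and "$value".IndexOf($expected, [StringComparison]::OrdinalIgnoreCase) -ge 0) }
        default      { return $null }   # operator not handled here: cannot decide
    }
}

function Test-ScopeFilter {
    param($Rule, [hashtable]$Attributes)
    # Groups are OR-ed; conditions inside a group are AND-ed (the editor's "Add group" / "Add clause").
    if (-not $Rule.ScopeFilter -or $Rule.ScopeFilter.Count -eq 0) { return $true }   # no filter: everything in scope
    foreach ($group in $Rule.ScopeFilter) {
        $groupResult = $true
        foreach ($cond in $group.ScopeConditionList) {
            $r = Test-ScopeCondition -Condition $cond -Attributes $Attributes
            if ($null -eq $r) { return $null }          # undecidable condition: report, don't guess
            if (-not $r)      { $groupResult = $false; break }
        }
        if ($groupResult) { return $true }
    }
    return $false
}

# Constructed sample of what the CS Import tab showed for one user (null attributes are absent,
# so isCriticalSystemObject is deliberately not present here).
$user = @{
    'sAMAccountName'     = 'jdoe'
    'userPrincipalName'  = 'jdoe@fabrikam.com'
    'objectClass'        = 'user'
    'userAccountControl' = 512
}

$direction = 'Inbound'   # use 'Outbound' with a hashtable of MV attributes to check the Azure AD rules
Get-ADSyncRule |
    Where-Object { "$($_.Direction)" -eq $direction -and -not $_.Disabled -and $_.SourceObjectType -eq 'user' } |
    Sort-Object Precedence |
    ForEach-Object {
        $inScope = Test-ScopeFilter -Rule $_ -Attributes $user
        $label = if ($null -eq $inScope) { 'unevaluated' } elseif ($inScope) { 'IN SCOPE' } else { 'filtered out' }
        '{0,4}  {1,-12} {2}' -f $_.Precedence, $label, $_.Name
    }
```

For the "Object not found in the Azure AD CS" case, build the hashtable from the MV object's attributes (sourceAnchor, cloudFiltered, and so on), set $direction to 'Outbound' and the SourceObjectType filter to the MV type (person for users), and look for the outbound Provision rule of the Azure AD connector among the rows marked "filtered out".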

MV attributes

On the Attributes tab, you can see the values and which connectors contributed them.

Screenshot of the Metaverse Object Properties window with the Attributes tab selected

If an object is not syncing, ask the following questions about attribute states in the metaverse:

  • Is the attribute cloudFiltered present and set to True? If it is, the object has been filtered according to the steps in attribute-based filtering.
  • Is the attribute sourceAnchor present? If not, do you have an account-resource forest topology? If an object is identified as a linked mailbox (the attribute msExchRecipientTypeDetails has the value 2), the sourceAnchor is contributed by the forest that holds the enabled Active Directory account. Make sure that master account has been imported and synced correctly; it must be listed among the connectors for the object.

MV connectors

The Connectors tab shows all connector spaces that hold a representation of the object.

Screenshot of the Metaverse Object Properties window with the Connectors tab selected

You should have a connector to:

  • Each Active Directory forest the user is represented in. This representation can include foreignSecurityPrincipals and Contact objects.
  • The Azure AD connector.

If the connector to Azure AD is missing, review the section on MV attributes to verify the criteria for provisioning to Azure AD.

From the Connectors tab you can also go to the connector space object: select a row and click Properties.
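The path this article walks in the UI (AD connector space, lineage, metaverse attributes, connectors) can be followed for a single object in one script. The following is an added example, not code from the Microsoft page. It assumes the ADSync module; the connector names and distinguished name are placeholders, and the property names used (ConnectedMVObjectId, Attributes with Name and Values, Lineage with Operation, SyncRuleName and ConnectorName) are assumptions about the module's object model that you should confirm with Get-Member on your version.

```powershell
# Added example, not from the Microsoft page: follow one object from the Active Directory connector
# space through the metaverse to the Azure AD connector space, stopping at the first gap with the
# same diagnosis the article gives for that step.
# Assumptions: ADSync module present; connector names and DN are placeholders; CS objects expose
# ConnectedMVObjectId, Attributes (Name/Values) and Lineage (Operation, SyncRuleName); MV objects
# expose Attributes and Lineage (ConnectorName). Verify these with Get-Member.
Import-Module ADSync

$adConnector  = 'fabrikam.com'                     # name of the Active Directory connector (placeholder)
$aadConnector = 'fabrikam.onmicrosoft.com - AAD'   # name of the Azure AD connector (placeholder)
$dn           = 'CN=John Doe,OU=Users,DC=fabrikam,DC=com'

function Get-AttrValue($Object, [string]$Name) {
    # Attribute collections omit null/empty attributes, so a missing attribute returns $null.
    $a = $Object.Attributes | Where-Object { $_.Name -eq $Name } | Select-Object -First 1
    if ($a) { return ($a.Values -join ';') } else { return $null }
}

# 1. Is it in the AD connector space at all? If not, domain/OU filtering is the first suspect.
$cs = Get-ADSyncCSObject -ConnectorName $adConnector -DistinguishedName $dn -ErrorAction SilentlyContinue
if (-not $cs) { throw "Not in the '$adConnector' connector space: check domain-based and OU-based filtering." }

"AD CS object found. Lineage (rules that provisioned/joined it):"
$cs.Lineage | ForEach-Object { '  {0,-12} {1}' -f $_.Operation, $_.SyncRuleName }

# 2. Is it joined to a metaverse object? If not, an inbound scoping filter or a sync error stops it.
if (-not $cs.ConnectedMVObjectId -or $cs.ConnectedMVObjectId -eq [guid]::Empty) {
    throw 'CS object is not connected to the MV: review inbound scoping filters and the Operations tab.'
}
$mv = Get-ADSyncMVObject -Identifier $cs.ConnectedMVObjectId

# 3. The two questions the article asks about MV attributes.
$cloudFiltered = Get-AttrValue $mv 'cloudFiltered'
$sourceAnchor  = Get-AttrValue $mv 'sourceAnchor'
"cloudFiltered = $cloudFiltered   sourceAnchor = $sourceAnchor"
if ($cloudFiltered -eq 'True') { '  -> excluded by attribute-based filtering.' }
if (-not $sourceAnchor) {
    '  -> no sourceAnchor: in an account-resource forest, confirm the master account has synced ' +
    '(msExchRecipientTypeDetails = 2 marks a linked mailbox) and appears among the connectors below.'
}

# 4. Which connector spaces hold the object? The Azure AD connector must be among them.
$connectorsWithObject = @($mv.Lineage | ForEach-Object { $_.ConnectorName })
'Connectors: ' + ($connectorsWithObject -join ', ')
if ($connectorsWithObject -notcontains $aadConnector) {
    '  -> no Azure AD connector: check the outbound rules'' scoping filters against the MV attributes above.'
}
```

Every step only reads from the sync database, so the script is safe to run repeatedly; it never triggers a sync or an export. Read the connector names from Get-ADSyncConnector rather than typing them, since the Azure AD connector name includes your tenant name.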

Next steps