AD Sync Troubleshooting

When AD Sync is not performing as intended (and you have verified that the service is running), please check the logs to see if any errors are present.

AD Sync may be installed on a domain controller running any version of Windows Server from 2003 R2 to 2016. However, if you have Windows Server 2012 or later domain controllers, you must raise the domain functional level to Windows Server 2008 or later. If you do not, you will experience AD Sync instability.

AD Sync DC Status

If you are running version 11.0 or higher of the AD Sync service, you can check to see which domain controllers have recently checked in with CloudPortal Services Manager (CPSM). To do so, log into CPSM with the AD Sync credentials (for example,, hover over AD Sync, and click on AD Sync Server Monitor.

AD Sync Log Files


The log files for AD Sync are stored in C:\Program Files\AD Sync\Logs by default. If the installation directory was changed during setup, replace the path as appropriate.

The listener domain controller will have a daily log file noting all changes. Other domain controllers will only have log files if they have processed password changes on that day.

Common Errors and Solutions

Error: AD Sync Upload failed to start: Failed to get Customer 'EA': Response is not xml
Details: This error typically indicates that AD Sync has lost connectivity to CPSM. Please verify that you can access from the domain controller.

Error: Failed to get user 'jprince': Administrator's password is not valid or has expired
Details: The AD Sync account password in CPSM has been changed. You may either change it back to the original password or re-install AD Sync on all domain controllers with the new password.

Error: Failed to update user 'jprince': Customer 'EA' does not have domain ''
Details: This error means CPSM does not have a record of the domain listed in the user's UPN. Typically this is because the user's UPN has not been updated to match the primary SMTP address in Active Directory. It can also occur if you have recently requested a new domain to be added to CPSM but have not restarted AD Sync since the addition.

Error: Failed to update user 'co'malley': An invalid username was specified
Details: CPSM will only accept letters, numbers, periods, underscores, and hyphens in usernames. In this example, Charles O'Malley's username will need to be updated to comalley instead of co'malley.

Error: Failed to process queue: Queue item is already removed
Details: This error indicates a corruption of the AD Sync queue. To resolve this, stop the AD Sync service, rename the latest log file (see above), rename the Queue folder (by default, this is located at C:\Program Files\AD Sync\Queue), create a new Queue folder, start the AD Sync service, and then check the logs after a few minutes to verify the problem is resolved.

Error: Failed to upload user 'kfletcher': Could not find the manager with the username 'jprince'
Details: This is due to a manager being removed before updating the Manager field in the affected user. To resolve this, correct the Manager field in the affected user and wait for it to sync.

Error: Account not in scope
Details: The affected account is a member of an excluded group in the AD Sync configuration. Per the installation instructions, no excluded groups should be specified. To resolve this issue, open the adsync.exe.config file (by default, this is in C:\Program Files\AD Sync) and remove any groups listed, including unnamed SIDs, in the ExcludeGroups section. Restart AD Sync.

Error: Failed to update user 'jorlando': A unique UPN must be specified
Details: The affected account has a userPrincipalName attribute that matches an object already synchronized to CDS. Check to make sure an existing non-AD Sync'd user doesn't already have this UPN before continuing.
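
The following PowerShell sketch is an added example, not part of the original page or of the AD Sync product. It classifies log lines against the errors listed above and separates service-wide failures from per-account ones. The rule names, the Scope labels, and the sample log layout are assumptions made for illustration.

```powershell
# Added example, not vendor code. Assumption: a log line contains the error text
# exactly as quoted in the list above; the real line layout is not documented here.
# Requires PowerShell 3.0 or later ([pscustomobject]).
$rules = @(
    @{ Name = 'CpsmUnreachable';     Scope = 'Service'; Pattern = "Failed to get Customer '.+': Response is not xml" }
    # The user named in this line is only the one being processed, so it is not captured.
    @{ Name = 'SyncPasswordChanged'; Scope = 'Service'; Pattern = "Failed to get user '.+': Administrator's password is not valid or has expired" }
    @{ Name = 'QueueCorrupt';        Scope = 'Service'; Pattern = 'Failed to process queue: Queue item is already removed' }
    @{ Name = 'UnknownUpnDomain';    Scope = 'Account'; Pattern = "Failed to update user '(?<user>.+)': Customer '.*' does not have domain" }
    # Greedy .+ keeps usernames that themselves contain an apostrophe (co'malley) intact.
    @{ Name = 'InvalidUsername';     Scope = 'Account'; Pattern = "Failed to update user '(?<user>.+)': An invalid username was specified" }
    @{ Name = 'ManagerMissing';      Scope = 'Account'; Pattern = "Failed to upload user '(?<user>.+)': Could not find the manager with the username" }
    @{ Name = 'ExcludedGroup';       Scope = 'Account'; Pattern = 'Account not in scope' }
    @{ Name = 'DuplicateUpn';        Scope = 'Account'; Pattern = "Failed to update user '(?<user>.+)': A unique UPN must be specified" }
)

function Get-AdSyncFinding {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        foreach ($rule in $rules) {
            if ($Line -match $rule.Pattern) {
                [pscustomobject]@{
                    Rule  = $rule.Name
                    Scope = $rule.Scope
                    User  = $Matches['user']   # $null when the rule has no named group
                    Line  = $Line
                }
                break   # first matching rule wins
            }
        }
    }
}

# Constructed sample lines; the timestamp and level prefix are invented for illustration.
$sample = @(
    "2016-05-02 09:14:03 ERROR Failed to update user 'co'malley': An invalid username was specified"
    "2016-05-02 09:14:09 ERROR Failed to get user 'jprince': Administrator's password is not valid or has expired"
    "2016-05-02 09:15:40 ERROR Failed to process queue: Queue item is already removed"
    "2016-05-02 09:16:02 INFO  Updated user 'kfletcher'"
)
$findings = $sample | Get-AdSyncFinding
$findings | Sort-Object Scope -Descending | Format-Table Scope, Rule, User -AutoSize

# Against real logs (default path from this page; file naming is not documented here):
# Get-Content 'C:\Program Files\AD Sync\Logs\*' | Get-AdSyncFinding
```

Service-scope findings sort first because they affect every synchronized account. An unexpected SyncPasswordChanged finding also means the AD Sync account password in CPSM was changed, which is worth confirming with whoever administers that account.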