Svr 2016 AD/Office 365 not syncing

I am experiencing an issue where my Server 2016 Active Directory and Office 365 aren't syncing.

When I sign onto the Office 365 Portal with any of the Global Admin accounts the DirSync Status says the Last directory sync was 6 hours ago and that there has been no recent Password sync (see the screenshot).

When I run the Start-ADSyncSyncCycle -PolicyType Initial Power Shell command (while logged into Office 365) within either the Microsoft Azure Active Directory Module for Windows PowerShell or the Windows PowerShell I receive the errors shown below.

I have closed, relaunched PowerShell as an administrator and then relogged into Office 365 within both the Microsoft Azure Active Directory Module for Windows PowerShell and the Windows PowerShell and have rebooted the server and continue to receive this error when trying to sync Active Directory and Office 365.

What can be done to fix this issue?

PS C:\Users\Administrator\Desktop> $UserCredential = Get-Credential

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
PS C:\Users\Administrator\Desktop> Connect-MsolService -Credential $UserCredential
PS C:\Users\Administrator\Desktop> Connect-MsolService
PS C:\Users\Administrator\Desktop>
PS C:\Users\Administrator\Desktop> Start-ADSyncSyncCycle -PolicyType Initial
Start-ADSyncSyncCycle : System.Management.Automation.CmdletInvocationException:
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS50034: To sign into this application the
account must be added to the domain.onmicrosoft.com directory.
Trace ID: 5673b8f9-19a2-4a95-a1cd-1ac0c55f2800
Correlation ID: 81cd8d21-8498-434e-b4ae-dcdcd2e87a96
Timestamp: 2018-01-27 04:09:53Z ---> System.Net.WebException: The remote server returned an error: (400) Bad Request.
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpWebRequestWrapper.<GetResponseSyncOrAsync>d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpHelper.<SendPostRequestAndDeserializeJsonResponseAsync>d__0`1
.MoveNext()
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.RunAsyncTask[T](Task`1 task)
   at Microsoft.Online.Coexistence.ProvisionHelper.GetADALToken(String userName, String userPassword, MSOInstance
adalServiceResource)
   at Microsoft.Online.Coexistence.ProvisionHelper.GetSecurityToken(String userName, String userPassword, MSOInstance
adalServiceResource)
   at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.TypeD
ependencies.ProvisionHelperGetSecurityToken(ProvisionHelper provisionHelper, String userName, SecureString
userPassword)
   at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.Initi
alizeProvisionHelper()
   at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.Initi
alize()
   at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.GetCo
mpanyConfiguration(Boolean includeLicenseInformation)
   at Microsoft.Azure.ActiveDirectory.Synchronization.AADConfig.get_CloudEnforcedSyncSchedulerInterval()
   at Microsoft.MetadirectoryServices.Scheduler.SchedulerSettingUtilities.get_CurrentSchedulerSettings()
   at SchedulerUtils.GetCurrentSchedulerSettings(SchedulerUtils* , _ConfigAttrNode* pcanList, UInt32 ccanItems, Char**
syncSettingsSerialized, Char** errorString)
        ErrorCode: invalid_grant
        StatusCode: 400 ---> System.InvalidOperationException:
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS50034: To sign into this application the
account must be added to the domain.onmicrosoft.com directory.
Trace ID: 5673b8f9-19a2-4a95-a1cd-1ac0c55f2800
Correlation ID: 81cd8d21-8498-434e-b4ae-dcdcd2e87a96
Timestamp: 2018-01-27 04:09:53Z ---> System.Net.WebException: The remote server returned an error: (400) Bad Request.
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpWebRequestWrapper.<GetResponseSyncOrAsync>d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpHelper.<SendPostRequestAndDeserializeJsonResponseAsync>d__0`1
.MoveNext()
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.RunAsyncTask[T](Task`1 task)
   at Microsoft.Online.Coexistence.ProvisionHelper.GetADALToken(String userName, String userPassword, MSOInstance
adalServiceResource)
   at Microsoft.Online.Coexistence.ProvisionHelper.GetSecurityToken(String userName, String userPassword, MSOInstance
adalServiceResource)
   at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.TypeD
ependencies.ProvisionHelperGetSecurityToken(ProvisionHelper provisionHelper, String userName, SecureString
userPassword)
   at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.Initi
alizeProvisionHelper()
   at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.Initi
alize()
   at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.GetCo
mpanyConfiguration(Boolean includeLicenseInformation)
   at Microsoft.Azure.ActiveDirectory.Synchronization.AADConfig.get_CloudEnforcedSyncSchedulerInterval()
   at Microsoft.MetadirectoryServices.Scheduler.SchedulerSettingUtilities.get_CurrentSchedulerSettings()
   at SchedulerUtils.GetCurrentSchedulerSettings(SchedulerUtils* , _ConfigAttrNode* pcanList, UInt32 ccanItems, Char**
syncSettingsSerialized, Char** errorString)
        ErrorCode: invalid_grant
        StatusCode: 400
   at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSWebService.GetSchedulerSettings(String&
settingsDeserialized, String& errorString)
   at Microsoft.IdentityManagement.PowerShell.Cmdlet.GetADSyncScheduler.ProcessRecord()
   --- End of inner exception stack trace ---
   at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
   at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
   at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
   at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input,
PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1
output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
   at Microsoft.Online.Deployment.PowerShell.LocalPowerShell.Invoke()
   at Microsoft.Online.Deployment.PowerShell.PowerShellAdapter.TypeDependencies.InvokePowerShell(IPowerShell
powerShell)
   at Microsoft.Online.Deployment.PowerShell.PowerShellAdapter.InvokePowerShellCommand(String commandName,
InitialSessionState initialSessionState, IDictionary`2 commandParameters, Boolean isScript)
   at Microsoft.Azure.ActiveDirectory.Synchronization.PowerShellConfigAdapter.SchedulerPowerShellAdapter.GetCurrentSche
dulerSettings()
   at Microsoft.MetadirectoryServices.Scheduler.Scheduler.StartSyncCycle(String overridePolicy, Boolean
interactiveMode)
   at SchedulerUtils.StartSyncCycle(SchedulerUtils* , Char* policyType, Int32 interactiveMode, Char** errorString)
At line:1 char:1
+ Start-ADSyncSyncCycle -PolicyType Initial
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (Microsoft.Ident...ADSyncSyncCycle:StartADSyncSyncCycle) [Start-ADSyncSyncCy
   cle], InvalidOperationException
    + FullyQualifiedErrorId : System.Management.Automation.CmdletInvocationException: Microsoft.IdentityModel.Clients.
   ActiveDirectory.AdalServiceException: AADSTS50034: To sign into this application the account must be added to the
  domain.onmicrosoft.com directory.
Trace ID: 5673b8f9-19a2-4a95-a1cd-1ac0c55f2800
Correlation ID: 81cd8d21-8498-434e-b4ae-dcdcd2e87a96
    Timestamp: 2018-01-27 04:09:53Z ---> System.Net.WebException: The remote server returned an error: (400) Bad Reque
   st.
   at System.Net.HttpWebRequest.GetResponse()
       at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpWebRequestWrapper.<GetResponseSyncOrAsync>d__2.MoveNext(
   )
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpHelper.<SendPostRequestAndDeserializeJsonResponseAsync>d
   __0`1.MoveNext()
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.RunAsyncTask[T](Task`1 task)
       at Microsoft.Online.Coexistence.ProvisionHelper.GetADALToken(String userName, String userPassword, MSOInstance
   adalServiceResource)
       at Microsoft.Online.Coexistence.ProvisionHelper.GetSecurityToken(String userName, String userPassword, MSOInsta
   nce adalServiceResource)
       at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.
   TypeDependencies.ProvisionHelperGetSecurityToken(ProvisionHelper provisionHelper, String userName, SecureString us
  erPassword)
       at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.
   InitializeProvisionHelper()
       at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.
   Initialize()
       at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.
   GetCompanyConfiguration(Boolean includeLicenseInformation)
   at Microsoft.Azure.ActiveDirectory.Synchronization.AADConfig.get_CloudEnforcedSyncSchedulerInterval()
   at Microsoft.MetadirectoryServices.Scheduler.SchedulerSettingUtilities.get_CurrentSchedulerSettings()
       at SchedulerUtils.GetCurrentSchedulerSettings(SchedulerUtils* , _ConfigAttrNode* pcanList, UInt32 ccanItems, Ch
   ar** syncSettingsSerialized, Char** errorString)
        ErrorCode: invalid_grant
        StatusCode: 400 ---> System.InvalidOperationException: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServic
   eException: AADSTS50034: To sign into this application the account must be added to the domain.onmicrosoft.com di
  rectory.
Trace ID: 5673b8f9-19a2-4a95-a1cd-1ac0c55f2800
Correlation ID: 81cd8d21-8498-434e-b4ae-dcdcd2e87a96
    Timestamp: 2018-01-27 04:09:53Z ---> System.Net.WebException: The remote server returned an error: (400) Bad Reque
   st.
   at System.Net.HttpWebRequest.GetResponse()
       at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpWebRequestWrapper.<GetResponseSyncOrAsync>d__2.MoveNext(
   )
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpHelper.<SendPostRequestAndDeserializeJsonResponseAsync>d
   __0`1.MoveNext()
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.RunAsyncTask[T](Task`1 task)
       at Microsoft.Online.Coexistence.ProvisionHelper.GetADALToken(String userName, String userPassword, MSOInstance
   adalServiceResource)
       at Microsoft.Online.Coexistence.ProvisionHelper.GetSecurityToken(String userName, String userPassword, MSOInsta
   nce adalServiceResource)
       at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.
   TypeDependencies.ProvisionHelperGetSecurityToken(ProvisionHelper provisionHelper, String userName, SecureString us
  erPassword)
       at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.
   InitializeProvisionHelper()
       at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.
   Initialize()
       at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.
   GetCompanyConfiguration(Boolean includeLicenseInformation)
   at Microsoft.Azure.ActiveDirectory.Synchronization.AADConfig.get_CloudEnforcedSyncSchedulerInterval()
   at Microsoft.MetadirectoryServices.Scheduler.SchedulerSettingUtilities.get_CurrentSchedulerSettings()
       at SchedulerUtils.GetCurrentSchedulerSettings(SchedulerUtils* , _ConfigAttrNode* pcanList, UInt32 ccanItems, Ch
   ar** syncSettingsSerialized, Char** errorString)
        ErrorCode: invalid_grant
        StatusCode: 400
       at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSWebService.GetSchedulerSettings(String&
   settingsDeserialized, String& errorString)
   at Microsoft.IdentityManagement.PowerShell.Cmdlet.GetADSyncScheduler.ProcessRecord()
   --- End of inner exception stack trace ---
   at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
       at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncIn
   voke)
       at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isS
   ync)
       at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCol
   lection`1 output, PSInvocationSettings settings)
       at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollectio
   n`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
   at Microsoft.Online.Deployment.PowerShell.LocalPowerShell.Invoke()
       at Microsoft.Online.Deployment.PowerShell.PowerShellAdapter.TypeDependencies.InvokePowerShell(IPowerShell power
   Shell)
       at Microsoft.Online.Deployment.PowerShell.PowerShellAdapter.InvokePowerShellCommand(String commandName, Initial
   SessionState initialSessionState, IDictionary`2 commandParameters, Boolean isScript)
       at Microsoft.Azure.ActiveDirectory.Synchronization.PowerShellConfigAdapter.SchedulerPowerShellAdapter.GetCurren
   tSchedulerSettings()
       at Microsoft.MetadirectoryServices.Scheduler.Scheduler.StartSyncCycle(String overridePolicy, Boolean interactiv
   eMode)
       at SchedulerUtils.StartSyncCycle(SchedulerUtils* , Char* policyType, Int32 interactiveMode, Char** errorString)
   ,Microsoft.IdentityManagement.PowerShell.Cmdlet.StartADSyncSyncCycle

PS C:\Users\Administrator\Desktop>


O-365-AD-sync.pngDirectory-sync-status
IT GuyNetwork EngineerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Cliff GaliherCommented:
You don't need to connect to office 365 in powershell to sync. And doing so doesn't help in troubleshooting. AADConnect creates a separate account just for syncing.  Based on the error  either that account got deleted on one or both ends, or the password got changed. Rerun in the AADConnect setup wizard will fix that up.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
IT GuyNetwork EngineerAuthor Commented:
What are the steps to rerun the AADConnect setup wizard?
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2016

From novice to tech pro — start learning today.