Jan 4, 2023
Azure AD Connect Health – Implementing and Managing Identity Synchronization with Azure AD

You can see the Azure AD Connect Health portal at https://aka.ms/aadconnecthealth. From there, you will be able to view basic details about your environment as well as obtain agent installation packages. See Figure 4.16.

Figure 4.16 – Azure AD Connect Health
While the Azure AD Connect Health agent for sync is included in the Azure AD Connect installation, the health agents for DS and AD FS are separate installations and must be downloaded separately:
• Azure AD Connect Health Agent for DS: https://go.microsoft.com/fwlink/?LinkID=820540
• Azure AD Connect Health Agent for AD FS: https://go.microsoft.com/fwlink/?LinkID=518973
If you do not have AD FS deployed in your environment, you do not need to deploy the AD FS agents.
Azure AD Connect Health for sync
The core health product, Azure AD Connect Health for sync, shows the current health of your synchronization environment, including object synchronization problems and data-related errors.
You can view the health status and identified errors by selecting Sync errors under Azure Active Directory Connect (Sync) on the Azure AD Connect Health portal (https://aka.ms/aadconnecthealth).

Figure 4.17 – Azure AD Connect Health sync errors
Selecting an error type will allow you to drill down into individual errors. In the example in Figure 4.18, Azure AD Connect Health has detected two objects with the same address:

Figure 4.18 – Azure AD Connect Health error details
You can use this information to identify and troubleshoot on-premises objects.
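One way to find the conflicting on-premises objects once the portal reports a duplicate address, as an added example that is not from the original page. It assumes the address is stored in the mail or proxyAddresses attribute; the function name Get-DuplicateAddress and the contoso.com sample objects are constructed for illustration.

```powershell
# Added example, not from the original page. Groups directory objects by
# normalized address and returns every address held by more than one object.
function Get-DuplicateAddress {
    param(
        [Parameter(Mandatory)]
        [object[]] $DirectoryObject   # needs DistinguishedName, mail, proxyAddresses
    )

    $owners = @{}   # normalized address -> list of distinguished names
    foreach ($obj in $DirectoryObject) {
        $seen = @{} # mail usually repeats the primary proxy address; count it once
        foreach ($addr in (@($obj.mail) + @($obj.proxyAddresses))) {
            if ([string]::IsNullOrWhiteSpace($addr)) { continue }
            # Assumption: compare case-insensitively and ignore the smtp: prefix
            $key = ($addr.Trim() -replace '^smtp:', '').ToLowerInvariant()
            if ($seen.ContainsKey($key)) { continue }
            $seen[$key] = $true
            if (-not $owners.ContainsKey($key)) {
                $owners[$key] = [System.Collections.Generic.List[string]]::new()
            }
            $owners[$key].Add($obj.DistinguishedName)
        }
    }

    foreach ($key in ($owners.Keys | Sort-Object)) {
        if ($owners[$key].Count -gt 1) {
            [pscustomobject]@{ Address = $key; Objects = $owners[$key].ToArray() }
        }
    }
}

# Constructed sample data (hypothetical objects in a contoso.com lab domain).
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'CN=Ann Lee,OU=Staff,DC=contoso,DC=com'
                       mail = 'ann.lee@contoso.com'
                       proxyAddresses = @('SMTP:ann.lee@contoso.com', 'smtp:info@contoso.com') },
    [pscustomobject]@{ DistinguishedName = 'CN=Info Desk,OU=Shared,DC=contoso,DC=com'
                       mail = 'Info@contoso.com'
                       proxyAddresses = @('SMTP:Info@contoso.com') }
)
Get-DuplicateAddress -DirectoryObject $sample | Format-List

# Against a live domain (requires the ActiveDirectory RSAT module):
# Get-DuplicateAddress -DirectoryObject (Get-ADObject `
#     -LDAPFilter '(|(mail=*)(proxyAddresses=*))' -Properties mail, proxyAddresses)
```

On the sample data this reports info@contoso.com as held by both objects, which is the kind of pair to review and correct on-premises before the next sync cycle.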
Azure AD Connect Health for Directory Services
Microsoft recommends deploying Azure AD Connect Health for Directory Services agents on all domain controllers you want to monitor, or at least one for each domain.
The Azure AD Connect Health agent deployment is relatively straightforward, asking only for a credential to complete the installation. Once the installation has completed, you can review details about your domain controller health in the Azure AD Connect Health portal at https://aka.ms/aadconnecthealth.
On the Azure AD Connect Health page, under Active Directory Domain Services, select AD DS services, as shown in Figure 4.19, and then select a domain to view the details.

Figure 4.19 – Azure AD Connect Health AD DS services
The health services agents display a variety of details about the environment, including replication errors, LDAP bind operations, NTLM authentication operations, and Kerberos authentication operations.

Figure 4.20 – The Azure AD Connect Health for AD Directory Services details page
Errors that are detected here should be resolved in your on-premises Active Directory environment.
