I have been participating in an O365 project for the last month and ran into a strange situation after the Exchange Hybrid configuration was enabled in AAD Connect.
First of all, everything had been configured as planned:
- Sync scope
- Delegations to the sync account (read/write operations on all synced objects)
- Sync had been running without any errors for the last four (4) months
My customer has two (2) AAD Connect servers, one active and one in staging mode. The Exchange Hybrid configuration was performed first on the staging server without any errors. We then moved to the active server (which had been switched to staging mode beforehand) and ran the Exchange Hybrid configuration with the wizard. Everything went fine until the export to on-premises AD started (when Exchange Hybrid is added to the AAD Connect configuration, it writes multiple attributes back to mail users, depending on the Exchange version), and we hit 5000 errors in AAD Connect, which is the limit at which the run stops.
All permission failures carried the same error code, 8433, which pointed me toward a possible AD permission inheritance problem. I triple-checked all permissions and inheritance settings and everything looked right, which was strange. The next thing to try was a restart of the “Microsoft Azure AD Sync” service, and as soon as the service had restarted, AAD Connect was able to update all the necessary objects with the X500 proxyAddress attribute.
I haven’t seen this kind of behavior before, and my assumption is that the Kerberos token of the sync service account was not refreshed during authentication until the service was restarted. Worth mentioning is that the delegations to on-premises AD had been made the day before the AAD Connect configuration was changed.
Link to permission issue docs
http://mstechtalk.com/azure-ad-sync-permissions-error/
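The inheritance check described above can be automated. The script below is an added example, not code from the original post: it walks every OU under the sync scope root, reports whether inheritance is blocked on that OU, and counts the ACEs that grant the sync account write rights there, so an OU where a higher-level delegation silently stops applying stands out. The OU distinguished name and the sync account name are placeholders for your environment, and the ActiveDirectory module (which provides the AD: drive) is assumed to be installed.

```powershell
# Added example (not from the original post): audit ACL inheritance and the sync
# account's delegated rights on every OU within the AAD Connect sync scope.
# Assumptions: ActiveDirectory module installed; the two values below are placeholders.
Import-Module ActiveDirectory

$SyncScopeDN = 'OU=Sync,DC=example,DC=local'   # placeholder: root of the sync scope
$SyncAccount = 'EXAMPLE\MSOL_svc'               # placeholder: AD DS connector account

# Every OU at or below the sync scope root (Subtree includes the base OU itself)
$ous = Get-ADOrganizationalUnit -Filter * -SearchBase $SyncScopeDN -SearchScope Subtree

foreach ($ou in $ous) {
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)

    # AreAccessRulesProtected = $true means inheritance is blocked on this OU,
    # so rights delegated higher up (e.g. at the domain root) do not reach it.
    $blocked = $acl.AreAccessRulesProtected

    # Allow ACEs (explicit or inherited) that give the sync account WriteProperty here
    $syncAces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $SyncAccount -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
    }

    [pscustomobject]@{
        OU                 = $ou.DistinguishedName
        InheritanceBlocked = $blocked
        SyncAccountAces    = @($syncAces).Count
        # Worth a look: inheritance is blocked and nothing was re-granted explicitly
        NeedsReview        = ($blocked -and @($syncAces).Count -eq 0)
    }
}
```

Pipe the output to `Format-Table` or `Export-Csv` and look at the rows where `NeedsReview` is true; those OUs would produce permission errors on export even though the delegation at the top of the scope looks correct.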
How do I increase that 5000 error limit? I haven’t found any article. Please help.
I’m quite curious, what would be the scenario where you need to increase the error limit? Here is a link to deletion threshold configuration https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-prevent-accidental-deletes
All you need to do is open regedit on the dirsync server machine, locate the “HKLM\System\CurrentControlSet\Services\FIMSynchronizationService\Parameters” key and create the ErrorLimit DWORD value (if you are using AADSync, the key will be located under the following instead: HKLM\System\CurrentControlSet\Services\ADSync\Parameters). The default value of 0 will increase the error limit to 100000, which should give you plenty of freedom. Afterwards, restart the FIMSynchronizationService and run another sync. This time, when the 5000 limit is reached, the MIIS client will stop listing new errors, but the sync process will not stop. I have not found a way to increase the ‘display limit’ past the 5000 mark though.
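The registry change from the comment above, scripted as an added example rather than the commenter's own code. It reads the current ErrorLimit value under the ADSync parameters key (the AAD Connect path named in the comment; the FIMSynchronizationService path applies to older DirSync installs), creates or updates the DWORD, and restarts the service. It assumes an elevated PowerShell session on the AAD Connect server, and the meaning of the value 0 is taken from the comment, not verified here.

```powershell
# Added example (not the commenter's code): inspect and set the ErrorLimit DWORD
# described in the comment above, then restart the sync service.
# Assumptions: run elevated on the AAD Connect server; service name is ADSync
# (display name "Microsoft Azure AD Sync"); key path is the one given in the comment.
$KeyPath   = 'HKLM:\System\CurrentControlSet\Services\ADSync\Parameters'
$ValueName = 'ErrorLimit'

function Get-SyncErrorLimit {
    # Returns $null when the value has not been created yet
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Set-SyncErrorLimit {
    param([Parameter(Mandatory)][uint32]$Limit)

    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    if ($null -eq (Get-SyncErrorLimit)) {
        # Create the DWORD, as the comment describes doing in regedit
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Limit | Out-Null
    } else {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Limit
    }

    # The new value is only picked up after the sync service restarts
    Restart-Service -Name ADSync
}

"Current ErrorLimit: $(Get-SyncErrorLimit)"
```

To apply the setting the comment describes, run `Set-SyncErrorLimit -Limit 0` and then start a sync; running the script as-is only prints the current value.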