process of DirectoryLink and troubleshooting steps.
If installation of DirectoryLink fails:
- Make sure that your environment meets our requirements. Domain controller requirements:
  - Windows Server 2003 Service Pack 2 or later, Windows 2008 Server Core;
  - .NET Framework 3.5 with SP1;
  - Outbound network connection is open on port 443 (SSL).
- Make sure that you have Administrative permissions. Run the installation again by right-clicking the file and choosing "Run as Administrator".
- Reinstall DirectoryLink. To do this, navigate to Start > Control Panel > Add/Remove programs, uninstall DirectoryLink, reboot the DC and run the installation again.
If you receive the following errors during the installation process:
- Red X with no error message appears when running the installation file. The problem may occur on Terminal Services or any other workstation where running Setup executables is restricted. Try the .msi installer instead.
- "Cannot access remote DirectoryLink service" error. Verify that you can access the https://controlpanel.msoutlookonline.net URL from the local machine. Outbound connections on port 443 must be open to this URL. You may also run telnet controlpanel.msoutlookonline.net 443 or tracert controlpanel.msoutlookonline.net to test connectivity.
Note: starting with version 3.0, check the following URL as well:
- Security errors. Check the local time on the DC and ensure that it is synchronized with a valid time source. Read the Microsoft article on How to configure an authoritative time server in Windows Server. The errors look like the following two:
  - Password is incorrect.
  - System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. ---> System.ServiceModel.FaultException: An error occurred when verifying security for the message.
- Proxy Authentication Required. The error appears after choosing an OU for sync even though there is no proxy in your network.
  - Check LAN settings on the DC: navigate to Internet Explorer Tools > Internet Options > Connections > LAN settings. There should be no proxy.
  - Run "proxycfg.exe /?". This will list current proxy settings.
  - Check the registry: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings and HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings. If ProxyEnable is set to 0x00000000 (0), then the proxy is disabled.
  - Export the HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings registry settings from a DC where there is no error and import them to the problematic DC.
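The registry check above can be scripted so that the same values are collected on a working DC and on the failing one and then compared. This is an added example, not part of DirectoryLink; ProxyEnable and the two key paths come from the article, while the other value names and the output file name are assumptions.

```powershell
# Added example (not vendor code): collect proxy values from both hives for comparison.
$hives = @(
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'Registry::HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
)
# ProxyEnable comes from the article; ProxyServer, ProxyOverride and AutoConfigURL are
# standard Internet Settings values, included here as an assumption about what is useful.
$names = 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL'

$rows = foreach ($hive in $hives) {
    if (-not (Test-Path -LiteralPath $hive)) {
        Write-Warning "Key not found: $hive"
        continue
    }
    $props = Get-ItemProperty -LiteralPath $hive
    foreach ($name in $names) {
        $value = $props.$name
        if ($null -eq $value) { $value = '<not set>' }
        New-Object PSObject -Property @{
            Computer = $env:COMPUTERNAME
            Hive     = ($hive -split '\\')[1]    # .DEFAULT or S-1-5-18
            Name     = $name
            Value    = $value
        }
    }
}
$rows | Format-Table Computer, Hive, Name, Value -AutoSize

# ProxyEnable is a DWORD; any non-zero value means a proxy is enabled for that profile.
$rows | Where-Object { $_.Name -eq 'ProxyEnable' -and $_.Value -is [int] -and $_.Value -ne 0 } |
    ForEach-Object { Write-Warning "Proxy enabled in $($_.Hive) on $($_.Computer)" }

# Save one file per DC (hypothetical file name), then diff the two files with Compare-Object.
$rows | Select-Object Computer, Hive, Name, Value |
    Export-Csv -NoTypeInformation -Path ".\proxy-$($env:COMPUTERNAME).csv"
```

Run it from an elevated PowerShell prompt on each DC; comparing the two outputs shows exactly which values an export and import would change.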
If it is none of the above,
- Look for any errors/warnings that appeared in the Application log during installation. Navigate to Start > right-click My Computer > Manage > System Tools > Event Viewer > Application to view logs.
The server is not operational
System.Runtime.InteropServices.COMException (0x8007203A): The server is not operational.
- This error means that Microsoft AD services are not running on the DC. You can get these errors after a reboot, when the DirectoryLink service started before Microsoft AD services. After Microsoft AD services are started, the error goes away.
TCP error code 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond [server_IP]:443
The HTTP request to https://controlpanel.msoutlookonline.net/WebServices/AdSyncDataService/SyncDataService.svc has exceeded the allotted timeout of 00:00:57.3740000. The time allotted to this operation may have been a portion of a longer timeout
- The above error usually indicates temporary network issues and does not affect the synchronization process.
- In case you notice delays in synchronization, you need to check firewall settings and verify that connections to the server are not blocked.
If synchronization doesn’t work for a specific user
- Check the AdSync service state on all DCs. To view its state, navigate to Start > right-click My Computer > Manage > Services and Applications > Services. The AdSync service should be in the "Running" state.
- Is the user linked?
- Is the property in the list of properties that are supported?
- UPN: the domain must be added to CONTROL PANEL.
- Country and State values should match the ones listed in dropdown on the Mailboxes General properties page in Control Panel. Other values will not be imported.
- Each field has its length limitation. If some properties were imported, but cut in length, that means they didn't match the field length requirements.
- Verify the property is chosen for synchronization in CONTROL PANEL > Services > DirectoryLink > Settings.
Password will not synchronize
If the password is not synchronized for one of the users, try the following troubleshooting steps:
- Check if the password meets password requirements.
- Unlink user in the CONTROL PANEL > wait 5 minutes > link user again in CONTROL PANEL > change password in the local Active Directory > allow 15 minutes for propagation > log in to OWA.
- Check that each DC's "Notification Packages" registry value contains the "PasswordFilter" line, and manually add this line if it's not in the list. Once you add the line, you must restart the DC. See more details below:
  - Start > Run > type cmd and hit Enter > type regedit and hit Enter;
  - Find HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control > click on LSA > double-click on Notification Packages > make sure there is a line "PasswordFilter".
  - Check that c:\windows\system32\passwordfilter.dll exists.
- Stop the ADSync service on all Domain Controllers > wait 5 minutes > restart the service > reset password > wait for 15 minutes > log in to OWA.
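The "Notification Packages" and DLL checks above can be run as one script on each DC. This is an added example, not part of DirectoryLink: the registry key, the PasswordFilter entry and the DLL location come from the article, while the $baseline list of default Windows packages is an assumption to adjust for your environment.

```powershell
# Added example (not vendor code): audit LSA password-filter registration on this DC.
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'Notification Packages'
$required  = 'PasswordFilter'          # entry the article says must be present
# Assumption: packages Windows commonly registers by default. Replace with your own baseline.
$baseline  = @('scecli', 'rassfm')

# The value is REG_MULTI_SZ, so PowerShell returns one string per line.
$packages = @((Get-ItemProperty -Path $lsaKey -Name $valueName).$valueName) |
    Where-Object { $_ }

$report = foreach ($pkg in $packages) {
    # Packages are listed by name and are loaded from System32 as <name>.dll.
    $dll     = Join-Path $env:SystemRoot "System32\$pkg.dll"
    $present = Test-Path -LiteralPath $dll
    # Older PowerShell versions can report catalog-signed system files as NotSigned,
    # so treat the status as a prompt for review, not as a verdict.
    $status  = if ($present) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
    New-Object PSObject -Property @{
        Package    = $pkg
        DllPresent = $present
        Signature  = $status
        Expected   = (($baseline + $required) -contains $pkg)
    }
}
$report | Format-Table Package, DllPresent, Signature, Expected -AutoSize

if ($packages -notcontains $required) {
    Write-Warning "'$required' is missing from '$valueName'; add it and restart the DC."
}
$report | Where-Object { -not $_.Expected } | ForEach-Object {
    Write-Warning "Unrecognized package '$($_.Package)': confirm it belongs on this DC."
}
```

Every DLL in this list is loaded into the LSA process and is handed new passwords when they are set, so an entry outside your baseline or a missing DLL is worth investigating before the DC is restarted.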
Provide Support with the following information for troubleshooting:
- Results of any tests/checks.
- Errors/warnings from application log.
- Click this link from the domain controller and submit the results:
- The time (and time zone) and date when the last attempt to make changes happened.
- The user, the property and the value you wanted to synchronize at the specified time.
- Also you may include msinfo32 information. On each domain controller, go to Start > Run and type "msinfo32". In the System Information window, click File > Save and save it as an .NFO file.