Azure AD Connect Sync Service not running errors usually trace back to the ADSync Windows service, its account rights, or connectivity issues.
Why Azure AD Connect Sync Service Not Running Hurts Your Setup
When the azure ad connect sync service not running alert lands in your inbox, the impact reaches far beyond a single warning.
Azure AD Connect (now called Microsoft Entra Connect) sits between your on-premises Active Directory and Microsoft Entra ID.
The Microsoft Azure AD Sync service (ADSync) moves password hashes, group membership, and identity changes on a schedule, so cloud sign-ins line up with your on-prem directory.
Once the ADSync service stops, new users may not show up in Microsoft 365, group changes can stall, and password updates no longer reach the cloud.
That can cause failed sign-ins, confused users, and extra work for admins who end up making manual fixes in multiple places.
In short, keeping this sync service running steadily is part of keeping hybrid identity predictable and low-friction for everyone.
The good news: most cases of Azure AD Connect Sync Service not running come down to a handful of familiar roots—stopped services, missing rights on the ADSync account, network or proxy blocks, or a broken dependency such as the wrong .NET runtime version.
Once you walk those areas in a structured way, the sync engine usually comes back to life without a rebuild of the server.
Quick Checks When Azure AD Connect Sync Service Not Running Errors Appear
Before you dive into deeper repair steps, a short health check often reveals an obvious cause.
These checks help you confirm whether the ADSync service is truly down, stuck in the middle of a restart, or blocked by something simple on the server.
- Confirm The Service Status — Open services.msc, search for Microsoft Azure AD Sync (ADSync), and see if the status shows Running, Stopped, or Starting.
- Check The Server Load — Open Task Manager and see whether CPU or memory sits pegged. A busy domain controller or connector server can delay or stall service starts.
- Verify The Sync Host — Make sure you are checking the box that actually hosts Azure AD Connect, not a random member server with only tools installed.
- Look For Recent Changes — Think about patches, group policy updates, antivirus rollouts, or password changes on service accounts that landed around the time the alert began.
- Review Azure Portal Alerts — In Microsoft 365 admin or Entra ID, review health alerts for the sync client. The messages often quote the same issue your email alert mentions and can hint at the root cause.
During this pass, jot down exact error text from any pop-up or alert.
Those strings often match known issues documented by Microsoft and can speed up the rest of your troubleshooting.
Start The Microsoft Azure AD Sync Service Safely
Once you have confirmed that the Microsoft Azure AD Sync service is stopped, the next step is a clean start attempt.
Many azure ad connect sync service not running cases resolve as soon as ADSync starts and stays up for more than a few minutes.
- Start The ADSync Service — In services.msc, right-click Microsoft Azure AD Sync and choose Start. Watch for any error banner that appears.
- Set Startup To Automatic — Open the service Properties dialog and set Startup type to Automatic so the service comes up during every boot.
- Restart The Connect Wizard — Launch the Microsoft Entra Connect wizard and confirm that the usual welcome screen appears instead of an error about the sync service not running.
- Force A Delta Sync — Open an elevated PowerShell window on the sync server and run
Start-ADSyncSyncCycle -PolicyType Deltato confirm that a run completes without errors.
If the service starts and then stops again after a short period, you often face either a logon failure on the ADSync account or a missing right such as Log on as a service.
In that case, the next section gives you a focused path through service account checks.
Fix ADSync Service Account Logon And Permission Problems
The ADSync Windows service runs under a special account.
On many setups this is the virtual account NT SERVICE\ADSync; on some older or custom builds, it might be a domain service account created by the setup wizard.
If that account loses rights or its password drifts out of sync, the service refuses to start and throws logon errors.
- Check The Log On Tab — In the ADSync service Properties, open the Log On tab and confirm which account the service uses. That name will guide the rest of your checks.
- Review Group Policy Rights — Using secpol.msc or domain Group Policy, ensure the ADSync account has Log on as a service, Log on locally, and Log on as a batch job rights on the sync server.
- Reset A Domain Service Account Password — If you use a domain account and see “logon failure” errors, reset the password in Active Directory Users and Computers, then update the same password in the service Log On tab and restart the service.
- Confirm The Account Is Active — Make sure the service account isn’t disabled, locked, or restricted by conditional access or security baselines that landed recently.
- Scan For GPO Overwrites — If the Log on as a service entry is greyed out in Local Security Policy, a domain GPO controls it. Edit the GPO instead of the local policy and add the ADSync account there.
When you correct these rights, restart the Microsoft Azure AD Sync service once again.
If it finally stays on, run another delta sync cycle and confirm that users and groups update in Entra ID within the usual window.
Common Symptoms And Fast Fixes
This compact view links the most common service-start errors to the first action you should take on the server.
| Symptom | Likely Cause | First Action |
|---|---|---|
| ADSync service shows Stopped and won’t start | Missing service rights or bad password on service account | Fix Log on as a service rights and reset the account password if needed |
| Service stuck on Starting for a long time | High CPU, I/O, or a hung dependency | Check Task Manager, Event Viewer, and restart the server during a maintenance window |
| Sync wizard shows “sync service is not running” | ADSync service never started or stopped quickly after launch | Start the service in services.msc and review recent Application log errors |
Deal With Network, Proxy, And Dependency Issues Blocking Sync
Sometimes the ADSync service starts, but Azure AD Connect Sync Service Not Running alerts still appear because the engine can’t reach Microsoft endpoints or a required component refuses to load.
A few targeted checks around connectivity and dependencies can clear these stubborn cases.
- Test Basic Internet Reachability — From the sync server, open a browser and reach sign-in pages such as
https://login.microsoftonline.com. If this fails, fix outbound access first. - Review Proxy Settings — If your setup uses an outbound proxy, confirm that the ADSync service account can reach Entra ID endpoints. Sometimes a proxy rule allows user sessions but blocks service accounts.
- Open Required Ports — Check firewalls between the sync server and the internet. TLS ports such as 443 to Microsoft cloud endpoints must remain open for sync to work.
- Check .NET Runtime Version — Newer Entra Connect builds need a current .NET runtime. If the server runs an older version, install the required build (for many current releases, .NET 4.7.1 or later) and reboot.
- Scan Antivirus And EDR Policies — Security tools sometimes block the ADSync executable or its folders. Add approved exclusions for the Azure AD Connect program path when you see blocked process events.
After any network or dependency change, restart the Microsoft Azure AD Sync service and repeat a delta sync run.
If connectivity was the missing piece, your next sync cycle should complete cleanly and fresh events should appear in the Azure AD Connect logs.
Use Logs And The Microsoft Entra Connect Troubleshooter
When the quick actions above don’t fully clear the issue, logs and built-in tools provide deeper insight without heavy manual digging.
Microsoft ships a troubleshooting task inside newer Entra Connect builds that walks common object and service issues through an automated menu.
- Run The Entra Connect Troubleshooter — Launch the Microsoft Entra Connect wizard, choose Additional tasks, pick Troubleshoot, and start the troubleshooting PowerShell menu to test object sync and connectivity.
- Review Application And System Logs — In Event Viewer on the sync server, filter recent events for ADSync, .NET runtime, and Service Control Manager around the time the service stopped.
- Read Azure AD Connect Sync Logs — Use the Synchronization Service Manager or log files in the program folder to spot repeating connector errors, credential issues, or schema mismatches.
- Check For Recent Upgrades — If you recently upgraded Entra Connect, match the installed version against Microsoft’s release notes and verify that all post-upgrade steps finished correctly.
- Correlate With Cloud Alerts — Align local log timestamps with alerts in Entra ID to confirm whether a specific sync cycle failed or the service never launched during that time window.
This deeper view helps you separate one-time glitches from ongoing faults such as a broken connector, a mismatched attribute, or a recurring credential problem.
Once you understand the pattern, the actual repair usually comes down to adjusting a connector, updating a password, or correcting one policy.
Keep Azure AD Connect Sync Healthy Over The Long Term
Getting the service running again is only half the battle.
To lower the chance of another Azure AD Connect Sync Service Not Running alert next week, treat the sync host like any other core infrastructure role and give it steady care.
- Track Version And Patch Levels — Keep Microsoft Entra Connect, Windows Server, and .NET patched to supported builds so the sync engine stays aligned with cloud requirements.
- Limit Extra Roles On The Sync Server — Avoid piling other heavy workloads on the same box. A lean sync server faces fewer resource clashes and restart surprises.
- Document Service Accounts And Rights — Record which account runs ADSync, which groups it belongs to, and which rights it holds so future admins don’t remove something by accident.
- Monitor With Alerts You Trust — Keep email or dashboard alerts in place for sync failures, heartbeat skips, and service stops so you can react early instead of hearing from users first.
- Plan Change Windows — Schedule major updates, antivirus changes, or GPO overhauls during times when a brief sync outage has the least impact on sign-ins.
When you treat the sync host as a steady, well-documented part of your identity stack, most azure ad connect sync service not running problems stay rare and predictable.
Then your directory changes flow on their schedule, users see consistent access, and you spend more time shaping identity strategy instead of chasing surprise outages.