You may encounter a condition in which Azure Active Directory synchronization stops working, for example in an environment that is using directory synchronization for Office 365.

The Operations view of the Synchronization Service Manager (miisclient.exe) will display a status of “stopped-extension-dll-exception” for operations on the Windows Azure Active Directory Connector.

azure-ad-sync-stopped-extension-dll-exception-01

The Application event log of the directory synchronization server may log the following entries:

Log Name:      Application
Source:        Directory Synchronization
Date:          26/02/2015 10:34:00 AM
Event ID:      0
Description:
Update your password and try again. GetAuthState() failed with -2147186688 state.
HResult:0. Contact Technical Support.  (0x80048831)

Log Name:      Application
Source:        Directory Synchronization
Date:          26/02/2015 10:34:00 AM
Event ID:      109
Description:
Failure while importing entries from Windows Azure Active Directory. Exception:
Microsoft.Online.Coexistence.ProvisionException:  Update your password and try
again. ---> Microsoft.Online.Coexistence.Security.WindowsLiveException:
GetAuthState() failed with -2147186688 state. HResult:0.

A likely cause of this issue is an expired password for the account used to connect to Azure Active Directory. To determine which user account is used look in the Management Agents view of the Synchronization Service Manager (miisclient.exe), open the Properties of the Windows Azure Active Directory Connector and select the Connectivity settings.

azure-ad-sync-stopped-extension-dll-exception-02

If you know the expired password you can login to the Office 365 portal with that username and password, and follow the prompts to update the expired password. Then return to the Synchronization Service Manager and update the configuration with the new password.

If you would like to set a non-expiring password for the account you can configure this using the Azure Active Directory PowerShell Module.

Install the Azure AD PowerShell module if you have not already installed it. Open a PowerShell console and connect to Azure AD, entering your admin credentials when prompted.

PS C:\> Connect-MsolService

Configure the account to have a non-expiring password. When you do this for an account with an expired password the existing password will begin working again as well.

PS C:\> Set-MsolUser -UserPrincipalName o365admin@office365bootcamp.net -PasswordNeverExpires $true

The next directory synchronization operations should complete successfully.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Flash

    Dear Bob, THANK YOU, the TLS enable worked for me.
    THANK YOU!

  2. Gino

    Thank’s a lot! Fixed my Problem.

  3. Terry H.

    TLS 1.2 requirement for version 2.3.20 was my issue.

    Amusing how this article is solving a problem it wasn’t written for. Heh

    1. John A.

      Thanks! I also got this issue, solved by enabling TLS 1.2 (not what was mentionned in this article)

      1. Avatar photo
        Tony Redmond

        Probably because TLS 1.2 is now required pretty well everywhere in Microsoft 365…

  4. hamed

    Thank you so much , you fixed my issue

  5. Bob J

    I just had this exact error when I upgraded AzureAdConnect from 2.3.8 to 2.3.20 (July 2024). I tried everything but my solution was: “TLS 1.2 enforcement for Microsoft Entra Connect”.
    Link: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/reference-connect-tls-enforcement#powershell-script-to-check-tls-12

    1. Run the PowerShell script to check the current TLS 1.2 settings.
    2. Run the PowerShell script to enforce TLS 1.2.
    3. Reboot

    Afterwards, the “Stopped-Extension-DLL-Exception” error during exports disappeared and AAD sync was successful.
    Hope this helps someone.

    1. Bas

      Awesome, had the same issue after upgrading to 2.3.20.

      Thanks!

    2. Josh Pillow

      Bob, you were a lifesaver. I just upgraded today and ran into this exact scenario and nothing worked except for your suggestion. Thank you!

    3. Janis

      Thank You.
      enabling TLS1.2 also fixed the no-start-ma issue

    4. Adog

      Yeah this wasthe problem after upgrading to 2.3.20.0
      I was thinking it was DNS, or account passwords so i reset them and repaired the connector…as i had no issues before the update…

      thank you BOB!

    5. Mike

      Thank you!!! My sync broke after I updated my Entra ID Connect Sync and it took me a week to find your post. This fixed my issue, Thanks!!!

    6. Phil

      This resolved it for me after upgrading to the latest version. Thanks for the Info

    7. Doug

      Thanks a million! TLS 1.2 was my issue

    8. Subhash Debnath

      Hi Bob,
      Thanks for sharing the link it helps me resolve the issue.

  6. Matthew

    Thank you SO VERY MUCH – blood pressure returning – cannot thank you enough for this article!

  7. Nuno Alexandre

    Setting an admin user as the Azure AD Connector account is a really bad practice, this idea is completely outdated and is more than 6 years old! Pratical365 should be more careful in updating their articles as this information is completely ancient and misleading.
    You should let AADConnect manage its connector accounts which will create a special service account in AD/Azure AD.
    AADConnect includes a cmdlet to reset the Azure AD Connector account and password (for many years now) – Add-ADSyncAADServiceAccount
    Also, on the latest release (1.6), AADConnect also includes a cmdlet to reset the On-premises AD DS Connector account and password – Add-ADSyncADDSConnectorAccount

    1. Avatar photo
      Tony Redmond

      You’re correct that this is an old article. And old articles don’t get updated very often. In fact, if you look across most blogs, you’ll find very few instances where articles are systematically updated on an ongoing basis. There’s too much work to do to keep on going back to review text periodically to detect when changes occur and authors are not paid for this effort. Which is why you should treat any article that’s more than a few months old with caution and always test the assertions made to ensure that they report what you see with the latest software.

  8. Jim D

    This is the first post that comes up on a web search for Stopped-Extension-DLL-Exception, so here’s another reason for this error: your firewall is blocking autologon.microsoftazuread-sso.com

    See if you can get to that link from your Azure AD Connect server.

  9. Blair Tryba

    In my case, turns out it was because the Sync Service user account had Multi-Factor authentication turned on.

    Looks like it got turned on when the rest of the user accounts had multi-factor enabled in bulk.

    Disabling Multi-Factor Authentication for the Sync user account (found under the Properties > Connectivity) worked for me

    1. E.R.

      This was it for me!

      I just configured Conditional Access with required MFA and selected ‘All users’.
      This was the problem as you stated.

      Thanks!

  10. R Artes

    Thanks, it only took me 2 days to find this post. I followed your instructions, worked first time. Great job!!!

  11. Binary

    Hi Paul,
    After changing password also I am getting stopped-extension-dll-exception error. do i need to wait after resetting password?
    Any other steps is required?

      1. Binary

        Changing password of cloud Admin which was configured under Synchronization Service Manager. Also I made sure check box is not checked to change password in next login.

        1. Avatar photo
          Paul Cunningham

          I can’t see your environment or what you’ve done. You have to explain exactly what you’re doing, every step, for me to understand your scenario. Changing it where/how?

  12. DG

    Problem solved! This is the first website I come to when searching for anything O365 or Exchange.. thanks for the time you put into this website.

  13. Robert

    First hit on Google Search and it worked. Thanks for the help

  14. Jansen

    I have spent hours trying to fix this after the password expired and changed. Thanks for this article!

  15. Hanno

    Thanks for posting this. Was pulling my hair out over this as none of the other solutions worked.

  16. ajhstn

    Ah great work, thanks so much! fixed my problem!

Leave a Reply