You may encounter a condition in which Azure Active Directory synchronization stops working, for example in an environment that is using directory synchronization for Office 365.

The Operations view of the Synchronization Service Manager (miisclient.exe) will display a status of “stopped-extension-dll-exception” for operations on the Windows Azure Active Directory Connector.

azure-ad-sync-stopped-extension-dll-exception-01

The Application event log of the directory synchronization server may log the following entries:

Log Name:      Application
Source:        Directory Synchronization
Date:          26/02/2015 10:34:00 AM
Event ID:      0
Description:
Update your password and try again. GetAuthState() failed with -2147186688 state.
HResult:0. Contact Technical Support.  (0x80048831)

Log Name:      Application
Source:        Directory Synchronization
Date:          26/02/2015 10:34:00 AM
Event ID:      109
Description:
Failure while importing entries from Windows Azure Active Directory. Exception:
Microsoft.Online.Coexistence.ProvisionException:  Update your password and try
again. ---> Microsoft.Online.Coexistence.Security.WindowsLiveException:
GetAuthState() failed with -2147186688 state. HResult:0.

A likely cause of this issue is an expired password for the account used to connect to Azure Active Directory. To determine which user account is used look in the Management Agents view of the Synchronization Service Manager (miisclient.exe), open the Properties of the Windows Azure Active Directory Connector and select the Connectivity settings.

azure-ad-sync-stopped-extension-dll-exception-02

If you know the expired password you can login to the Office 365 portal with that username and password, and follow the prompts to update the expired password. Then return to the Synchronization Service Manager and update the configuration with the new password.

If you would like to set a non-expiring password for the account you can configure this using the Azure Active Directory PowerShell Module.

Install the Azure AD PowerShell module if you have not already installed it. Open a PowerShell console and connect to Azure AD, entering your admin credentials when prompted.

PS C:\> Connect-MsolService

Configure the account to have a non-expiring password. When you do this for an account with an expired password the existing password will begin working again as well.

PS C:\> Set-MsolUser -UserPrincipalName o365admin@office365bootcamp.net -PasswordNeverExpires $true

The next directory synchronization operations should complete successfully.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Nuno Alexandre

    Setting an admin user as the Azure AD Connector account is a really bad practice, this idea is completely outdated and is more than 6 years old! Pratical365 should be more careful in updating their articles as this information is completely ancient and misleading.
    You should let AADConnect manage its connector accounts which will create a special service account in AD/Azure AD.
    AADConnect includes a cmdlet to reset the Azure AD Connector account and password (for many years now) – Add-ADSyncAADServiceAccount
    Also, on the latest release (1.6), AADConnect also includes a cmdlet to reset the On-premises AD DS Connector account and password – Add-ADSyncADDSConnectorAccount

    1. Tony Redmond

      You’re correct that this is an old article. And old articles don’t get updated very often. In fact, if you look across most blogs, you’ll find very few instances where articles are systematically updated on an ongoing basis. There’s too much work to do to keep on going back to review text periodically to detect when changes occur and authors are not paid for this effort. Which is why you should treat any article that’s more than a few months old with caution and always test the assertions made to ensure that they report what you see with the latest software.

  2. Jim D

    This is the first post that comes up on a web search for Stopped-Extension-DLL-Exception, so here’s another reason for this error: your firewall is blocking autologon.microsoftazuread-sso.com

    See if you can get to that link from your Azure AD Connect server.

  3. Blair Tryba

    In my case, turns out it was because the Sync Service user account had Multi-Factor authentication turned on.

    Looks like it got turned on when the rest of the user accounts had multi-factor enabled in bulk.

    Disabling Multi-Factor Authentication for the Sync user account (found under the Properties > Connectivity) worked for me

    1. E.R.

      This was it for me!

      I just configured Conditional Access with required MFA and selected ‘All users’.
      This was the problem as you stated.

      Thanks!

  4. R Artes

    Thanks, it only took me 2 days to find this post. I followed your instructions, worked first time. Great job!!!

  5. Binary

    Hi Paul,
    After changing password also I am getting stopped-extension-dll-exception error. do i need to wait after resetting password?
    Any other steps is required?

      1. Binary

        Changing password of cloud Admin which was configured under Synchronization Service Manager. Also I made sure check box is not checked to change password in next login.

        1. Paul Cunningham

          I can’t see your environment or what you’ve done. You have to explain exactly what you’re doing, every step, for me to understand your scenario. Changing it where/how?

  6. DG

    Problem solved! This is the first website I come to when searching for anything O365 or Exchange.. thanks for the time you put into this website.

  7. Robert

    First hit on Google Search and it worked. Thanks for the help

  8. Jansen

    I have spent hours trying to fix this after the password expired and changed. Thanks for this article!

  9. Hanno

    Thanks for posting this. Was pulling my hair out over this as none of the other solutions worked.

  10. ajhstn

    Ah great work, thanks so much! fixed my problem!

Leave a Reply