You may encounter a condition in which Azure Active Directory synchronization stops working, for example in an environment that is using directory synchronization for Office 365.
The Operations view of the Synchronization Service Manager (miisclient.exe) will display a status of “stopped-extension-dll-exception” for operations on the Windows Azure Active Directory Connector.
The Application event log of the directory synchronization server may log the following entries:
Log Name: Application Source: Directory Synchronization Date: 26/02/2015 10:34:00 AM Event ID: 0 Description: Update your password and try again. GetAuthState() failed with -2147186688 state. HResult:0. Contact Technical Support. (0x80048831) Log Name: Application Source: Directory Synchronization Date: 26/02/2015 10:34:00 AM Event ID: 109 Description: Failure while importing entries from Windows Azure Active Directory. Exception: Microsoft.Online.Coexistence.ProvisionException: Update your password and try again. ---> Microsoft.Online.Coexistence.Security.WindowsLiveException: GetAuthState() failed with -2147186688 state. HResult:0.
A likely cause of this issue is an expired password for the account used to connect to Azure Active Directory. To determine which user account is used look in the Management Agents view of the Synchronization Service Manager (miisclient.exe), open the Properties of the Windows Azure Active Directory Connector and select the Connectivity settings.
If you know the expired password you can login to the Office 365 portal with that username and password, and follow the prompts to update the expired password. Then return to the Synchronization Service Manager and update the configuration with the new password.
If you would like to set a non-expiring password for the account you can configure this using the Azure Active Directory PowerShell Module.
Install the Azure AD PowerShell module if you have not already installed it. Open a PowerShell console and connect to Azure AD, entering your admin credentials when prompted.
PS C:\> Connect-MsolService
Configure the account to have a non-expiring password. When you do this for an account with an expired password the existing password will begin working again as well.
PS C:\> Set-MsolUser -UserPrincipalName email@example.com -PasswordNeverExpires $true
The next directory synchronization operations should complete successfully.
Thank you SO VERY MUCH – blood pressure returning – cannot thank you enough for this article!
Setting an admin user as the Azure AD Connector account is a really bad practice, this idea is completely outdated and is more than 6 years old! Pratical365 should be more careful in updating their articles as this information is completely ancient and misleading.
You should let AADConnect manage its connector accounts which will create a special service account in AD/Azure AD.
AADConnect includes a cmdlet to reset the Azure AD Connector account and password (for many years now) – Add-ADSyncAADServiceAccount
Also, on the latest release (1.6), AADConnect also includes a cmdlet to reset the On-premises AD DS Connector account and password – Add-ADSyncADDSConnectorAccount
You’re correct that this is an old article. And old articles don’t get updated very often. In fact, if you look across most blogs, you’ll find very few instances where articles are systematically updated on an ongoing basis. There’s too much work to do to keep on going back to review text periodically to detect when changes occur and authors are not paid for this effort. Which is why you should treat any article that’s more than a few months old with caution and always test the assertions made to ensure that they report what you see with the latest software.
This is the first post that comes up on a web search for Stopped-Extension-DLL-Exception, so here’s another reason for this error: your firewall is blocking autologon.microsoftazuread-sso.com
See if you can get to that link from your Azure AD Connect server.
In my case, turns out it was because the Sync Service user account had Multi-Factor authentication turned on.
Looks like it got turned on when the rest of the user accounts had multi-factor enabled in bulk.
Disabling Multi-Factor Authentication for the Sync user account (found under the Properties > Connectivity) worked for me
This was it for me!
I just configured Conditional Access with required MFA and selected ‘All users’.
This was the problem as you stated.
Thanks, it only took me 2 days to find this post. I followed your instructions, worked first time. Great job!!!
After changing password also I am getting stopped-extension-dll-exception error. do i need to wait after resetting password?
Any other steps is required?
Changing which password?
Changing password of cloud Admin which was configured under Synchronization Service Manager. Also I made sure check box is not checked to change password in next login.
I can’t see your environment or what you’ve done. You have to explain exactly what you’re doing, every step, for me to understand your scenario. Changing it where/how?
Problem solved! This is the first website I come to when searching for anything O365 or Exchange.. thanks for the time you put into this website.
First hit on Google Search and it worked. Thanks for the help
I have spent hours trying to fix this after the password expired and changed. Thanks for this article!
Thanks for posting this. Was pulling my hair out over this as none of the other solutions worked.
Ah great work, thanks so much! fixed my problem!