Introduction
This document describes how to troubleshoot the "ADSync RunDiff" error in the Active Directory (AD) Connector logs.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on Cisco Umbrella.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Problem
You see errors similar to these in the AD Connector logs:
ADSync RunDiff error: System.Runtime.InteropServices.COMException (0x80070005): Access is denied.\x0D\x0A\x0D\x0A at System.DirectoryServices.SearchResultCollection.ResultsEnumerator.MoveNext()\x0D\x0A at System.DirectoryServices.SearchResultCollection.get_InnerList()\x0D\x0A at System.DirectoryServices.SearchResultCollection.get_Count()\x0D\x0A at LDIFManager.RunDiff(StringBuilder& sbIn, String sPath, String sDomain, String sFilter, Boolean bDropCookie, String& sError)
There are two scenarios where this issue can happen:
1. .NET 3.5.1 SP1 is not installed.
2. The user is missing the Replicate Directory Changes and Read permissions. One symptom of this is that the OpenDNS_Connector user account can read the AD tree via LDIFDE, but the connector still returns "Access is denied."
Solution
To add the necessary Replicate Directory Changes and Read permissions, complete these steps:
1. Open the Active Directory Users and Computers snap-in.
2. On the View menu, select Advanced Features.
3. Right-click the domain object, and then select Properties.
4. On the Security tab, if the desired user account (OpenDNS_Connector or Cisco_connector) is not listed, select Add. If the desired user account is listed, continue to step 7.
5. In the Select Users, Computers, or Groups dialog, select the desired user account, and then select Add.
6. Select OK to return to the Properties dialog.
7. Select the desired user account.
8. Select the Replicating Directory Changes and Read check boxes from the list.
9. Select Apply > OK.
10. Close the snap-in.



If the issue is caused by .NET 3.5.1 SP1 not being installed, download it from the Microsoft website.
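
To confirm which of the two scenarios applies, the following PowerShell check can be run on the connector host. It is an added example, not part of the original Cisco document or the connector's own tooling. It assumes the ActiveDirectory (RSAT) module is installed, that the account name is set in $Account, and it inspects only permissions granted to the account directly, not through group membership.

```powershell
# Added example: checks both causes of the "Access is denied" RunDiff error.
# Assumptions: RSAT ActiveDirectory module present; run as a user who can read the domain ACL.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$Account = 'OpenDNS_Connector'   # or Cisco_connector, as in step 4

# rightsGuid of the "Replicating Directory Changes" control access right
$ReplChanges = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
$GenericRead = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$Extended    = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Scenario 1: is .NET Framework 3.5 with SP1 installed on this host?
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' `
        -ErrorAction SilentlyContinue
$dotNetOk = [bool]($ndp -and $ndp.Install -eq 1 -and $ndp.SP -ge 1)

# Scenario 2: Allow ACEs on the domain object that name the account directly.
# Rights inherited from a group the account belongs to are NOT detected here.
$domainDn = (Get-ADDomain).DistinguishedName
$aces = (Get-Acl -Path "AD:\$domainDn").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -like "*\$Account"
}

# "Read" in the Security tab corresponds to the GenericRead bit set.
$hasRead = [bool]($aces | Where-Object {
    ([int]$_.ActiveDirectoryRights -band $GenericRead) -eq $GenericRead
})

# An extended-right ACE matches if it names the right's GUID,
# or carries an empty ObjectType (all extended rights).
$hasRepl = [bool]($aces | Where-Object {
    ([int]$_.ActiveDirectoryRights -band $Extended) -and
    ($_.ObjectType -eq $ReplChanges -or $_.ObjectType -eq [guid]::Empty)
})

[pscustomobject]@{
    Account                     = $Account
    DotNet35SP1Installed        = $dotNetOk
    Read                        = $hasRead
    ReplicatingDirectoryChanges = $hasRepl
}
```

Any False in the output points to the matching fix above. An ACE with an empty ObjectType grants every extended right on the domain, which is broader than the single permission the steps call for.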