Azure Active Directory Issue:
If you see "Last synced more than 3 days ago" under DirSync Status in the O365 portal, we've got a fix.
On the Azure AD Connect server you will also notice Event ID 611 from source Directory Synchronization in the Application log, with RPC Error 8453: Replication access was denied.
The Resolution:
This is the well-known fix for this issue; make sure the rights below are in place before running the script provided further down.
To synchronize password hashes, the account Azure AD Connect uses for its on-premises connector (the AD DS Connector account, also called the management agent account; not the Azure AD Domain Services product) needs both of the following extended rights on each in-scope domain naming context/partition:
- Replicating Directory Changes
- Replicating Directory Changes All
Between them these rights allow reading every account's secrets out of the directory, exactly as a domain controller does when it replicates, so treat the connector account as a privileged credential and grant the rights only on the partitions the connector actually syncs.
The original article shows a screenshot of this permissions assignment made with the Active Directory Domain Services (AD DS) Users and Computers MMC snap-in (Security tab of the domain object, Advanced).
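As an added example (not part of the original PEI article), the following PowerShell does the same check and assignment from the command line, and additionally lists every principal that holds either replication right on the domain partition, since any unexpected holder has what it needs to dump password hashes (DCSync). The domain name, the connector account name and the list of expected default holders are assumptions to adjust for your environment; run it once per in-scope domain.

```powershell
# Added example, not from the original PEI article: audit who holds the two replication
# extended rights on the domain partition and grant them to the AD DS Connector account
# if they are missing. Assumed values are marked; adjust them for your environment.
Import-Module ActiveDirectory

$Domain           = 'domain.com'                 # assumption: your AD DS domain
$ConnectorAccount = 'DOMAIN\MSOL_0123456789ab'   # assumption: the AD DS Connector account

# rightsGuid values of the two extended rights, taken from the AD schema (Extended-Rights container).
$GetChanges    = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # Replicating Directory Changes
$GetChangesAll = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # Replicating Directory Changes All

function Get-RightName([Guid]$ObjectType) {
    if ($ObjectType -eq $GetChangesAll) { 'Replicating Directory Changes All' } else { 'Replicating Directory Changes' }
}

$adDomain = Get-ADDomain -Identity $Domain
$aclPath  = "AD:\$($adDomain.DistinguishedName)"   # the AD: PSDrive comes with the ActiveDirectory module

# Return every Allow ACE on the domain NC that grants either replication right.
function Get-ReplicationRightHolders {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            ($_.ObjectType -eq $GetChanges -or $_.ObjectType -eq $GetChangesAll)
        } |
        ForEach-Object {
            [pscustomobject]@{ Principal = $_.IdentityReference.Value; Right = Get-RightName $_.ObjectType }
        }
}

# Add both ACEs for the connector account. AddAccessRule merges duplicates, so re-running is safe.
function Grant-ReplicationRights {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Account)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier])
    $acl = Get-Acl -Path $Path
    foreach ($right in $GetChanges, $GetChangesAll) {
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $right)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path $Path -AclObject $acl
}

$holders = Get-ReplicationRightHolders -Path $aclPath
$holders | Sort-Object Principal, Right | Format-Table -AutoSize

# Assumption: principals that normally hold these rights. Anything else can DCSync the domain
# and deserves a second look before you move on to fixing the connector.
$expected = @('BUILTIN\Administrators',
              'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
              "$($adDomain.NetBIOSName)\Domain Controllers",
              "$($adDomain.NetBIOSName)\Enterprise Read-only Domain Controllers",
              $ConnectorAccount)
$holders | Where-Object { $_.Principal -notin $expected } |
    ForEach-Object { Write-Warning "Unexpected holder of '$($_.Right)': $($_.Principal)" }

$have = ($holders | Where-Object Principal -eq $ConnectorAccount).Right
if (($have -contains 'Replicating Directory Changes') -and ($have -contains 'Replicating Directory Changes All')) {
    "$ConnectorAccount already holds both replication rights on $($adDomain.DistinguishedName)."
} else {
    Grant-ReplicationRights -Path $aclPath -Account $ConnectorAccount
    "Granted both replication rights to $ConnectorAccount on $($adDomain.DistinguishedName)."
}
```

Run it as an account that can modify the domain object's security descriptor (Domain Admins by default). If the warning fires for a principal you do not recognize, investigate that before proceeding: the password sync failure is an availability problem, but an unexpected holder of these rights is a credential-theft problem.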
Once you've confirmed the rights are in place, run the following on your Azure AD Connect server to force a full password hash sync. Update the two connector names for your environment; they must match exactly what Get-ADSyncConnector returns (names are case sensitive, and the Azure AD connector is normally named after the tenant, for example tenant.onmicrosoft.com - AAD).
$adConnector  = "domain.com"          # name of the on-premises AD DS connector
$aadConnector = "domain.com - AAD"    # name of the Azure AD connector
Import-Module adsync
$c = Get-ADSyncConnector -Name $adConnector
# Set the ForceFullPasswordSync global parameter on the AD connector so the next password sync cycle is a full one
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c
# Turn password hash sync off and back on so the new parameter is picked up
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true
Now let's force a sync. On the Azure AD Connect server, open Windows PowerShell as an administrator and import the ADSync module that ships with Azure AD Connect (Start-ADSyncSyncCycle lives there, not in the Windows Azure Active Directory Module for Windows PowerShell). Then run one of the following:
Delta Sync
Start-ADSyncSyncCycle -PolicyType Delta
Full Sync
Start-ADSyncSyncCycle -PolicyType Initial
Full log for reference:
Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8453 : Replication access was denied. There was an error calling _IDL_DRSGetNCChanges.
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnGetChanges(ReplicationState syncState)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.GetChanges(ReplicationState replicationState)
   at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
   at Microsoft.Online.PasswordSynchronization.DeltaSynchronizationTask.SynchronizeCredentialsToCloud()
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()
   at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()
   at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)
Brandon Stuart, PEI