Skip to main content

Azure Active Directory Connect Password Sync Issues

By May 22, 2017September 16th, 2020Blog, Microsoft, Office 365, Virtualization
Azure Active Directory

Azure Active Directory Issue:

If you get “Last synced more than 3 days ago” in your DirSync Status via O365 portal, we’ve got a fix.

Azure Active Directory Password Sync Status

You may notice Event 611, Directory Synchronization and RPC Error 8453: Replication access was denied in the Application log.

Azure Active Directory Synchronization and RPC Error

The Resolution:

This is a well-known fix for the following issue; please ensure you’ve added these rights before running the script provided below.

In order to synchronize credentials, the Azure Active Directory Domain Services connector (management agent) account needs both of the following extended rights assigned on each in-scope domain naming context/partition:

  • Replicating Directory Changes
  • Replicating Directory Changes All

Here’s a screenshot of the permissions assignment using the Active Directory Domain Services (AD DS) Users and Computers MMC snap-in.

Azure Active Directory Permissions Assignment

Once you’ve ensured your account rights are set as shown above, run the following on your Azure AD Connect Server. Be sure to update the domain values below for your environment.

$adConnector  = “”
$aadConnector = “ – AAD”
Import-Module adsync
$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter “Microsoft.Synchronize.ForceFullPasswordSync”, String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c = Add-ADSyncConnector -Connector $c
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

Now let’s force a sync. Open Windows Azure Active Directory Module for Windows PowerShell as an Administrator. Once open, run the following commands for delta or full.

Delta Sync


Azure Active Directory Delta Sync

Full Sync

“Start-ADSyncSyncCycle initial”

Azure Active Directory Full Sync

Full log for reference:

Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error

8453 : Replication access was denied. There was an error calling _IDL_DRSGetNCChanges.

at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnGetChanges(ReplicationState

at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.GetChanges(ReplicationState

at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1

operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)

at Microsoft.Online.PasswordSynchronization.DeltaSynchronizationTask.SynchronizeCredentialsToCloud()

at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()

at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()

at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext


Brandon Stuart, PEI

Leave a Reply