
Azure Active Directory Connect Password Sync Issues

May 22, 2017 (updated September 16, 2020) | Blog, Microsoft, Office 365, Virtualization

[Image: Azure Active Directory]

Azure Active Directory Issue:

If you get “Last synced more than 3 days ago” in your DirSync Status via O365 portal, we’ve got a fix.

[Screenshot: Azure Active Directory password sync status in the Office 365 portal]

On the Azure AD Connect server you may also notice Event ID 611 from the source "Directory Synchronization" in the Application log, reporting RPC Error 8453: Replication access was denied. This is the password hash sync channel failing, not the regular directory sync, so objects may still be syncing while password changes are not.

[Screenshot: Event 611, Directory Synchronization, RPC Error 8453]

The Resolution:

The fix for this error is well known; make sure the rights below are in place before running the script that follows, or the script will simply reproduce the 8453 error.

To synchronize password hashes, Azure AD Connect reads them from a domain controller over the directory replication (DRS) protocol, the same way another DC would. The on-premises Active Directory Domain Services (AD DS) connector account (the MSOL_ account created by express settings, or the custom account you supplied; older documentation calls it the management agent account) therefore needs both of the following extended rights on the root of each in-scope domain naming context/partition:

  • Replicating Directory Changes
  • Replicating Directory Changes All

Note that "Replicating Directory Changes All" is the right that permits reading secret attributes such as password hashes. Any account holding it on the domain partition is effectively domain-admin equivalent (it can perform a DCSync-style extraction of every hash in the domain), so treat the connector account as a Tier 0 credential: do not reuse it for anything else, and audit who else holds these rights while you are in the ACL.

Here’s a screenshot of the permissions assignment using the Active Directory Domain Services (AD DS) Users and Computers MMC snap-in.

[Screenshot: extended rights assignment on the domain partition in the ADUC Security tab (Advanced), applied to "This object only"]
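The same rights can be checked and assigned from PowerShell. The script below is an added example, not from the original post or from Azure AD Connect: it lists every principal on the domain partition that can pull replication data (explicitly, or implicitly through GenericAll or "all extended rights"), then verifies that the connector account holds the two rights and, only when $Grant is set to $true, adds the missing ones. The account name CONTOSO\MSOL_0123456789ab is a placeholder; the two GUIDs are the well-known control-access-right identifiers for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All from the schema's Extended-Rights container. Run it on a machine with the ActiveDirectory module as a user who can modify the domain root ACL.

```powershell
# Added example (not part of the original post or of Azure AD Connect).
# Audits DRS replication rights on the domain partition and, when $Grant is $true,
# grants the two rights the AD DS connector account needs for password hash sync.
Import-Module ActiveDirectory

$ConnectorAccount = 'CONTOSO\MSOL_0123456789ab'   # placeholder: your AD DS connector account
$Grant            = $false                         # audit only unless set to $true

$domain = Get-ADDomain
$ncPath = "AD:\$($domain.DistinguishedName)"

# Control-access-right GUIDs from the schema's Extended-Rights container
$drsRights = @{
    'Replicating Directory Changes'     = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes All' = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$allRight = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$acl = Get-Acl -Path $ncPath

# 1. Audit: every Allow ACE that confers either right, explicitly or via GenericAll /
#    "all extended rights" (empty ObjectType). These are the rights a DCSync attack
#    needs, so the list should be short: DCs, built-in admin groups, the connector account.
Write-Host "Principals able to replicate secrets from $($domain.DistinguishedName):"
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $via = $null
    if ($ace.ActiveDirectoryRights.HasFlag($allRight)) {
        $via = 'GenericAll'
    } elseif ($ace.ActiveDirectoryRights.HasFlag($extRight)) {
        if ($ace.ObjectType -eq [guid]::Empty) {
            $via = 'All extended rights'
        } else {
            $match = $drsRights.GetEnumerator() | Where-Object { $_.Value -eq $ace.ObjectType }
            if ($match) { $via = $match.Key }
        }
    }
    if ($via) { '{0,-45} {1}' -f $ace.IdentityReference.Value, $via }
}

# 2. Verify (and optionally grant) both explicit rights for the connector account.
$changed = $false
foreach ($r in $drsRights.GetEnumerator()) {
    $present = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $ConnectorAccount -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag($extRight) -and
        $_.ObjectType -eq $r.Value
    }
    if ($present) { Write-Host "OK: $ConnectorAccount has '$($r.Key)'"; continue }

    Write-Warning "$ConnectorAccount lacks '$($r.Key)'; password hash sync will log Event 611 / RPC 8453"
    if (-not $Grant) { continue }

    $sid = (New-Object System.Security.Principal.NTAccount($ConnectorAccount)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    # Applied to "This object only": replication rights live on the NC head and are not inherited.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $extRight, [System.Security.AccessControl.AccessControlType]::Allow,
        $r.Value, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($ace)
    $changed = $true
}

if ($Grant -and $changed) {
    Set-Acl -Path $ncPath -AclObject $acl
    Write-Host 'Rights granted; re-run with $Grant = $false to verify the ACL.'
}
```

Leave $Grant at $false on the first run and read the audit output: an unexpected service account or user in that list is worth an investigation before you touch the connector account, since it has the same read-every-hash capability the connector needs. In a multi-domain forest, run the script once per domain (Get-ADDomain -Identity) because the rights are per partition.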

Once your account rights are set as shown above, run the following on your Azure AD Connect server in an elevated PowerShell session. It flags the AD connector for a full password sync and then toggles password hash sync off and on so the flag is picked up. Replace the two connector names with the ones from your environment; they are case-sensitive and must match the output of Get-ADSyncConnector | Select-Object Name exactly (the Azure AD connector is normally named "<tenant>.onmicrosoft.com - AAD").

# Case-sensitive connector names as shown by Get-ADSyncConnector
$adConnector  = "domain.com"
$aadConnector = "domain.com - AAD"
Import-Module adsync
$c = Get-ADSyncConnector -Name $adConnector
# Connector-global parameter that requests a full (rather than delta) password sync on the next pass
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
# Write the modified connector back to the sync service
$c = Add-ADSyncConnector -Connector $c
# Disable and re-enable password hash sync so the full-sync flag takes effect
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

Now let's force a sync. Start-ADSyncSyncCycle is part of the ADSync module that ships with Azure AD Connect, so run it on the Azure AD Connect server itself in a PowerShell session opened as Administrator (Import-Module ADSync if the cmdlet is not found; the Azure Active Directory/MSOnline module does not contain it). Run one of the following for a delta or a full sync. The cmdlet refuses to start if a cycle is already running; check Get-ADSyncScheduler and its SyncCycleInProgress value first.

Delta Sync

Start-ADSyncSyncCycle -PolicyType Delta

[Screenshot: Azure Active Directory delta sync]

Full Sync

Start-ADSyncSyncCycle -PolicyType Initial

[Screenshot: Azure Active Directory full sync]
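To confirm the fix actually took, tie the pieces together: check the scheduler state, confirm password hash sync is still enabled after the toggle above, start the cycle, wait for it, and then read the Directory Synchronization events written during the run. The script below is an added example, not from the original post or from the ADSync module; the hypothetical file name Invoke-ForcedSync.ps1 and the assumption that the Azure AD connector name ends in " - AAD" (the default naming) are mine. Event IDs 650 and 651 are the password sync batch start/complete events from the same source as the 611 failure.

```powershell
# Added example (not part of the original post). Save as Invoke-ForcedSync.ps1 (hypothetical
# name) and run on the Azure AD Connect server in an elevated session:
#   .\Invoke-ForcedSync.ps1 -PolicyType Delta     (or -PolicyType Initial for a full sync)
param(
    [ValidateSet('Delta', 'Initial')]
    [string]$PolicyType = 'Delta'
)
Import-Module ADSync

# A disabled scheduler or staging mode both produce "last synced more than 3 days ago"
# in the portal without any 8453 error; rule them out before blaming permissions.
$sched = Get-ADSyncScheduler
if (-not $sched.SyncCycleEnabled) { Write-Warning 'Scheduler disabled (SyncCycleEnabled = False): nothing will sync on its own.' }
if ($sched.StagingModeEnabled)    { Write-Warning 'Server is in staging mode: nothing is exported to Azure AD.' }
if ($sched.SyncCycleInProgress)   { throw 'A sync cycle is already running; wait for it to finish.' }

# Assumption: the Azure AD connector follows the default "<tenant>.onmicrosoft.com - AAD" naming.
$adConnectors = Get-ADSyncConnector | Where-Object Name -notlike '* - AAD'
foreach ($src in $adConnectors) {
    # Shows whether password hash sync is enabled for this forest after the disable/enable toggle
    Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $src.Name
}

$since = Get-Date
Start-ADSyncSyncCycle -PolicyType $PolicyType
do { Start-Sleep -Seconds 10 } while ((Get-ADSyncScheduler).SyncCycleInProgress)

# Password hash sync runs on its own channel (roughly every two minutes), not inside the
# sync cycle, so allow it one pass before reading the log.
Start-Sleep -Seconds 150

# 611 = password sync failure (the RPC 8453 case), 650/651 = password sync batch start/complete
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Directory Synchronization'; StartTime = $since
} -ErrorAction SilentlyContinue

$failures = $events | Where-Object Id -eq 611
if ($failures) {
    $failures | Select-Object TimeCreated, Id, Message | Format-List
    throw "Password sync is still failing after a $PolicyType cycle; re-check the replication rights."
}
$events | Where-Object { $_.Id -in 650, 651 } |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

If the 611 events stop but the portal still shows a stale password sync time, give the portal status up to a few hours to catch up before repeating the procedure; re-running the ForceFullPasswordSync script in quick succession only queues another full pass over every account.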

Full log for reference:

Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8453 : Replication access was denied. There was an error calling _IDL_DRSGetNCChanges.
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnGetChanges(ReplicationState syncState)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.GetChanges(ReplicationState replicationState)
   at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
   at Microsoft.Online.PasswordSynchronization.DeltaSynchronizationTask.SynchronizeCredentialsToCloud()
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()
   at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()
   at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)

Brandon Stuart, PEI
