Issue
Azure AD Connect (v1.1.614.0) Password Synchronisation has stopped working.
In the Office 365 Admin Centre, DirSync Status shows no recent password synchronisation.
The following error is flagged on the Azure AD Connect Server.
Event ID: 611 (Log: Application, Source: Directory Synchronization)
Level: Error
Computer: AADC01v.x500.co.uk
Description: Password synchronization failed for domain: x500.co.uk.
Details: Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8453 : Replication access was denied. There was an error calling _IDL_DRSGetNCChanges. at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnGetChanges(ReplicationState syncState) at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.GetChanges(ReplicationState replicationState) at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy) at Microsoft.Online.PasswordSynchronization.DeltaSynchronizationTask.SynchronizeCredentialsToCloud() at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets() at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain() at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)
Cause
The following permissions were missing from the local Azure AD sync account. Both are required to allow the account to read password hashes from local AD.
Replicating Directory Changes
Replicating Directory Changes All
Resolution
Assign the missing permissions with the ACL editor as described below, or use ADSI Edit.
Open the Active Directory Users and Computers snap-in.
On the View menu, click Advanced Features.
Right-click the domain object, e.g. “x500.co.uk”, click Properties.
On the Security tab, click Add.
In the Select Users, Computers, or Groups dialog box, select the local Azure AD sync account, and then click Add.
Click OK to return to the Properties dialog box.
Click the local Azure AD sync account.
Select the Replicating Directory Changes and Replicating Directory Changes All check boxes.
Click Apply, and then click OK.
Close the snap-in.
Restart the Microsoft Azure AD Sync service; this resolves the issue.
Event ID 650 (Provision credentials batch start) and 656 (Password Change Request) events will then be logged.
After a short wait, in the Office 365 Admin Centre, DirSync Status shows recent password synchronisation.
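The steps above can be verified and applied from PowerShell. The script below is an added example, not part of the original article: it lists every principal holding the two extended rights on the domain root (any such account can read password hashes, so the list should contain only the sync account and the expected built-in principals) and then grants both rights to the sync account. It assumes the ActiveDirectory RSAT module is installed and uses the placeholder account name MSOL_PLACEHOLDER.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory module
# (RSAT) and a session with rights to modify the domain root ACL.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# Well-known control access right GUIDs for the two replication permissions.
$rights = @{
    'Replicating Directory Changes'     = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes All' = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}

function Get-ReplicationRightHolders {
    # Returns one row per (principal, right) ACE found on the given object.
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if (-not $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }
        foreach ($name in $rights.Keys) {
            if ($ace.ObjectType -eq $rights[$name]) {
                [pscustomobject]@{
                    Identity = $ace.IdentityReference.Value
                    Right    = $name
                    Type     = $ace.AccessControlType
                }
            }
        }
    }
}

function Grant-ReplicationRights {
    # Adds Allow ACEs for both rights to the sync account on the domain root,
    # mirroring what the ACL editor steps do.
    param([string]$DistinguishedName, [string]$SamAccountName)
    $sid = (Get-ADUser -Identity $SamAccountName).SID
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($guid in $rights.Values) {
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $guid)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}

# Audit first, then grant to the sync account (placeholder name) and re-check.
Get-ReplicationRightHolders -DistinguishedName $domainDN | Format-Table -AutoSize
Grant-ReplicationRights -DistinguishedName $domainDN -SamAccountName 'MSOL_PLACEHOLDER'
Get-ReplicationRightHolders -DistinguishedName $domainDN | Where-Object Identity -like '*MSOL_PLACEHOLDER*'
```

Re-running the audit function after the fix should show both rights for the sync account; any other unexpected identity in the first listing is worth investigating before restarting the service.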
Thanks, fixed my issue.