Azure AD Password Sync – “no recent synchronization” – Event ID 611 – “replication access was denied”

Issue

Azure AD Connect (v1.1.614.0) Password Synchronisation has stopped working.

In the Office 365 Admin Centre, DirSync Status shows no recent password synchronisation.

[Screenshot: DirSync-norecentsync]

[Screenshot: Dirsync-futherinfo]

The following error is flagged on the Azure AD Connect Server.

Event ID: 611 (Log: Application, Source: Directory Synchronization)
Level: Error
Computer: AADC01v.x500.co.uk
Description: Password synchronization failed for domain: x500.co.uk.
Details: Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8453 : Replication access was denied. There was an error calling _IDL_DRSGetNCChanges.
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnGetChanges(ReplicationState syncState)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.GetChanges(ReplicationState replicationState)
   at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
   at Microsoft.Online.PasswordSynchronization.DeltaSynchronizationTask.SynchronizeCredentialsToCloud()
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()
   at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()
   at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)

Cause

The following permissions were missing from the local Azure AD sync account (the AD DS connector account) on the domain object. Both are required for the account to read password hashes from the local AD via the directory replication (DRS) interface, which is exactly what _IDL_DRSGetNCChanges in the error above is calling.

Replicating Directory Changes
Replicating Directory Changes All

Resolution

Assign the missing permissions using the ACL editor in Active Directory Users and Computers, as below; ADSI Edit can also be used.

Open the Active Directory Users and Computers snap-in.
On the View menu, click Advanced Features.
Right-click the domain object, e.g. “x500.co.uk”, click Properties.
On the Security tab, click Add.
In the Select Users, Computers, or Groups dialog box, select the local Azure AD sync account, and then click Add.
Click OK to return to the Properties dialog box.
Click the local Azure AD sync account.
Select the Replicating Directory Changes and Replicating Directory Changes All check boxes.

[Screenshot: AddACLs]

Click Apply, and then click OK.
Close the snap-in.

Restart the Microsoft Azure AD Sync service; this resolves the issue.
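To confirm the fix without clicking through the ACL editor, and to see which other principals hold these two rights (they permit reading password hashes, so the list is worth reviewing), the following added check can be run on a domain-joined host. It is example code, not part of the original post; it assumes the RSAT ActiveDirectory module is installed and uses a placeholder connector account name.

```powershell
# Added example: audit the two replication extended rights on the domain root
# and report whether the Azure AD Connect connector account holds both.
# Assumes RSAT ActiveDirectory module; the account name below is a placeholder.
Import-Module ActiveDirectory

$ConnectorAccount = 'X500\MSOL_placeholder'   # replace with the real sync account

# Well-known rightsGuid values of the two extended rights (from the AD schema)
$Rights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

$DomainDN = (Get-ADDomain).DistinguishedName
$Acl = Get-Acl -Path "AD:\$DomainDN"

# Keep only Allow ACEs whose object type is one of the two extended rights.
# Note: this lists direct grants only; rights inherited through group
# membership (e.g. Domain Controllers, Administrators) are not expanded here.
$Grants = $Acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    $Rights.ContainsKey($_.ObjectType.ToString())
} | ForEach-Object {
    [pscustomobject]@{
        Identity = $_.IdentityReference.Value
        Right    = $Rights[$_.ObjectType.ToString()]
    }
}

Write-Host "Principals holding replication rights on $DomainDN :"
$Grants | Sort-Object Identity, Right | Format-Table -AutoSize

$Held    = @($Grants | Where-Object { $_.Identity -eq $ConnectorAccount } | ForEach-Object Right)
$Missing = @($Rights.Values | Where-Object { $_ -notin $Held })

if ($Missing.Count -gt 0) {
    # This is the state that produces Event ID 611 / RPC Error 8453
    Write-Warning "$ConnectorAccount is missing: $($Missing -join ', ')"
} else {
    Write-Host "$ConnectorAccount holds both rights; password hash sync can read changes."
}
```

Any account in the list that is not a domain controller, the connector account, or a known administrative group deserves a closer look.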

You will see Event ID 650 (Provision credentials batch start) and Event ID 656 (Password Change Request) events logged.

After a short wait, in the Office 365 Admin Centre, DirSync Status shows recent password synchronisation.

[Screenshot: DirSync-Good]

[Screenshot: DirSync_Good_Advanced]
