Issue
Azure AD Connect (v1.1.614.0) Password Synchronisation has stopped working.
In the Office 365 Admin Centre, DirSync Status shows no recent password synchronisation.
The following error is flagged on the Azure AD Connect Server.
Event ID: 611 (Log: Application, Source: Directory Synchronization)
Level: Error
Computer: AADC01v.x500.co.uk
Description: Password synchronization failed for domain: x500.co.uk.
Details: System.DirectoryServices.Protocols.LdapException: The operation was aborted because the client side timeout limit was exceeded.
at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
at Microsoft.Online.PasswordSynchronization.DirectoryAttributeSearcher.<GetObjectAttributes>d__8.MoveNext()
at Microsoft.Online.PasswordSynchronization.DirectoryAttributeSearcher.<GetObjectAttributes>d__0.MoveNext()
at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.BuildPasswordBatch(IEnumerable`1 changeObjects, IList`1& passwordChanges, IList`1& retryObjects)
at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.BuildPasswordBatch(IList`1 changeSetObjects)
at Microsoft.Online.PasswordSynchronization.DeltaSynchronizationTask.SynchronizeCredentialsToCloud()
at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()
at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()
at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)
Resolution
Set the LdapClientIntegrity registry value (REG_DWORD) to 0:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP\LdapClientIntegrity
Then restart the Microsoft Azure AD Sync service (service name ADSync); this resolves the issue. Note that a value of 0 stops the LDAP client from automatically negotiating a signed session (see the LdapClientIntegrity section below), so the sync regains connectivity at the cost of the tamper detection that signing provides.
Event ID 4643 (Password sync started for management agent “x500.co.uk”) and Event ID 904 (Starting sync scheduler thread) are then logged.
After a short wait, in the Office 365 Admin Centre, DirSync Status shows recent password synchronisation.
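The following PowerShell script is an added example (not part of the original note) that carries out the resolution above end to end: it records the current LdapClientIntegrity value so the change can be reverted, sets the requested value, restarts the sync service and then watches the Application log for the 904 and 4643 events the note says indicate a healthy restart, reporting any new 611 failures as well. It assumes the service name is ADSync (display name "Microsoft Azure AD Sync"), that the events are written under the source "Directory Synchronization" shown in the event above, and that it runs in an elevated session on the Azure AD Connect server.

```powershell
# Added example: apply the LdapClientIntegrity change, restart the sync service and
# confirm the expected events appear. Not taken from the original note.
# Assumptions: service name 'ADSync', event source 'Directory Synchronization',
# elevated session on the Azure AD Connect server.
param(
    [ValidateSet(0, 1, 2)]
    [int]$DesiredValue = 0,
    [string]$ServiceName = 'ADSync',
    [int]$WaitSeconds = 180
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
$valueName = 'LdapClientIntegrity'

# Record the current value so the change can be reverted later.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) { Write-Host "Current ${valueName}: <not set>" }
else                    { Write-Host "Current ${valueName}: $current" }

if ($current -ne $DesiredValue) {
    # Create the value if it is absent, otherwise overwrite it; REG_DWORD is the expected type.
    if ($null -eq $current) {
        New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value $DesiredValue | Out-Null
    } else {
        Set-ItemProperty -Path $keyPath -Name $valueName -Value $DesiredValue
    }
    Write-Host "$valueName set to $DesiredValue"
}

# Restart the sync service and note the time so that only new events are examined.
$restartedAt = Get-Date
Restart-Service -Name $ServiceName -Force
Write-Host ("{0} restarted at {1:s}" -f $ServiceName, $restartedAt)

# Poll the Application log for 904 (scheduler thread started) and 4643 (password sync
# started for the management agent); any new 611 (password sync failed) is shown too.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'
    Id           = 611, 904, 4643
    StartTime    = $restartedAt
}
$deadline = $restartedAt.AddSeconds($WaitSeconds)
$seen = @{}
$ok = $false
do {
    Start-Sleep -Seconds 10
    # Get-WinEvent raises an error when nothing matches; treat that as "no events yet".
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    foreach ($e in $events) {
        if (-not $seen.ContainsKey($e.RecordId)) {
            $seen[$e.RecordId] = $true
            Write-Host ("{0:s}  Event {1}: {2}" -f $e.TimeCreated, $e.Id, ($e.Message -split "`n")[0])
        }
    }
    $ids = $events | ForEach-Object Id
    $ok  = ($ids -contains 904) -and ($ids -contains 4643)
} until ($ok -or (Get-Date) -gt $deadline)

if ($ok) { Write-Host 'Scheduler start (904) and password sync start (4643) events observed.' }
else     { Write-Warning "Expected events not seen within ${WaitSeconds}s; check the Application log." }
```

Run it with no arguments to apply the note's fix (value 0); passing -DesiredValue 1 or 2 restores signing negotiation later using the same script, and the printed "Current" line gives the value to return to.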
LdapClientIntegrity
LdapClientIntegrity controls whether the LDAP client automatically attempts to negotiate a signed (integrity-validated) session when a bind is performed. Signing protects the session by detecting attempts to alter LDAP traffic while it is in transit between client and server.
The following settings are possible:
0: Do not automatically use signing.
1: Automatically use signing against supported servers, but permit fallback to a non-signed session if unable to establish signing.
2: Always use signing, and fail to bind if unable to establish signing.
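The script below is an added diagnostic, not part of the original note, that exercises the two behaviours described by settings 0 and 1/2 directly: it performs the same kind of LDAP search the password sync task does (the stack trace above fails inside LdapConnection.SendRequest with a request timeout), once over a signed and sealed session and once over a plain session, and reports whether each completes or raises the LdapException. Comparing the two runs shows whether the timeout is specific to the signed session before LdapClientIntegrity is relaxed, and can be re-run afterwards to confirm signing works again once the value is restored. The server name and base DN are placeholders for the reader's own domain controller and naming context, and the account running the script is assumed to be able to bind with Negotiate.

```powershell
# Added diagnostic: compare a signed/sealed LDAP search with an unsigned one and report
# completion time or the timeout exception. Not taken from the original note.
# Assumptions: placeholder server and base DN below; Negotiate bind as the current user.
param(
    [string]$Server         = 'dc01.example.local',   # placeholder domain controller
    [string]$BaseDn         = 'DC=example,DC=local',  # placeholder naming context
    [int]   $TimeoutSeconds = 30
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapSearch {
    param([bool]$Signed)

    $identifier = New-Object -TypeName System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $Server, 389
    $connection = New-Object -TypeName System.DirectoryServices.Protocols.LdapConnection -ArgumentList $identifier
    $connection.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    # Signing/Sealing is what LdapClientIntegrity 1 or 2 negotiates automatically; setting
    # it explicitly lets each mode be exercised regardless of the current registry value.
    $connection.SessionOptions.Signing = $Signed
    $connection.SessionOptions.Sealing = $Signed
    $connection.Timeout = [TimeSpan]::FromSeconds($TimeoutSeconds)

    $stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $connection.Bind()

        # Same shape as the sync task's attribute fetch: a subtree search returning a few attributes.
        $request = New-Object -TypeName System.DirectoryServices.Protocols.SearchRequest
        $request.DistinguishedName = $BaseDn
        $request.Filter = '(&(objectClass=user)(objectCategory=person))'
        $request.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
        $request.Attributes.AddRange([string[]]@('sAMAccountName', 'pwdLastSet'))
        # Page the results so a large domain does not return everything in one response.
        $paging = New-Object -TypeName System.DirectoryServices.Protocols.PageResultRequestControl -ArgumentList 500
        $request.Controls.Add($paging) | Out-Null

        $response = $connection.SendRequest($request, [TimeSpan]::FromSeconds($TimeoutSeconds))
        [pscustomobject]@{
            Signed  = $Signed
            Result  = 'OK'
            Entries = $response.Entries.Count
            Elapsed = $stopwatch.Elapsed
        }
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # The note's failure surfaces here as "client side timeout limit was exceeded".
        [pscustomobject]@{
            Signed  = $Signed
            Result  = 'LdapException: ' + $_.Exception.Message
            Entries = 0
            Elapsed = $stopwatch.Elapsed
        }
    } catch {
        [pscustomobject]@{
            Signed  = $Signed
            Result  = $_.Exception.GetType().Name + ': ' + $_.Exception.Message
            Entries = 0
            Elapsed = $stopwatch.Elapsed
        }
    } finally {
        $connection.Dispose()
    }
}

# Run both modes and show them side by side.
@(Test-LdapSearch -Signed $true; Test-LdapSearch -Signed $false) | Format-Table -AutoSize
```

If only the signed run times out, the registry change will make the sync work, but the cause is on the signed-session path (client or domain controller) and is worth chasing so that signing can be turned back on; if both runs time out, the problem is not signing at all and lowering LdapClientIntegrity will not help.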