Azure AD Password Sync – “no recent synchronization” – Event ID 611 – “the operation was aborted because the client side timeout limit was exceeded”

Issue

Azure AD Connect (v1.1.614.0) Password Synchronisation has stopped working.

In the Office 365 Admin Centre, DirSync Status shows no recent password synchronisation.

[Screenshot: Office 365 Admin Centre DirSync Status showing "no recent synchronization", with the further-information panel expanded]

The following error is flagged on the Azure AD Connect Server.

Event ID: 611 (Log: Application, Source: Directory Synchronization)
Level: Error
Computer: AADC01v.x500.co.uk
Description: Password synchronization failed for domain: x500.co.uk.
Details: System.DirectoryServices.Protocols.LdapException: The operation was aborted because the client side timeout limit was exceeded.
at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
at Microsoft.Online.PasswordSynchronization.DirectoryAttributeSearcher.<GetObjectAttributes>d__8.MoveNext()
at Microsoft.Online.PasswordSynchronization.DirectoryAttributeSearcher.<GetObjectAttributes>d__0.MoveNext()
at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.BuildPasswordBatch(IEnumerable`1 changeObjects, IList`1& passwordChanges, IList`1& retryObjects)
at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.BuildPasswordBatch(IList`1 changeSetObjects)
at Microsoft.Online.PasswordSynchronization.DeltaSynchronizationTask.SynchronizeCredentialsToCloud()
at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()
at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()
at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)

Resolution

Change the LdapClientIntegrity registry value to 0.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP\LdapClientIntegrity

[Screenshot: the LdapClientIntegrity registry value in Registry Editor]

Restart the Microsoft Azure AD Sync service; this resolves the issue.

You will then see Event ID 4643 (Password sync started for management agent “x500.co.uk”) and Event ID 904 (Starting sync scheduler thread) logged.

After a short wait, in the Office 365 Admin Centre, DirSync Status shows recent password synchronisation.

[Screenshots: Office 365 Admin Centre DirSync Status showing recent password synchronisation, basic and advanced views]

LdapClientIntegrity

LdapClientIntegrity controls whether the LDAP client automatically attempts to negotiate a signed (integrity-validated) session when a bind is performed. Signing protects the session by detecting attempts to alter LDAP traffic in transit during an LDAP connection.

The following settings are possible:

0: Do not automatically use signing.

1: Automatically use signing against supported servers, but permit fallback to a non-signed session if unable to establish signing.

2: Always use signing, and fail to bind if unable to establish signing.
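The resolution steps above (change the registry value, restart the sync service, confirm the 4643/904 events appear) and the value table just listed can be driven from one script. The following PowerShell is an added example written for this page, not code from the original post or from Microsoft; it assumes the Azure AD Connect service name is ADSync (display name "Microsoft Azure AD Sync") and that it runs in an elevated session on the Azure AD Connect server. It records the existing setting before changing it, so the change can be reverted later, and it reads the Directory Synchronization events the post mentions to confirm password sync has restarted rather than relying on the portal.

```powershell
# Added example (not from the original post): apply and verify the
# LdapClientIntegrity change, then confirm password sync recovers via the
# Application log. Assumed service name: 'ADSync'. Run elevated on the
# Azure AD Connect server.

$regPath   = 'HKLM:\System\CurrentControlSet\Services\LDAP'
$valueName = 'LdapClientIntegrity'
$logFile   = Join-Path $env:TEMP 'LdapClientIntegrity-change.log'

# Meaning of each value, as listed in the post.
$meaning = @{
    0 = 'Do not automatically use signing'
    1 = 'Use signing where supported, fall back to an unsigned session'
    2 = 'Always use signing, fail the bind if signing cannot be established'
}

function Get-LdapClientIntegrity {
    # Returns $null when the value is absent (the OS default then applies).
    $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

# 1. Record the current setting before touching it, so it can be restored later.
$before = Get-LdapClientIntegrity
if ($null -eq $before) {
    Write-Host "$valueName is not set (OS default applies)"
} else {
    Write-Host ("{0} is currently {1} ({2})" -f $valueName, $before, $meaning[$before])
}
"$(Get-Date -Format o) $valueName before change: $before" | Add-Content -Path $logFile

# 2. Apply the value the post uses (0) and read it back to confirm the write.
Set-ItemProperty -Path $regPath -Name $valueName -Value 0 -Type DWord
$after = Get-LdapClientIntegrity
if ($after -ne 0) { throw "Failed to set $valueName (read back: $after)" }
Write-Host ("{0} is now {1} ({2})" -f $valueName, $after, $meaning[$after])
"$(Get-Date -Format o) $valueName after change: $after" | Add-Content -Path $logFile

# 3. Restart the sync service so the password synchronisation task picks up the change.
$restartTime = Get-Date
Restart-Service -Name 'ADSync' -Force
(Get-Service -Name 'ADSync').WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

# 4. Check the Application log. 4643 and 904 show password sync and the scheduler
#    started; a 611 logged after the restart means the LDAP timeout is still occurring.
Start-Sleep -Seconds 30
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'
    Id           = 611, 904, 4643
    StartTime    = $restartTime
} -ErrorAction SilentlyContinue

$events | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

if ($events | Where-Object { $_.Id -eq 611 }) {
    Write-Warning 'Event 611 still logged after the restart; the LDAP timeout persists.'
} elseif ($events | Where-Object { $_.Id -in 904, 4643 }) {
    Write-Host 'Password sync restarted (904/4643 seen); check DirSync Status in the admin centre after a short wait.'
} else {
    Write-Warning 'No Directory Synchronization events seen yet; re-run the check in a few minutes.'
}
```

The script keeps a timestamped record of the value before and after the change in `%TEMP%`, which is what you want when the setting is later reviewed: value 2 is the only one that refuses an unsigned bind, so knowing the server's original value makes it straightforward to restore it once the underlying LDAP timeout has been dealt with.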
