The other day I was working with a customer of mine who is trying to implement the Password Sync feature of the new Azure Active Directory Sync tool. But despite having everything configured as expected, the Password Sync was not working. I checked the Application event log for the events 656 & 657 but no luck. I was at a loss at this moment so decided to Disable\Re-Enable the Password Sync feature hoping that it will log some event in the Application log. Fortunately there are some PowerShell commands available to do with this without having to rerun the whole configuration wizard.
PS C:\> Import-Module adsync PS C:\> Set-ADSyncAADPasswordSyncConfiguration -SourceConnector cloud365.in -TargetConnector “omnath.onmicrosoft.com – A AD” -Enable $false Password Hash Sync Configuration for source “cloud365.in” updated. PS C:\> Set-ADSyncAADPasswordSyncConfiguration -SourceConnector cloud365.in -TargetConnector “omnath.onmicrosoft.com – A AD” -Enable $true Password Hash Sync Configuration for source “cloud365.in” updated. PS C:\>
Log Name: Application Source: Directory Synchronization Date: 12/20/2014 9:55:48 PM Event ID: 611 Task Category: None Level: Information Keywords: Classic User: N/A Computer: ADFS.cloud365.in Description: Password synchronization failed for domain: cloud365.in. Details: Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8453 : Replication access was denied. There was an error calling _IDL_DRSGetNCChanges. at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnGetChanges(ReplicationState syncState) at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.GetChanges(ReplicationState replicationState) at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy) at Microsoft.Online.PasswordSynchronization.DeltaSynchronizationTask.SynchronizeCredentialsToCloud() at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets() at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain() at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)
After digging down for sometime , I discovered that the Azure AD Sync was configured with a normal user account to lookup the local Active Directory.
If you want to enable password synchronization between your on-premises AD DS and your Azure Active Directory for your users, you need to grant the following permissions to the account that is used by Azure AD Sync to connect to your AD DS:
- Replicating Directory Changes
- Replicating Directory Changes All
Both permissions are required to enable the account to read password hashes from your on-premises AD DS.
You have to follow the below steps to grant the above permissions on the root domain (Cloud365.in).
1. In Active Directory Users and Computers, right-click the domain, and then click Delegate Control.
2. On the Users or Groups page, click Add. This has to be the service account you used to configure the Azure AD Sync at the first place.
3. On the Tasks to Delegate page, select create a custom task to delegate, and then click Next.
4. On the Active Directory Object Type page, select this folder, existing objects in this folder, and creation of new objects in this folder, and then click next.
5. On the Permissions page, in the Permissions box, select “Replicating Directory Changes” & “Replicating Directory Changes All” and then click Next.
6. Click Finish.
Now, I rebooted the AAD Sync server and bingo ! It worked like a charm. This time it logged the event 657 in the Application log as expected indicating that the Password from local Active Directory successfully got synced with Azure AD.
Log Name: Application Source: Directory Synchronization Date: 12/20/2014 11:30:48 PM Event ID: 657 Task Category: None Level: Information Keywords: Classic User: N/A Computer: ADFS.cloud365.in Description: Password Change Result – Anchor : Pi4+TeNDBkqewz2WDB12yg==, Dn : CN=Exchange Online User,OU=Exchange Online,DC=cloud365,DC=in, Result : Success.
It’s worth mentioning that I have seen issues where despite having all the necessary rights on the Service Account used to configure Azure AD Sync, the password sync doesn’t work. Well, fortunately Microsoft came up with a script to force the Password Sync. You can find the script here