KB ID 0001640
I recently migrated the server that was running my Azure AD Connector. It was showing no errors post migration so I thought no more about it. A few days later I logged in to Office 365 and saw this;
AAD Connect Status
Azure AD Connect
Password sync: no recent synchronization
Apparently this can suddenly happen if you are running an old version of AAD Connect. But I checked and mine was brand new, (I’d only just installed it remember). A quick look in the Event Viewer pointed me in the right direction.
Event ID 611
Log Name: Application
Source: Directory Synchronization
Date: xx/xx/xxxx xx:xx:xx
Event ID: 611
Task Category: None
Password hash synchronization failed for domain: pnl.com, domain controller hostname: PNL-MGMT.pnl.com, domain controller IP address: 192.168.100.3. Details:
Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8453 : Replication access was denied. There was an error calling _IDL_DRSGetNCChanges.
I’ve highlighted the important part, RPC Error 8453: Replication access was denied. So we have a permissions/rights problem. As I’d set a new user up for the AAD connector software, I checked their rights and found out I was missing the following;
Ensure that the user you are running AAD sync under, has the following permissions on the ‘root’ of your local AD domain.
- Replicating Directory Changes: Allow
- Replicating Directory Changes All: Allow
Then I forced an AAD sync, and waited a few minutes, the problem then disappeared.
Related Articles, References, Credits, or External Links