Password Sync: No Recent Synchronization

KB ID 0001640

Problem

I recently migrated the server that was running my Azure AD Connector. It was showing no errors post migration so I thought no more about it. A few days later I logged in to Office 365 and saw this;

AAD Connect Status
Azure AD Connect
Password sync: no recent synchronization

Solution

Apparently this can suddenly happen if you are running an old version of AAD Connect. But I checked and mine was brand new, (I’d only just installed it, remember). A quick look in the Event Viewer pointed me in the right direction.

Event ID 611

Log Name: Application
Source: Directory Synchronization
Date: xx/xx/xxxx xx:xx:xx
Event ID: 611
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: {server-name}
Description:
Password hash synchronization failed for domain: pnl.com, domain controller hostname: PNL-MGMT.pnl.com, domain controller IP address: 192.168.100.3. Details:
Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8453 : Replication access was denied. There was an error calling _IDL_DRSGetNCChanges.


The important part is RPC Error 8453: Replication access was denied. So we have a permissions/rights problem. As I’d set up a new user for the AAD connector software, I checked their rights and found out I was missing the following;

Ensure that the user you are running AAD sync under has the following permissions on the ‘root’ of your local AD domain.

  • Replicating Directory Changes: Allow
  • Replicating Directory Changes All: Allow

Then I forced an AAD sync and waited a few minutes, and the problem disappeared.
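Rather than clicking through the ACL editor, you can check whether the sync account actually holds both rights on the domain root with PowerShell. This is an added example, not part of the original KB article; it assumes the ActiveDirectory (RSAT) module is available on a domain-joined machine, and ‘REPLACE_WITH_SYNC_ACCOUNT’ is a placeholder for the account your AAD Connect AD connector runs under.

```powershell
# Added example (not from the original KB article): verify that the AAD Connect
# AD connector account has the two replication rights on the domain root.
# Assumes the ActiveDirectory RSAT module is installed on a domain-joined machine.
Import-Module ActiveDirectory

# Well-known GUIDs of the two extended rights password hash sync requires
$ReplicationRights = @{
    'Replicating Directory Changes'     = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes All' = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}

function Test-AADSyncReplicationRights {
    param(
        # sAMAccountName of the AD connector account (e.g. an MSOL_ account or your custom one)
        [Parameter(Mandatory)] [string] $SamAccountName
    )
    $domain   = Get-ADDomain
    $account  = Get-ADUser -Identity $SamAccountName
    $identity = "$($domain.NetBIOSName)\$($account.SamAccountName)"
    # The AD: drive exposes the domain root's security descriptor as an ACL object
    $acl      = Get-Acl -Path "AD:\$($domain.DistinguishedName)"

    foreach ($rightName in $ReplicationRights.Keys) {
        $guid = [guid] $ReplicationRights[$rightName]
        # Look for an Allow ACE for this account of type ExtendedRight whose ObjectType is the right's GUID
        $ace = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $identity -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
            $_.ObjectType -eq $guid
        }
        [pscustomobject]@{
            Account = $account.SamAccountName
            Right   = $rightName
            Granted = [bool] $ace
        }
    }
}

# Placeholder: replace with the account your AAD Connect AD connector runs under
Test-AADSyncReplicationRights -SamAccountName 'REPLACE_WITH_SYNC_ACCOUNT' | Format-Table -AutoSize
```

Note that this only finds ACEs granted directly to the account; if the right was granted through a group (such as the Enterprise Domain Controllers group) the check will report it as not granted even though it effectively is.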

Related Articles, References, Credits, or External Links

NA

Forcing Azure AD Connect Sync

KB ID 0001590

Problem

If you are using Azure AD Connect, (AAD Connect) to sync your on-premises Active Directory with Azure AD (i.e. for Office 365), then there may be times when you need to manually ‘force a replication’, because by default it’s going to take 30 minutes between each normal ‘delta replication’.

Solution

If you are directly on the server that’s running Azure AD Connect, then use the following PowerShell. If you don’t know which server is running AD Connect, then see the following link;

Locate Your Azure AD Connect Server

Firstly you need to add in the correct module, (you only have to do this once). Though the module should be already installed on the Sync server, let’s not tempt fate and check. (You can also use Get-Module to view installed modules).

[box]

Import-Module ADSync

[/box]

Note: If you get an error you may need to run Import-Module "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1"

Then to Manually Force a Synchronisation;

[box]

# To perform a FULL sync
Start-ADSyncSyncCycle -PolicyType Initial
# To perform a (normal) delta sync
Start-ADSyncSyncCycle -PolicyType Delta

[/box]

You can view the Sync settings with;

[box]

Get-ADSyncScheduler

[/box]

But I don’t like that, I prefer to watch synchronisations going on in the ‘Synchronization Service Manager’ console; you can spot and troubleshoot errors in here also 🙂

Note: To Troubleshoot Sync errors, see the procedure I use in the following post;

Azure AD Connect: Correct Or Remove Duplicate Values

Force an Azure AD Connect Synchronisation From Another Server

Use the following syntax;

[box]

Invoke-Command -ComputerName AD-Connect-Server-Name -ScriptBlock {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}

[/box]

Disable and Enable Azure AD Sync

[box]

# Disable
Set-ADSyncScheduler -SyncCycleEnabled $False
# Enable
Set-ADSyncScheduler -SyncCycleEnabled $True

[/box]

Related Articles, References, Credits, or External Links

Azure AD Connect: Correct Or Remove Duplicate Values

AAD Contains Another Object With The Same DN