Password hash synchronization for Azure AD stops working and event ID 611 is logged
Original product version: Cloud Services (Web roles/Worker roles), Azure Active Directory, Microsoft Intune, Azure Backup, Office 365 Identity Management
Original KB number: 2867278
Password hash synchronization for Microsoft Azure Active Directory stops working after several days. Additionally, in Event Viewer, the following event ID 611 error is logged in the Application log:
Password synchronization failed for domain:
Install the latest version of the Azure Active Directory Synchronization tool. For more information, see Install or upgrade the Directory Sync tool.
You may see one or more of the following error details for Event ID 611.
| Error details | Cause | Resolution |
|---|---|---|
| SynchronizationManagerException: Recovery task failed. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8439: The distinguished name specified for this replication operation is invalid. There was an error calling | Windows Server 2003 domain controllers handle certain scenarios unexpectedly. | Update to the latest version of Azure AD Connect to resolve this issue. |
| DirectoryReplicationServices.DrsException: RPC Error 8593: The directory service cannot perform the requested operation because the servers involved are of different replication epochs (which is related to a domain rename that is in progress). | It's a known issue that was fixed in Azure Active Directory Sync tool build 1.0.6455.0807. | Update to the latest version of Azure AD Connect to resolve this issue. |
| System.ArgumentOutOfRangeException: Not a valid Win32 FileTime. | It's a known issue that was fixed in Azure Active Directory Sync tool build 1.0.6455.0807. | Update to the latest version of Azure AD Connect to resolve this issue. |
| System.ArgumentException: An item with the same key has already been added. | It's a known issue that was fixed in Azure Active Directory Sync tool build 1.0.6455.0807. | Update to the latest version of Azure AD Connect to resolve this issue. |
| Password synchronization failed for domain: DirectoryReplicationServices.DrsException: RPC Error 8453: Replication access was denied. There was an error calling DirectoryReplicationServices.DrsRpcConnection.OnGetChanges( ReplicationState syncState) DirectoryReplicationServices.DrsConnection.GetChanges( ReplicationState replicationState) SynchronizationManager.SynchronizeDomain( SynchronizationExecutionContext syncExecutionContext). | AD DS Connector Account is missing the following extended permissions on AD: | Update to the latest version of Azure AD Connect, and follow the article "Azure AD Connect: Configure AD DS Connector Account Permissions" on how to add the correct Active Directory permissions. |
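As an added example that is not part of this KB or of Microsoft's tooling, the Python script below triages exported event ID 611 messages: it pulls out the domain, the innermost exception and the RPC error code, and maps each message to the cause and resolution rows in the table above (cause/resolution strings condensed). The `KNOWN_SIGNATURES` table, the `triage_event_611` helper and the sample event texts are all constructed here; an unmatched message falls back to the KB's first step of installing the latest sync tool.

```python
import re

# Signatures from this KB's error-details table; cause/resolution text is condensed.
# KNOWN_SIGNATURES and triage_event_611 are illustrative, not Microsoft code.
UPGRADE = "Update to the latest version of Azure AD Connect"
KNOWN_SIGNATURES = [
    (r"RPC Error 8439\b", "Windows Server 2003 DC handles certain scenarios unexpectedly", UPGRADE),
    (r"RPC Error 8593\b", "Different replication epochs (domain rename in progress); fixed in 1.0.6455.0807", UPGRADE),
    (r"RPC Error 8453\b", "AD DS Connector account is missing extended permissions on AD",
     UPGRADE + " and grant the permissions from 'Configure AD DS Connector Account Permissions'"),
    (r"ArgumentOutOfRangeException: Not a valid Win32 FileTime", "Known issue fixed in 1.0.6455.0807", UPGRADE),
    (r"ArgumentException: An item with the same key has already been added", "Known issue fixed in 1.0.6455.0807", UPGRADE),
]

def triage_event_611(message: str) -> dict:
    """Extract domain, innermost exception and RPC code from one event 611 message and map it to a documented cause."""
    domain = re.search(r"failed for domain:\s*([\w-]+(?:\.[\w-]+)*)", message)
    rpc = re.search(r"RPC Error (\d+)", message)
    # In a .NET exception chain the innermost exception follows the last '--->'.
    exc = re.search(r"([\w.]*Exception)", message.split("--->")[-1])
    result = {
        "domain": domain.group(1) if domain else None,
        "rpc_error": int(rpc.group(1)) if rpc else None,
        "exception": exc.group(1) if exc else None,
        "known": False,
        "cause": "No documented signature matched",
        "resolution": UPGRADE + " first, then re-check the event",
    }
    for pattern, cause, fix in KNOWN_SIGNATURES:
        if re.search(pattern, message):
            result.update({"known": True, "cause": cause, "resolution": fix})
            break
    return result

# Constructed sample event texts (not real Event Viewer captures).
SAMPLE_EVENTS = [
    "Password synchronization failed for domain: corp.example.com. "
    "SynchronizationManagerException: Recovery task failed. ---> Microsoft.Online."
    "PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8453: "
    "Replication access was denied. There was an error calling ...",
    "Password synchronization failed for domain: corp.example.com. "
    "System.ArgumentOutOfRangeException: Not a valid Win32 FileTime.",
    "Password synchronization failed for domain: corp.example.com. "
    "Some.Other.Exception: RPC Error 9999: unexpected failure.",
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        t = triage_event_611(event)
        print(f"{t['domain']} rpc={t['rpc_error']} {t['exception']}\n  {t['cause']} -> {t['resolution']}")
```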