0 Votes
JesseSanchez-6631 asked ·

Azure AD Sync Connect issue with permission error 8344

Hello,

We currently installed Azure AD Sync Connect and everything seems to be syncing well except for an 8344 "Insufficient access rights to perform the operation". We did a custom install where it only syncs a specific OU / group.

-We are doing only PW Hash Synchronization
-Users are getting their pws synced for the few that we are doing; pw changes take effect too
-During AD Forest account we selected "create a new AD account"
-We used "users are represented only once across all directories"
-"Let Azure manage the source anchor" was selected

Again, all the passwords are syncing well, but when I open Synchronization Service Manager I get the above error. When I click on the user error I see it has a change under "ms-ds-consistencyGuid", which I believe is the change it is having an issue writing back to our Active Directory. Is there an easy way to fix this?

EDIT:
Finally it is fixed! After I started checking the security permissions for the root domain I noticed the OU for our users didn't have the security permissions for the MSOL service account at all.

The users OU had inheritance disabled. After I enabled inheritance for that particular OU, the permissions instantly appeared for the service account and the problem was fixed.

azure-ad-connect

0 Votes
AndyDavid answered ·

Did you also give the AADConnect account:

Replicate Directory Changes
Replicate Directory Changes All

at the root for the Password Hash Sync requirement?

If you add the account to Domain Admins as a test, I assume it works, yes?


3 Votes
AndyDavid answered ·

Check the security inheritance on the user.
[two screenshots attached]

If that isn't the issue, did you enable writeback permission if you enabled SSPR?

https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback

Did you enable any other options?

Note that group filtering is not supported except for pilot testing.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-configure-filtering#group-based-filtering

User security inheritance was the issue. Kudos.
0 Votes
JesseSanchez-6631 answered ·

So I checked the three users I am having the issue with and they already have inheritance enabled, so that's not the issue.
I also do not have any other option besides password hash syncing. I do not have writeback enabled and I do not have SSPR in Azure enabled. Understood on the group filtering; we are testing to make sure everything works perfectly before we sync everyone.

As a test I temporarily added the service account to the admin group and it added the ms-ds-consistencyguid to the users with previous errors. I then added 3 new users to sync, removed admin from the service account, and it went back to giving me the permission issue. Is it possible I have to give write permission to the Azure AD account for ms-ds-consistencyguid?


0 Votes
AndyDavid answered ·

Yes:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts#using-ms-ds-consistencyguid-as-sourceanchor

For this feature to work, the AD DS account used to synchronize with on-premises Active Directory must be granted write permission to the ms-DS-ConsistencyGuid attribute in on-premises Active Directory.


0 Votes
JesseSanchez-6631 answered ·

Thanks for the article. I'm trying to give permission to the service account with the below PowerShell script:

$accountName = "domain\MSOL_nnnnnnn"
$ForestDN = "DC=do,DC=domain,DC=local"
$cmd = "dsacls '$ForestDN' /I:S /G '`"$accountName`":WP;ms-ds-consistencyGuid;user'"
Invoke-Expression $cmd | Out-Null

However, when I try to run it in PowerShell where I have Azure AD Connect it tells me At line:1 char:41 $accountName =domain\MSOL_nnnnn" etc etc unexpected token $ForestDN in expression or statement, and the same for Invoke-Expression.

I have only used PowerShell a few times, so I'm not sure if I am supposed to run it line by line or save it to a script file and then run it?

Any help would be appreciated.


1 Vote
AndyDavid answered ·

I would use the built-in functionality in the AADConnect PowerShell module:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account#configure-ms-ds-consistency-guid-permissions

Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String> [-SkipAdminSdHolders] [<CommonParameters>]

0 Votes
JesseSanchez-6631 answered ·

I ran the command and unfortunately I'm still having the permission issue. I'm not sure what else to try.


Do you see the account and the permissions it has via ADUC?

And by that I mean, if you open up ADUC and look at the security tab, do you see the account and the permissions it has in the forest?
Per that article:

Allow AD DS Connector Account Read/Write property Descendant User objects

If not, you can always add it manually at the forest/domain/OU root and give it those permissions.

Make sure you aren't blocking inheritance at the OU level as well.

Also, let's go back to your command above that you say wasn't working:

Try this:
Line by line in PowerShell

This is the account that will be used by Azure AD Connect Sync to manage objects in the directory.

$accountName = "DOMAINNAME\USERNAME"
$ForestDN = "DC=DOMAINNAME,DC=com"

$cmd = "dsacls '$ForestDN' /I:S /G '`"$accountName`":WP;ms-ds-consistencyGuid;user'"

Invoke-Expression $cmd
0 Votes
JesseSanchez-6631 answered ·

Yes, I can see the security permissions it has on the forest.
I was also able to add the write permission using PowerShell successfully, but I'm still having the permission issue.
-I also reset the MSOL_ pw and reinstalled the client to match the new pw.
-The Microsoft Azure AD Sync service was changed to log on as the MSOL_ service account
-Added the MSOL_ account locally to the Administrators group and ADSyncAdmins where AD Connect is installed.
-Temporarily turned off Windows Firewall to test
After all those changes I still keep getting the permission issue when it's trying to export back to our AD and add the ms-ds-consistencyguid attribute.
[attachment: msol-permission.png]

0 Votes
JesseSanchez-6631 answered ·

Yes, that account has Replicate Directory Changes and Replicate Directory Changes All. I don't understand the part about "at the root for the Password Hash Sync requirement"?

Yes, if I add the service account to Domain Admins it will clear the permission errors.


Root meaning "Forest Root".

Ok, so that is good then. At least we know it's working and the perms are really the issue.

So no blocked inheritance on any OU or any account itself? If you create a new account, does the problem continue, or if you give the AADConnect account specific permissions on an AD account?

Is this a single domain forest?
2 Votes
JesseSanchez-6631 answered ·

Finally it is fixed! After I started checking the security permissions for the root domain I noticed the OU for our users didn't have the MSOL at all.

The users OU had inheritance disabled. After I enabled inheritance for that particular OU the problem is fixed.
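An added check, not code from this thread or from the Azure AD Connect product, that would have surfaced the root cause above directly: it reports whether the OU holding the synced users blocks ACL inheritance and whether the AD DS Connector (MSOL_) account actually holds a WriteProperty ACE for ms-DS-ConsistencyGuid on that OU, then lists every OU in the domain that blocks inheritance. It assumes the RSAT ActiveDirectory module; $OuDn and $AccountName are placeholders.

```powershell
# Added example (not from the thread). Audit an OU for the two conditions discussed above:
# blocked ACL inheritance, and a WriteProperty grant on ms-DS-ConsistencyGuid for the MSOL_ account.
# Assumes the RSAT ActiveDirectory module and read access to the OU's security descriptor.
Import-Module ActiveDirectory

$OuDn        = 'OU=Users,DC=example,DC=local'   # placeholder: the OU scoped in the custom install
$AccountName = 'EXAMPLE\MSOL_nnnnnnnn'           # placeholder: the AD DS Connector account

# Resolve schema GUIDs so the ACE is matched exactly, not by display name.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$attrGuid = Get-SchemaGuid 'ms-DS-ConsistencyGuid'
$userGuid = Get-SchemaGuid 'user'

$acl = Get-Acl -Path "AD:\$OuDn"

# The dsacls command in the thread ('/I:S ... WP;ms-ds-consistencyGuid;user') yields an Allow ACE whose
# ObjectType is the attribute GUID and whose InheritedObjectType is the user class GUID; an ACE with no
# inherited-object-type restriction is accepted too.
$grant = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $AccountName -and
    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
    $_.ObjectType -eq $attrGuid -and
    ($_.InheritedObjectType -eq $userGuid -or $_.InheritedObjectType -eq [guid]::Empty)
}
$grantInherited = [bool]($grant | Where-Object IsInherited)

$report = [pscustomobject]@{
    OU                 = $OuDn
    InheritanceBlocked = $acl.AreAccessRulesProtected   # $true means "Disable inheritance" is set on the OU
    GrantPresent       = [bool]$grant
    GrantIsInherited   = $grantInherited                 # $false with GrantPresent = explicit grant on the OU
}
$report

if ($report.InheritanceBlocked -and -not $report.GrantPresent) {
    Write-Warning "$OuDn blocks inheritance and carries no direct grant; exports of ms-DS-ConsistencyGuid to its users will fail with 8344."
}

# A grant made at the domain root (as in the thread) never reaches objects under an OU that blocks
# inheritance, so list every such OU in the domain.
Get-ADOrganizationalUnit -Filter * |
    Where-Object { (Get-Acl -Path "AD:\$($_.DistinguishedName)").AreAccessRulesProtected } |
    Select-Object -ExpandProperty DistinguishedName
```

Run it from a machine with RSAT before and after granting permissions; if GrantPresent stays false for the OU while the root-level grant exists, inheritance on that OU (or on the user objects themselves, as checked in the earlier answer) is what is blocking the export.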
