When I run the password synchronization diagnostics with the Invoke-ADSyncDiagnostics -PasswordSync command, I get this error:
Password Hash Synchronization cloud configuration is enabled. Password Hash Synchronization agent had an error while pushing password changes to AAD tenant at: 05/12/2019 06:08:19 UTC Please make sure AAD connector account is added to AAD Tenant, and username and password for this account are valid. Please check 652 error events in the application event logs for details
I changed the passwords and am 100% sure that they are correct. If I start password synchronization for a specific user, then it passes successfully. So it's not about the account on the connector.
There is an event with code 652 in the Application log. Here it is:
Failed credential provisioning batch. Clearing affinity to the current service endpoint:. Error: Microsoft.MetadirectoryServices.UnexpectedDataException: The DN given to RDNToSourceAnchor is not valid. at Microsoft.Online.DirSync.Extension.Utilities.DNEncoding.RdnToBinary (String rdn) at Microsoft.Azure.ActiveDirectory.Connector.PasswordChangeNotificationExtension.CreateRequest (IList`1 passwords, String forestInfo) at Microsoft.Azure.ActiveDirectory.Connector.PasswordChangeNotificationExtension.SetPasswords (IList`1 allPasswords, String forestInfo).
How to fix it?