SimonDankau-5762 asked sikumars commented

Azure AD Connect RPC Error 611

Hi there,

we synchronize our users in our domain to Microsoft 365.
The synchronization of the users works perfectly. However, the majority of users cannot log into M365 with their password.

After a bit of research, I found out that the following error occurs with password hash synchronization:

Password Hash Synchronization agent is continuously getting failures for domain "my.bkrnet.de"
Please check 611 error events in the application event logs for details
The latest 611 error event for the domain "my.bkrnet.de" is generated at: 08/24/2021 08:44:45 UTC

Password Hash Synchronization agent is continuously getting RPC errors from domain "my.bkrnet.de"
Please setup reliable preferred domain controllers. Please see "Connectivity problems" section at https://go.microsoft.com/fwlink/?linkid=847231
Please check 611 error events in the application event logs for details
The latest RPC error event for the domain "my.bkrnet.de" is generated at: 08/24/2021 08:44:45 UTC

Checking the Event Viewer reveals that the 611 event contains the following error:
Password hash synchronization failed for domain: my.bkrnet.de, domain controller hostname: bkr-idm1.my.bkrnet.de, domain controller IP address: 10.11.21.70. Details:
Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8420 : The naming context was not found. There was an error calling IDL_DRSGetNCChanges.
bei Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnReplicateSingleObject(DsName directoryName)
bei Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.ReplicateSingleObject(Guid objectGuid, String distinguishedName)
bei Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.<>c__DisplayClass55_0.<BuildPasswordBatch>b__1(IDrsConnection c)
bei Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
bei Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.BuildPasswordBatch(IEnumerable`1 changeObjects, IList`1& passwordChanges, IList`1& retryObjects)
bei Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.BuildPasswordBatch(IList`1 changeSetObjects)
bei Microsoft.Online.PasswordSynchronization.DeltaSynchronizationTask.SynchronizeCredentialsToCloud()
bei Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()
bei Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()
bei Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)
.

<forest-info>
<partition-name>my.bkrnet.de</partition-name>
<connector-id>4192dfb8-5c6f-4201-8b3b-99974a11614a</connector-id>
</forest-info>

The Azure AD Connect setting for user authentication is PTA with password hash synchronization.
The domain user for the settings has the necessary authorizations on the domain controller.

Unfortunately, I can't do much with the error "RPC Error 8420: The naming context could not be found." There are no other real reports on this error.


Regards
Simon

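An added example (not part of the original post, and not Microsoft's code): a PowerShell parser for the 611 event text quoted in the question that tallies failures per domain controller and RPC error code, showing whether the error follows one DC or occurs on every DC tried. The regex assumes the message layout shown in the question; the second sample message, its hostname and its IP address are constructed.

```powershell
# Added example: summarise PHS event 611 failures per DC and RPC error code.
function ConvertFrom-Phs611Message {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    begin {
        # Layout taken from the 611 event text quoted in the question.
        $pattern = 'failed for domain:\s*(?<Domain>[^,]+),' +
                   '\s*domain controller hostname:\s*(?<DC>[^,]+),' +
                   '\s*domain controller IP address:\s*(?<IP>[0-9A-Fa-f.:]+)\.\s*Details:' +
                   '[\s\S]*?RPC Error\s+(?<Code>\d+)\s*:\s*(?<Text>[^\r\n]*)'
    }
    process {
        if ($Message -match $pattern) {
            [pscustomobject]@{
                Domain   = $Matches.Domain.Trim()
                DC       = $Matches.DC.Trim()
                IP       = $Matches.IP
                RpcError = [int]$Matches.Code
                Text     = $Matches.Text.Trim()
            }
        } else {
            # Other sources can also log ID 611 in the Application log.
            $head = $Message.Substring(0, [Math]::Min(60, $Message.Length))
            Write-Warning "Unrecognised 611 message layout: $head"
        }
    }
}

$samples = @(
    # First lines of the event text from the question.
    "Password hash synchronization failed for domain: my.bkrnet.de, domain controller hostname: bkr-idm1.my.bkrnet.de, domain controller IP address: 10.11.21.70. Details:`nMicrosoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8420 : The naming context was not found. There was an error calling IDL_DRSGetNCChanges."
    # Constructed sample: hypothetical second DC and documentation-range IP.
    "Password hash synchronization failed for domain: my.bkrnet.de, domain controller hostname: dc2.example.test, domain controller IP address: 192.0.2.10. Details:`nMicrosoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8420 : The naming context was not found. There was an error calling IDL_DRSGetNCChanges."
)

# Live use on the Azure AD Connect server instead of the samples:
# $samples = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 611 } |
#     ForEach-Object Message

$samples | ConvertFrom-Phs611Message |
    Group-Object DC, RpcError |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

One row per DC and error code makes it easy to tell a single failing domain controller from an error that is the same on all of them.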

SimonDankau-5762 answered sikumars commented

Hello,

after some time and testing, the issue is resolved. Microsoft support did help me last week. The problem with the RPC errors was not resolved. We changed the settings in Azure AD Connect. Before, we had PTA with password hash synchronisation. Support said that PTA with hash synchronisation does not always work and can generate a lot of RPC errors. So we changed the settings to do just PTA, and after a few full imports the login worked perfectly fine for most of the users. Out of the roughly 2500 users, there are still a few who have some problems, but that can be resolved by changing the password in the local AD.


Thanks for sharing your findings.

sikumars answered JamesTran-MSFT commented

Hello @SimonDankau-5762,

Thanks for reaching out.

Are the domain controllers reachable by Azure AD Connect? Looking at the above error, it seems to be a connectivity problem between Azure AD Connect and domain controller hostname: bkr-idm1.my.bkrnet.de for domain: my.bkrnet.de.

If the Azure AD Connector server cannot connect to all domain controllers, configure Only use preferred domain controller, as shown below, from the Connectors properties of the on-premises Active Directory forest you are troubleshooting. Try pointing to a different domain controller hostname and see if that isolates the issue.

126044-image.png

If you see no heartbeat or if nothing else worked, run Trigger a full sync of all passwords. Run this script only once.

See the Troubleshoot one object that is not synchronizing passwords section.

Here is detailed guidance for troubleshooting Connectivity problems. Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.



Hello @sikumars-msft,

thank you for your fast answer.

The domain controllers are reachable. I already configured the preferred domain controller.

     Password Hash Synchronization agent has never successfully completed synchronizing passwords from this directory partition.
     Only Use Preferred Domain Controllers: True


             Preferred Domain Controllers:
             =============================
             Checking connectivity to the preferred domain controller "bkr-paed.my.bkrnet.de"...
             Preferred domain controller "bkr-idm1.my.bkrnet.de" is reachable


     Domain "my.bkrnet.de" is reachable

Even trying different domain controllers in our system does not work. The error remains the same. The script to resync the passwords also did not work.


Thanks for the confirmation.

I hope you have looked at the "RPC errors affecting AADConnect" article; if not, I would recommend referring to it, as it might help you isolate the issue.

However, this issue needs more investigation and live troubleshooting for quicker resolution, hence I would recommend that you contact Microsoft support. If you have a support plan, please file a support ticket; otherwise please let us know, and we will try to help you get one-time free technical support.

Thanks.


Thank you for the information.

I've already looked at the article you linked. Sadly, none of the information inside it could help me to isolate the issue.

Just now, I did contact the support team from Microsoft and am awaiting an answer. Hopefully they will be able to help me.


Thanks for the update. Kindly share your findings here once MS support has fixed the issue, which would help others in the community as well. Thanks


@SimonDankau-5762
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
