If you change the Azure AD Connect sync service account password, the Synchronization Service will not be able start correctly until you have abandoned the encryption key and reinitialized the Azure AD Connect sync service account password.
Azure AD Connect, as part of the Synchronization Services uses an encryption key to store the passwords of the AD DS and Azure AD service accounts. These accounts are encrypted before they are stored in the database.
The encryption key used is secured using Windows Data Protection (DPAPI). DPAPI protects the encryption key using the password of the Azure AD Connect sync service account.
If you need to change the service account password you can use the procedures in Abandoning the Azure AD Connect Sync encryption key to accomplish this. These procedures should also be used if you need to abandon the encryption key for any reason.
Issues that arise from changing the password
There are two things that need to be done when you change the service account password.
First, you need to change the password under the Windows Service Control Manager. Until this issue is resolved you will see following errors:
- If you try to start the Synchronization Service in Windows Service Control Manager, you receive the error "Windows could not start the Microsoft Azure AD Sync service on Local Computer". Error 1069: The service did not start due to a logon failure."
- Under Windows Event Viewer, the system event log contains an error with Event ID 7038 and message “The ADSync service was unable to log on as with the currently configured password due to the following error: The user name or password is incorrect."
Second, under specific conditions, if the password is updated, the Synchronization Service can no longer retrieve the encryption key via DPAPI. Without the encryption key, the Synchronization Service cannot decrypt the passwords required to synchronize to/from on-premises AD and Azure AD. You will see errors such as:
- Under Windows Service Control Manager, if you try to start the Synchronization Service and it cannot retrieve the encryption key, it fails with error “Windows could not start the Microsoft Azure AD Sync on Local Computer. For more information, review the System Event log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code **-21451857952**.”
- Under Windows Event Viewer, the application event log contains an error with Event ID 6028 and error message “The server encryption key cannot be accessed.”
To ensure that you do not receive these errors, follow the procedures in Abandoning the Azure AD Connect Sync encryption key when changing the password.
Abandoning the Azure AD Connect Sync encryption key
The following procedures only apply to Azure AD Connect build 1.1.443.0 or older.
Use the following procedures to abandon the encryption key.
What to do if you need to abandon the encryption key
If you need to abandon the encryption key, use the following procedures to accomplish this.
Abandon the existing encryption key
Abandon the existing encryption key so that new encryption key can be created:
Log in to your Azure AD Connect Server as administrator.
Start a new PowerShell session.
Navigate to folder:
$env:Program Files\Microsoft Azure AD Sync\bin\
Run the command:
Provide the password of the AD DS account
As the existing passwords stored inside the database can no longer be decrypted, you need to provide the Synchronization Service with the password of the AD DS account. The Synchronization Service encrypts the passwords using the new encryption key:
- Start the Synchronization Service Manager (START → Synchronization Service).
- Go to the Connectors tab.
- Select the AD Connector that corresponds to your on-premises AD. If you have more than one AD connector, repeat the following steps for each of them.
- Under Actions, select Properties.
- In the pop-up dialog, select Connect to Active Directory Forest:
- Enter the password of the AD DS account in the Password textbox. If you do not know its password, you must set it to a known value before performing this step.
- Click OK to save the new password and close the pop-up dialog.
Reinitialize the password of the Azure AD sync account
You cannot directly provide the password of the Azure AD service account to the Synchronization Service. Instead, you need to use the cmdlet Add-ADSyncAADServiceAccount to reinitialize the Azure AD service account. The cmdlet resets the account password and makes it available to the Synchronization Service:
- Start a new PowerShell session on the Azure AD Connect server.
- Run cmdlet
- In the pop-up dialog, provide the Azure AD Global admin credentials for your Azure AD tenant.
- If it is successful, you will see the PowerShell command prompt.
Start the Synchronization Service
Now that the Synchronization Service has access to the encryption key and all the passwords it needs, you can restart the service in the Windows Service Control Manager:
- Go to Windows Service Control Manager (START → Services).
- Select Microsoft Azure AD Sync and click Restart.