Password sync: Troubleshoot password hash synchronization with Azure AD Connect sync

Password hash synchronization between Active Directory (AD) and Azure AD can fail for several reasons. The cause can be identified either with the built-in troubleshooting task in Azure AD Connect or by manual checks. The common synchronization issues are listed below, each with its troubleshooting steps.

Issue 1: None of the passwords are synchronized

This issue can be fixed by following the steps below:

  1. On the Azure AD Connect server, open Windows PowerShell with the Run as Administrator option.
  2. Run Set-ExecutionPolicy RemoteSigned or Set-ExecutionPolicy Unrestricted.
  3. Start the Azure AD Connect wizard.
  4. Go to Additional Tasks > Troubleshoot, and click Next.
  5. On the Troubleshooting page, click Launch to start the troubleshooting menu in PowerShell.
  6. In the main menu, select Troubleshoot password hash synchronization.
  7. In the sub-menu, select Password hash synchronization does not work at all.

Below is the list of errors that may arise once the above steps are performed:

  1. Password hash synchronization feature isn't enabled

    This error will appear if password hash synchronization hasn't been enabled using the Azure AD Connect wizard.

  2. Password hash synchronization is not supposed to work within staging mode

    This error may appear if the Azure AD Connect server is in staging mode, and as a result, password hash synchronization is temporarily disabled.

  3. No password hash synchronization heartbeat event was detected for the AD connector

    Each on-premises Active Directory connector has its own password hash synchronization channel. Once a channel is created, and while there are no password changes to synchronize, a heartbeat event is written to the Windows Application event log every 30 minutes. The cmdlet looks for heartbeat events for each AD connector over the past three hours; if none is found, this error is returned.

  4. AD Connector account had a password sync permission problem for the domain at:

    If the domain account that is used by the AD connector to synchronize password hashes does not have the necessary permissions, this error is returned.

  5. Password synchronization agent had a problem to resolve a domain controller in the domain at:

    If the domain account used by the Active Directory connector to synchronize password hashes has an incorrect username or password, this error is returned.
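The three conditions behind the errors above (staging mode, the feature not being enabled on a connector, and a missing heartbeat) and the permission problem in error 4 can also be verified directly from an elevated PowerShell session on the Azure AD Connect server. The script below is an added example, not code from the original page or from Microsoft. It assumes the ADSync module that ships with Azure AD Connect and the ActiveDirectory RSAT module are available; the heartbeat event ID (654) and the event provider name ('Directory Synchronization') are assumptions to confirm against your own server's Application log, and the connector account name is a placeholder.

```powershell
# Added example (not from the original page). Assumptions:
#  - run elevated on the Azure AD Connect server
#  - ADSync module (installed with Azure AD Connect) and ActiveDirectory module present
#  - heartbeat event ID 654 and provider 'Directory Synchronization' are assumed,
#    verify them in your own Application log before relying on this check
Import-Module ADSync
Import-Module ActiveDirectory

function Test-PhsPrerequisites {
    param(
        [int]$HeartbeatEventId = 654,   # assumption, see header comment
        [int]$LookbackHours    = 3      # the troubleshooting task looks back three hours
    )
    $findings = @()

    # Error 2: staging mode suspends password hash synchronization.
    if ((Get-ADSyncScheduler).StagingModeEnabled) {
        $findings += 'Server is in staging mode: password hash sync is suspended.'
    }

    # Error 1: the feature must be enabled on each on-premises AD connector.
    $adConnectors = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' }
    foreach ($c in $adConnectors) {
        $cfg = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $c.Name
        if (-not $cfg.Enabled) {
            $findings += "Password hash sync is not enabled on connector '$($c.Name)'."
        }
    }

    # Error 3: an idle channel writes a heartbeat every 30 minutes; none in the
    # lookback window points at the connector account or DC reachability.
    # (The built-in task checks per connector; this check is log-wide.)
    $since = (Get-Date).AddHours(-$LookbackHours)
    $beats = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Directory Synchronization'   # assumption
        Id           = $HeartbeatEventId
        StartTime    = $since
    } -ErrorAction SilentlyContinue
    if (-not $beats) {
        $findings += "No heartbeat event (ID $HeartbeatEventId) since $since."
    }

    if ($findings.Count -eq 0) { 'No password hash sync prerequisite problems found.' } else { $findings }
}

function Test-PhsConnectorAccountRights {
    # Error 4: the AD connector account needs the two replication extended rights
    # on the domain root. The GUIDs are the well-known schema identifiers.
    param(
        [Parameter(Mandatory)][string]$AccountName,          # placeholder, e.g. 'CONTOSO\MSOL_placeholder'
        [string]$DomainDn = (Get-ADDomain).DistinguishedName
    )
    $required = @{
        '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
        '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    }
    # Only direct ACEs for the account are inspected; rights inherited through
    # group membership are not resolved here.
    $acl = Get-Acl -Path "AD:\$DomainDn"
    $granted = $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $AccountName -and
                       $_.AccessControlType -eq 'Allow' -and
                       $required.ContainsKey($_.ObjectType.ToString()) } |
        ForEach-Object { $required[$_.ObjectType.ToString()] }
    $missing = $required.Values | Where-Object { $granted -notcontains $_ }
    if ($missing) { "Missing on ${DomainDn}: $($missing -join ', ')" } else { 'Replication rights present.' }
}

# Usage (connector account name is a placeholder):
Test-PhsPrerequisites
Test-PhsConnectorAccountRights -AccountName 'CONTOSO\MSOL_placeholder'
```

Test-PhsPrerequisites returns a list of findings, one per failed condition, so an empty result is the healthy case. The rights check deliberately inspects only explicit ACEs: if the connector account receives the replication rights through a group, confirm that membership separately rather than treating a "Missing" result as conclusive.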

Issue 2: One of the objects is not synchronizing passwords

This issue can be resolved as follows:

  1. On the Azure AD Connect server, open Windows PowerShell with the Run as Administrator option.
  2. Run Set-ExecutionPolicy RemoteSigned or Set-ExecutionPolicy Unrestricted.
  3. Start the Azure AD Connect wizard.
  4. Go to Additional Tasks > Troubleshoot, and click Next.
  5. On the Troubleshooting page, click Launch to start the troubleshooting menu in PowerShell.
  6. In the main menu, select Troubleshoot password hash synchronization.
  7. In the sub-menu, select Password hash synchronization does not work at all.
  8. Enter the information on the object that is not being synchronized as requested.

Any of the following errors may arise as the information is entered.

  1. The object in the AAD connector space has not yet been exported. This password is not supposed to be synchronized. The target AAD connector space object has an export error.

    This error occurs when the Azure AD tenant has no object corresponding to this AD domain object, typically because the object has not yet been exported; without an exported target object, password hash synchronization for the object cannot succeed.

  2. Password is set with the user must change password at next logon option enabled. Temporary password not supposed to be synchronized.

    This error occurs if the 'User must change password at next logon' option has been enabled.

  3. The password hash synchronization agent does not have any password change history for the specified object. Password history is purged once in a week.

    Azure AD Connect stores the results of password hash synchronization attempts on an object for a maximum of seven days. If there are no results available for the selected Active Directory object, the above warning is returned.
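The three object-level causes above (no exported target object, a temporary "must change password at next logon" password, and no synchronization history within the seven-day window) can be checked for a single account without walking through the wizard. The script below is an added example, not code from the original page or from Microsoft. It assumes the ActiveDirectory RSAT module and the ADSync and ADSyncDiagnostics modules installed with Azure AD Connect; the connector name and user name in the usage line are placeholders.

```powershell
# Added example (not from the original page). Assumptions:
#  - run elevated on the Azure AD Connect server
#  - ActiveDirectory, ADSync and ADSyncDiagnostics modules are available
#  - connector and account names below are placeholders
Import-Module ActiveDirectory
Import-Module ADSync
Import-Module ADSyncDiagnostics

function Test-PhsObjectState {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$AdConnectorName   # placeholder, e.g. 'contoso.com'
    )
    $findings = @()
    $user = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet

    # Error 2: AD records "User must change password at next logon" as pwdLastSet = 0.
    # Such a temporary password is intentionally not synchronized.
    if ($user.pwdLastSet -eq 0) {
        $findings += "'$SamAccountName' must change password at next logon; the temporary password is not synchronized."
    }

    # Error 1: the object has to be present in the AD connector space (in scope and
    # imported) before it can be joined to an exported Azure AD connector space object.
    $cs = Get-ADSyncCSObject -ConnectorName $AdConnectorName `
                             -DistinguishedName $user.DistinguishedName `
                             -ErrorAction SilentlyContinue
    if (-not $cs) {
        $findings += "'$SamAccountName' is not in connector space '$AdConnectorName' (out of sync scope or not yet imported)."
    }

    # Error 3: per-object results are kept for at most seven days, so this
    # diagnostic only reflects attempts made within that window. It is the same
    # check the wizard's troubleshooting task runs for a single object.
    Invoke-ADSyncDiagnostics -PasswordSync `
                             -ADConnectorName $AdConnectorName `
                             -DistinguishedName $user.DistinguishedName

    if ($findings.Count -eq 0) { "No object-level blockers found for '$SamAccountName'." } else { $findings }
}

# Usage (placeholders):
Test-PhsObjectState -SamAccountName 'jdoe' -AdConnectorName 'contoso.com'
```

If the diagnostic reports no history for the object, remember that the seven-day retention means an account whose password has not changed in that period will legitimately show nothing; a fresh password change on a test account is the cleanest way to confirm the channel is working for that object.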

The steps above cover troubleshooting with the troubleshooting task only; manual troubleshooting is documented separately.

Setting up Azure AD Connect password hash synchronization is a complex process; its configuration and troubleshooting involve multiple steps and commands. ADSelfService Plus, an Active Directory self-service password management and single sign-on solution, offers a password synchronization feature that synchronizes passwords between AD and Azure AD. Enabling this feature involves the minimal steps listed below.

Prerequisites

Before you configure password synchronization for Office 365 or Azure, you need to install the Windows Azure AD module for Windows PowerShell on the server in which ADSelfService Plus is deployed.

Important: Install the Password Sync Agent to synchronize native password changes and resets.

Steps to enable password synchronization between AD and Azure AD using ADSelfService Plus:

  • Log into the ADSelfService Plus admin console with admin credentials.
  • Navigate to Application > Add New Application.
  • Select the Office 365 / Azure accounts application.
  • Enter the Application Name and Description.
  • Enter the Domain name of your Office 365 / Azure account.
  • In the Assign Policies field, select the policies for which password sync needs to be enabled.

Note: ADSelfService Plus allows you to create OU and group-based policies for your AD domains. To create a policy, go to Configuration > Self-Service > Policy Configuration > Add New Policy. Only user accounts that come under these policies can have their passwords synchronized with Azure AD.

  • Select the Enable Password Sync option.
  • Enter the Username and Password of the Office 365 / Azure account.
  • Click Add Application.

Benefits of password synchronization using ADSelfService Plus:

  1. Password synchronization with major enterprise applications including Azure AD/Office 365, AD LDS, Salesforce.
  2. Synchronize custom password policies created using the Password Policy Enforcer feature.
  3. Synchronize native password resets made from the Active Directory Users and Computers console and password changes made in the Ctrl+Alt+Del screen.
  4. Enable password synchronization for users belonging to specific OUs and groups.

Simplify password management with ADSelfService Plus.

Self-service password management and single sign-on solution

ManageEngine ADSelfService Plus is an integrated self-service password management and single sign-on solution for Active Directory and cloud apps. Ensure endpoint security with stringent authentication controls including biometrics and advanced password policy controls.