Azure Directory Sync Credential Errors

jpletcher1
I had set up Directory Sync from our on-premise AD to our Azure AD a while back. I made sure to set the Azure AD account that I use for sync to never expire. Recently it seems like sync stopped working, because user authentication for new users was not working and there were errors in Event Viewer stating "Synchronization failed to start for Active Directory Connector because of credential problems. Run the Windows Azure Active Directory Sync tool Configuration Wizard again to update credentials for synchronization." I re-ran the Directory Sync configuration using the same settings and users for both the Azure and on-premise side. It all ran through fine and everything appears to be syncing again.

The only thing I can think of is that the on-premise account that I used had its password changed. However, when you are running the configuration utility, it states that this credential is not saved. To me that means it is used initially and then not needed on an ongoing basis. Do I have that correct?

Also, I noticed in Event Viewer that after I completed the Directory Sync configuration there was an informational entry stating "Creating Domain Account (MSOL_cae84bd459e)" and then a subsequent warning entry referring to "Resetting password for domain\MSOL_cae84bd459e."
Cliff

Commented:
You are correct that the on-premises account information you entered is not saved. It is used to create a new service account that is exclusively for the use of dirsync. And while it tries to set up the account with all of the settings it needs, group policies do still apply. If you have settings, particularly if you messed with "enforced" or have odd delegations, it may not be able to prevent the local on-prem password policies from overriding what it tries to set. Without the specific error though, I don't know if the problem was your on-prem account or with the Azure account. Those credentials *are* saved and used. A special account is not created on the Azure side.

Author

Commented:
This is the error I was receiving:

Synchronization failed to start for Active Directory Connector because of credential problems. Run the Windows Azure Active Directory Sync tool Configuration Wizard again to update credentials for synchronization.
K B

Commented:
The account could have been locked out.
The "Resetting password for domain\MSOL_cae84bd459e" event is by design and is separate from the issue you were having.
Are you positive sync was broken? Did you run Azure PowerShell as an administrator and run "Start-OnlineCoexistenceSync"? Otherwise I would point to an account lockout somehow.

EDIT: I am seeing this is the AZURE side account. Is that account a dirsynced account?

Yes. The on-prem credentials are forever used. So if it changed, yes it would break dirsync

Author

Commented:
Can you two explain?

Cliff states - You are correct that the on-premises account information you entered is not saved

KB states - The on-prem credentials are forever used. So if it changed, yes it would break dirsync

I know in the setup of DirSync it does state what Cliff is saying, but it seemed to break around the time I changed my domain admin password, which I used in the original setup being that it did say the credential was not saved.

If the on-prem credential is used on an ongoing basis, why the wording in the setup of "this credential is not saved"?
K B

Commented:
Are you speaking about when you choose which OUs are synced? This is true, but this is not during the initial setup of DirSync (where the creds are saved).

Author

Commented:
I'm talking about when I run the "Windows Azure Active Directory Sync Configuration". There is a part that asks for an on-prem user account that has Enterprise Admin credentials, but it states these credentials are not saved.

I set up which OUs to sync with miisclient.exe, and on that I think I only have to enter the Azure account.
K B

Commented:
I have always kept the credentials enabled. Perhaps they are not saved, as you say. Did you check the logs when it happened?

Author

Commented:
Unfortunately the logs had been overwritten after just a few days, and we didn't notice syncing was down for a week or two. So I'll have to increase that logging and watch it this time.
K B

Commented:
My lab is down now as I am racking and stacking them into new boxes. Once it is up I will change the DirSync password and let you know.

Author

Commented:
Were you able to verify this in your lab? What account do most people use for this? The domain administrator account?
K B

Commented:
Apologies for the delay. I am rushing to get my lab back up and running.

Author

Commented:
Just sending a bump to bring this question back to people's feeds. I'm not sure if KB found anything out in his lab.
MaheshArchitect

Commented:
You need the accounts below while configuring AAD Sync:
1. A standard domain user account as the service account for on-premises Active Directory. You can grant password replication rights to this account if you want to use password sync as well. The password of this account is stored by AAD Sync; if this password is changed or expires, you will get a DirSync failure.
2. The service account must be part of the local Administrators group of the DirSync server.
3. An O365 Global Administrator account to connect to the O365 tenant.
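
The thread turns on three things that break the sync silently: the on-premises service account (the MSOL_ account the wizard creates) getting locked out or having its password expire or change, a domain password policy overriding the "never expires" setting the wizard applies, and the sync server's Application log wrapping before anyone reads the "credential problems" event. The following PowerShell is an added health check for those conditions, not code from any participant or from Microsoft. It assumes it runs on the sync server with the RSAT ActiveDirectory module installed; the MSOL_ prefix comes from the thread, while the event source name 'Directory Synchronization' and the $ServiceAccountPrefix and $LookbackDays parameters are assumptions of this example.

```powershell
# Added example: check the on-premises DirSync service account and the sync event log.
# Assumes the RSAT ActiveDirectory module and that this runs on the sync server.
param(
    [string]$ServiceAccountPrefix = 'MSOL_',   # prefix of the account the wizard creates (from the thread)
    [int]$LookbackDays = 7                     # how far back to read the Application log
)

Import-Module ActiveDirectory

# 1. Find the sync service account(s) and report the states that stop sync:
#    disabled, locked out, password expired, or a password set after sync was configured.
$accounts = Get-ADUser -Filter "SamAccountName -like '$ServiceAccountPrefix*'" `
    -Properties LockedOut, PasswordExpired, PasswordNeverExpires, PasswordLastSet, Enabled, LastLogonDate

foreach ($a in $accounts) {
    [pscustomobject]@{
        Account              = $a.SamAccountName
        Enabled              = $a.Enabled
        LockedOut            = $a.LockedOut
        PasswordExpired      = $a.PasswordExpired
        PasswordNeverExpires = $a.PasswordNeverExpires
        PasswordLastSet      = $a.PasswordLastSet
        LastLogonDate        = $a.LastLogonDate
    }
}

# 2. Show the password policy that actually applies to each service account. A fine-grained
#    policy (or the default domain policy) can force expiry even though the wizard set
#    "never expires", which is the override Cliff describes above.
foreach ($a in $accounts) {
    $fgpp = Get-ADUserResultantPasswordPolicy -Identity $a
    if ($fgpp) {
        "$($a.SamAccountName): fine-grained policy '$($fgpp.Name)', MaxPasswordAge $($fgpp.MaxPasswordAge)"
    } else {
        $default = Get-ADDefaultDomainPasswordPolicy
        "$($a.SamAccountName): default domain policy, MaxPasswordAge $($default.MaxPasswordAge)"
    }
}

# 3. Pull recent credential errors from the Application log so the failure is noticed
#    before the log wraps (the thread's logs had been overwritten before anyone looked).
#    The provider name below is an assumption; confirm it against the events on your server.
$since = (Get-Date).AddDays(-$LookbackDays)
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Directory Synchronization'; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'credential' } |
    Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize

# 4. Optional: enlarge the Application log so a week or two of entries survives.
#    (Limit-EventLog is available in Windows PowerShell 5.1.)
# Limit-EventLog -LogName Application -MaximumSize 64MB
```

Run it from an elevated Windows PowerShell session on the sync server (`.\Check-DirSyncAccount.ps1 -LookbackDays 14`). A LockedOut or PasswordExpired value of True, or a PasswordLastSet newer than the last configuration run, matches the failure described in this thread; the policy output tells you whether a domain policy, rather than the wizard, is what set the expiry.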

Author

Commented:
As I understand it, the on-premise account needs to be a domain admin account, not just a standard account. Is that not correct?

I guess the wording on the screen where you enter it says:
Provide the credentials for an account with administrator permissions on your organization's Active Directory directory service.  These credentials will be used to set the permission for the Directory Synchronization tool which will synchronize changes in your organization's Active Directory with Windows Azure Active Directory.  These credentials are not saved.

So does "account with administrator permissions on your organization's Active Directory directory service" mean a domain admin? And what does "These credentials are not saved." mean? It seems like when I change the password for this account it breaks everything.

Thanks for your response.
MaheshArchitect

Commented:
I don't remember seeing the screen you are referring to.
Can you post a screenshot, please?
I never used a Domain Admins account for DirSync; I just created a standard service account and granted it delegated rights on the domain.com container to replicate all changes.

The links below also do not show what you are talking about:
http://mstechtalk.com/step-by-step-azure-ad-sync-installation-guide-part-2/
You do require an O365 Global Admin account, but not Domain Admins for local AD.

The service account info (ID and password) gets stored in the "Configure Directory partitions" page, where you filter which OUs can be synced to Azure.
http://mstechtalk.com/step-by-step-azure-ad-sync-installation-guide-part-3/

What happened is that you provided a Domain Admins account during configuration of the tool, and after you changed the password in AD it stopped working.

Author

Commented:
Here is the setup screen I'm referring to, with the wording I mentioned before. Please let me know your thoughts.
Capture.JPG
MaheshArchitect

Commented:
Just today I set up a new Azure AD Connect for one of my clients and did not use any domain/enterprise admin credentials; I used a standard delegated service account.

I have used only the latest Azure AD Connect.

Are you doing this for O365? In that case Enterprise Admins is not required.

The only thing different is that I logged on to the Azure AD Connect server with an account having Enterprise Admins rights.

Author

Commented:
This is not for Office 365; it's for a custom application, so we just use this DirSync to get our AD info over to Azure. This screenshot states the credentials must be an Administrator on the local AD, but then it also states the credentials are not saved. So if they aren't saved, I'd think the password changing for the account wouldn't cause it to break, but it does.

Author

Commented:
I've requested that this question be deleted for the following reason:

I was not able to get a clear answer, and I don't want to mark an answer as the resolution since none of them were the resolution for me, and I don't want anyone reading this in the future to be misled. The screenshots I posted from the DirSync utility clearly show my issue. I will recreate the case and see if it catches any other eyes.

Author

Commented:
As a response to Mahesh's comment of

"Just today I set up a new Azure AD Connect for one of my clients and did not use any domain/enterprise admin credentials; I used a standard delegated service account."

I tried to use an ordinary account to set Directory Sync up, and when I do, I get this error stating the user has to be a member of the Enterprise Admins group. See attached.

Azure Error
MaheshArchitect

Commented:
When you run the wizard the first time, it gives you an option to select a service account. Have you used that wizard?

Check the link below:
https://azure.microsoft.com/en-in/documentation/articles/active-directory-aadconnect-get-started-custom/
MaheshArchitect

Commented:
I got your issue.
You are trying to run the express wizard, where Enterprise Admins is required:

Express settings installation
In Express settings the installation wizard will ask for Enterprise Admin credentials so your on-premises Active Directory can be configured with required permissions for Azure AD Connect. If you are upgrading from DirSync the Enterprise Admins credentials are used to reset the password for the account used by DirSync.

If you use the custom installation method, I am sure you don't need Enterprise Admins:
https://azure.microsoft.com/en-in/documentation/articles/active-directory-aadconnect-accounts-permissions/
https://azure.microsoft.com/en-in/documentation/articles/active-directory-aadconnect-get-started-custom/

Author

Commented:
That was it. Strange that different ways to install/configure require different credentials. Thanks.
