This is another one of many posts about AAD Connect failing to synchronise passwords, this time with some additional clarifications.
- The admin configured his own account in the AD-DS connector in the management agent.
- The admin changed his password over time. AD sync broke.
- A new service account, dedicated to AD access, was created and the connector was reconfigured to use it, fixing the problem above. AD sync started working again.
What didn't happen is that the new account was granted permission to synchronise passwords. User properties were synchronised, but not password hashes.
There were informational 611 events in the Application event log with source Directory Synchronization:
The relevant bit: RPC Error 8453 : Replication access was denied. There was an error calling _IDL_DRSGetNCChanges
This is because the connector account lacked the following permissions (see https://msdn.microsoft.com/en-us/library/azure/dn757602.aspx):
- Replicating Directory Changes
- Replicating Directory Changes All
These permissions are granted on the domain root.
Open Active Directory Users and Computers and in the View menu enable Advanced Features.
Right-click on the domain name, Properties, Security. Add the account and grant the permissions:
Wait for the next synchronization cycle or kick one off manually. Passwords should now sync successfully.
One last thing: the account you have to grant the permissions to is NOT the one configured for the Microsoft Azure AD Sync service:
Instead, the permissions have to be granted to the account configured on the AD connector:
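The same grant done from PowerShell instead of the ADUC GUI, followed by a check of who holds the two replication rights on the domain root. This is an added example, not from the original post; it assumes the RSAT ActiveDirectory module is available, and the connector account name is a placeholder for whatever is configured on the AD connector (not the ADSync service account).

```powershell
# Added example: grant the two replication extended rights on the domain root
# to the AAD Connect AD connector account, then verify the resulting ACL.
# Assumes the ActiveDirectory RSAT module. The account name is a placeholder.
Import-Module ActiveDirectory

$ConnectorAccount = 'CONTOSO\svc_aadconnect'   # placeholder: the account set on the AD connector
$DomainRoot       = (Get-ADDomain).DistinguishedName

# Well-known rightsGuid values of the two controlAccessRight objects in the AD schema.
$Rights = @{
    'Replicating Directory Changes'     = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes All' = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}

$Sid = (New-Object System.Security.Principal.NTAccount($ConnectorAccount)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Add one Allow ExtendedRight ACE per right, scoped to the domain root object itself.
$Acl = Get-Acl -Path "AD:\$DomainRoot"
foreach ($Name in $Rights.Keys) {
    $Ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $Rights[$Name],
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $Acl.AddAccessRule($Ace)
}
Set-Acl -Path "AD:\$DomainRoot" -AclObject $Acl

# Verify: list every ACE on the domain root carrying either right. The connector
# account should now appear; anything else listed can read every password hash in
# the domain, so review that list as carefully as the domain admins group.
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
(Get-Acl -Path "AD:\$DomainRoot").Access |
    Where-Object { $_.ActiveDirectoryRights.HasFlag($ExtendedRight) -and
                   $Rights.Values -contains $_.ObjectType } |
    Select-Object IdentityReference, AccessControlType,
        @{ n = 'Right'; e = { $ot = $_.ObjectType
                              ($Rights.GetEnumerator() | Where-Object { $_.Value -eq $ot }).Key } } |
    Format-Table -AutoSize
```

Run it as a domain admin on a machine with RSAT, then trigger a sync cycle and confirm the 611 events with RPC Error 8453 stop appearing.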