Azure ADSync service not starting - Invalid user and password

Eric Logsdon 81 Reputation points
2024-07-11T14:55:36.2433333+00:00

We are running AD servers in prem on Windows Server 2022. We have a VNET in Azure that has a third AD server. Azure ADSync Service (V2.3.8.0) runs on one of the AD servers on prem.

This morning, I received this e-mail:


You’re receiving this email because we have detected a critical alert on one of your AadSyncService instances.

Title: Password Hash Synchronization heartbeat was skipped in last 120 minutes.

Description: Password Hash Synchronization has not connected with Microsoft Entra ID in the last 120 minutes. As a result, passwords will not be synchronized with Microsoft Entra ID. Please refer to: Troubleshoot Password Hash Synchronization

Raised: July 11, 2024 2:54 UTC

Recommended action

Restart Microsoft Entra Sync Services:

Please note that any synchronization operations that are currently running will be interrupted. You can choose to perform below steps when no synchronization operation is in progress.

  1. Click Start, click Run, type Services.msc, and then click OK.
  2. Locate Microsoft Entra Sync, right-click it, and then click Restart.

If FIPS compliance is enabled for your machine(s), please disable password hash sync to remediate this alert. Password hash sync is currently not supported for FIPS compliant machines.

To check health of your services monitored by Microsoft Entra Connect Health, visit the Microsoft Entra Connect Health Portal.

If you no longer wish to receive these notifications, read the instructions for updating your settings. Only global administrators can change settings.


We are not set to be FIPS compliant, so I restarted the Sync Service (it was showing as running). The restart failed with event 7038:


The ADSync service was unable to log on as Domain\MSAUser with the currently configured password due to the following error:

The user name or password is incorrect.


Most of the information I've found says to uninstall and reinstall ADSync Services. Is this the best course of action, or is there something else I should look at? Since sync is not working at all right now, I'm a little nervous.

Thanks in advance,

Eric.

Microsoft Entra

1 answer

  1. Marilee Turscak-MSFT 36,161 Reputation points Microsoft Employee
    2024-07-11T22:15:08.23+00:00

    Hi @Eric Logsdon ,

    Please ensure that the password is set up on the Service Account and that the service account is added to the "Log on as a service" group policy. You can update the service account password under Domain Controller > AD Users and Computers > the OU/Container where the Service account is located > Right-click the account (and reset the password if needed).

    If Microsoft Entra Sync is installed at a Domain Controller, it is possible that the ADSync service is failing to start at some reboot operations due to performance issues and not having all dependencies ready when the service tries to start. A possible workaround is to set ADSync service to Automatic (Delayed Start).

    If these steps do not work I would recommend opening a support ticket to share your specific logs and troubleshoot further.

    If the information helped you, please Accept the answer. This will help us and improve searchability for others in the community who may be researching similar questions.

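A PowerShell triage for the event 7038 failure in the question and the checks in the answer (service account password, the "Log on as a service" right, delayed start). This is an added example, not code from the post or from Microsoft; it assumes the service short name is ADSync (as in the event text), that the service runs as a DOMAIN\user account, and that it is run from an elevated session on the Entra Connect server.

```powershell
# Added example, not from the original post: triage the event 7038 logon failure
# described above. Assumes the service short name is 'ADSync' (the name used in
# the event text), that it runs as a DOMAIN\user account as on this page, and
# that this runs in an elevated PowerShell session on the Entra Connect server.
$ServiceName = 'ADSync'

# 1. Account the service runs as, start mode and current state.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on this host." }
"{0} runs as '{1}', StartMode={2}, State={3}" -f $svc.Name, $svc.StartName, $svc.StartMode, $svc.State

# 2. Recent Service Control Manager 7038 events for this service.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7038 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$ServiceName*" } |
    Select-Object TimeCreated, Message

# 3. Does the account hold "Log on as a service" (SeServiceLogonRight) on this host?
#    secedit lists holders as *SID or as account names, so compare against both.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight' | Select-Object -First 1
$holders = if ($line) { ($line.Line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } } else { @() }
Remove-Item $cfg -ErrorAction SilentlyContinue
$acct = New-Object System.Security.Principal.NTAccount($svc.StartName)
$sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
if ($holders -contains $sid -or $holders -contains $svc.StartName) { 'Account holds SeServiceLogonRight.' }
else { 'WARNING: account lacks SeServiceLogonRight; grant it via Local Security Policy / GPO.' }

# 4. Check whether the password you believe is current authenticates against the domain.
#    Success means the service's stored credential is stale (update it on the Log On tab in
#    services.msc); failure means the AD account itself needs a reset or is locked/expired.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$domain, $user = $svc.StartName -split '\\', 2
$cred = Get-Credential -UserName $svc.StartName -Message 'Current service account password to validate'
$ctx  = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain', $domain)
if ($ctx.ValidateCredentials($user, $cred.GetNetworkCredential().Password)) {
    "Password validates against $domain -> the service's stored password is out of date."
} else {
    "Password does NOT validate against $domain -> reset the account in AD Users and Computers first."
}

# 5. Workaround from the answer: delayed automatic start when the server is a domain controller
#    (Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC).
if ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4) {
    sc.exe config $ServiceName start= delayed-auto
}
```

Step 4 only distinguishes a stale stored credential from a broken AD account; if the service runs as a gMSA (name ending in $) there is no password to validate and that step does not apply.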