Problem with AADC sync Event ID 611

Marcin Puwalski 146 Reputation points
2022-12-01T08:46:07.06+00:00

Hi,

I have a new domain with one domain controller.

I have about 50 users with mailboxes in Azure AD. I tried to sync a local user to AAD and merge it with the EO mailbox via SOFT merge (SMTP), but it's not working, and now I constantly get error 611 in Event Viewer:

Password hash synchronization failed for domain: domain.local, domain controller hostname: AD01.domain.LOCAL, domain controller IP address: 192.168.150.18. Details:
Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8453 : Replication access was denied. There was an error calling _IDL_DRSGetNCChanges.
at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnGetChanges(ReplicationState syncState)
at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.GetChanges(ReplicationState replicationState)
at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetryT
at Microsoft.Online.PasswordSynchronization.DeltaSynchronizationTask.SynchronizeCredentialsToCloud()
at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()
at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()
at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)
.

<forest-info>
<partition-name>domain.local</partition-name>
<connector-id>85d5d5f8-3fe7-42ae-b065-479f097238e4</connector-id>
</forest-info>

I tried to change User sign-in from PHS to PTA and back to PHS, but it does not solve the problem.
I tried to use this script, but without results.

Any suggestions?


Accepted answer
Givary-MSFT 33,936 Reputation points Microsoft Employee
2022-12-01T10:29:13.647+00:00

@Marcin Puwalski Apologies, I overlooked the error code, 8453 "Replication access was denied."
Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.GetChanges tries to retrieve the changes, which requires replication permission, and this call is made by AAD Connect and not via the DC. For this I'd say there are missing permissions: ReplicateDirectoryChanges and ReplicateDirectoryChangesAll.

Would request you to verify that the required permissions are in place for the AD DS connector account, reference: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#:~:text=AD%20DS%20Connector%20account%20required%20permissions%20for%20express%20settings

Refer to the steps in this article https://learn.microsoft.com/en-US/troubleshoot/windows-server/windows-security/grant-replicating-directory-changes-permission-adma-service on how to give the permissions ReplicateDirectoryChanges and ReplicateDirectoryChangesAll at the domain level.

If this doesn't help, let's connect offline to troubleshoot.
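The check the accepted answer asks for can be scripted instead of read off the ACL editor by eye. The following PowerShell is an added example for this thread, not code from the answerer, from Microsoft, or from Azure AD Connect. It reads the ACL of the domain naming context (the partition named in the Event 611 text), resolves the AD DS Connector account to its SID, and reports whether the two extended rights that password hash sync's DRS GetNCChanges call depends on are granted. The account name is supplied by the caller; `CONTOSO\MSOL_1234abcd` is a placeholder, not an account from the thread. The two GUIDs are the well-known control access right identifiers for "Replicating Directory Changes" and "Replicating Directory Changes All" from the AD schema. It assumes the ActiveDirectory RSAT module is installed on the machine where it runs.

```powershell
<#
  Added example, not code from the thread or from Azure AD Connect.
  Reports whether an AD DS Connector account holds the two extended rights that
  password hash sync (DRS GetNCChanges) needs on the domain naming context.
  Assumption: the account is passed by the caller; 'CONTOSO\MSOL_1234abcd' is a
  placeholder. Requires the ActiveDirectory module and read access to the domain ACL.
#>
param(
    [Parameter(Mandatory)]
    [string]$ConnectorAccount    # e.g. 'CONTOSO\MSOL_1234abcd' (placeholder)
)

Import-Module ActiveDirectory -ErrorAction Stop

# Well-known control access right GUIDs (Extended-Rights container in the AD schema).
$requiredRights = [ordered]@{
    'Replicating Directory Changes'     = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes All' = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}
# An ExtendedRight ACE with an empty ObjectType grants every extended right at once.
$allExtendedRights = [guid]::Empty

# Match ACEs by SID rather than by display name, so renamed trustees still match.
$accountSid = ([System.Security.Principal.NTAccount]$ConnectorAccount).Translate(
    [System.Security.Principal.SecurityIdentifier])

# PHS reads the domain partition, so the rights must sit on the domain head itself.
$domainDn = (Get-ADRootDSE).defaultNamingContext
$acl      = Get-Acl -Path "AD:\$domainDn"

# Keep only Allow ACEs for this SID that carry the ExtendedRight bit.
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$relevantAces = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (-not $ace.ActiveDirectoryRights.HasFlag($extendedRight)) { continue }
    try {
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        continue   # orphaned or otherwise unresolvable trustee
    }
    if ($aceSid -eq $accountSid) { $ace }
}

# One row per required right: granted directly, or via an all-extended-rights ACE.
$results = foreach ($entry in $requiredRights.GetEnumerator()) {
    $granted = [bool]($relevantAces | Where-Object {
        $_.ObjectType -eq $entry.Value -or $_.ObjectType -eq $allExtendedRights
    })
    [pscustomobject]@{
        Right   = $entry.Key
        Granted = $granted
        Trustee = $ConnectorAccount
        Scope   = $domainDn
    }
}

$results | Format-Table -AutoSize

# Non-zero exit so the check can run from a scheduled task or monitoring job.
if ($results | Where-Object { -not $_.Granted }) {
    Write-Warning "Missing replication right(s) on $domainDn; Event 611 / RPC 8453 will continue until they are granted."
    exit 1
}
```

Two caveats when reading the output. The script inspects ACEs assigned directly to the account, which is how Azure AD Connect express settings grant them to the MSOL_ account; a right inherited through group membership would not be reported. And a `Granted = True` result only shows the ACL is correct: if Event 611 persists after that, the remaining suspects are the connector account actually configured in the Synchronization Service (it may not be the one you checked) or DC-side blocking of the DRS RPC, neither of which this ACL read can see. Granting the missing rights is done with the dsacls commands in the troubleshooting article the answer links to.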

