We are running a multi-forest trusted environment (3 forests, 1 domain each) that uses one AD Connect to a single Microsoft 365 tenant.
We've recently encountered an issue where passwords are not syncing in either direction between on-prem and AAD.
Checking the Event Logs on the AD Connect server, we see a Password Hash Synchronization problem with one of the domains. The other two domains are working properly with no errors.
The 611 Event Viewer error we're getting is:
Password hash synchronization failed for domain: [omitted.domain2], domain controller hostname: <not available>, domain controller IP address: <not available>. Details:
Microsoft.Online.PasswordSynchronization.SynchronizationManagerException: Unable to open connection to domain: [omitted.domain2]. Error: An exception occurred while attempting to resolve the hostname/ipaddress 10.20.0.12. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsCommunicationException: An exception occurred while attempting to resolve the hostname/ipaddress 10.20.0.12. ---> System.Net.Sockets.SocketException: No such host is known
The domain that's encountering the PHS errors was recently configured with domain controller IP addresses (10.20.0.12 in the error excerpt above) and with "Only use preferred domain controllers" ticked under 'Connectors -> On-prem connector -> Configure Directory Partitions -> Domain controller connection settings' in the Synchronization Service Manager, but we've since changed it back to 'auto' (unticked "Only use preferred domain controllers" and removed the IP addresses).
The error is still occurring even after reverting to the 'auto' configuration.
We have not configured the domain controller IP addresses anywhere else within AD Connect.
How do we resolve this error?
We're not sure where to go from here to get the passwords syncing between on-prem and AAD.
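The checks below are an added troubleshooting example for the situation described in the question; they are not from the original post or from Microsoft's documentation. They assume the on-prem connector is named after the domain from the 611 event, that the AAD connector name is a placeholder you replace, and that the PHS events are written by the "Directory Synchronization" provider in the Application log; the only remediation step (disabling and re-enabling PHS for the affected connector, which also triggers a full password sync for that domain) is gated behind a switch.

```powershell
# Added troubleshooting example (not from the original post). Run in an elevated
# PowerShell session on the Azure AD Connect server. Connector names are assumptions:
# the on-prem connector is normally named after the forest, the AAD connector
# '<tenant>.onmicrosoft.com - AAD'. Check both with Get-ADSyncConnector first.
$OnPremConnector = 'omitted.domain2'                 # domain named in the 611 event
$AadConnector    = '<tenant>.onmicrosoft.com - AAD'  # placeholder, replace before use
$FailingAddress  = '10.20.0.12'                      # address quoted in the 611 event

Import-Module ADSync

# 1. Recent PHS failures (event 611). Provider name is an assumption; adjust if your
#    events show a different source. Keep only those for the affected domain.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Directory Synchronization'; Id = 611 } -MaxEvents 50 |
    Where-Object { $_.Message -match [regex]::Escape($OnPremConnector) } |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# 2. Confirm the connector names and that PHS is still enabled for the failing domain.
Get-ADSyncConnector | Select-Object Name
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $OnPremConnector

# 3. Check whether the address from the event resolves from this server.
#    "No such host is known" is the SocketException text for a failed DNS lookup,
#    so a failing reverse lookup here points at DNS rather than at the connector.
try {
    [System.Net.Dns]::GetHostEntry($FailingAddress) | Select-Object HostName, AddressList
} catch {
    Write-Warning "Lookup of $FailingAddress failed: $($_.Exception.Message)"
}

# 4. Documented reset: disable and re-enable PHS for the connector. This triggers a
#    full password sync for that domain, so it stays off until you flip the switch.
$ReinitialisePhs = $false
if ($ReinitialisePhs) {
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $OnPremConnector -TargetConnector $AadConnector -Enable $false
    Start-Sleep -Seconds 30
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $OnPremConnector -TargetConnector $AadConnector -Enable $true
}

# 5. Microsoft's built-in PHS diagnostics cover connectivity, event log and heartbeat.
Import-Module ADSyncDiagnostics
Invoke-ADSyncDiagnostics -PasswordSync
```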