Issue with Logging into AAD DS using accounts originally synced from AD

ATROC 96 Reputation points
2020-11-05T12:44:27.943+00:00

Hi All.

I've got an issue getting users logged on in AAD DS which are synced from on-premises AD -> AAD -> AADS.

I have AD Connect set up, added the items and ran the script here: https://learn.microsoft.com/en-gb/azure/active-directory-domain-services/tutorial-configure-password-hash-sync and left it for a few days to sync, but unfortunately it hasn't worked. I can't log in to AAD DS with any account that originated in the on-premises AD.

I have followed all the troubleshooting steps I could find but have not been able to find a solution.

The on-prem DC has an up-to-date version of AD Connect; the script seemed to go through fine and it has been left for a few days.

Checking the connector, I can see that Force Full Password Sync is in the global parameters:
GlobalParameters : {Connector.GroupFilteringGroupDn : , Connector.DeviceContainerDn : CN=RegisteredDevices,DC=[REDACTED], Microsoft.Synchronize.ForceFullPasswordSync

ADDS from the Azure portal looks like it's syncing correctly.

I'm pretty stuck, so any help is appreciated. Is there any way I can visibly check if the hashes have hit AAD and AADS?

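The question above asks how to verify that password hashes have actually been synchronised. The script below is an added example (not code from the thread, the tutorial, or Microsoft) that runs on the Azure AD Connect server and checks the three things the poster describes: that password hash sync is enabled for the connector pair, that the `Microsoft.Synchronize.ForceFullPasswordSync` flag the tutorial script sets is present, and that recent password sync events were written. The connector names are assumptions; the event IDs are the ones Microsoft's password hash sync troubleshooting guidance filters on.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session
# on the Azure AD Connect server. Connector names are assumptions; take the
# real ones from (Get-ADSyncConnector).Name.
Import-Module ADSync

$adConnector      = 'contoso.com'                    # on-premises AD connector (assumption)
$azureadConnector = 'contoso.onmicrosoft.com - AAD'  # Azure AD connector (assumption)

function Test-PasswordHashSyncState {
    # 1. Is password hash sync enabled from the AD connector to the AAD connector?
    $cfg = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector
    Write-Host ("PHS enabled ({0} -> {1}): {2}" -f $adConnector, $azureadConnector, $cfg.Enabled)

    # 2. Is the full-sync flag from the tutorial script still set on the connector?
    #    The thread shows it in GlobalParameters; Value 1 means a full sync was requested.
    $flag = (Get-ADSyncConnector -Name $adConnector).GlobalParameters |
        Where-Object { $_.Name -eq 'Microsoft.Synchronize.ForceFullPasswordSync' }
    Write-Host ("ForceFullPasswordSync present: {0} (value: {1})" -f [bool]$flag, $flag.Value)

    # 3. Recent password sync activity in the Application log.
    #    650/651 bracket a batch of retrieved passwords; 656 is a per-user change
    #    request and 657 its result, so 657 entries show hashes leaving this server.
    Get-EventLog -LogName Application -Source 'Directory Synchronization' `
        -InstanceId 650, 651, 656, 657 -After (Get-Date).AddHours(-3) |
        Sort-Object TimeGenerated |
        Format-Table TimeGenerated, InstanceId, Message -AutoSize -Wrap
}

Test-PasswordHashSyncState
```

If `Enabled` is false, or no 656/657 events appear in the window, the hashes never left the AD Connect server and the AAD DS side is not the place to look. If they do appear, the remaining question is what the managed domain did with the account, which is where the accepted answer picks up.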

Accepted answer
  1. ATROC 96 Reputation points
    2020-11-10T15:26:07.357+00:00

    Hi Alfredo,

    It was a user forest and the password was reset. Turns out the password hash syncing was fine and I did have everything configured correctly, but that wasn't the end of it.

    I managed to track down the issues. When Azure File Services queries AADS it checks against the pre-Windows 2000 UPN instead of the normal UPN, so that's why it was failing to log in.

    And to make things even more confusing AAD DS does something weird when it syncs over existing accounts from AD -> AAD -> AADS.

    It adds the regular username, i.e. Joe.Bloggs, in the UPN, but for the pre-Windows 2000 username it changes it by appending some (not all) of the tenant name at the end of the username, i.e. Joe.Bloggs_Compa.

    For any new accounts it doesn't add that extra bit on.

    I just had to make sure to check the pre-2000 username in AADS and then log in to Azure FS with that instead of the normal UPN.

    It was an absolute nightmare to figure out what was going on but I have it working now.

    Thanks for your help anyway.

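The accepted answer's finding is that, for accounts synced from on-premises AD, the managed domain's pre-Windows 2000 logon name (the `sAMAccountName` attribute) does not match the prefix of the UPN, and Azure Files authenticates against the former. The script below is an added example (not code from the thread or from Microsoft) that lists every user in the managed domain whose `sAMAccountName` differs from the UPN prefix, so the value that Azure Files expects can be read off directly instead of discovered by failed logins. It assumes the RSAT ActiveDirectory module on a VM joined to the managed domain, and the managed domain name is an assumption.

```powershell
# Added example, not from the thread. Run on a VM joined to the AAD DS managed
# domain with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

$ManagedDomain = 'aaddscontoso.com'   # assumption: replace with your managed domain name

function Get-UpnSamMismatch {
    param(
        [string]$Server = $ManagedDomain,
        # Default to the whole domain; narrow to the synced users' OU if you prefer.
        [string]$SearchBase = (Get-ADDomain -Server $ManagedDomain).DistinguishedName
    )

    Get-ADUser -Server $Server -SearchBase $SearchBase -Filter * `
        -Properties SamAccountName, UserPrincipalName, PasswordLastSet |
    ForEach-Object {
        # The part of the UPN before '@' is what the poster typed; the
        # sAMAccountName is what Azure Files actually matched against.
        $upnPrefix = if ($_.UserPrincipalName) { $_.UserPrincipalName.Split('@')[0] } else { '' }
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            SamAccountName    = $_.SamAccountName
            PasswordLastSet   = $_.PasswordLastSet   # empty here is worth a second look
            Mismatch          = ($upnPrefix -ne $_.SamAccountName)   # -ne is case-insensitive
        }
    }
}

# Show only the accounts where the two names diverge (e.g. Joe.Bloggs vs Joe.Bloggs_Compa).
Get-UpnSamMismatch | Where-Object Mismatch | Format-Table -AutoSize
```

Newly created accounts should not appear in the output, which matches the answer's observation that only accounts synced from on-premises AD get the suffix; for the ones that do appear, the `SamAccountName` column is the logon name to use against Azure Files.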

1 additional answer

  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
    2020-11-05T18:30:20.98+00:00

    Hello @ATROC, during the initial configuration of AADDS you need to configure the forest as type "User" instead of "Resource". Also, you will need to change passwords after AADS is enabled.

    Let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.

