100s of Azure AD Connect service messages in event log after reboot

Paul Hackett 21 Reputation points
2020-06-08T20:10:57.797+00:00

We are running in Hybrid mode using Azure AD Connect ver 1.5.29.0, running on a Windows 2019 Server, Version 1809.
The service is running fine until I reboot, and then my System event log fills up with 100s of messages over the course of 15 - 30 seconds with the following events:

Event: 7031
Description: The Microsoft Azure AD Sync service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

Event: 7000
Description: The Microsoft Azure AD Sync service failed to start due to the following error:
The service did not start due to a logon failure.

Event: 7038
Description: The ADSync service was unable to log on as SCIINC\AAD_0315e1ea987c with the currently configured password due to the following error:
The user name or password is incorrect.

I know the username and password work because when I restart the service it stops and restarts with no issues.
I have changed the services to Automatic (Delayed Start) - same issue.
I have removed and reinstalled Azure AD Connect and still have the same issue.
We monitor these services because I want to know if there is an issue, so I get 100s of messages each time the server is rebooted.
Any assistance would be greatly appreciated.

Microsoft Entra ID

2 answers

  1. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2020-06-08T23:37:51.973+00:00

    That error usually occurs if you have at some point changed the service account password, which might explain why the credentials still work but are failing later.

    The documentation mentions that there are two things that need to be done when you change the service account password.

    First, you need to change the password under the Windows Service Control Manager. Until this issue is resolved you will see the following errors:

    If you try to start the Synchronization Service in Windows Service Control Manager, you receive the error “Windows could not start the Microsoft Azure AD Sync service on Local Computer. Error 1069: The service did not start due to a logon failure.”

    Under Windows Event Viewer, the system event log contains an error with Event ID 7038 and message “The ADSync service was unable to log on as with the currently configured password due to the following error: The user name or password is incorrect.”

    Second, under specific conditions, if the password is updated, the Synchronization Service can no longer retrieve the encryption key via DPAPI. Without the encryption key, the Synchronization Service cannot decrypt the passwords required to synchronize to/from on-premises AD and Azure AD. You will see errors such as:

    Under Windows Service Control Manager, if you try to start the Synchronization Service and it cannot retrieve the encryption key, it fails with error “Windows could not start the Microsoft Azure AD Sync on Local Computer. For more information, review the System Event log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code -21451857952.”

    Under Windows Event Viewer, the application event log contains an error with Event ID 6028 and error message “The server encryption key cannot be accessed.”

    To ensure that you do not receive these errors, follow the procedures in Abandoning the ADSync service account encryption key when changing the password.

    If you haven't done so already, I would try following the troubleshooting guide for this error and try those two steps.


  2. JamesTran-MSFT 36,371 Reputation points Microsoft Employee
    2020-06-12T21:31:32.86+00:00

    @PaulHackett-1507

    This looks like a duplicate issue. I'll go ahead and close out this thread and we can continue the conversation on the below Q&A thread.

    https://learn.microsoft.com/en-us/answers/questions/33592/index.html

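The two conditions described in the first answer (Service Control Manager logon failure versus an inaccessible encryption key) can be told apart from the event logs. The PowerShell below is an added example, not part of the original thread or of Microsoft's tooling. It assumes the Windows service name is ADSync, as in the event 7038 text, and that it is run elevated on the Azure AD Connect server; the function name Get-ADSyncStartupTriage is hypothetical.

```powershell
# Added example: summarise ADSync start-up failures logged since the last boot.
# Event IDs and log names are the ones quoted in this thread; the service name
# 'ADSync' is an assumption taken from the event 7038 text.
function Get-ADSyncStartupTriage {
    $boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    $svc  = Get-CimInstance Win32_Service -Filter "Name='ADSync'"

    # System log: 7000 (failed to start), 7031 (terminated), 7038 (logon failure)
    $scm = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Id = 7000, 7031, 7038; StartTime = $boot
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'ADSync|Azure AD Sync' }

    # Application log: 6028 (server encryption key cannot be accessed)
    $key = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; Id = 6028; StartTime = $boot
    } -ErrorAction SilentlyContinue

    # Count and time span per event ID, so a post-reboot burst is visible at a glance
    $perId = @(@($scm) + @($key) | Where-Object { $_ } | Group-Object Id |
        ForEach-Object {
            $t = @($_.Group.TimeCreated | Sort-Object)
            [pscustomobject]@{
                EventId = [int]$_.Name
                Count   = $_.Count
                First   = $t[0]
                Last    = $t[-1]
            }
        })

    # Map the events to the two conditions named in the first answer
    $diagnosis = @()
    if ($perId.EventId -contains 7038) {
        $diagnosis += 'Event 7038: SCM could not log on with the stored service-account password'
    }
    if ($perId.EventId -contains 6028) {
        $diagnosis += 'Event 6028: encryption key could not be retrieved (DPAPI)'
    }

    [pscustomobject]@{
        BootTime  = $boot
        RunAs     = $svc.StartName
        StartMode = $svc.StartMode
        Delayed   = $svc.DelayedAutoStart
        State     = $svc.State
        Events    = $perId
        Diagnosis = $diagnosis
    }
}

Get-ADSyncStartupTriage | Format-List
```

Expanding the `Events` property shows how many entries each event ID produced and over what interval, which helps when tuning an alert so that a single reboot does not generate hundreds of notifications.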