When I run the password synchronization diagnostics with the Invoke-ADSyncDiagnostics -PasswordSync command, I get this error:
Password Hash Synchronization cloud configuration is enabled.
Password Hash Synchronization agent had an error while pushing password changes to AAD tenant at: 05/12/2019 06:08:19 UTC
Please make sure AAD connector account is added to AAD Tenant, and username and password for this account are valid.
Please check 652 error events in the application event logs for details
I changed the passwords and am 100% sure that they are correct. If I start password synchronization for a specific user, then it passes successfully. So it's not about the account on the connector.
There is an event with code 652 in the Application log. Here it is:
Failed credential provisioning batch. Clearing affinity to the current service endpoint:. Error: Microsoft.MetadirectoryServices.UnexpectedDataException: The DN given to RDNToSourceAnchor is not valid.
at Microsoft.Online.DirSync.Extension.Utilities.DNEncoding.RdnToBinary (String rdn)
at Microsoft.Azure.ActiveDirectory.Connector.PasswordChangeNotificationExtension.CreateRequest (IList`1 passwords, String forestInfo)
at Microsoft.Azure.ActiveDirectory.Connector.PasswordChangeNotificationExtension.SetPasswords (IList`1 allPasswords, String forestInfo).
How can I fix it?