Troubleshoot password hash sync issues with Azure AD Connect sync - Microsoft Inside (2023)


This topic provides steps for troubleshooting password hash synchronization issues. If passwords are not synchronizing as expected, the problem may affect some or all users.

If you deployed Azure Active Directory (Azure AD) Connect using version 1.1.614.0 or later, use the troubleshooting task in the wizard to troubleshoot password hash synchronization issues:

  • If you have issues with passwords not synchronizing at all, see Passwords are out of sync: use troubleshooting tasks to resolve the issue.

  • If you have issues with individual objects, see Object not synchronizing passwords: use troubleshooting tasks to resolve the issue.

If you deployed version 1.1.524.0 or later, a diagnostic cmdlet is available to troubleshoot password hash synchronization issues:

  • If you have issues with passwords not synchronizing at all, see Passwords are out of sync: Troubleshoot with the Diagnostic cmdlets.

  • If you have issues with individual objects, see Object Not Synchronizing Passwords: Troubleshooting Using the Diagnostic cmdlets.

For older versions of Azure AD Connect:

  • If you have issues with passwords not synchronizing at all, see Passwords not syncing - Manual Troubleshooting Steps.

  • If you have issues with individual objects, see Object not synchronizing passwords: manual troubleshooting steps.

Passwords are out of sync: use troubleshooting tasks to resolve the issue

You can use troubleshooting tasks to find out why passwords are not synced.

Note

Troubleshooting tasks only apply to Azure AD Connect version 1.1.614.0 or later.

Run the troubleshooting task

To troubleshoot passwords that are not synchronizing at all:

  1. Open a new Windows PowerShell session on the Azure AD Connect server with the Run as administrator option.

  2. Run Set-ExecutionPolicy RemoteSigned or Set-ExecutionPolicy Unrestricted.

  3. Start the Azure AD Connect wizard.

  4. Navigate to the Additional tasks page, select Troubleshoot, and then click Next.

  5. On the Troubleshooting page, click Launch to start the troubleshooting menu in PowerShell.

  6. In the main menu, select Troubleshoot password hash synchronization.

  7. In the submenu, select Password hash synchronization does not work at all.

Understand the results of your troubleshooting efforts

The troubleshooting task performs the following checks:

  • Verifies that the password hash synchronization feature is enabled for your Azure AD tenant.

  • Verifies that the Azure AD Connect server is not in staging mode.

  • For each on-premises Active Directory connector (which corresponds to an existing on-premises Active Directory forest):

    • Verifies that password hash synchronization is enabled.

    • Looks for password hash synchronization heartbeat events in the Windows Application event log.

    • For each Active Directory domain under the on-premises Active Directory connector:

      • Verifies that the domain is reachable from the Azure AD Connect server.

      • Verifies that the Active Directory Domain Services (AD DS) account used by the on-premises Active Directory connector has the correct username, password, and the permissions required for password hash synchronization.

The following image illustrates the cmdlet output for a single domain on-premises Active Directory topology:

[Image 1: troubleshooting task output for a single-domain on-premises Active Directory topology]

The remainder of this section describes the specific results returned by the task and the corresponding questions.

Password hash synchronization is not enabled

If you have not enabled password hash synchronization using the Azure AD Connect wizard, the following error is returned:

[Image 2: error returned when password hash synchronization is not enabled]

Azure AD Connect server is in staging mode

If the Azure AD Connect server is in staging mode, password hash synchronization is temporarily disabled, and the following error is returned:

[Image 3: error returned when the Azure AD Connect server is in staging mode]

No password hash sync events

Each on-premises Active Directory connector has its own password hash synchronization channel. When the channel is established and there are no password changes to synchronize, a heartbeat event (EventId 654) is written to the Windows Application event log every 30 minutes. For each on-premises Active Directory connector, the cmdlet looks for corresponding heartbeat events within the last three hours. If no heartbeat event is found, the following error is returned:

[Image 4: error returned when no password hash synchronization heartbeat event is found]

AD DS account does not have correct permissions

If the AD DS account used by the on-premises Active Directory connector to synchronize password hashes does not have the appropriate permissions, the following error is returned:

[Image 5: error returned when the AD DS account lacks the required permissions]

Incorrect AD DS account username or password

If the username or password of the AD DS account used by the on-premises Active Directory connector to synchronize password hashes is incorrect, the following error is returned:

[Image 6: error returned when the AD DS account username or password is incorrect]

Object not synchronizing passwords: use troubleshooting tasks to resolve the issue

You can use troubleshooting tasks to determine why objects are not synchronizing passwords.

Note

Troubleshooting tasks only apply to Azure AD Connect version 1.1.614.0 or later.

Run the troubleshooting task

To troubleshoot a specific user object:

  1. Open a new Windows PowerShell session on the Azure AD Connect server with the Run as administrator option.

  2. Run Set-ExecutionPolicy RemoteSigned or Set-ExecutionPolicy Unrestricted.

  3. Start the Azure AD Connect wizard.

  4. Navigate to the Additional tasks page, select Troubleshoot, and then click Next.

  5. On the Troubleshooting page, click Launch to start the troubleshooting menu in PowerShell.

  6. In the main menu, select Troubleshoot password hash synchronization.

  7. In the submenu, select Passwords for specific user accounts are not synchronized.

Understand the results of your troubleshooting efforts

The troubleshooting task performs the following checks:

  • Checks the state of the Active Directory object in the Active Directory connector space, the metaverse, and the Azure AD connector space.

  • Verifies that there are synchronization rules with password hash synchronization enabled and applied to the Active Directory object.

  • Attempts to retrieve and display the result of the last attempt to synchronize an object's password.

The following image illustrates the cmdlet output when troubleshooting password hash synchronization for a single object:

[Image 7: troubleshooting task output for a single object]

The rest of this section describes the specific results returned by the cmdlets and the corresponding problems.

Active Directory objects are not exported to Azure AD

Password hash synchronization for this on-premises Active Directory account fails because there is no corresponding object in the Azure AD tenant. The following error is returned:

[Image 8: error returned when the Active Directory object has not been exported to Azure AD]

The user has a temporary password

Currently, Azure AD Connect does not support synchronizing temporary passwords to Azure AD. A password is considered temporary if the Change password at next logon option is set on the on-premises Active Directory user. The following error is returned:

[Image 9: error returned when the user has a temporary password]

The results of the last password sync attempt are not available

By default, Azure AD Connect stores the results of password hash synchronization attempts for 7 days. If no results are available for the selected Active Directory object, the following warning will be returned:

[Image 10: warning returned when no result of the last password synchronization attempt is available]

Passwords are out of sync: Troubleshoot with the Diagnostic cmdlets

You can use the Invoke-ADSyncDiagnostics cmdlet to find out why passwords are not synchronized.

Note

The Invoke-ADSyncDiagnostics cmdlet only works with Azure AD Connect version 1.1.524.0 or later.

Run the diagnostic cmdlet

To troubleshoot passwords that are not synchronizing at all:

  1. Open a new Windows PowerShell session on the Azure AD Connect server with the Run as administrator option.

  2. Run Set-ExecutionPolicy RemoteSigned or Set-ExecutionPolicy Unrestricted.

  3. Run Import-Module ADSyncDiagnostics.

  4. Run Invoke-ADSyncDiagnostics -PasswordSync.

Object Not Synchronizing Passwords: Troubleshooting Using the Diagnostic cmdlets

You can use the Invoke-ADSyncDiagnostics cmdlet to determine why an object is not synchronizing passwords.

Note

The Invoke-ADSyncDiagnostics cmdlet only works with Azure AD Connect version 1.1.524.0 or later.

Run the diagnostic cmdlet

To troubleshoot a user whose password is not synchronizing:

  1. Open a new Windows PowerShell session on the Azure AD Connect server with the Run as administrator option.

  2. Run Set-ExecutionPolicy RemoteSigned or Set-ExecutionPolicy Unrestricted.

  3. Run Import-Module ADSyncDiagnostics.

  4. Run the following cmdlet:

    Invoke-ADSyncDiagnostics -PasswordSync -ADConnectorName <Name-of-AD-Connector> -DistinguishedName <DistinguishedName-of-AD-object>

    For example:

    Invoke-ADSyncDiagnostics -PasswordSync -ADConnectorName "contoso.com" -DistinguishedName "CN=TestUser,CN=Users,DC=contoso,DC=com"
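The four steps above, wrapped into one script that runs the per-object diagnostic for a list of users. This is an added example, not code from the original article or from Azure AD Connect itself. It assumes an elevated Windows PowerShell 5.1 session on the Azure AD Connect server, the RSAT ActiveDirectory module (used to resolve each sAMAccountName to its distinguished name), and a constructed connector name "contoso.com"; the function name Invoke-PhsUserDiagnostics and the account names are hypothetical. Before calling Invoke-ADSyncDiagnostics it checks pwdLastSet, because a value of 0 is how "User must change password at next logon" is stored, and such temporary passwords are never synchronized.

```powershell
# Added example (not from the original article): run the Invoke-ADSyncDiagnostics
# procedure for several users, with a pre-check for temporary passwords.
function Invoke-PhsUserDiagnostics {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ADConnectorName,      # name of the on-premises AD connector
        [Parameter(Mandatory)][string[]]$SamAccountName,     # users to diagnose
        [string]$TranscriptPath = "$env:TEMP\phs-diagnostics.txt"
    )

    # Step 1: the session must be elevated (Run as administrator).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Run as administrator) PowerShell session.'
    }

    # Step 2: scope the execution policy change to this process rather than the machine.
    Set-ExecutionPolicy RemoteSigned -Scope Process -Force

    # Step 3: load the diagnostics module (and the AD module for DN lookups).
    Import-Module ActiveDirectory
    Import-Module ADSyncDiagnostics

    # The cmdlet writes its findings to the console, so keep a transcript for the record.
    Start-Transcript -Path $TranscriptPath -Append | Out-Null
    try {
        foreach ($sam in $SamAccountName) {
            $user = Get-ADUser -Identity $sam -Properties pwdLastSet

            # pwdLastSet = 0 means "User must change password at next logon";
            # the page states that temporary passwords are not synchronized.
            if ($user.pwdLastSet -eq 0) {
                Write-Warning "$sam has 'User must change password at next logon' set; the password will not synchronize until it is changed."
            }

            # Step 4: run the diagnostic for this object.
            Write-Host "=== $sam ($($user.DistinguishedName)) ==="
            Invoke-ADSyncDiagnostics -PasswordSync -ADConnectorName $ADConnectorName -DistinguishedName $user.DistinguishedName
        }
    }
    finally {
        Stop-Transcript | Out-Null
    }
}

# Usage (connector and account names are constructed values):
# Invoke-PhsUserDiagnostics -ADConnectorName 'contoso.com' -SamAccountName 'TestUser', 'jdoe'
```

The transcript path defaults to the user's temp directory; point it at a location that is retained if the output is needed for a support case.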

Passwords not syncing - Manual Troubleshooting Steps

Follow the steps below to determine why your passwords are not syncing:

  1. Is the Connect server in staging mode? A server in staging mode does not synchronize any passwords.

  2. Run the script in Get the status of password sync settings. It gives you an overview of the password synchronization settings.

    [Image 11: output of the settings status script]

  3. If the feature is not enabled in Azure AD or if the sync channel status is not enabled, run the Connect installation wizard. Select Customize synchronization options and clear Password synchronization. This change temporarily disables the feature. Then run the wizard again and re-enable password synchronization. Run the script again to verify that the settings are correct.

  4. Look in the event log for errors. Look for the following events, which indicate a problem:

    • Source: "Directory Synchronization", ID: 0, 611, 652, 655. If you see these events, you have a connectivity problem. The event log message contains information about the forest where the problem is.

  5. If you see no heartbeat, or if nothing else works, run the script in Enable full synchronization of all passwords. Run the script only once.

  6. See Object not synchronizing passwords: manual troubleshooting steps.
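A read-only health check that performs, from one PowerShell session, the checks this page describes: staging mode, the tenant-level password hash synchronization feature, the EventId 654 heartbeat from the "No password hash sync events" section, and the connectivity-problem events (IDs 0, 611, 652, 655) from step 4 above. This is an added example, not code from the original article or from Azure AD Connect. It assumes an elevated Windows PowerShell 5.1 session on the Azure AD Connect server with the ADSync module installed, and that the Directory Synchronization events are in the Application log as the page states; the function name Get-PhsHealthSummary is hypothetical.

```powershell
# Added example (not from the original article): summarize the password hash
# synchronization health signals described on this page.
Import-Module ADSync

function Get-PhsHealthSummary {
    [CmdletBinding()]
    param(
        [int]$LookbackHours = 3   # the troubleshooting task looks back three hours
    )
    $since = (Get-Date).AddHours(-$LookbackHours)

    # Servers in staging mode do not synchronize any passwords.
    $staging = (Get-ADSyncScheduler).StagingModeEnabled

    # Tenant-level feature flag, the same property the page's status script prints.
    $phsEnabled = (Get-ADSyncAADCompanyFeature).PasswordHashSync

    $filter = @{ LogName = 'Application'; ProviderName = 'Directory Synchronization'; StartTime = $since }

    # Heartbeat: EventId 654 is written every 30 minutes per sync channel when idle.
    # Get-WinEvent errors when nothing matches, so suppress that and treat it as "none".
    $heartbeats = @(Get-WinEvent -FilterHashtable ($filter + @{ Id = 654 }) -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated -Descending)

    # Connectivity indicators listed in the manual troubleshooting steps.
    $problems = @(Get-WinEvent -FilterHashtable ($filter + @{ Id = @(0, 611, 652, 655) }) -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated -Descending)

    $lastBeat = if ($heartbeats.Count -gt 0) { $heartbeats[0].TimeCreated } else { $null }
    $ageMinutes = if ($lastBeat) { [int]((Get-Date) - $lastBeat).TotalMinutes } else { $null }

    # Same order of precedence the page's troubleshooting flow follows.
    $likelyCause =
        if ($staging)                  { 'Server is in staging mode' }
        elseif (-not $phsEnabled)      { 'Password hash sync feature is not enabled in Azure AD' }
        elseif ($problems.Count -gt 0) { 'Connectivity problem (see ConnectivityMessages)' }
        elseif ($heartbeats.Count -eq 0) { "No heartbeat event in the last $LookbackHours hours" }
        else                           { 'No issue detected by these checks' }

    [pscustomobject]@{
        StagingMode             = $staging
        PasswordHashSyncEnabled = $phsEnabled
        LookbackHours           = $LookbackHours
        HeartbeatCount          = $heartbeats.Count
        LastHeartbeat           = $lastBeat
        HeartbeatAgeMinutes     = $ageMinutes
        ConnectivityEventIds    = @($problems | Select-Object -ExpandProperty Id -Unique)
        # The event messages name the forest that has the problem, as the page notes.
        ConnectivityMessages    = @($problems | ForEach-Object { $_.Message })
        LikelyCause             = $likelyCause
    }
}

Get-PhsHealthSummary | Format-List
```

Because the function returns an object rather than printing, the same call can feed a scheduled task or monitoring agent: alert when HeartbeatCount is 0 or ConnectivityEventIds is non-empty, which is the condition under which the page tells you to investigate connectivity before forcing a full password sync.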

Connectivity problems

Do you have connectivity with Azure AD?

Does the account have the required permissions to read the password hashes on all domains? If you installed Connect using Express settings, the permissions should already be correct.

If you used a custom installation, set permissions manually by doing the following:

  1. To find the account used by the Active Directory connector, start Synchronization Service Manager.

  2. Go to Connectors, and then locate the on-premises Active Directory forest you are troubleshooting.

  3. Select the connector, and then click Properties.

  4. Go to Connect to Active Directory Forest.

    [Image 12: Connect to Active Directory Forest page in Synchronization Service Manager]
    Note the username and the domain where the account is located.

  5. Start Active Directory Users and Computers, and then verify that the account you found has the following permissions set at the root of all domains in your forest:

    • Replicate Directory Changes
    • Replicate Directory Changes All

  6. Are the domain controllers reachable by Azure AD Connect? If the Connect server cannot connect to all domain controllers, configure Only use preferred domain controllers.

    [Image 13: Configure Directory Partition dialog]

  7. Go back to Synchronization Service Manager and Configure Directory Partition.

  8. Select your domain in Select directory partitions, select the Only use preferred domain controllers check box, and then click Configure.

  9. In the list, enter the domain controllers that Connect should use for password synchronization. The same list is also used for import and export. Do these steps for all your domains.

Note

To apply the changes, restart the Microsoft Azure AD Sync service (ADSync).

  10. If the script shows that there is no heartbeat, run the script in Enable full synchronization of all passwords.
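Step 5 above is a manual check in Active Directory Users and Computers. The following script performs the same verification from PowerShell by reading the ACL at the root of a domain and reporting whether the connector account has been granted the two replication extended rights. This is an added example, not code from the original article or from Azure AD Connect. It assumes the RSAT ActiveDirectory module (which provides the AD: drive) and an account name taken from the Connect to Active Directory Forest page; the account name in the usage line is constructed and the function names are hypothetical. The two GUIDs are the well-known control-access-right identifiers for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.

```powershell
# Added example (not from the original article): check that the AD DS connector
# account holds "Replicate Directory Changes" and "Replicate Directory Changes All"
# at the root of a domain.
Import-Module ActiveDirectory

function ConvertTo-Sid {
    # Translate an ACE identity (NTAccount or SID) to a SID; unresolvable identities yield $null.
    param([System.Security.Principal.IdentityReference]$Identity)
    try { $Identity.Translate([System.Security.Principal.SecurityIdentifier]) } catch { $null }
}

function Test-PhsReplicationRights {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Account,                 # e.g. 'CONTOSO\MSOL_connector' (constructed)
        [string]$DomainDn = (Get-ADDomain).DistinguishedName,    # root of the domain to check
        [string]$Drive = 'AD'                                    # AD provider drive to read the ACL from
    )
    # Well-known control-access-right GUIDs for the two replication rights.
    $rights = [ordered]@{
        'Replicate Directory Changes'     = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
        'Replicate Directory Changes All' = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
    }

    $sid = ConvertTo-Sid (New-Object System.Security.Principal.NTAccount($Account))
    if (-not $sid) { throw "Cannot resolve account '$Account'." }

    # Only Allow ACEs granted directly to the account are considered; rights that
    # arrive through group membership are not expanded here, so a False result
    # means "check the account's groups next", not necessarily "missing".
    $acl  = Get-Acl -Path "$($Drive):\$DomainDn"
    $aces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        (ConvertTo-Sid $_.IdentityReference) -eq $sid
    }

    foreach ($name in $rights.Keys) {
        $guid = $rights[$name]
        # An empty ObjectType GUID means "all extended rights", which covers these two as well.
        $granted = @($aces | Where-Object { $_.ObjectType -eq $guid -or $_.ObjectType -eq [guid]::Empty }).Count -gt 0
        [pscustomobject]@{ Domain = $DomainDn; Account = $Account; Right = $name; Granted = $granted }
    }
}

# Usage (constructed account name). Repeat for every domain in the forest; for a
# domain other than the one the default AD: drive is bound to, map a drive first:
#   New-PSDrive -Name ADChild -PSProvider ActiveDirectory -Server dc1.child.contoso.com -Root ''
# and call with -Drive ADChild -DomainDn 'DC=child,DC=contoso,DC=com'.
Test-PhsReplicationRights -Account 'CONTOSO\MSOL_connector' | Format-Table -AutoSize
```

Reading the ACL requires only read access to the domain root, so the check can be run from any domain-joined workstation with RSAT; it does not need to run on the Azure AD Connect server.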

Object not synchronizing passwords: manual troubleshooting steps

You can troubleshoot password hash synchronization issues for a single object by reviewing the status of the object.

  1. In Active Directory Users and Computers, search for the user, and then verify that the User must change password at next logon check box is cleared.

    [Image 14: user account properties in Active Directory Users and Computers]

    If the check box is selected, ask the user to sign in and change the password. Temporary passwords are not synchronized to Azure AD.

  2. If the password looks correct in Active Directory, follow the user in the sync engine. By following the user from on-premises Active Directory to Azure AD, you can see whether there is a descriptive error on the object.

    a. Start Synchronization Service Manager.

    b. Click Connectors.

    c. Select the Active Directory connector in which the user is located.

    d. Select Search Connector Space.

    e. In the Scope box, select DN or Anchor, and then enter the full DN of the user you are troubleshooting.

    [Image 15: Search Connector Space dialog]

    f. Locate the user you are looking for, and click Properties to see all attributes. If the user is not in the search results, verify your filtering rules and make sure that you run Apply and verify changes so that the user appears in Connect.

    g. To see the password synchronization details of the object for the past week, click Log.

    [Image 16: Log button in the connector space object properties]

    If the object log is empty, Azure AD Connect has not been able to read the password hash from Active Directory. Continue troubleshooting with Connectivity problems. If you see any value other than success, refer to the table in Password sync log files.

    h. Select the Lineage tab, and make sure that at least one synchronization rule has True in the Password Sync column. In the default configuration, the name of the synchronization rule is In from AD - User AccountEnabled.

    [Image 17: Lineage tab of the Active Directory connector space object]

    i. Click Metaverse Object Properties to display a list of user attributes.

    [Image 18: Metaverse Object Properties]

    Verify that there is no cloudFiltered attribute present. Make sure that the domain attributes (domainFQDN and domainNetBios) have the expected values.

    j. Click the Connectors tab. Make sure that you see connectors to both on-premises Active Directory and Azure AD.

    [Image 19: Connectors tab of the metaverse object]

    k. Select the row that represents Azure AD, click Properties, and then click the Lineage tab. The connector space object should have an outbound rule with True in the Password Sync column. In the default configuration, the name of the synchronization rule is Out to AAD - User Join.

    [Image 20: Lineage tab of the Azure AD connector space object]

Password sync log files

The status column can have the following values:

  Status: Description

  Success: Password has been synchronized successfully.
  FilteredByTarget: Password is set to User must change password at next logon. Password has not been synchronized.
  NoTargetConnection: No object in the metaverse or in the Azure AD connector space.
  SourceConnectorNotPresent: Object not found in the on-premises Active Directory connector space.
  TargetNotExportedToDirectory: The object in the Azure AD connector space has not yet been exported.
  MigratedCheckDetailsForMoreInfo: Log entry was created before build 1.0.9125.0 and is shown in its legacy state.
  Error: Service returned an unknown error.
  Unknown: An error occurred while trying to process a batch of password hashes.
  MissingAttribute: Specific attributes required by Azure AD Domain Services (for example, Kerberos hash) are not available.
  RetryRequestedByTarget: Specific attributes required by Azure AD Domain Services (for example, Kerberos hash) were not available previously. An attempt to resynchronize the user's password hash is made.

Script to help solve the problem

Get the status of password sync settings

    Import-Module ADSync
    $connectors = Get-ADSyncConnector
    $aadConnectors = $connectors | Where-Object {$_.SubType -eq "Windows Azure Active Directory (Microsoft)"}
    $adConnectors = $connectors | Where-Object {$_.ConnectorTypeName -eq "AD"}
    if ($aadConnectors -ne $null -and $adConnectors -ne $null)
    {
        if ($aadConnectors.Count -eq 1)
        {
            # Tenant-level feature flag
            $features = Get-ADSyncAADCompanyFeature
            Write-Host
            Write-Host "Password sync feature enabled in your Azure AD directory: " $features.PasswordHashSync
            foreach ($adConnector in $adConnectors)
            {
                Write-Host
                Write-Host "Password sync channel status BEGIN ------------------------------------------------------- "
                Write-Host
                Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector.Name
                Write-Host
                # Heartbeat events (EventId 654) for this connector within the last 3 hours, newest first
                $pingEvents =
                    Get-EventLog -LogName "Application" -Source "Directory Synchronization" -InstanceId 654 -After (Get-Date).AddHours(-3) |
                        Where-Object { $_.Message.ToUpperInvariant().Contains($adConnector.Identifier.ToString().ToUpperInvariant()) } |
                        Sort-Object { $_.TimeWritten } -Descending
                if ($pingEvents -ne $null)
                {
                    Write-Host "Latest heart beat event (within last 3 hours). Time " $pingEvents[0].TimeWritten
                }
                else
                {
                    Write-Warning "No ping event found within last 3 hours."
                }
                Write-Host
                Write-Host "Password sync channel status END ------------------------------------------------------- "
                Write-Host
            }
        }
        else
        {
            Write-Warning "More than one Azure AD Connectors found. Please update the script to use the appropriate Connector."
        }
    }
    Write-Host
    if ($aadConnectors -eq $null)
    {
        Write-Warning "No Azure AD Connector was found."
    }
    if ($adConnectors -eq $null)
    {
        Write-Warning "No AD DS Connector was found."
    }
    Write-Host

Enable full synchronization of all passwords

Note

Run this script only once. If you need to run it multiple times, something else might be the problem. To resolve this issue, please contact Microsoft Support.

You can enable full synchronization of all passwords with the following script:

    $adConnector = "<CASE SENSITIVE AD CONNECTOR NAME>"
    $aadConnector = "<CASE SENSITIVE AAD CONNECTOR NAME>"
    Import-Module ADSync
    $c = Get-ADSyncConnector -Name $adConnector
    # Set the connector-global parameter that forces a full password sync on the next cycle
    $p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
    $p.Value = 1
    $c.GlobalParameters.Remove($p.Name)
    $c.GlobalParameters.Add($p)
    $c = Add-ADSyncConnector -Connector $c
    # Disable and re-enable the password sync channel so the new setting takes effect
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

Next steps

  • Password hash synchronization using Azure AD Connect synchronization
  • Azure AD Connect Sync: Customize sync options
  • Integrate your on-premises identity with Azure Active Directory

Article information

Author: Edmund Hettinger DC

Last Updated: 06/22/2023
