如何解析 Azure AD Connect 事件 ID 611 错误: 密码同步失败. The following error is flagged on the Azure AD Connect Server.
Event ID: 611 (Log: Application, Source: Directory Synchronization)
Level: Error
Computer: AAD.contoso.com
Description: Password synchronization failed for domain: contoso.com.
Details: Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8453 : Replication access was denied. There was an error calling _IDL_DRSGetNCChanges. at
Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnGetChanges(ReplicationState syncState) at
Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.GetChanges(ReplicationState replicationState) at
Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy) at
Microsoft.Online.PasswordSynchronization.DeltaSynchronizationTask.SynchronizeCredentialsToCloud() at
Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets() at
Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain() at
Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)Permissions were missing from the local Azure AD sync account.
- 复制目录更改
- 复制目录全部更改
解决
使用 ACL 编辑器分配缺少的权限.
- 打开 Active Directory Users and Computers 管理单元;
- 上安全 选项卡, 点击添加;
- 在选择用户, 电脑, 或团体 对话框, 选择本地 Azure AD sync account, 然后单击添加;
- 点击好的 返回到特性对话框;
- 单击本地 Azure AD sync account;
- 单击以选择复制目录更改和复制目录全部更改 复选框;
- 点击申请, 然后单击好的;
- 关闭 Active Directory Users and Computers 管理单元.
重新启动 这微软 AD Azure 同步 服务,这将解决问题.
笔记: 您将看到事件 ID 650 (供应凭证批量启动), 和 656 (Password Change Request) 记录的事件.
