Article ID: 2855271 - View products that this article applies to.
Expand all | Collapse all

On This Page

INTRODUCTION

This article contains information to help you troubleshoot common issues that you may encounter when you use the Azure Active Directory Sync tool together with password synchronization. It covers the following topics:

Before you start troubleshooting

Before you perform the troubleshooting steps in this article, make sure that you have the latest version of the Directory Sync tool installed. To install the latest version of the Directory Sync tool, go to Install or upgrade the Directory Sync tool.

For more information about the release history for the Directory Sync tool, go to
Microsoft Azure Active Directory Sync tool - Version Release History.

Troubleshoot password synchronization

User can't sign in to Office 365, Azure, or Windows Intune 

The following are scenarios in which a user is unable to sign in to a Microsoft cloud service such as Office 365, Azure, or Windows Intune. They include information about how to troubleshoot each scenario.
Scenario 1: A user's password isn't syncing after password synchronization is enabled
Have the user change his or her password.
Scenario 2: The "User must change password at next logon" check box is selected for the user's account
To resolve this issue, follow these steps:
  1. Do one of the following:
    • In the user account properties in Active Directory Users and Computers, clear the User must change password at next logon check box.
    • Have the user change their computer password on the local computer.
  2. Wait up to two minutes for the change to sync between the on-premises Active Directory Domain Services (AD DS) and Azure Active Directory (Azure AD). 
Scenario 3: The user changed their password in the cloud service portal
To resolve this issue, follow these steps:
  1. Have the user change their computer password on the local computer.
  2. Wait up to five minutes for the change to sync between the on-premises AD DS and Azure AD. 
Scenario 4: Users do not appear to be syncing to Azure AD
Possible causes of this issue are duplicate user names or email addresses.

To resolve this issue, use the IdFix DirSync Error Remediation Tool (IdFix) to help identify potential object-related issues in the on-premises AD DS. You can install IdFix at the following Microsoft website:
IdFix DirSync Error Remediation Tool
For more info about how to troubleshoot this issue, see the following Microsoft Knowledge Base article:
2643629 One or more objects don't sync when using the Azure Active Directory Sync tool

Directory synchronization is running but passwords aren't synced

To resolve this issue, enable password synchronization. To do this, start the Azure Active Directory Sync Tool Configuration Wizard, and then on the Password Synchronization page, select the Enable Password Synchronization check box.

You're changing from a single-sign on (SSO) solution to password synchronization

To resolve this issue, see the following Microsoft TechNet wiki article:
How To Switch From Single Sign-On To Password Sync

Event ID messages in Event Viewer

The following tables list event ID messages in the Application log that are related to password synchronization.
Informational (no action required)
Collapse this tableExpand this table
Event IDDescriptionCause
650Provision credentials batch start. Count: 1Password synchronization starts retrieving updated passwords from the on-premises AD DS.
651Provision credentials batch end. Count: 1Password synchronization finishes retrieving updated passwords from the on-premises AD DS.
653Provision credentials ping start.Password synchronization starts informing Azure AD that there are no passwords to be synced. This occurs every 30 minutes if no passwords have been updated in the on-premises AD DS. 
654Provision credentials ping end.Password synchronization finishes informing Azure AD that there are no passwords to be synced. This occurs every 30 minutes if no passwords were updated in the on-premises AD DS.
656Password Change Request - Anchor : H552hI9GwEykZwof74JeOQ==, Dn : CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local, Change Date : 05/01/2013 16:34:08Password synchronization indicates that a password change was detected and tries to sync it to Azure AD. This identifies the user or users whose password changed and will be synced. Each batch contains at least one user and at most 50 users.
657Password Change Result - Anchor: eX5b50Rf+UizRIMe2CA/tg==, Dn : CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local, Result : Success.Users whose password successfully synced.
657Password Change Result - Anchor: eX5b50Rf+UizRIMe2CA/tg==, Dn : CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local, Result : Failed.Users whose password didn't sync.
Informational (may require action)
Collapse this tableExpand this table
Event IDDescriptionCauseMore information
0The following password changes failed to synchronized and have scheduled for retry.

DN = CN=Eli McLean,OU=Cloud Objects,DC=contoso,DC=local
User or users whose password wasn't synced
  • Configure directory synchronization
  • 2643629 One or more objects don't sync when using the Azure Active Directory Sync tool
115Access to Windows Azure Active Directory has been denied. Contact Technical Support. Azure Active Directory credentials were updated through Forefront Identity Manager (FIM).Run the Azure Active Directory Configuration Wizard again. See the following Microsoft Knowledge Base article:
2962509 Password hash synchronization stops working after you update Azure Active Directory credentials in FIM
657Password Change Result - Anchor : B0H+OD3LM0GEnYODwdPhpg==, Result : failed, Extended Error : User or users whose password wasn't synced
  • Configure directory synchronization
  • 2643629 One or more objects don't sync when using the Azure Active Directory Sync tool
Error (action required)
Collapse this tableExpand this table
Event IDDescriptionCauseMore information
0The user name or password is incorrect. Verify your user name, and then type your password again. Azure Active Directory credentials were updated through Forefront Identity Manager (FIM).Run the Azure Active Directory Configuration Wizard again. See the following Microsoft Knowledge Base article:
2962509 Password hash synchronization stops working after you update Azure Active Directory credentials in FIM
611Password synchronization failed for domain: Contoso.com.

Microsoft.Online.PasswordSynchronization.SynchronizationManagerException: Recovery task failed. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8439 : The distinguished name specified for this replication operation is invalid. There was an error calling _IDL_DRSGetNCChanges.
Windows 2003 server domain controllers handle certain scenarios unexpectedly. 2867278 Password hash synchronization for Azure AD stops working and Event ID 611 is logged 
611Password synchronization failed for domain: Contoso.com.

Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8593 : The directory service cannot perform the requested operation because the servers involved are of different replication epochs (which is usually related to a domain rename that is in progress).
This was a known issue that was fixed in Azure Active Directory Sync tool build 1.0.6455.0807.To resolve this issue, update to latest version of the Azure Active Directory Sync tool.
611Password synchronization failed for domain: Contoso.com
System.ArgumentOutOfRangeException: Not a valid Win32
This was a known issue that was fixed in Azure Active Directory Sync tool build 1.0.6455.0807.To resolve this issue, update to latest version of the Azure Active Directory Sync tool.
611Password synchronization failed for domain: Contoso.com.
System.ArgumentException: An item with the same key has already been added.
This was a known issue that was fixed in Azure Active Directory Sync tool build 1.0.6455.0807.To resolve this issue, update to latest version of the Azure Active Directory Sync tool.
652Failed credential provisioning batch. Error: Microsoft.Online.Coexistence.ProvisionException: An error occurred. Error Code: 90. Error Description: Password Synchronization has not been activated for this company. Tracking ID: 07e93e8a-cf2d-4f67-9e95-53169c4875e0 Server Name: BL2GR1BBA003. ---> System.ServiceModel.FaultException`1[Microsoft.Online.Coexistence.Schema.AdminWebServiceFault]: Password Synchronization has not been activated for this company. (Fault Detail is equal to Microsoft.Online.Coexistence.Schema.AdminWebServiceFault).Password synchronization failed when retrieving updated passwords from the on-premises AD DS.
  • Configure directory synchronization
  • 2643629 One or more objects don't sync when using the Azure Active Directory Sync tool
652Failed credential provisioning batch. Error: Microsoft.Online.Coexistence.ProvisionRetryException: An error occurred. Error Code: 81. Error Description: Windows Azure Active Directory is currently busy. This operation will be retried automatically.This was a known issue that was fixed in Azure Active Directory Sync tool build 1.0.6455.0807To resolve this issue, update to latest version of the Azure Active Directory Sync tool.
655Failed credential provisioning ping. Error: Microsoft.Online.Coexistence.ProvisionException: An error occurred. Error Code: 90. Error Description: Password Synchronization has not been activated for this company. Tracking ID: 0744fa31-1d9b-453a-83d8-c2555d843802 Server Name: BL2GR1BBA005. ---> System.ServiceModel.FaultException`1[Microsoft.Online.Coexistence.Schema.AdminWebServiceFault]: Password Synchronization has not been activated for this company. (Fault Detail is equal to Microsoft.Online.Coexistence.Schema.AdminWebServiceFault).Password synchronization failed to inform Azure AD that there are no passwords to be synced. This occurs every 30 minutes.
  • Configure directory synchronization
  • 2643629 One or more objects don't sync when using the Azure Active Directory Sync tool
655The user name or password is incorrect. Verify your user name, and then type your password again.Azure Active Directory credentials were updated through FIM.Run the Azure Active Directory Configuration Wizard again. See the following Microsoft Knowledge Base article:
2962509 Password hash synchronization stops working after you update Azure Active Directory credentials in FIM
6900The server encountered an unexpected error while processing a password change notification:

 "The user name or password is incorrect. Verify your user name, and then type your password again.
Azure Active Directory credentials were updated through FIM.Run the Azure Active Directory Configuration Wizard again. See the following Microsoft Knowledge Base article: 
2962509 Password hash synchronization stops working after you update Azure Active Directory credentials in FIM

MORE INFORMATION

Still need help? Go to the Office 365 Community website or the Azure Active Directory Forums website.

Properties

Article ID: 2855271 - Last Review: July 9, 2014 - Revision: 15.0
Applies to
  • Microsoft Azure
  • Microsoft Office 365
  • Windows Intune
  • CRM Online via Office 365 E Plans
  • Microsoft Azure Recovery Services
  • Office 365 Identity Management
Keywords: 
o365 o365a o365e o365m o365022013 hybrid KB2855271

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com