Article ID: 2855271 - View products that this article applies to.
Expand all | Collapse all

On This Page

INTRODUCTION

This article contains information to help you troubleshoot common issues that you may encounter when you use the Windows Azure Active Directory Sync tool together with password synchronization. It covers the following topics:

Before you start troubleshooting

Before you perform the troubleshooting steps in this article, make sure that you have the latest version of the Directory Sync tool installed. To install the latest version of the Directory Sync tool, go to Install or upgrade the Directory Sync tool.

For more information about the release history for the Directory Sync tool, go to
Windows Azure Active Directory Sync tool - Version Release History.

Troubleshoot password synchronization

User can't sign in to Office 365, Windows Azure, or Windows Intune

The following are scenarios in which a user is unable to sign in to a Microsoft cloud service such as Office 365, Windows Azure, or Windows Intune. They include information about how to troubleshoot each scenario.
Scenario 1: A user's password isn't syncing after password synchronization is enabled
Have the user change his or her password.
Scenario 2: The "User must change password at next logon" check box is selected for the user's account
To resolve this issue, follow these steps:
  1. Do one of the following:
    • In the user account properties in Active Directory Users and Computers, clear the User must change password at next logon check box.
    • Have the user change their computer password on the local computer.
  2. Wait up to two minutes for the change to sync between the on-premises Active Directory Domain Services (AD DS) and Windows Azure Active Directory (Windows Azure AD). 
Scenario 3: The user changed their password in the cloud service portal
To resolve this issue, follow these steps:
  1. Have the user change their computer password on the local computer.
  2. Wait up to five minutes for the change to sync between the on-premises AD DS and Windows Azure AD. 
Scenario 4: Users do not appear to be syncing to Windows Azure AD
Possible causes of this issue are duplicate user names or email addresses.

To resolve this issue, use the IdFix DirSync Error Remediation Tool (IdFix) to help identify potential object-related issues in the on-premises AD DS. You can install IdFix at the following Microsoft website:
IdFix DirSync Error Remediation Tool
For more info about how to troubleshoot this issue, see the following Microsoft Knowledge Base article:
2643629 Individual Active Directory Domain Services objects don't sync to Windows Azure AD

Directory synchronization is running but passwords aren't synced

To resolve this issue, enable password synchronization. To do this, start the Windows Azure Active Directory Sync Tool Configuration Wizard, and then on the Password Synchronization page, select the Enable Password Synchronization check box.

You're changing from a single-sign on (SSO) solution to password synchronization

To resolve this issue, see the following Microsoft TechNet wiki article:
How To Switch From Single Sign-On To Password Sync

Event ID messages in Event Viewer

The following tables list event ID messages in the Application log that are related to password synchronization.
Informational (no action required)
Collapse this tableExpand this table
Event IDDescriptionCause
611Password synchronization failed for domain: contoso.com.

Microsoft.Online.PasswordSynchronization.SynchronizationManagerException: Unable to open connection to domain: contoso.com. Error: An exception occurred while attempting to locate a domain controller for domain contoso.com. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsCommunicationException: An exception occurred while attempting to locate a domain controller for domain contoso.com. ---> System.Security.Authentication
Password synchronization doesn't work for users in a federated domain.
650Provision credentials batch start. Count: 1Password synchronization starts retrieving updated passwords from the on-premises AD DS.
651Provision credentials batch end. Count: 1Password synchronization finishes retrieving updated passwords from the on-premises AD DS.
653Provision credentials ping start.Password synchronization starts informing Windows Azure AD that there are no passwords to be synced. This occurs every 30 minutes if no passwords have been updated in the on-premises AD DS.
654Provision credentials ping end.Password synchronization finishes informing Windows Azure AD that there are no passwords to be synced. This occurs every 30 minutes if no passwords were updated in the on-premises AD DS.
656Password Change Request - Anchor : H552hI9GwEykZwof74JeOQ==, Dn : CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local, Change Date : 05/01/2013 16:34:08Password synchronization indicates that a password change was detected and tries to sync it to Windows Azure AD. This identifies the user or users whose password changed and will be synced. Each batch contains at least one user and at most 50 users.
657Password Change Result - Anchor: eX5b50Rf+UizRIMe2CA/tg==, Dn : CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local, Result : Success.Users whose password successfully synced.
657Password Change Result - Anchor: eX5b50Rf+UizRIMe2CA/tg==, Dn : CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local, Result : Failed.Users whose password didn't sync.
Informational (may require action)
Collapse this tableExpand this table
Event IDDescriptionCauseMore information
657Password Change Result - Anchor : B0H+OD3LM0GEnYODwdPhpg==, Result : failed, Extended Error :

User or users whose password wasn't synced
  • Configure directory synchronization
  • 2643629 Individual Active Directory Domain Services objects don't sync to Windows Azure AD
0The following password changes failed to synchronized and have scheduled for retry.

DN = CN=Eli McLean,OU=Cloud Objects,DC=contoso,DC=local
User or users whose password wasn't synced
  • Configure directory synchronization
  • 2643629 Individual Active Directory Domain Services objects don't sync to Windows Azure AD
Error (action required)
Collapse this tableExpand this table
Event IDDescriptionCauseMore information
611Password synchronization failed for domain: Contoso.com.

Microsoft.Online.PasswordSynchronization.SynchronizationManagerException: Recovery task failed. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8439 : The distinguished name specified for this replication operation is invalid. There was an error calling _IDL_DRSGetNCChanges.
Windows 2003 server domain controllers handle certain scenarios unexpectedly. 2867278 Password hash synchronization for Windows Azure AD stops working and Event ID 611 is logged
611Password synchronization failed for domain: Contoso.com.

Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8593 : The directory service cannot perform the requested operation because the servers involved are of different replication epochs (which is usually related to a domain rename that is in progress).
This was a known issue that was fixed in Windows Azure Active Directory Sync tool build 1.0.6455.0807.To resolve this issue, update to latest version of the Windows Azure Active Directory Sync tool.
611Password synchronization failed for domain: Contoso.com
System.ArgumentOutOfRangeException: Not a valid Win32
This was a known issue that was fixed in Windows Azure Active Directory Sync tool build 1.0.6455.0807.To resolve this issue, update to latest version of the Windows Azure Active Directory Sync tool.
611Password synchronization failed for domain: Contoso.com.
System.ArgumentException: An item with the same key has already been added.
This was a known issue that was fixed in Windows Azure Active Directory Sync tool build 1.0.6455.0807.To resolve this issue, update to latest version of the Windows Azure Active Directory Sync tool.
652Failed credential provisioning batch. Error: Microsoft.Online.Coexistence.ProvisionException: An error occurred. Error Code: 90. Error Description: Password Synchronization has not been activated for this company. Tracking ID: 07e93e8a-cf2d-4f67-9e95-53169c4875e0 Server Name: BL2GR1BBA003. ---> System.ServiceModel.FaultException`1[Microsoft.Online.Coexistence.Schema.AdminWebServiceFault]: Password Synchronization has not been activated for this company. (Fault Detail is equal to Microsoft.Online.Coexistence.Schema.AdminWebServiceFault).Password synchronization failed when retrieving updated passwords from the on-premises AD DS.
  • Configure directory synchronization
  • 2643629 Individual Active Directory Domain Services objects don't sync to Windows Azure AD
652Failed credential provisioning batch. Error: Microsoft.Online.Coexistence.ProvisionRetryException: An error occurred. Error Code: 81. Error Description: Windows Azure Active Directory is currently busy. This operation will be retried automatically.This was a known issue that was fixed in Windows Azure Active Directory Sync tool build 1.0.6455.0807To resolve this issue, update to latest version of the Windows Azure Active Directory Sync tool.
655Failed credential provisioning ping. Error: Microsoft.Online.Coexistence.ProvisionException: An error occurred. Error Code: 90. Error Description: Password Synchronization has not been activated for this company. Tracking ID: 0744fa31-1d9b-453a-83d8-c2555d843802 Server Name: BL2GR1BBA005. ---> System.ServiceModel.FaultException`1[Microsoft.Online.Coexistence.Schema.AdminWebServiceFault]: Password Synchronization has not been activated for this company. (Fault Detail is equal to Microsoft.Online.Coexistence.Schema.AdminWebServiceFault).Password synchronization failed to inform Windows Azure AD that there are no passwords to be synced. This occurs every 30 minutes.
  • Configure directory synchronization
  • 2643629 Individual Active Directory Domain Services objects don't sync to Windows Azure AD

MORE INFORMATION

Still need help? Go to the Office 365 Community website or the Windows Azure Active Directory Forums website.

Properties

Article ID: 2855271 - Last Review: February 27, 2014 - Revision: 10.0
Applies to
  • Windows Azure
  • Microsoft Office 365
  • Microsoft Office 365 for enterprises (pre-upgrade)
  • Microsoft Office 365 for education  (pre-upgrade)
  • CRM Online via Office 365 E Plans
  • Windows Azure Recovery Services
Keywords: 
o365 o365a o365e o365m o365062011 o365022013 pre-upgrade after upgrade hybrid KB2855271

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com