Password hash synchronization for Azure AD stops working and event ID 611 is logged

Applies to: Cloud Services (Web roles/Worker roles), Azure Active Directory, Microsoft Intune

PROBLEM


You notice that password hash synchronization for Microsoft Azure Active Directory stops working after several days. Additionally, in Event Viewer, you see that the following event ID 611 error is logged in the Application log:
Password synchronization failed for domain: Contoso.COM.

SOLUTION


Install the latest version of the Azure Active Directory Synchronization tool. To do this, go to the following Microsoft website:

MORE INFORMATION


You may see one or more of the following error details for Event ID 611.
 
Event ID: 611
Description: Microsoft.Online.PasswordSynchronization.SynchronizationManagerException: Recovery task failed. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8439 : The distinguished name specified for this replication operation is invalid. There was an error calling _IDL_DRSGetNCChanges.
Cause: Windows Server 2003 domain controllers handle certain scenarios unexpectedly.
More information: Update to the latest version of Azure AD Connect to resolve this issue.

Event ID: 611
Description: Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8593 : The directory service cannot perform the requested operation because the servers involved are of different replication epochs (which is usually related to a domain rename that is in progress).
Cause: This is a known issue that was fixed in Azure Active Directory Sync tool build 1.0.6455.0807.
More information: Update to the latest version of Azure AD Connect to resolve this issue.

Event ID: 611
Description: System.ArgumentOutOfRangeException: Not a valid Win32 FileTime.
Cause: This is a known issue that was fixed in Azure Active Directory Sync tool build 1.0.6455.0807.
More information: Update to the latest version of Azure AD Connect to resolve this issue.

Event ID: 611
Description: System.ArgumentException: An item with the same key has already been added.
Cause: This is a known issue that was fixed in Azure Active Directory Sync tool build 1.0.6455.0807.
More information: Update to the latest version of Azure AD Connect to resolve this issue.

Event ID: 611
Description: Password synchronization failed for domain: Contoso.com. Details:
Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8453 : Replication access was denied. There was an error calling _IDL_DRSGetNCChanges.
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnGetChanges(ReplicationState syncState)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.GetChanges(ReplicationState replicationState)
   at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
   at Microsoft.Online.PasswordSynchronization.DeltaSynchronizationTask.SynchronizeCredentialsToCloud()
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()
   at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()
   at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext).
Cause: The AD DS Connector account is missing the following extended permissions on AD:
   Replicating Directory Changes
   Replicating Directory Changes All
More information: Update to the latest version of Azure AD Connect, and follow the article "Azure AD Connect: Configure AD DS Connector Account Permissions" on how to add the correct Active Directory permissions.
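The message patterns listed above and the two extended rights named in the last row can both be checked from PowerShell on the Azure AD Connect server. The following script is an added example; it is not part of the Microsoft article or of Azure AD Connect itself. It assumes the RSAT ActiveDirectory module is installed (for the AD: drive and Get-ADDomain), and the connector account name and domain shown in the usage lines are placeholders.

```powershell
# Added example (not from the Microsoft article or Azure AD Connect).
# Assumptions: run on the Azure AD Connect server with the ActiveDirectory module
# available; account and domain names in the usage lines are placeholders.
#Requires -Modules ActiveDirectory

# Well-known schema GUIDs of the two control-access rights the article names.
$ReplicatingDirectoryChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
$ReplicatingDirectoryChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
# An ExtendedRight ACE whose ObjectType is the empty GUID grants every extended right.
$AllExtendedRights              = [guid]::Empty

function Get-PasswordSyncFailure {
    <# Read Event ID 611 from the Application log for the last N days and map the
       message text to the cause listed in the article's table. #>
    param([int]$Days = 7)

    $filter = @{ LogName = 'Application'; Id = 611; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $msg = $e.Message
        $rpc = if ($msg -match 'RPC Error (\d+)') { [int]$Matches[1] } else { $null }

        $cause = if     ($rpc -eq 8439) { 'Invalid DN in replication request (Windows Server 2003 DC behaviour); update Azure AD Connect' }
                 elseif ($rpc -eq 8593) { 'Different replication epochs (domain rename); fixed in build 1.0.6455.0807' }
                 elseif ($rpc -eq 8453) { 'Replication access denied; check connector account extended rights' }
                 elseif ($msg -match 'Not a valid Win32 FileTime')        { 'Invalid Win32 FileTime; fixed in build 1.0.6455.0807' }
                 elseif ($msg -match 'same key has already been added')   { 'Duplicate key; fixed in build 1.0.6455.0807' }
                 else   { 'Unclassified; compare against the article table' }

        # The domain appears as "failed for domain: Contoso.COM." in the message text.
        $domain = if ($msg -match 'failed for domain: (\S+?)\.?(?:\s|$)') { $Matches[1] } else { $null }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Domain      = $domain
            RpcError    = $rpc
            Cause       = $cause
        }
    }
}

function Test-ConnectorReplicationRight {
    <# Report whether the connector account holds each replication extended right
       directly on the domain naming context. One object per right. #>
    param(
        [Parameter(Mandatory)][string]$AccountName,              # e.g. 'CONTOSO\MSOL_connector' (placeholder)
        [string]$DomainDN = (Get-ADDomain).DistinguishedName     # defaults to the current domain
    )

    $acl = Get-Acl -Path "AD:\$DomainDN"
    $required = @{
        'Replicating Directory Changes'     = $ReplicatingDirectoryChanges
        'Replicating Directory Changes All' = $ReplicatingDirectoryChangesAll
    }

    foreach ($right in $required.GetEnumerator()) {
        $granted = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -ieq $AccountName -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            ($_.ObjectType -eq $right.Value -or $_.ObjectType -eq $AllExtendedRights)
        }
        [pscustomobject]@{ Right = $right.Key; Account = $AccountName; Granted = [bool]$granted }
    }
}

# Usage (placeholder names):
# Get-PasswordSyncFailure -Days 14 | Format-Table -AutoSize
# Test-ConnectorReplicationRight -AccountName 'CONTOSO\MSOL_connector'
```

Test-ConnectorReplicationRight only inspects ACEs that name the account directly; a right granted through group membership shows as not granted here, so compare against the group memberships of the connector account before concluding the permission is absent. A result of Granted = False for either right, combined with RPC Error 8453 from Get-PasswordSyncFailure, matches the last row of the table above.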

Still need help? Go to Microsoft Community or the Azure Active Directory Forums website.