Password hash synchronization for Azure AD stops working and event ID 611 is logged

PROBLEM

You notice that password hash synchronization for Microsoft Azure Active Directory stops working after several days. Additionally, in Event Viewer, you see that the following event ID 611 error is logged in the Application log:
Password synchronization failed for domain: Contoso.COM.

SOLUTION

Install the latest version of the Azure Active Directory Synchronization tool. To do this, go to the following Microsoft website:

MORE INFORMATION

You may see one or more of the following error details for Event ID 611.

Event ID: 611
Description: Microsoft.Online.PasswordSynchronization.SynchronizationManagerException: Unable to open connection to domain: contoso.com. Error: An exception occurred while attempting to locate a domain controller for domain contoso.com. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsCommunicationException: An exception occurred while attempting to locate a domain controller for domain contoso.com. ---> System.Security.Authentication.AuthenticationException: The user name or password is incorrect.
Cause: Password hash synchronization doesn’t work for users in a federated domain.
More information: Password hash synchronization continues for users in a domain that’s not federated.

Event ID: 611
Description: Microsoft.Online.PasswordSynchronization.SynchronizationManagerException: Recovery task failed. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8439 : The distinguished name specified for this replication operation is invalid. There was an error calling _IDL_DRSGetNCChanges.
Cause: Windows Server 2003 domain controllers handle certain scenarios unexpectedly.
More information: Update to the latest version of the Directory Sync tool to resolve this issue.

Event ID: 611
Description: Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8593 : The directory service cannot perform the requested operation because the servers involved are of different replication epochs (which is usually related to a domain rename that is in progress).
Cause: This is a known issue that was fixed in Azure Active Directory Sync tool build 1.0.6455.0807.
More information: Update to the latest version of the Directory Sync tool to resolve this issue.

Event ID: 611
Description: System.ArgumentOutOfRangeException: Not a valid Win32 FileTime.
Cause: This is a known issue that was fixed in Azure Active Directory Sync tool build 1.0.6455.0807.
More information: Update to the latest version of the Directory Sync tool to resolve this issue.

Event ID: 611
Description: System.ArgumentException: An item with the same key has already been added.
Cause: This is a known issue that was fixed in Azure Active Directory Sync tool build 1.0.6455.0807.
More information: Update to the latest version of the Directory Sync tool to resolve this issue.
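
To see which of the error details listed above a server is actually logging, the following added example (not part of the original article) matches event ID 611 message text against those details and counts each one over the last seven days. The function name Get-PhsFailureDetail and the sample messages are assumptions made for illustration; the match strings and notes are taken from the entries above.

```powershell
# Error-detail substrings and notes, copied from the event ID 611 entries in this article.
$KnownDetails = @(
    @{ Match = 'The user name or password is incorrect'
       Note  = "Password hash synchronization doesn't work for users in a federated domain" }
    @{ Match = 'RPC Error 8439'
       Note  = 'Windows Server 2003 domain controller behavior; update the Directory Sync tool' }
    @{ Match = 'RPC Error 8593'
       Note  = 'Known issue fixed in build 1.0.6455.0807; update the Directory Sync tool' }
    @{ Match = 'Not a valid Win32 FileTime'
       Note  = 'Known issue fixed in build 1.0.6455.0807; update the Directory Sync tool' }
    @{ Match = 'An item with the same key has already been added'
       Note  = 'Known issue fixed in build 1.0.6455.0807; update the Directory Sync tool' }
)

function Get-PhsFailureDetail {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Message
    )
    process {
        # First table entry whose substring occurs in the event text (case-insensitive).
        $hit = $KnownDetails | Where-Object {
            $Message.IndexOf($_.Match, [StringComparison]::OrdinalIgnoreCase) -ge 0
        } | Select-Object -First 1
        [pscustomobject]@{
            Detail = if ($hit) { $hit.Match } else { 'Unrecognized' }
            Note   = if ($hit) { $hit.Note }  else { 'Not listed in the article; review the full event text' }
        }
    }
}

# Constructed sample messages (shortened) so the function can be tried without a live log.
$samples = @(
    'Password synchronization failed for domain: Contoso.COM. DrsException: RPC Error 8593 : different replication epochs'
    'Password synchronization failed for domain: Contoso.COM. System.ArgumentOutOfRangeException: Not a valid Win32 FileTime.'
    'Password synchronization failed for domain: Contoso.COM. (constructed text with no listed detail)'
)
$samples | Get-PhsFailureDetail | Format-Table -AutoSize

# On the directory sync server: event ID 611 in the Application log, last 7 days, counted per detail.
$filter = @{ LogName = 'Application'; Id = 611; StartTime = (Get-Date).AddDays(-7) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Message | Get-PhsFailureDetail } |
    Group-Object Detail | Select-Object Count, Name
```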


Article ID: 2867278 - Last Review: Dec 20, 2016 - Revision: 1
