Password hash synchronization for Microsoft Entra ID stops working and event ID 611 is logged

Original product version:   Cloud Services (Web roles/Worker roles), Microsoft Entra ID, Microsoft Intune, Azure Backup, Office 365 Identity Management
Original KB number:   2867278

Symptoms

Password hash synchronization for Microsoft Entra ID stops working after several days. Additionally, in Event Viewer, the following event ID 611 error is logged in the Application log:

Password synchronization failed for domain: Contoso.com.

Resolution

Install the latest version of the Microsoft Entra Synchronization tool. For more information, see Install or upgrade the Directory Sync tool.

More information

You may see one or more of the following error details for Event ID 611.

The table below lists each error's description, its cause, and more information.

Description: Microsoft.Online.PasswordSynchronization.SynchronizationManagerException: Recovery task failed. ---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8439: The distinguished name specified for this replication operation is invalid. There was an error calling _IDL_DRSGetNCChanges.
Cause: Windows Server 2003 domain controllers handle certain scenarios unexpectedly.
More information: Update to the latest version of Microsoft Entra Connect to resolve this issue.

Description: Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8593: The directory service cannot perform the requested operation because the servers involved are of different replication epochs (which is related to a domain rename that is in progress).
Cause: It's a known issue that was fixed in Azure Active Directory Sync tool build 1.0.6455.0807.
More information: Update to the latest version of Microsoft Entra Connect to resolve this issue.

Description: System.ArgumentOutOfRangeException: Not a valid Win32 FileTime.
Cause: It's a known issue that was fixed in Azure Active Directory Sync tool build 1.0.6455.0807.
More information: Update to the latest version of Microsoft Entra Connect to resolve this issue.

Description: System.ArgumentException: An item with the same key has already been added.
Cause: It's a known issue that was fixed in Azure Active Directory Sync tool build 1.0.6455.0807.
More information: Update to the latest version of Microsoft Entra Connect to resolve this issue.

Description: Password synchronization failed for domain: Contoso.com. Details:
    Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8453: Replication access was denied. There was an error calling _IDL_DRSGetNCChanges.
       at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnGetChanges(ReplicationState syncState)
       at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.GetChanges(ReplicationState replicationState)
       at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
       at Microsoft.Online.PasswordSynchronization.DeltaSynchronizationTask.SynchronizeCredentialsToCloud()
       at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()
       at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()
       at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)
Cause: The AD DS Connector Account is missing the following extended permissions on AD:

  • Replicating Directory Changes

  • Replicating Directory Changes All

More information: Update to the latest version of Microsoft Entra Connect, and follow the article "Microsoft Entra Connect: Configure AD DS Connector Account Permissions" on how to add the correct Active Directory permissions.
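The following PowerShell script is an added diagnostic example and is not part of the original article or of Microsoft Entra Connect itself. It checks the Application log for recent event ID 611 entries, then reads the DACL of the domain naming context and reports whether the AD DS Connector account directly holds the two extended rights listed above (Replicating Directory Changes and Replicating Directory Changes All), which is the RPC Error 8453 case. It assumes the ActiveDirectory module from RSAT is available on a domain-joined host with read access to the domain DACL; the connector account name is a placeholder you must replace.

```powershell
# Added diagnostic example (not from the original KB article, not Microsoft Entra Connect code).
# Assumptions: ActiveDirectory module (RSAT) installed; domain-joined host with read access
# to the domain DACL; $ConnectorAccount replaced with the real AD DS Connector account.
param(
    [string]$ConnectorAccount = 'MSOL_PLACEHOLDER',   # placeholder: replace with the AD DS Connector account sAMAccountName
    [int]$Days = 7                                     # how far back to look for event ID 611
)

Import-Module ActiveDirectory -ErrorAction Stop

# --- 1. Recent event ID 611 entries in the Application log -----------------------------
$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 611; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if ($events) {
    Write-Host "Event ID 611 was logged $($events.Count) time(s) since $since; most recent entry:"
    $events | Select-Object -First 1 -Property TimeCreated, ProviderName, Message | Format-List
} else {
    Write-Host "No event ID 611 entries found in the Application log since $since."
}

# --- 2. Check the two extended rights named in the KB table -----------------------------
# Schema-defined extended-right GUIDs for DS-Replication-Get-Changes and
# DS-Replication-Get-Changes-All (shown in ADUC as "Replicating Directory Changes" /
# "Replicating Directory Changes All").
$requiredRights = [ordered]@{
    'Replicating Directory Changes'     = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes All' = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}

$domain = Get-ADDomain
$sid    = (Get-ADUser -Identity $ConnectorAccount).SID

# Read the DACL of the domain head (for example DC=contoso,DC=com) through the AD: drive.
$acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"

$missing = @()
foreach ($name in $requiredRights.Keys) {
    $guid = $requiredRights[$name]
    $ace  = $acl.Access | Where-Object {
        # Resolve the ACE trustee to a SID so it can be compared with the account's SID.
        $aceSid = try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) } catch { $null }
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $guid -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $aceSid -eq $sid
    }
    if ($ace) {
        Write-Host "OK       '$name' is granted directly to $ConnectorAccount on $($domain.DistinguishedName)"
    } else {
        Write-Host "MISSING  '$name' is not granted directly to $ConnectorAccount on $($domain.DistinguishedName)"
        $missing += $name
    }
}

if ($missing.Count -gt 0) {
    $msg = "Missing extended right(s): {0}. This matches the RPC Error 8453 cause; grant them as described in " +
           "'Microsoft Entra Connect: Configure AD DS Connector Account Permissions'." -f ($missing -join ', ')
    Write-Warning $msg
}
```

The script only inspects ACEs granted directly to the account on the domain head. A right inherited through group membership (for example via a group that holds the permission) will be reported as MISSING even though replication works, so treat a MISSING line as a prompt to check the effective permissions rather than as proof that the ACE is absent. Conversely, an OK line together with a current event ID 611 points at one of the other causes in the table.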

Contact us for help

If you have questions or need help, create a support request, or ask Azure community support. You can also submit product feedback to Azure feedback community.