By Chris King – Senior Technical Engineer

August 1, 2017

Office 365 administrators should be aware that the latest Azure AD Connect in-place updates may not automatically copy over the setting to sync passwords to Office 365 Azure AD. If AD Connect is configured to upgrade automatically or if manual upgrades are performed, the configuration wizard may need to be run again and password sync re-enabled if password sync failures are encountered.

Also covered are instructions to disable Azure AD Connect automatic updates and best practices for future-proofing AD Connect against unexpected failures due to credential issues. Skip the next section to get straight to the fixes.

*I have confirmed this is happening with versions 1.1.561.0 and 1.1.557.0, so one can only assume it is happening with 1.1.558.0 as well. I have seen this on Server 2008 R2 and 2012 R2.

Background:

Last week I had a customer reach out to me for assistance with an Azure AD Connect password synchronization issue in their environment. They had the bright red warning on their Office 365 home page stating that there had been no recent password synchronizations in a few days.

In a case like this I would normally steer a customer toward troubleshooting anything that might be keeping the AD Connect service or service account from reading their Active Directory Domain Services objects. Reasons might include:

Deletion of (or password expiration of) the local AD Connect service account
Changing of the local AD Connect service account password without updating this info in the miisclient.exe Sync Service Manager (mysteriously hidden in C:\Program Files\Microsoft Azure AD Sync\UIShell > Run as Administrator > Connectors > Double-click the Connector of Type: “Active Directory Domain Services” > Connect to Active Directory Forest > enter updated credentials)

Local AD Connect service account has somehow lost the membership/permissions necessary. (This gets murky fast, but in most cases I simply cover all bases and create the AD Connect service account prior to installation and add it to the Domain Admins, Enterprise Admins, and Organization Management groups, since most of my work involves Hybrid Exchange or ADFS (permissions info here).)

VPN/Network down or something else is keeping the AD Connect server from reaching the AD DS server(s)

Azure AD Connect service has failed in general and needs to be restarted (services.msc > Microsoft Azure AD Sync > Restart)
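The checks in that list can be scripted. The following is an added example, not code from the original post: run it in an elevated PowerShell session on the AD Connect server with the ADSync module (installed with AD Connect) and the RSAT ActiveDirectory module available. It reads the account the AD DS Connector actually uses (Get-ADSyncADConnectorAccount is assumed to be present in the installed ADSync build; on older builds read the account from the Connector's properties in miisclient.exe instead), reports whether that account is missing, disabled, locked or password-expired, lists its direct group memberships and flags Domain Admins/Enterprise Admins membership (that membership decides what a compromise of this account or this server hands to an attacker), tests LDAP reachability to a domain controller, and restarts the sync service if it is stopped. It also reports the scheduler and staging-mode state, because a paused scheduler or a server left in staging mode stops exports without raising any error.

```powershell
# Added example (not part of the original post): check the on-premises failure causes
# listed above from the Azure AD Connect server. Assumes an elevated session with the
# ADSync and ActiveDirectory modules. Get-ADSyncADConnectorAccount is assumed to exist
# in the installed ADSync build.
Import-Module ADSync
Import-Module ActiveDirectory

function Test-TcpPort {
    # Portable TCP reachability check (Server 2008 R2 has no Test-NetConnection).
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

$report = [ordered]@{}

# Is the sync service itself running? (Service name ADSync, display name "Microsoft Azure AD Sync".)
$svc = Get-Service -Name ADSync
$report['ServiceStatus'] = $svc.Status
if ($svc.Status -ne 'Running') { Start-Service -Name ADSync }

# A disabled sync cycle or staging mode stops exports silently.
$sched = Get-ADSyncScheduler
$report['SyncCycleEnabled']   = $sched.SyncCycleEnabled
$report['StagingModeEnabled'] = $sched.StagingModeEnabled

# The account the AD DS Connector really uses; a password change must be entered for THIS account.
$acct   = Get-ADSyncADConnectorAccount
$domain = $acct.ADConnectorAccountDomain
$sam    = $acct.ADConnectorAccountName
$report['ConnectorAccount'] = "$domain\$sam"

try {
    $user = Get-ADUser -Identity $sam -Server $domain -ErrorAction Stop `
                -Properties Enabled, LockedOut, PasswordExpired, PasswordNeverExpires, PasswordLastSet, MemberOf
    $report['AccountEnabled']       = $user.Enabled
    $report['AccountLockedOut']     = $user.LockedOut
    $report['PasswordExpired']      = $user.PasswordExpired
    $report['PasswordNeverExpires'] = $user.PasswordNeverExpires
    $report['PasswordLastSet']      = $user.PasswordLastSet
    # Direct memberships only; nested membership would need a tokenGroups lookup.
    $groups = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_ -Server $domain).Name })
    $report['DirectGroups'] = $groups -join ', '
    # Tier-0 membership here means a compromise of this account is a compromise of the forest.
    $report['HoldsTier0Membership'] = [bool]($groups | Where-Object { $_ -in 'Domain Admins', 'Enterprise Admins' })
} catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    $report['AccountState'] = "NOT FOUND in $domain (deleted or renamed)"
}

# Can this server reach a domain controller on LDAP / LDAPS?
$dc = (Get-ADDomainController -DomainName $domain -Discover).HostName[0]
$report['DomainController'] = $dc
$report['Ldap389Reachable'] = Test-TcpPort -ComputerName $dc -Port 389
$report['Ldap636Reachable'] = Test-TcpPort -ComputerName $dc -Port 636

[pscustomobject]$report
```

If the connector account shows PasswordExpired or a PasswordLastSet newer than the last successful sync, the stored credential in miisclient.exe is stale and must be updated as described above; a restart of the service alone will not fix it.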

Unfortunately, none of the above solved this customer’s issue, so I offered to log in. Generally re-running a configuration tool is not something I jump to during troubleshooting, but updates are usually considered. With contemporary installations of AD Connect, you simply download the latest version from the website and run an in-place upgrade (link here). It used to be a tedious exercise, but now settings from the existing configuration are copied over and the endeavor takes just a few minutes. At least that’s how it’s supposed to work.

After upgrading this customer’s AD Connect I noticed that the installation did NOT carry over the password sync setting like it normally does. This should NOT happen! I re-ran the configuration wizard and checked the box for password sync and suddenly everything was working. I didn’t think much of it until later, when two more customers contacted me with these issues and the common threads were (a) AD Connect had just been updated and (b) the password sync setting was not carried over. On Monday I reported this to Partner Support at Microsoft. I continued getting support requests from customers throughout the week, so I compiled this article from my support messages.

The fix: Re-Enable Password Synchronization Via AD Connect Configuration Wizard

What you will need:

Admin Privileges to manage AD Connect in your environment

Office 365 Global Administrator credentials

Procedure:

1. Log into the AD Connect server.

2. Run the AD Connect Configuration Wizard (Azure AD Connect shortcut on the desktop, or C:\Program Files\Microsoft Azure Active Directory Connect\AzureADConnect.exe).

3. Hit the green Configure button.

4. Highlight “Customize Synchronization Options” and hit Next.

5. Enter your Office 365 Global Admin credentials.

6. Once validated, hit Next until you land on the “Optional Features” page. On this page check the “Password Synchronization” checkbox.

7. Hit Next until you see the “Ready to Configure” page. On this page make sure the checkbox for “Start the synchronization process when configuration completes” is checked, and hit Configure.

8. Log into your Office 365 tenant and check the DirSync status box to make sure password sync is now functional. It may take a few minutes and a few page refreshes before this propagates.
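The same end state can be verified, and if necessary restored, from PowerShell rather than by watching the DirSync status box. The following is an added example, not code from the original post: on the AD Connect server it reads the tenant-level password hash sync feature flag and the per-connector password sync configuration with the ADSync cmdlets, re-enables password sync on any AD DS connector where it is off (Set-ADSyncAADPasswordSyncConfiguration reaches the same state as ticking the wizard checkbox, and is also the documented way to force a full password sync by disabling and re-enabling it), kicks off a delta sync, and then asks Azure AD when it last received password hashes. It goes beyond the single-forest case in the text by looping over every AD DS connector. It assumes the MSOnline module for the tenant-side view; $StaleAfterHours is an assumption.

```powershell
# Added example (not part of the original post): verify password hash sync after the
# wizard, and re-enable it with the ADSync cmdlets if the wizard did not. Assumes an
# elevated session on the AD Connect server and the MSOnline module for Connect-MsolService.
Import-Module ADSync

$StaleAfterHours = 3   # assumption; password sync normally runs every ~2 minutes

# Connector names as AD Connect sees them. The Azure AD connector is the ECMA2 ("Extensible2") one.
$aadConnector = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'Extensible2' } | Select-Object -First 1
$adConnectors = @(Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' })

# Tenant-level feature flag as recorded on this server.
$feature = Get-ADSyncAADCompanyFeature
"PasswordHashSync feature flag : $($feature.PasswordHashSync)"

$changed = $false
foreach ($ad in $adConnectors) {
    $phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $ad.Name
    "Password sync on '$($ad.Name)' : $($phs.Enabled)"
    if (-not $phs.Enabled) {
        # Same result as ticking "Password Synchronization" in the wizard, without re-running it.
        Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $ad.Name `
            -TargetConnector $aadConnector.Name -Enable $true
        $changed = $true
    }
}
if ($changed) { Start-ADSyncSyncCycle -PolicyType Delta }

# Tenant side: when did Azure AD last receive password hashes? (Msol timestamps are UTC.)
Connect-MsolService
$info = Get-MsolCompanyInformation
if ($null -eq $info.LastPasswordSyncTime) {
    $ageHours = $null
    $stale    = $true
} else {
    $ageHours = [math]::Round(((Get-Date).ToUniversalTime() - $info.LastPasswordSyncTime).TotalHours, 1)
    $stale    = $ageHours -gt $StaleAfterHours
}

[pscustomobject]@{
    PasswordSyncEnabledInTenant = $info.PasswordSynchronizationEnabled
    LastDirSyncTime             = $info.LastDirSyncTime
    LastPasswordSyncTime        = $info.LastPasswordSyncTime
    PasswordSyncAgeHours        = $ageHours
    PasswordSyncStale           = $stale
}
```

If the per-connector Enabled flag is True but LastPasswordSyncTime keeps ageing, the problem is not the upgrade carry-over covered here but the connector account's ability to read password hashes (the "Replicating Directory Changes" permissions), which is a different troubleshooting path.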

AD Connect Automatic Updates

This is where I learned something new. I was completely unaware that contemporary installations of Azure AD Connect are set to automatically upgrade by default. This is a fundamentally bad idea on Microsoft’s part and I would like to take this opportunity to scold them for changing it. As an Admin I would never have allowed automatic updates to occur against something as important as Identity Management had I known, so I will be disabling this for all future customers.

Luckily there is a very simple PowerShell command that you can run on the AD Connect server to disable automatic updates (upgrades). As always, you’ll want to right-click the PowerShell icon and “Run As Administrator”:

Import-Module ADSync

Set-ADSyncAutoUpgrade -AutoUpgradeState Disabled

To re-enable:

Set-ADSyncAutoUpgrade -AutoUpgradeState Enabled

Future-proof Your Global Admin Account Credentials

It is also a good idea to take this time to log into your tenant and check the password expiration settings for the Global Admin account that you use for the wizard login mentioned in the instructions above. The wizard needs those credentials every time it is run (the sync service itself signs in to Azure AD with the Sync_<servername>_<id> service account that the wizard creates, whose password is set not to expire), so, just like with the local AD service account, an expired or changed Global Admin password will stop the next wizard run or any automation built on that account. If you keep a dedicated cloud-only account for this, you do not want its password to expire:

For global password expiration policy settings (all O365 cloud users) go to Settings > Security & Privacy > Password Policy and set them to not expire. This will disable password expiration for all cloud users in your tenant, but will not affect synchronized users, as your local AD DS password policy is authoritative for those users.

If you want to leave your cloud user expiration policy intact but still set the Global Admin service account to not expire, you can do that via PowerShell with the MSOnline module:

Set-MsolUser -UserPrincipalName globaladmin@yourdomain.com -PasswordNeverExpires $true
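Before setting that flag, it is worth checking that the account really is cloud-only (PasswordNeverExpires does nothing for a synchronized user, whose expiry comes from AD DS), when it would otherwise expire under the tenant policy, and whether per-user MFA is enforced on it, since a never-expiring Global Admin password without MFA is a standing credential worth protecting. The following is an added example, not code from the original post; it assumes the MSOnline module and uses a placeholder UPN.

```powershell
# Added example (not part of the original post): inspect the cloud Global Admin service
# account before flipping PasswordNeverExpires. Assumes the MSOnline module; the UPN is a placeholder.
Import-Module MSOnline
Connect-MsolService

$upn    = 'globaladmin@yourdomain.com'
$domain = $upn.Split('@')[1]

$user   = Get-MsolUser -UserPrincipalName $upn
$policy = Get-MsolPasswordPolicy -DomainName $domain   # ValidityPeriod in days; 2147483647 means never

# Synchronized users carry an ImmutableId and a LastDirSyncTime; cloud-only users have neither.
$cloudOnly = [string]::IsNullOrEmpty($user.ImmutableId) -and ($null -eq $user.LastDirSyncTime)

# When the password would expire under the current policy (null if it never does).
$expiresOn = $null
if (-not $user.PasswordNeverExpires -and $policy.ValidityPeriod -lt 2147483647) {
    $expiresOn = $user.LastPasswordChangeTimestamp.AddDays($policy.ValidityPeriod)
}

# Per-user MFA state: "Enforced", "Enabled", or null when per-user MFA is not configured.
$mfaState = @($user.StrongAuthenticationRequirements)[0].State

[pscustomobject]@{
    UserPrincipalName    = $upn
    CloudOnly            = $cloudOnly
    PasswordNeverExpires = $user.PasswordNeverExpires
    PolicyValidityDays   = $policy.ValidityPeriod
    LastPasswordChange   = $user.LastPasswordChangeTimestamp
    PasswordExpiresOn    = $expiresOn
    PerUserMfaState      = $mfaState
}

# Only meaningful for a cloud-only account; a synced account's expiry is governed by AD DS.
if ($cloudOnly -and -not $user.PasswordNeverExpires) {
    Set-MsolUser -UserPrincipalName $upn -PasswordNeverExpires $true
}
```

If CloudOnly comes back False, the account you have been using for the wizard is a synchronized user and its expiry has to be handled in the on-premises password policy instead.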