Issue: The password sync for sub-domains is not working
Data Collected:
- Password hash sync for the root domain and some of the sub-domains is working without any problem
- Users and other objects from the selected OUs of the root domain and all of the sub-domains sync without any issues
- There are no sync errors for the objects whose passwords do not sync
- When a password is reset for an object from the sub-domain, no event ID 656 or 657 is logged on the AAD Connect server
- The connector properties show that the sub-domain directory partition is checked.
Troubleshooting:
Before proceeding, I had done everything mentioned in the article below:
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-troubleshoot-password-hash-synchronization
- Checked whether password hash sync is enabled – it is
- Ran the following command:
Invoke-ADSyncDiagnostics -PasswordSync
The following screenshot shows that the sub-domain directory partitions are not considered domains.
- Ran the same cmdlet against an object in the sub-domain for which password sync is not working:
Invoke-ADSyncDiagnostics -PasswordSync -ADConnectorName <Name-of-AD-Connector> -DistinguishedName <DistinguishedName-of-AD-object>
If you look closely, it says the object is available in the metaverse database, but reports an error for objects of the sub-domain:
"There is no password hash synchronization rule for AD Connector space object"
- But that's not right: as you can see from the screenshot below, there is a sync rule "In from AD – User AccountEnabled", and it shows as true
I didn't bother to dig deeper into the sync rules, as the installation is not customised. I was sure the domain partition was not being recognised.
- The domain partitions are selected in the connector properties.
To check this:
- Right click on the connector
- Choose properties
- From the popup window, click on "Configure Directory Partitions"
I came to the conclusion that the domain partition is not recognised, even though the GUI shows it as selected.
After some googling, I found 3 interesting cmdlets:
- Enable-ADSyncConnectorPartition
- Enable-ADSyncConnectorPartitionHierarchy
- Update-ADSyncConnectorPartition
There is no explanation of these cmdlets, but I did manage to run them, with no success.
Resolution:
So finally I've gone back to the basics of PowerShell.
Get-ADSyncConnector
This gives me the list of connectors. I need the first connector (the one the sub-domain is in):
$c = Get-ADSyncConnector
I'm interested in the first connector and its partitions, so I assign it to a variable:
$adConn = $c[0]
$adConn.Partitions
This lists the partitions under that connector. There are about 5 partitions; the objects in the last 2 partitions are the ones having problems.
If you look closely, the attribute "IsDomain" is set to "False", but it is "True" for the rest of the domain partitions (not shown in the screenshot though).
This is exactly why the password sync troubleshooter said the sub-domains in question are not domains.
To change this value, run the following commands for the 2 sub-domains:
$adConn.Partitions[5].IsDomain = $true
$adConn.Partitions[6].IsDomain = $true
After the change it will look like the screenshot below.
We are not done yet. This should take care of the password sync, but it has to be disabled and re-enabled to pick up the change:
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector "domain.net" -TargetConnector "domain.onmicrosoft.com - AAD" -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector "domain.net" -TargetConnector "domain.onmicrosoft.com - AAD" -Enable $true
Soon after this, the event log shows lots of 656 events, indicating that the passwords of objects from the sub-domains are syncing.
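The manual steps above, pulled together into one script as an added example (not part of the original write-up): it lists every partition of the AD connector with its IsDomain flag, flips the flag only on partitions that look like domain naming contexts but are marked False, then bounces password hash sync and checks for 656/657 events. The connector names are placeholders, and it assumes each partition object exposes Name (its DN) and IsDomain as seen in the post.

```powershell
# Added example based on the troubleshooting steps above; not the original author's script.
# Connector names are placeholders: take the real ones from Get-ADSyncConnector.
Import-Module ADSync

$sourceConnector = 'domain.net'                    # on-premises AD connector (placeholder)
$targetConnector = 'domain.onmicrosoft.com - AAD'  # Azure AD connector (placeholder)
$applyChanges    = $false                          # dry run by default; set $true to flip the flag

$adConn = Get-ADSyncConnector | Where-Object { $_.Name -eq $sourceConnector }
if (-not $adConn) { throw "Connector '$sourceConnector' not found" }

# Step 1: show every partition with its IsDomain flag so the odd ones stand out
$adConn.Partitions | Select-Object Name, IsDomain | Format-Table -AutoSize

# Step 2: find domain naming contexts (assumption: Name is the DN, e.g. DC=sub,DC=domain,DC=net;
# the configuration partition starts with CN= and is skipped) that are flagged IsDomain=False.
$broken = $adConn.Partitions | Where-Object { $_.Name -match '^DC=' -and -not $_.IsDomain }
if (-not $broken) {
    Write-Host 'All domain partitions already have IsDomain=True; nothing to change.'
    return
}
$broken | ForEach-Object { Write-Host "IsDomain=False on domain partition: $($_.Name)" }
if (-not $applyChanges) {
    Write-Host 'Dry run only. Review the list above, then set $applyChanges = $true to fix it.'
    return
}

# Step 3: set IsDomain=True on the affected partitions (same as $adConn.Partitions[n].IsDomain = $true)
foreach ($p in $broken) { $p.IsDomain = $true }

# Assumption, not in the original post: some ADSync builds keep the edited connector in memory
# only until it is written back, e.g. with Add-ADSyncConnector -Connector $adConn.

# Step 4: disable and re-enable password hash sync so the new partition set is honoured
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $sourceConnector -TargetConnector $targetConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $sourceConnector -TargetConnector $targetConnector -Enable $true

# Step 5: verify with the diagnostics cmdlet and by checking for 656 (success) / 657 (failure) events
Invoke-ADSyncDiagnostics -PasswordSync
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 656, 657 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize
```

Run it once as a dry run to confirm only the sub-domain partitions are listed before setting $applyChanges to $true.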
VJ