Password hash sync is not working for sub-domains – AAD Connect

Issue: Password hash sync for sub-domains is not working

Data Collected:

  1. Password hash sync for the root domain and some of the sub-domains is working without any problem
  2. Users and other objects from the selected OUs of the root domain and the sub-domains sync without any issue
  3. There are no sync errors for the objects whose passwords do not sync
  4. When a password is reset for an object from the sub-domain, no event ID 656 or 657 is logged on the AAD Connect server
  5. The connector properties show that the sub-domain directory partition is checked

Troubleshooting:

Before proceeding, I had already done everything mentioned in the article below:

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-troubleshoot-password-hash-synchronization

  1. Checked whether password hash is enabled – It is
  2. When I run the following command,

Invoke-ADSyncDiagnostics –PasswordSync

The following screenshot shows that the sub-domain directory partition is not considered a domain.

[Screenshot 1: Invoke-ADSyncDiagnostics -PasswordSync output]

  3. Ran the same diagnostics against the object in the sub-domain for which the password sync is not working:

Invoke-ADSyncDiagnostics -PasswordSync -ADConnectorName <Name-of-AD-Connector> -DistinguishedName <DistinguishedName-of-AD-object>

[Screenshot 2: Invoke-ADSyncDiagnostics -PasswordSync output for the sub-domain object]

If you look closely, it says the object is available in the metaverse database, but for objects of the sub-domain there is an error:

“There is no password hash synchronization rule for AD Connector space object”

  4. But that’s not right: as you can see from the screenshot below, the sync rule “In from AD – User AccountEnabled” exists and is enabled

[Screenshot 3: Synchronization Rules Editor showing “In from AD – User AccountEnabled”]

I didn’t bother digging deeper into the sync rules, as the installation is not customised. I was sure the domain partition was not being recognised.

  5. Confirmed that the domain partitions are selected in the connector properties.

To check this,

  • Right click on the connector
  • Choose properties
  • From the popup window, click on “Configure Directory Partitions”

I now came to the conclusion that the domain partition is not recognised, even though the GUI shows it as selected.

After some googling, I found three interesting cmdlets:

  • Enable-ADSyncConnectorPartition
  • Enable-ADSyncConnectorPartitionHierarchy
  • Update-ADSyncConnectorPartition

There is no documentation for these cmdlets. I did manage to run them, but with no success.

Resolution:

So finally I went back to PowerShell basics.

Get-ADSyncConnector

[Screenshot 4: Get-ADSyncConnector output listing the connectors]

This gives me the list of connectors. I need the first connector (the one containing the sub-domain):

$c = Get-ADSyncConnector

I’m interested in the first connector and its partitions, so I assign it to a variable and list the partitions:

$adConn = $c[0]

$adConn.Partitions

This lists the partitions under that connector. There are about 5 partitions, and objects in the last 2 partitions are the ones having problems.

[Screenshot 5: $adConn.Partitions output showing the IsDomain attribute]

If you look closely, the attribute called “IsDomain” is set to “False” for these partitions, while it is “True” for the rest of the domain partitions (not visible in the screenshot though).

This is exactly why, when we ran the password sync troubleshooter, it said the sub-domain in question is not a domain.

To change this value, run the following commands for the 2 sub-domains:

$adConn.Partitions[5].IsDomain = $true

$adConn.Partitions[6].IsDomain = $true

After the change it will look like below

[Screenshot 6: $adConn.Partitions output after the change, IsDomain now True]

We are not done yet. This should take care of the password sync, but password hash synchronization still has to be disabled and re-enabled for the connector pair:

Set-ADSyncAADPasswordSyncConfiguration -SourceConnector "domain.net" -TargetConnector "domain.onmicrosoft.com - AAD" -Enable $false

Set-ADSyncAADPasswordSyncConfiguration -SourceConnector "domain.net" -TargetConnector "domain.onmicrosoft.com - AAD" -Enable $true

Soon after this, the event log shows lots of 656 events, indicating that passwords for objects from the sub-domains are syncing.
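The same fix as a script, added here as an example rather than taken from the original post: it audits every AD connector’s partitions for IsDomain = False, applies the change by partition DN instead of a hard-coded index, re-arms password hash sync exactly as above, and then checks the Application log for the 656/657 events. The connector and partition property names (Name, ConnectorTypeName, Partitions, DN, IsDomain), the AAD connector name and the sub-domain DNs are assumptions or placeholders you must adjust.

```powershell
# Added example, not from the original post. Assumes the ADSync module
# and that connector/partition objects expose the properties used below.
Import-Module ADSync

$aadConnector = 'domain.onmicrosoft.com - AAD'   # placeholder: your AAD connector name
$subDomainDns = @(                               # constructed sample DNs of the affected sub-domains
    'DC=sub1,DC=domain,DC=net',
    'DC=sub2,DC=domain,DC=net'
)

# 1. Audit: list every partition of every AD connector with its IsDomain flag.
$adConnectors = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' }
$report = foreach ($conn in $adConnectors) {
    foreach ($p in $conn.Partitions) {
        [pscustomobject]@{
            Connector = $conn.Name
            Partition = $p.Name
            DN        = $p.DN
            IsDomain  = $p.IsDomain
        }
    }
}
$report | Format-Table -AutoSize
# Domain partitions (DN starting with DC=) that are not flagged as domains are the suspects.
$report | Where-Object { -not $_.IsDomain -and $_.DN -like 'DC=*' }

# 2. Fix: flip IsDomain for the listed sub-domain partitions, matched by DN.
foreach ($conn in $adConnectors) {
    $changed = $false
    foreach ($p in $conn.Partitions) {
        if (($subDomainDns -contains $p.DN) -and -not $p.IsDomain) {
            Write-Host "Marking $($p.DN) on connector '$($conn.Name)' as a domain partition"
            $p.IsDomain = $true
            $changed = $true
        }
    }
    if ($changed) {
        # Disable and re-enable password hash sync for this connector pair, as in the post.
        Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $conn.Name -TargetConnector $aadConnector -Enable $false
        Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $conn.Name -TargetConnector $aadConnector -Enable $true
    }
}

# 3. Verify: 656 (success) / 657 (failure) password sync events from the last 30 minutes.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 656, 657; StartTime = (Get-Date).AddMinutes(-30) } |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Run the audit section first on its own and confirm the suspect partitions match the sub-domains that fail to sync before running the fix section.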

 VJ
