Azure AD Sync is not working anymore - after first restart after setup


Problem description

Hello,

We have set up Azure AD Sync with Pass Hash Sync on Friday. Due to Windows updates we had to restart the server today.

Now it is not syncing anymore because of permission problems:

Password hash synchronization failed for domain: horvath.de. Details: 
Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8453 : Replication access was denied. There was an error calling _IDL_DRSGetNCChanges.
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnGetChanges(ReplicationState syncState)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.GetChanges(ReplicationState replicationState)
   at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
   at Microsoft.Online.PasswordSynchronization.DeltaSynchronizationTask.SynchronizeCredentialsToCloud()
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()
   at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()
   at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)

I found this article:

https://social.technet.microsoft.com/wiki/contents/articles/51110.azure-ad-sync-troubleshooting-error-611-replication-access-was-denied-password-synchronisation-failed.aspx

But it's not clear where it needs those permissions. When installing the Azure client we let the Azure AD client manage the service user for syncing. So the entries were set by the program.

It has these rights on "root" but not on all OUs.

Can someone advise?

Regards, Stephan

Recommended answer

ADSync is using the wrong account. It uses the installation account which "was" OrgAdmin and now is not anymore.
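
One way to check this on the sync server (an added example, not part of the original thread): list the account each AD connector binds with, and test whether that account holds the two replication rights on the domain head that error 8453 refers to. It assumes the ADSync and ActiveDirectory PowerShell modules are available and that the connector stores its login under the `forest-login-user` and `forest-login-domain` connectivity parameters; `example.com` is a placeholder.

```powershell
# Added example. Run elevated on the Azure AD Connect server; needs the ADSync
# module (installed with Azure AD Connect) and the ActiveDirectory RSAT module.
Import-Module ADSync, ActiveDirectory

$domainFqdn = 'example.com'   # placeholder: the domain named in the 8453 event

# Control access rights that password hash sync needs on the domain head.
$needed = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

# Logon account of the sync service itself (separate from the connector account).
$svc = Get-CimInstance Win32_Service -Filter "Name='ADSync'"
Write-Output "ADSync service runs as $($svc.StartName)"

$dom   = Get-ADDomain -Identity $domainFqdn
$acl   = Get-Acl -Path "AD:\$($dom.DistinguishedName)"
# Ask for SIDs so the comparison does not depend on name formatting.
$rules = $acl.GetAccessRules($true, $true,
             [System.Security.Principal.SecurityIdentifier])

foreach ($c in Get-ADSyncConnector) {
    $params = $c.ConnectivityParameters
    $login  = ($params | Where-Object Name -eq 'forest-login-user').Value
    if (-not $login) { continue }      # connector has no AD DS login, skip it
    $loginDomain = ($params | Where-Object Name -eq 'forest-login-domain').Value
    Write-Output "Connector '$($c.Name)' binds as $loginDomain\$login"

    $sid = (Get-ADUser -Identity $login -Server $loginDomain).SID.Value

    # Only ACEs naming the account directly are matched here; rights that come
    # from group membership or a generic "all extended rights" ACE are not.
    $granted = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $sid -and
        $needed.ContainsKey($_.ObjectType.ToString())
    } | ForEach-Object { $needed[$_.ObjectType.ToString()] }

    $missing = $needed.Values | Where-Object { $_ -notin $granted }
    if ($missing) {
        Write-Warning "  not granted on $($dom.DistinguishedName): $($missing -join ', ')"
    } else {
        Write-Output "  both replication rights are granted directly"
    }
}
```

If the account printed for the connector is not the one the permissions were delegated to, the output matches the situation described in the answer.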

