Monday 21 November 2016

Azure AD Connect - Problem Solved!

We use Office 365 at work for our email, and Azure AD Connect synchronises our on-premises Active Directory accounts into Azure AD so that people sign in with their existing credentials. This generally works really well: we control everything from our local domain and very rarely need to do anything in the Office 365 Admin Portal.

Azure AD Connect installs a Windows service called Microsoft Azure AD Sync (service name ADSync) that periodically synchronises directory objects and user passwords; the scheduled sync runs roughly every 30 minutes. Occasionally, though, we found that this service would stop working completely. Synchronisation then halted, which caused problems for anyone who had changed their password, because the change never reached Office 365. Initially the quickest fix we found was to uninstall and reinstall Azure AD Connect, after which everything worked again for a while.

Today I got to the bottom of the issue (hopefully!). When Azure AD Connect installs the Microsoft Azure AD Sync service it also creates a local user on the server (named AAD_ followed by a hex string) and configures the service to run as that account. As part of that, the installer grants the account the 'Log on as a service' user right. I discovered that a Group Policy Object in our domain (the default policy) also defined that user right. A user-rights assignment set by Group Policy replaces the local assignment rather than merging with it, so every time the policy refreshed it wiped out the grant to the local service account, and the service could no longer log on. When that happens the System event log shows Service Control Manager event 7000 for the ADSync service with the text "The service did not start due to a logon failure".

To resolve the issue, I created a local group on the Azure AD Connect server, added that group's name to the 'Log on as a service' setting in the domain policy, and put the local service account in the group. Because the policy refers to the group by name, it resolves to the local group on each server the policy applies to, so the service account keeps the right across policy refreshes. The service started functioning correctly again and synchronisation between our local AD and Office 365 resumed. One caveat: because the domain setting replaces the local list, any other account that needs 'Log on as a service' on that server must be listed in the policy as well.
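The following PowerShell script is an added example, not code from the original post or from Microsoft. It reproduces the check and the fix described above on the Azure AD Connect server: it finds the account the ADSync service runs as, reads the effective holders of the 'Log on as a service' right (SeServiceLogonRight) after Group Policy has applied, puts the account in a local group that the domain policy can grant the right to, and re-checks. The group name "ADSync Logon" is an assumption, as is the environment: an elevated PowerShell 5.1 session (for the Microsoft.PowerShell.LocalAccounts cmdlets) on a domain-joined server where Azure AD Connect created a local AAD_ account. Adding the group name to the 'Log on as a service' entry in the domain GPO is still done in the Group Policy Management Console; the script only tells you whether that step has taken effect.

```powershell
<#
  Added example (not the original post's code). Checks and repairs the
  "Log on as a service" right for the Azure AD Sync service account.
  Assumptions: PowerShell 5.1+, run elevated on the Azure AD Connect server;
  the local group name "ADSync Logon" is made up for this example.
#>

$ServiceName = 'ADSync'
$GroupName   = 'ADSync Logon'   # assumed name; also add it to the domain GPO

function Get-ServiceAccount {
    param([string]$Name)
    $svc = Get-CimInstance Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' not found on this server" }
    # Express setup uses a local AAD_<hex> account, reported as ".\AAD_...";
    # normalise to COMPUTERNAME\AAD_... so it compares with translated SIDs.
    $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
}

function Get-ServiceLogonRightHolders {
    # secedit exports the *effective* local policy, which already reflects
    # whatever the domain GPO last wrote for this right (entries are *SID).
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight' } | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            $sidText = $entry.Substring(1)
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sidText
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }   # unresolvable SID: keep it raw
        } else { $entry }
    }
}

function Test-ServiceLogonRight {
    param([string]$Account, [string]$Group)
    $holders = @(Get-ServiceLogonRightHolders)
    [pscustomobject]@{
        Account  = $Account
        Direct   = ($holders -contains $Account)
        ViaGroup = ($holders -contains "$env:COMPUTERNAME\$Group")
        Holders  = $holders
    }
}

function Add-AccountToLocalGroup {
    param([string]$Account, [string]$Group)
    if (-not (Get-LocalGroup -Name $Group -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $Group -Description 'Granted Log on as a service by domain GPO' | Out-Null
    }
    $members = @(Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue | ForEach-Object Name)
    if ($members -notcontains $Account) {
        Add-LocalGroupMember -Group $Group -Member $Account
    }
}

function Get-RecentLogonFailures {
    # The Service Control Manager logs 7000 ("did not start due to a logon
    # failure") and 7038 ("unable to log on as ...") when the right is gone.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000, 7038 } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$ServiceName*" } |
        Select-Object TimeCreated, Id, Message
}

$account = Get-ServiceAccount -Name $ServiceName
Add-AccountToLocalGroup -Account $account -Group $GroupName
& gpupdate.exe /target:computer /force | Out-Null     # apply the domain policy now
$state = Test-ServiceLogonRight -Account $account -Group $GroupName

if ($state.Direct -or $state.ViaGroup) {
    Start-Service -Name $ServiceName -ErrorAction SilentlyContinue
    "OK: $account holds SeServiceLogonRight (direct=$($state.Direct), via '$GroupName'=$($state.ViaGroup))"
} else {
    "MISSING: neither $account nor $env:COMPUTERNAME\$GroupName holds SeServiceLogonRight."
    "Add '$GroupName' to 'Log on as a service' in the domain GPO. A GPO entry replaces the"
    "local list, so every other account that needs the right must be listed there too."
    'Current holders:'; $state.Holders
    'Recent SCM logon failures:'; Get-RecentLogonFailures
}
```

Run it once after editing the GPO and again after the next policy refresh (gpupdate forces one): if the second run still reports the group among the holders, the grant survives refreshes and the service will keep starting.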

Success!



