Event 611, RPC Error 8453 Replication access was denied in Azure AD Sync Services
Issue: New Passwords are not syncing to AAD from On-Premises. It throws an error with an Event ID: 611 in the Event Logs with the following message.
Password hash synchronization failed for domain: Mushaaf.com, domain controller hostname: DC2.Mushaaf.com, domain controller IP address: 192.168.139.132. Details:
Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8453 : Replication access was denied. There was an error calling _IDL_DRSGetNCChanges. at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnGetChanges(ReplicationState syncState) at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.GetChanges(ReplicationState replicationState) at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy
The reason for this error is that the account configured for the Azure AD Connect Sync does not have proper permission to sync the password changes to the AAD.
To provide the right permission,
Step 1: Open Active Directory Users and Computers
Step 2: Right Click on the Mushaaf.com –> Security –> add the Service account configured for the Azure AD Connect and select two permissions shown in the below screenshot
- Replicating Directory Changes
2. Replicating Directory Changes All
Once permissions are set, do run the Azure AD Connect Full Sync and do validate the password Sync is happening as Expected.