Working on an Azure Active Directory Sync for a client with multiple forests I came across a strange issue. The first forest was set up with password synchronization for the on-premises AD accounts; I stepped through the wizard and did the initial sync to Azure AD. Once the sync was complete I tested login to Office 365 using one of the synced accounts and all worked as expected.
The issue came when adding the second AD connection. I disabled the scheduled task, then opened the Microsoft Azure AD Connection Tool to use the wizard to add the second AD forest. Once the new forest was added and synchronization was complete I tested the new logins with Office 365, however this time I was not able to use the accounts that had been synced.
After double checking all settings and making sure I’d not missed anything, I checked the connector using PowerShell:
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector ForestB.Domain.com
This reported back that:
Password hash synchronization isn’t configured for this connector
I checked the original connector:
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector ForestA.Domain.com
This reported back:
SourceConnector: ForestA.Domain.com
TargetConnector: Tenant.Onmicrosoft.com
Enabled: True
I ran the PowerShell cmdlet to add password synchronization to the new connector:
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector ForestB.Domain.com -TargetConnector "tenant.onmicrosoft.com - AAD" -Enable $True
Re-checked the AD Connector, which reported back:
SourceConnector: ForestB.Domain.com
TargetConnector: Tenant.Onmicrosoft.com
Enabled: True
I re-ran the synchronization to Azure AD and, once it completed, tested the same login; all worked.
Note: We plan to add another AD forest to this Azure Active Directory Sync installation, so I will update this post on whether the issue was with this AD connector or all connectors…
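Since the same check will need repeating for every forest added later, here is an added example (my script, not part of the original post) that audits password hash sync on every AD connector in the installation and, with -Fix, enables it the same way the cmdlet above does. It assumes the ADSync module is present on the Azure AD Connect server, that AD connectors report ConnectorTypeName "AD" and that the Azure AD connector reports "Extensible2".

```powershell
# Added example: audit (and optionally enable) password hash synchronization
# for every on-premises AD connector in an Azure AD Connect installation.
# Assumptions: ADSync module installed; AD connectors have
# ConnectorTypeName "AD", the Azure AD connector has "Extensible2".
param(
    [switch]$Fix   # without -Fix the script only reports the current state
)

Import-Module ADSync -ErrorAction Stop

# The target connector is the Azure AD side, e.g. "tenant.onmicrosoft.com - AAD".
$aadConnector = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'Extensible2' }
if (-not $aadConnector) { throw 'No Azure AD connector found on this server.' }

function Get-PhsState([string]$SourceName) {
    # Returns $true only when a configuration exists and is enabled. A connector
    # that was never configured (the state the second forest was left in) either
    # returns nothing or reports an error; both are treated as "disabled".
    try {
        $cfg = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $SourceName -ErrorAction Stop
        return ($null -ne $cfg -and [bool]$cfg.Enabled)
    } catch {
        return $false
    }
}

$results = foreach ($connector in Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' }) {
    $enabled = Get-PhsState $connector.Name
    $action  = 'none'

    if (-not $enabled -and $Fix) {
        Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $connector.Name `
            -TargetConnector $aadConnector.Name -Enable $true
        # Re-read rather than assume, mirroring the manual re-check in the post.
        $enabled = Get-PhsState $connector.Name
        $action  = if ($enabled) { 'enabled' } else { 'enable FAILED' }
    }

    [pscustomobject]@{
        SourceConnector  = $connector.Name
        TargetConnector  = $aadConnector.Name
        PasswordHashSync = $enabled
        Action           = $action
    }
}

$results | Format-Table -AutoSize
```

After enabling a connector, a synchronization cycle still has to be run before the newly synced accounts can sign in, as the post does above.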