Welcome back to another episode of things that should work right the first time, but don't! In today's episode, we are dealing with an issue where password synchronization is not working when using the Azure AD Connect tool. The incident in question relates to a recent Microsoft engagement I was working on, which involved a multi-forest Exchange Hybrid migration to Office 365. In this engagement, I had three separate forests that needed to sync their AD objects to Azure via the latest Azure AD Connect tool.
After setting up the tool on one server in one of the forests, and configuring the Synchronization wizard to sync all three forests (two-way trusts in place) to Azure, I had incorrectly thought that my work on the Azure front was done. Upon testing the accounts in the cloud, I noticed that only one of the forests was not syncing passwords up to the cloud. I began the usual volley of troubleshooting techniques, and quickly realized my issue was in line with many others who have seen similar event IDs on the sync server. The event IDs that give away that all is not well are the following:
Event ID 657
Event ID 611
Rerunning the configuration wizard did not help. Rerunning the scheduled sync task did not help. I was stuck. Fortunately this problem has been addressed somewhat, and a script is now available that forces a full password sync from the AD connector to the AAD connector. The script can be found here -
After running this script, password synchronization resumed.
The script is reproduced below as well:
# Connector names are case sensitive; copy them from Synchronization Service Manager
$adConnector = "fabrikam.com"
$aadConnector = "aaddocteam.onmicrosoft.com - AAD"
Import-Module ADSync
$c = Get-ADSyncConnector -Name $adConnector
# Build the ForceFullPasswordSync global parameter and attach it to the AD connector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c
# Disable and re-enable password sync for this pair so the full sync is triggered
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true
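As an added check (not part of the original post or Microsoft's script), the snippet below is what I would run on a multi-forest sync server before and after the fix: it prints the password sync configuration for every AD connector and pulls the 611/657 events from the last day, so you can see which forest is the broken one. It assumes the AAD connector name ends in " - AAD" as in the script above, and that the sync engine writes these events to the Application log under the provider name "Directory Synchronization".

```powershell
# Added diagnostic check, not from the original post: per-connector password sync
# state plus recent 611/657 events on an Azure AD Connect server with several forests.
Import-Module ADSync

# Assumption: the single AAD connector is named "<tenant> - AAD"; every other
# connector is an on-premises AD forest connector.
$connectors   = Get-ADSyncConnector
$aadConnector = ($connectors | Where-Object { $_.Name -like "* - AAD" } | Select-Object -First 1).Name
$adConnectors = $connectors | Where-Object { $_.Name -ne $aadConnector }

Write-Host "AAD connector: $aadConnector"
foreach ($c in $adConnectors) {
    Write-Host "`nPassword sync configuration for AD connector '$($c.Name)':"
    # Shows whether password sync is enabled from this forest towards the AAD connector
    Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $c.Name | Format-List
}

# Assumption: the sync engine logs to the Application log as "Directory Synchronization".
# 611 = password sync failure for a domain, 657 = password sync status events
Write-Host "`nPassword sync events (611/657) from the last 24 hours:"
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'
    Id           = 611, 657
    StartTime    = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

Run it once before the fix to identify the forest whose configuration or events differ from the healthy ones, and again afterwards to confirm the 611 events have stopped for that connector.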