There has been a new build of the Windows Azure Active Directory Synchronization client released - version 1.0.6694.0086.

This build includes a single fix, but it is an important one since the issue may be affecting a number of customers.

Symptoms

  •  Unexpectedly high amounts of Password Synchronization activity in the Application event log.
  •  Upon investigating further, it is observed that password hashes are being synchronized for users who have not had a password change recently.
  •  Legitimate password syncs for new users and for users who have had a password change may occur more slowly than expected.
  •  Customers may report “looping”, where they observe certain batches of users synced over and over. Note: there is not a true loop here; the sync succeeds, but certain users are added to future cycles repeatedly without having had a password change in AD.
  •  They may also describe the problem as a performance issue, or as extra “noise” in the event log.
  •  Despite these symptoms, PasswordSync completes successfully and no explicit errors are thrown.

Diagnosis

  •  This can be observed by looking at the password change date for the batches of users listed in the Application event log and the Password Sync debug log.
  •  Replication metadata should be retrieved for these users to confirm that pwdLastSet or unicodePwd has not been updated on any DC.
    •  You can use repadmin /showobjmeta DCPrefix* <ObjectDN> to gather this, where “DCPrefix” is a common prefix in the DC naming convention throughout the environment. If there is no common prefix, you can specify individual DCs.
    •  In this replication metadata you will notice that another attribute was updated shortly before the password for this user was synced.
  •  Change an attribute on a test user who has synced successfully in the past, but do not change the password. Note whether this user is included in a subsequent PasswordSync batch.
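
The metadata check above can be automated across many users. The following script is an added example, not part of the original article or the DirSync client: it parses the row layout of repadmin /showobjmeta output (column order assumed from typical repadmin output), takes the sync time of a user from the Application event log as a string you supply, and reports whether pwdLastSet or unicodePwd was written shortly before that sync or whether only an unrelated attribute changed, which is the signature of the bug this build fixes. The sample output is constructed.

```python
import re
from datetime import datetime, timedelta

# One metadata row: Loc.USN, Originating DSA, Org.USN, Org.Time/Date, Ver, Attribute.
# Column layout is assumed from typical repadmin /showobjmeta output.
ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s*$"
)
PASSWORD_ATTRS = {"pwdLastSet", "unicodePwd"}
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_showobjmeta(text):
    """Return {attribute: (originating DSA, last originating write time)}."""
    meta = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and separator lines do not match and are skipped
            _, dsa, _, when, _, attr = m.groups()
            meta[attr] = (dsa, datetime.strptime(when, TIME_FMT))
    return meta


def classify_sync(meta, synced_at, window_hours=1):
    """Classify a password sync that occurred at `synced_at` (event log time).

    "legitimate": pwdLastSet/unicodePwd were written within the window before
    the sync. "spurious": they were not; the list names the other attributes
    written in that window, i.e. the unrelated change that triggered the sync.
    """
    upper = datetime.strptime(synced_at, TIME_FMT)
    lower = upper - timedelta(hours=window_hours)
    pw_changed = [a for a in PASSWORD_ATTRS
                  if a in meta and lower <= meta[a][1] <= upper]
    if pw_changed:
        return "legitimate", sorted(pw_changed)
    triggers = [a for a, (_, t) in meta.items()
                if a not in PASSWORD_ATTRS and lower <= t <= upper]
    return "spurious", sorted(triggers)


# Constructed sample: password last set in January, but telephoneNumber was
# edited minutes before a PasswordSync batch in March picked the user up.
SAMPLE = """\
Loc.USN                           Originating DSA  Org.USN  Org.Time/Date        Ver Attribute
=======                           =============== ========= =============        === =========
  37004                   Default-First-Site-Name\\DC01    37004 2014-01-06 08:12:40    3 pwdLastSet
  37005                   Default-First-Site-Name\\DC01    37005 2014-01-06 08:12:40    3 unicodePwd
  41220                   Default-First-Site-Name\\DC02    41220 2014-03-18 09:41:03    2 telephoneNumber
"""
```

Feed it the output of repadmin against each DC (or the DCPrefix* form) and the event log timestamp of the sync; a "spurious" result for users who keep reappearing in batches confirms the condition described in this article.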

Resolution

Install the new build, which can be downloaded from http://technet.microsoft.com/en-us/library/jj151800.aspx or from the O365/Azure Portal.

Since this sort of issue does not stop password sync from running or cause any specific errors to be thrown, customers may not necessarily know they are affected.
