Monday, December 29, 2014

Unhealthy Directory Synchronization Notification - Expired Credentials

As you may be aware, when there are issues with Dirsync connecting to O365, you get an Unhealthy Directory Synchronization Notification email. The email doesn't provide any information other than to check the event logs. I got this notification for my test environment recently.

I happened to have the Synchronization Service Manager (miisclient.exe) open on my Dirsync server and looked in there first. The Active Directory Connector had a status of Success, which is expected. So, all good on the local side. However, the Windows Azure Active Directory Connector had a status of "stopped-extension-dll-exception".

The Application event log gave more information:
  • Directory Synchronization, Event ID 115 - Access to Windows Azure Directory has been denied
  • Directory Synchronization, Event ID 0 - Update your password and try again
  • Directory Synchronization, Event ID 655-  Failed credential provisioning ping
The cause of my error was an expired password on the account I was using for directory synchronization. I was using a dedicated cloud account in Office 365 that I was not monitoring. The password for the account expired and was not allowing authentication for the account.

The fix was to perform the following:
  1. Log in to Office 365 as an administrator and reset the password for the directory synchronization account.
  2. Update the password in Dirsync.
To update the password in Dirsync, you can run Directory Sync Configuration again. However, instead, I updated the credentials in Synchronization Service Manager. To do this in Synchronization Service Manager, use the following steps:
  1. Open Synchronization Service Manager (miisclient.exe).
  2. In Synchronization Service Manager, click Management Agents and double-click Windows Azure Active Directory Connector.
  3. In the Properties window, click Connectivity.
  4. On the Connectivity page, update the Password and click OK.
  5. Run Start-OnlineCoexistenceSync (or wait for Dirsync to do it automatically)

Update Dirsync Credentials

The long term fix for this issue to prevent the Dirsync credentials from expiring on the account. In the graphical interface of O365 management, you can configure a password expiration policy for all cloud accounts but not individual cloud accounts. To set the password expiration policy for a single account, you need to use Windows PowerShell and the command Set-MsolUser -UserPrincipalName -PasswordNeverExpires $true.

A complete set of instructions is here:

1 comment: