My AAD Connect service account password needed to be changed recently, which caused some issues.
When changing the password, you need to update it in two places:
- Microsoft Azure AD sync service (ADSync)
- Synchronization Service
I wasn’t aware of #2, which caused an incomplete sync to occur. The symptom was new users from on-prem not being added to Azure AD, while existing users and groups were not being updated. In addition, my service account got locked out on some occasions, specifically when I forced syncs during troubleshooting.
To remedy the Synchronization Service, do the following:
- Open the Synchronization Service GUI
- Click “Connectors” (top of window)
- Right click the connector for your on-prem AD
- Select “Connect to Active Directory Forest”
- Type in the updated credentials (typically just the new password)
You can test the sync by running the PowerShell command:
Start-ADSyncSyncCycle -PolicyType Delta
This will run a delta sync of your on-prem AD objects to AAD.
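As an added example (not part of the original post), the following PowerShell checks that both places described above agree on the service account, checks whether that account is locked out, pulls recent sync-engine errors, and then kicks off the delta sync. It assumes you run it elevated on the AAD Connect server with the ADSync and ActiveDirectory modules available; the connector parameter names forest-login-user / forest-login-domain and the assumption that the user value is a sAMAccountName are mine, not from the post.

```powershell
# Added example, not from the original post. Assumes: elevated session on the
# AAD Connect server, ADSync module present, ActiveDirectory RSAT module present.
Import-Module ADSync
Import-Module ActiveDirectory

# 1. Place #1: the logon account of the Windows service (name ADSync,
#    display name "Microsoft Azure AD Sync").
$svc = Get-CimInstance Win32_Service -Filter "Name='ADSync'"
"ADSync service runs as: $($svc.StartName) (state: $($svc.State))"

# 2. Place #2: the account configured on the on-prem AD connector inside the
#    Synchronization Service. Parameter names below are an assumption.
$adConnectors = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' }
$connUser = $null
foreach ($c in $adConnectors) {
    $p = @{}
    foreach ($param in $c.ConnectivityParameters) { $p[$param.Name] = $param.Value }
    "Connector '$($c.Name)' signs in as: $($p['forest-login-domain'])\$($p['forest-login-user'])"
    if (-not $connUser) { $connUser = $p['forest-login-user'] }
}

# 3. Lockout check for the connector account (the symptom seen when forcing syncs
#    with a stale password). Assumes the value is a sAMAccountName.
if ($connUser) {
    Get-ADUser -Identity $connUser -Properties LockedOut, badPwdCount, LastBadPasswordAttempt |
        Select-Object SamAccountName, LockedOut, badPwdCount, LastBadPasswordAttempt
}

# 4. Recent errors written by the sync engine to the Application log (Level 2 = Error).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Directory Synchronization'; Level = 2 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 5. Run the delta sync only if no cycle is already in progress, then wait for the
#    connector runs to finish before reading the result in the Operations tab.
$sched = Get-ADSyncScheduler
if (-not $sched.SyncCycleInProgress) {
    Start-ADSyncSyncCycle -PolicyType Delta
    do { Start-Sleep -Seconds 5 } while (@(Get-ADSyncConnectorRunStatus).Count -gt 0)
    "Delta sync finished; verify each step shows 'success' in the Operations tab."
} else {
    "A sync cycle is already running; retry after it completes."
}
```

If step 1 and step 2 show different accounts, or step 3 shows LockedOut = True, fix the connector credentials in the GUI as described above before forcing any further sync cycles.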