[SUPPORT TROUBLESHOOTING] RPC Error 8453 Replication access was denied in Azure AD Sync Services #AADSync

Quick post to describe a common layer-8 issue.

You’ve installed Azure AD Sync Services (AADSync) 1.0.0470.1023 (or later) and have set up password hash synchronisation, i.e. you are synchronising users and their password hashes to Azure AD rather than federating authentication to your on-premises identity provider.

Password synchronisation doesn’t appear to be working, and on the AADSync server you find Event ID 611 (source: Directory Synchronization) in the event log:

image

Here’s the text:

Password synchronization failed for domain: emeads.abstractsynapse.com. Details:
Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8453 : Replication access was denied. There was an error calling _IDL_DRSGetNCChanges.
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnGetChanges(ReplicationState syncState)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.GetChanges(ReplicationState replicationState)
   at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
   at Microsoft.Online.PasswordSynchronization.DeltaSynchronizationTask.SynchronizeCredentialsToCloud()
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()
   at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()
   at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext).

Password hash synchronisation does not read password attributes through LDAP; it pulls them through the directory replication service (the MS-DRSR RPC interface, which is why the failing call in the stack trace is _IDL_DRSGetNCChanges) in the same way a domain controller would. To be allowed to do that, the Active Directory Domain Services connector (management agent) account needs both of the following extended rights (control access rights) assigned on each in-scope domain naming context/partition, i.e. on the domain object itself:

  • Replicating Directory Changes
  • Replicating Directory Changes All

Both are required: the first allows the account to call the replication interface at all, the second allows it to receive secret attributes (password hashes) in the response. Note what this means from a security standpoint: an account holding Replicating Directory Changes All can pull the password hash of every account in the domain, including krbtgt, so treat the connector account as Tier 0. Give it a long random password, restrict where it can log on, don’t reuse it for anything else, and consider auditing Event ID 4662 on your domain controllers for these two control access rights being exercised by any principal other than the connector account and your domain controllers.
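The same check and assignment can be scripted, which is handy when you have several in-scope domains. The following is an added example, not code from the original post or from AADSync: it inspects the ACL of the domain naming context for the two extended rights and grants whichever is missing. It assumes the RSAT ActiveDirectory PowerShell module is installed, that you run it as a Domain Admin in the target domain, and that the account name is illustrative (SVCAADSYNCCON is the principal from the post; the EMEADS domain prefix is assumed). The two GUIDs are the well-known rightsGuid values of the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control access rights in the AD schema.

```powershell
# Added example (not from the original post): verify and, if needed, grant the two
# replication control access rights that AADSync password hash sync requires.
# Assumptions: RSAT ActiveDirectory module present, run as Domain Admin, and the
# account name below is illustrative - change it to your connector account.
Import-Module ActiveDirectory

$account = 'EMEADS\SVCAADSYNCCON'   # assumed NetBIOS domain; principal name from the post

# Well-known rightsGuid values of the two extended rights (controlAccessRight objects in the schema)
$rights = @{
    'Replicating Directory Changes'     = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes All' = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}

# The rights must be granted on the domain naming context, i.e. the domain object itself
$domainDn = (Get-ADDomain).DistinguishedName
$sid      = (New-Object System.Security.Principal.NTAccount($account)).Translate(
                [System.Security.Principal.SecurityIdentifier])

$acl     = Get-Acl -Path "AD:\$domainDn"
$changed = $false

foreach ($name in $rights.Keys) {
    $guid = $rights[$name]

    # An extended right is an ACE of type ExtendedRight whose ObjectType is the right's GUID
    $have = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $account -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $guid
    }

    if ($have) {
        Write-Host "OK      '$name' is already granted to $account on $domainDn"
    } else {
        Write-Host "MISSING '$name' for $account on $domainDn - granting"
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $guid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
        $acl.AddAccessRule($ace)
        $changed = $true
    }
}

if ($changed) {
    Set-Acl -Path "AD:\$domainDn" -AclObject $acl
    Write-Host "ACL updated on $domainDn"
}
```

Run it once per in-scope domain (it operates on the domain the session is joined to or targeted at via Get-ADDomain). Because these rights effectively confer the ability to read every password hash in the domain, keep the script’s output with your change record and don’t run it against a domain you haven’t agreed to bring into scope.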

In my case I had only granted Replicating Directory Changes All which was insufficient.  Here’s a screenshot of the permissions assignment using the Active Directory Domain Services (AD DS) Users and Computers MMC snap-in.  I’ve granted these control access rights directly to a principal called SVCAADSYNCCON:

image (screenshot: the Security tab of the domain object with both Replicating Directory Changes rights granted to SVCAADSYNCCON)

Once the permissions are correctly assigned you can either wait for the scheduled synchronisation to run or invoke it manually from an elevated prompt on the AADSync server: C:\Program Files\Microsoft Azure AD Sync\Bin> .\DirectorySyncClientCmd.exe [initial | delta]. You should then see Event ID 656, source Directory Synchronization, describing successful synchronisation of credentials (excuse the misspelling of the Terminator):

image

Hope this helps.