KnowledgeBase: You experience EventID 1699 on Domain Controllers targeted by Azure AD Connect

One of the issues you might encounter when you misconfigure the delegated permissions for Azure AD Connect’s Active Directory Connector account is an event with event ID 1699 appearing every hour in the event viewers of your Domain Controllers.
The situation
You are using Azure AD Connect with Password Hash Synchronization as either the sign-in method to Azure AD or as an optional feature.
When you set up Azure AD Connect, you did not take the opportunity to have Azure AD Connect create the account it uses to connect to Active Directory, or you later changed the AD Connector account credentials to an account you created yourself.
The issue
On the Domain Controllers that Azure AD Connect communicates to, you experience hourly events in the Directory Service event log with event ID 1699 and source ActiveDirectory_DomainService:
The event typically states that the user is the Azure AD Connect service account and that the computer is the server running Azure AD Connect. In the additional data field, the error value is stated:
8453 Replication access was denied.
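As an added example (not part of the original post), the following PowerShell collects the 1699 events from every Domain Controller in the domain for the last 24 hours and summarises them, so you can confirm the account and computer named in the event are the Azure AD Connect service account and server before changing any permissions. It assumes the ActiveDirectory module is installed and that you can read the event logs on the Domain Controllers remotely.

```powershell
# Added example, not from the original post: find Event ID 1699 in the
# Directory Service log on every Domain Controller and summarise it.
# Assumes the ActiveDirectory module and remote event log access to the DCs.
Import-Module ActiveDirectory

$since  = (Get-Date).AddHours(-24)
$filter = @{
    LogName   = 'Directory Service'
    Id        = 1699
    StartTime = $since
}

foreach ($dc in (Get-ADDomainController -Filter *)) {
    $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Host "$($dc.HostName): no 1699 events since $since"
        continue
    }

    # The hourly repeats carry the same message, so group them and report one
    # line per distinct message: how often it occurred, when it was last seen,
    # and whether the additional data contains error 8453 (replication access denied).
    $events |
        Group-Object -Property Message |
        ForEach-Object {
            $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            [pscustomobject]@{
                DomainController = $dc.HostName
                Count            = $_.Count
                LastSeen         = $latest.TimeCreated
                AccessDenied     = ($_.Name -match '8453')
                FirstLine        = ($_.Name -split "`n")[0].Trim()
            }
        }
}
```

If AccessDenied is True and the message names the AD Connector account, the cause described in the next section applies; if the account or computer named differs, something other than Azure AD Connect is attempting replication and the permissions fix below is not the right response.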
The cause
This issue is caused by an absence of delegated permissions to Azure AD Connect’s Active Directory Connector account. It lacks the following delegated permissions in Active Directory:
- Replicate Changes
- Replicate Changes All
These permissions are needed for Password Hash Synchronization.
The solution
You can prevent the events from appearing in one of three ways: by disabling Password Hash Synchronization in Azure AD Connect (not recommended), by delegating the required access to Azure AD Connect’s AD Connector account through membership of the previously configured PHS Permissions group (proper solution), or by granting the two control access rights directly on the domain naming context with the following command line (quick solution):
dsacls.exe "dc=domain,dc=tld" /G "DOMAIN\ADConnectorAccount:CA;Replicating Directory Changes;" "DOMAIN\ADConnectorAccount:CA;Replicating Directory Changes All;"
Replace the values for your domain, your top-level domain, and your Azure AD Connect AD Connector account (NetBIOS domain name and account name, separated by a backslash) in the above command line.
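To verify the delegation before and after applying either fix, the following added PowerShell (not from the original post) reads the ACL of the domain naming context and reports whether the AD Connector account holds the two control access rights, either directly or through a group such as the PHS Permissions group. It assumes the ActiveDirectory module; $Account is a placeholder for your own AD Connector account, and the two rightsGuid values are the well-known GUIDs of the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control access rights.

```powershell
# Added example, not from the original post: report whether the AD Connector
# account holds "Replicating Directory Changes" and "Replicating Directory
# Changes All" on the domain root, directly or via group membership.
# Assumes the ActiveDirectory module. $Account is a placeholder.
Import-Module ActiveDirectory

$Account  = 'DOMAIN\ADConnectorAccount'   # placeholder: NetBIOS domain\account
$domainDN = (Get-ADDomain).DistinguishedName

# Well-known rightsGuid values of the two control access rights
$rights = @{
    'Replicating Directory Changes'     = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes All' = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}

# SIDs that represent the account: its own SID plus every group in its token
# (tokenGroups is a constructed attribute that includes nested membership),
# so a grant made to the PHS Permissions group is detected as well.
$samName  = ($Account -split '\\')[-1]
$user     = Get-ADUser -Identity $samName -Properties tokenGroups
$principalSids = @($user.SID.Value) + @($user.tokenGroups | ForEach-Object { $_.Value })

$acl = Get-Acl -Path "AD:\$domainDN"

function Get-AceSid {
    # Translate an ACE identity (name or SID) to a SID string; $null if unresolvable
    param($IdentityReference)
    try {
        $IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }
}

$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

foreach ($name in $rights.Keys) {
    $matching = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $extendedRight) -ne 0) -and
        $_.ObjectType -eq $rights[$name] -and
        ($principalSids -contains (Get-AceSid $_.IdentityReference))
    }
    [pscustomobject]@{
        Account   = $Account
        Right     = $name
        Granted   = [bool]$matching
        GrantedTo = ($matching | ForEach-Object { $_.IdentityReference.Value }) -join ', '
    }
}
```

Both rows should show Granted = True once the delegation is in place; if only one right is granted, Password Hash Synchronization still fails and the 1699 events continue. GrantedTo shows whether the right comes from the account itself or from a group, which tells you which of the two fixes was applied.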
The post KnowledgeBase: You experience EventID 1699 on Domain Controllers targeted by Azure AD Connect appeared first on The DirTeam.com / ActiveDir.org Weblogs.
via The DirTeam.com / ActiveDir.org Weblogs https://dirteam.com
February 22, 2021 at 04:50PM
Sander Berkouwer
