Event 611,RPC Error 8453 Replication access was denied in Azure AD Sync Services


I am using AD sync between my on-premises server and Azure. I have started to face a new problem where only new passwords are not syncing to AAD from on-premises. It throws an error with Event ID 611 in the event logs, with the following message.

Password hash synchronization failed for domain:, domain controller hostname:, domain controller IP address: Details:

Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8453 : Replication access was denied. There was an error calling _IDL_DRSGetNCChanges. at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnGetChanges(ReplicationState syncState) at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.GetChanges(ReplicationState replicationState) at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func1 operation, Func1 shouldAbort, RetryPolicyHandler retryPolicy)

The reason for this error is that the account configured for the AADConnect sync does not have the directory replication permissions it needs to read password hash changes from on-premises AD, so the password changes cannot be synchronised to AAD.

To grant the required permissions:

Step 1: Open Active Directory Users and Computers.

Step 2: Right-click the domain –> Properties –> Security –> add the service account configured for AADConnect and select the two permissions listed below:

  1. Replicating Directory Changes
  2. Replicating Directory Changes All

Once the permissions are set, run an AADConnect full sync and validate that password sync is happening as expected.
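To confirm the fix without clicking through the Security tab, the following PowerShell reads the ACL on the domain root and checks that the connector account holds both replication rights. This is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module is installed, and $ConnectorAccount is a placeholder for the sAMAccountName of your AADConnect AD DS connector account.

```powershell
# Added example: check that the AADConnect connector account holds the two
# replication rights on the domain naming context that the post tells you to grant.
# $ConnectorAccount is a placeholder; supply your own connector account name.
param(
    [Parameter(Mandatory)] [string] $ConnectorAccount   # e.g. the MSOL_... account
)

Import-Module ActiveDirectory

# Well-known GUIDs of the two extended rights shown in the ADUC Security tab
$RequiredRights = @{
    'Replicating Directory Changes'     = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes
    'Replicating Directory Changes All' = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes-All
}

$domain = Get-ADDomain
$sid    = (Get-ADUser -Identity $ConnectorAccount).SID
$nt     = $sid.Translate([System.Security.Principal.NTAccount]).Value
$acl    = Get-Acl -Path ("AD:\" + $domain.DistinguishedName)

# Extended rights directly allowed to the account on the domain root.
# Note: rights inherited through group membership are not resolved here.
$granted = $acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.IdentityReference.Value -in @($nt, $sid.Value)
    } | ForEach-Object { $_.ObjectType }

$missing = foreach ($name in $RequiredRights.Keys) {
    if ($granted -notcontains $RequiredRights[$name]) { $name }
}

if ($missing) {
    # This is the state that produces Event 611 / RPC error 8453 during password hash sync
    Write-Warning ("{0} missing on {1} for {2}" -f ($missing -join ', '), $domain.DNSRoot, $ConnectorAccount)
} else {
    Write-Output "$ConnectorAccount holds both replication rights on $($domain.DNSRoot)"
}
```

If the Security tab is not visible on the domain object in ADUC, enable View –> Advanced Features first.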