I am using AD sync between my on-premises server and Azure. I have started to face a new problem where only new passwords are not syncing to AAD from on-premises. It throws an error with Event ID 611 in the Event Logs with the following message.
Password hash synchronization failed for domain: contoso.com, domain controller hostname: DC2.contoso.com, domain controller IP address: 10.20.20.5. Details:
Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8453 : Replication access was denied. There was an error calling _IDL_DRSGetNCChanges. at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnGetChanges(ReplicationState syncState) at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.GetChanges(ReplicationState replicationState) at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func1 operation, Func1 shouldAbort, RetryPolicyHandler retryPolicy)
The reason for this error is that the account configured for the AAD Connect sync does not have the permissions it needs to read password changes from on-premises AD and sync them to AAD.
Step 2: Right-click the domain (Windowstechpro.com in the screenshot) –> Security –> add the service account configured for AAD Connect and select the two permissions shown in the screenshot below:
1. Replicating Directory Changes
2. Replicating Directory Changes All
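The same check and grant can be scripted instead of done through the GUI. The following PowerShell is an added example, not code from the original post: it lists every principal that holds either replication right on the domain naming context, reports whether the sync account already has both, and adds the missing ones. It assumes the ActiveDirectory RSAT module, a Domain Admin session on a domain-joined machine, and a hypothetical account name in $ServiceAccount (replace it with the AD DS connector account your AAD Connect installation actually uses). The two extended-right GUIDs are the well-known values for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.

```powershell
# Added example, not from the original post. Audit and grant the two replication
# rights that AAD Connect password hash sync needs on the domain naming context.
Import-Module ActiveDirectory

# Hypothetical account name; use the AD DS connector account from your AAD Connect setup.
$ServiceAccount = 'CONTOSO\MSOL_1234abcd'

# Well-known extended-right GUIDs for the two permissions shown in the screenshot.
$ReplChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # Replicating Directory Changes
$ReplChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # Replicating Directory Changes All

$DomainDN = (Get-ADDomain).DistinguishedName
$AclPath  = "AD:\$DomainDN"

# Returns one row per explicit Allow ACE that grants either replication right.
function Get-ReplicationRightHolders {
    $acl = Get-Acl -Path $AclPath
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
            ($_.ObjectType -eq $ReplChanges -or $_.ObjectType -eq $ReplChangesAll)
        } |
        Select-Object IdentityReference,
            @{ n = 'Right'; e = {
                if ($_.ObjectType -eq $ReplChanges) { 'Replicating Directory Changes' }
                else                                { 'Replicating Directory Changes All' } } }
}

# 1. Audit: these rights allow reading password hashes, so the holder list should stay short.
Write-Host "Explicit holders of replication rights on $DomainDN"
Get-ReplicationRightHolders | Sort-Object IdentityReference | Format-Table -AutoSize

# 2. Does the sync account already hold both rights?
$held          = Get-ReplicationRightHolders | Where-Object { $_.IdentityReference.Value -eq $ServiceAccount }
$hasChanges    = $held | Where-Object { $_.Right -eq 'Replicating Directory Changes' }
$hasChangesAll = $held | Where-Object { $_.Right -eq 'Replicating Directory Changes All' }

if ($hasChanges -and $hasChangesAll) {
    Write-Host "$ServiceAccount already has both rights; the 8453 error has another cause."
    return
}

# 3. Grant whichever right is missing; this is what the Security tab steps above do.
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
            [System.Security.Principal.SecurityIdentifier])
$acl = Get-Acl -Path $AclPath
$toGrant = @()
if (-not $hasChanges)    { $toGrant += $ReplChanges }
if (-not $hasChangesAll) { $toGrant += $ReplChangesAll }

foreach ($rightGuid in $toGrant) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $rightGuid)
    $acl.AddAccessRule($ace)
    Write-Host "Granting $rightGuid to $ServiceAccount"
}
Set-Acl -Path $AclPath -AclObject $acl
```

The audit lists only explicit extended-right ACEs; principals that hold GenericAll on the domain head (Domain Admins, for example) have these rights implicitly and do not appear. If the sync account already shows up with both rights, the permission fix on this page will not resolve the 8453 error and the cause is elsewhere, for instance the account's password or the domain controller the sync is talking to.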
The RPC 8453 error you’re encountering is linked to the Azure Active Directory (AD) Connect tool, which synchronises your on-premises Active Directory with Azure AD. When you see the RPC Error 8453: Replication denied access message, it suggests that the replication permissions aren’t accessible.
Here are some potential solutions:
Update the Azure AD Connect tool: Make sure you have the latest version of the Azure AD Connect tool installed.
Check the permissions: The error might be due to the destination domain controller not having the required permissions to replicate the naming context/partition. You can grant permission to replicate directory changes to the forest-root domain’s Enterprise Read-only Domain Controllers security group.
Use the Administrator Account: Ensure that your account has the necessary administrative privileges.
Change Registry Settings: On the AD Sync server, you can try changing a registry setting and rebooting the server.