Wednesday, April 29, 2020

Azure AD Connect error 8244-- SOLVED

So here I was the other day setting up AAD Connect for a new employer, gotta get those account sync'd!  Anyway this being yet another in a long series of inherited networks I ran into almost every single user object in the specified OU's to be sync'd erroring out according to the Synchronization Service Manager under Connector Operations with a 'permission-issue' error 8244.

I spent some quality time with Google and found where people needed to ensure the local sync account has been added to the domain level with:


So I did that, but it did not help. I start looking into the NTFS Security permissions on the users and OU's and low and behold not a single level has inheritance enabled.

So I found this powershell blurp: https://community.spiceworks.com/topic/2120107-powershell-to-enable-inheritance

Ran this and BOOM all my objects were now enabled, however re-running a Delta sync I was still getting mass errors.  So as a test I added the sync account with FC permissions and that account's password hash was sync to AAD.  Odd I thought, so I went looking further and in the event log event 611


So using this I found, eventually, that the sync account needs permissions to edit: ms-dS-ConsistencyGuid which then led me to this:

$accountname = "<domain>\ad_forest"
$forestdn = "dc=<domain1>,dc=<domain2>"
$cmd = "dsacls '$forestdn' /I:S /G '`"$accountname`":WP;ms-ds-consistencyGuid;user'"
invoke-expression $cmd

Once I ran that, I could then see the sync account under the Security tab of all my user objects and the next Delta sync kickoff ran without any errors.



No comments:

Post a Comment