One of the issues you might encounter when you misconfigure the delegated permissions for Azure AD Connect’s Active Directory Connector account is event ID 1699 appearing every hour in the Directory Service event log on your Domain Controllers.
The situation
You are using Azure AD Connect with Password Hash Synchronization, either as the sign-in method to Azure AD or as an optional feature.
When you set up Azure AD Connect you did not let the wizard create the account it uses to connect to Active Directory, or you later changed the AD Connector account credentials to an account you created yourself.
The issue
On the Domain Controllers that Azure AD Connect communicates with, the Directory Service event log records an event every hour with event ID 1699 and source ActiveDirectory_DomainService:
The event names the user (the Azure AD Connect AD Connector account) and the computer (the server running Azure AD Connect). The additional data field gives the error value:
8453 Replication access was denied.
The cause
This issue is caused by missing delegated permissions for Azure AD Connect’s Active Directory Connector account. The account lacks the following control access rights (extended rights) on the domain partition:
- Replicating Directory Changes
- Replicating Directory Changes All
Password Hash Synchronization reads password hashes through the directory replication protocol, which requires both rights; Replicating Directory Changes All is the one that allows secret attributes such as password hashes to be read.
The solution
You can stop the events in one of three ways:
- Disable password hash synchronization in Azure AD Connect (not recommended).
- Add Azure AD Connect’s AD Connector account to the group you previously delegated these rights to for PHS (the proper solution, when such a group exists).
- Grant the rights directly to the AD Connector account with the following command line (quick solution):
dsacls.exe "dc=domain,dc=tld" /G "DOMAIN\ADConnectorAccount:CA;Replicating Directory Changes;" "DOMAIN\ADConnectorAccount:CA;Replicating Directory Changes All;"
Replace the domain distinguished name, the NetBIOS domain name and the Azure AD Connect AD Connector account name in the above command line with your own values. The events stop once the next synchronization cycle runs with the new permissions.
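The following PowerShell script is an added example, not part of the original post. It checks whether an account holds both replication control access rights on the domain partition by looking for the rights’ schema GUIDs in the partition’s ACL, grants them with an ActiveDirectoryAccessRule when you pass -Grant (the same result as the dsacls.exe command above), and then queries a Domain Controller for recent 1699 events. It assumes the RSAT ActiveDirectory module, an account with rights to read and modify the domain partition ACL, and placeholder names (DC=domain,DC=tld, DOMAIN\ADConnectorAccount, DC01) that you must replace.

```powershell
# Added example: verify (and optionally grant) the replication rights the
# AD Connector account needs for Password Hash Synchronization.
# Placeholders below are assumptions; replace them with your own values.
param(
    [string]$DomainDN = 'DC=domain,DC=tld',          # assumption: your domain partition DN
    [string]$Account  = 'DOMAIN\ADConnectorAccount', # assumption: the AD Connector account
    [string]$DC       = 'DC01',                      # assumption: a DC that logs the 1699 events
    [switch]$Grant                                   # grant missing rights instead of only reporting
)

Import-Module ActiveDirectory

# Schema GUIDs of the two control access rights (fixed values in every AD forest).
$Rights = [ordered]@{
    'Replicating Directory Changes'     = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes All' = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}

# Compare on SID so that a renamed account or a different name format still matches.
$sid  = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
            [System.Security.Principal.SecurityIdentifier])
$path = "AD:\$DomainDN"
$acl  = Get-Acl -Path $path

$missing = @()
foreach ($name in $Rights.Keys) {
    $ace = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $Rights[$name] -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    }
    if ($ace) { Write-Host "OK      $name" } else { Write-Host "MISSING $name"; $missing += $name }
}

if ($missing -and $Grant) {
    foreach ($name in $missing) {
        # Same effect as dsacls /G "DOMAIN\account:CA;<right name>;" on the domain partition.
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $Rights[$name])
        $acl.AddAccessRule($rule)
        Write-Host "GRANTED $name"
    }
    Set-Acl -Path $path -AclObject $acl
}
elseif ($missing) {
    Write-Host "Re-run with -Grant to add the missing rights (or add $Account to your PHS permissions group)."
}

# After the next sync cycle, no new 1699 events should appear on the DC.
Get-WinEvent -ComputerName $DC -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 1699
    StartTime = (Get-Date).AddHours(-2)
} | Select-Object TimeCreated, MachineName, Message
```

The ACL check only sees rights granted directly to the SID you pass in. If you delegated the rights to a group (the proper solution above), run the check against the group name instead, and confirm the AD Connector account is a member of it with Get-ADGroupMember.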
It should be noted that any account with the 'Replicate Directory Changes ALL' right is effectively a Domain Admin account, and should be secured appropriately. Any host where this account (or any Domain Admin account) logs in interactively should be secured similarly to a DC, since anyone with admin rights to it can steal the credentials associated with an interactive login.
Noted.