Azure AD Connect v1.6.13.0 and v2.0.10.0 solve a PHS issue in renamed Active Directory forests


Azure AD Connect has seen its share of new releases in the last weeks, following a security issue and an issue with Password Hash Synchronization (PHS) transactions for a large number of users (v2 only). Yesterday, Microsoft's free Identity synchronization solution saw another two new releases addressing an issue with Password Hash Synchronization (PHS) in renamed Active Directory forests.

The issue

Organizations using previous versions of Azure AD Connect experience issues where Password Hash Synchronization (PHS) stops working.

In the Microsoft 365 admin portal, the status for Azure AD Connect clearly shows that synchronization of objects and their attributes works, but that Password Hash Synchronization (PHS) has stopped working.

In the event log for the Windows Server running Azure AD Connect, event ID 611 is shown in the Application log after each synchronization cycle, including the following error information:

Unable to open connection to domain: domain.tld.

Error: Unable to retrieve source domain information.

Unable to retrieve source domain information.

Specified cast is not valid.

The cause

This issue is caused by a faulty library in Azure AD Connect.

The issue has no relationship to the actual connection to Active Directory, including improper name resolution, absence of TLS 1.2 on Domain Controllers or authentication errors for the AD connector account. Azure AD Connect cannot connect to the Domain Controller for Password Hash Synchronization (PHS) because of the faulty library.

The solution

Microsoft has released two new Azure AD Connect versions to address the issue:

AZURE AD CONNECT V1.6.13.0

Azure AD Connect v1.6.13.0 addresses the above issue in Azure AD Connect v1.6.11.3.

This version is intended for organizations that wish to continue running Azure AD Connect v1.x, or that run Azure AD Connect on an older version of Windows Server and cannot upgrade that server to Windows Server 2016 or newer at this time.

Note:
Admins cannot use this version to update an Azure AD Connect v2.x server.

You can download Azure AD Connect v1.6.13.0 using this link.
This build is not offered as an automatic upgrade.
The download weighs 104 MB.

AZURE AD CONNECT V2.0.10.0

Azure AD Connect v2.0.10.0 addresses the above issue in Azure AD Connect v2.0.8.0 and v2.0.9.0.

Note:
This release requires Windows Server 2016 or newer. If you are using an older version of Windows Server, please use version 1.6.13.0.

You can download Azure AD Connect v2.0.10.0 using this link.
This build is not offered as an automatic upgrade.
The download weighs 153 MB.

Call to action

If Azure AD Connect was recently upgraded within your organization, please check the Application event logs of the Azure AD Connect server(s) for errors with Event ID 611 and the specific error text "Specified cast is not valid." If this error occurs, upgrade Azure AD Connect to either v1.6.13.0 or v2.0.10.0 to fix Password Hash Synchronization.
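As an added check (example code, not part of the original post), the following PowerShell, run elevated on the Azure AD Connect server, lists the Event ID 611 entries that carry the "Specified cast is not valid." error, extracts the affected domain names, and compares the installed Azure AD Connect version with the fixed builds. The Uninstall registry entry named "Microsoft Azure AD Connect" is an assumption.

```powershell
# Added example (not from the original post): detect the PHS failure described
# above and tell the admin whether the installed build is one of the fixed ones.
# Assumptions: run elevated on the Azure AD Connect server; the product registers
# an Uninstall entry with DisplayName "Microsoft Azure AD Connect" (assumed).

$fixedVersions = @{ '1' = [version]'1.6.13.0'; '2' = [version]'2.0.10.0' }

# The error is logged once per synchronization cycle; look back seven days.
$events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Application'
        Id        = 611
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Specified cast is not valid' })

if ($events.Count -gt 0) {
    # Pull "domain.tld" out of "Unable to open connection to domain: domain.tld."
    $domains = $events | ForEach-Object {
        if ($_.Message -match 'Unable to open connection to domain:\s*(\S+)') {
            $Matches[1].TrimEnd('.')
        }
    } | Sort-Object -Unique
    $first = ($events | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated
    Write-Output ("PHS failure found: {0} Event ID 611 entries since {1:u}; domains: {2}" -f `
        $events.Count, $first, ($domains -join ', '))
} else {
    Write-Output 'No Event ID 611 entries with "Specified cast is not valid" in the last 7 days.'
}

# Installed version, read from the Uninstall registry entries (DisplayName assumed).
$installed = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq 'Microsoft Azure AD Connect' } |
    Select-Object -First 1 -ExpandProperty DisplayVersion

if ($installed) {
    $current = [version]$installed
    $fixed   = $fixedVersions[[string]$current.Major]   # v1.x -> 1.6.13.0, v2.x -> 2.0.10.0
    if ($fixed -and $current -lt $fixed) {
        Write-Output ("Azure AD Connect {0} is installed; upgrade to {1} to restore PHS." -f $current, $fixed)
    } else {
        Write-Output ("Azure AD Connect {0} is installed; at or past the fixed build." -f $current)
    }
} else {
    Write-Output 'Azure AD Connect version could not be read from the registry.'
}
```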
