Forcing a full sync after enabling DirSync Password Synchronization
The latest version of DirSync, or to use its full name Windows Azure Active Directory Sync, provides a new feature that removes the requirement to use AD FS for some customers: if you're using DirSync without AD FS, you can now use your Active Directory credentials to log on to Office 365 services.
If you're upgrading from a previous version of DirSync (for example, the Microsoft Online Services Directory Sync Tool) and you choose to enable Password Synchronization then you may experience the following issue:
- User passwords are not synchronized until each user resets their password.
You can force a full password synchronization against the local Active Directory by following these steps:
- On the DirSync server, open Registry Editor as Administrator
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSOLCoExistence
- Create a new key named PasswordSync
- Create a new DWORD value within the new key named with the value 1
This should show as below:
Next, ensure the correct permissions are set on the new PasswordSync key. Right-click MSOLCoExistence and choose Properties. Choose Permissions, then Advanced.
Select the Azure AD service account (which may be prefixed AAD_ or MIISService) and
Next, change the Apply to selection from This Key Only to This Key and Subkeys.
After applying permissions, close Registry Editor and restart the following service:
- Forefront Identity Manager Synchronization Service
After the service restarts, a full synchronization should begin. Check the DirSync server's Event Viewer for Event ID 656, which signifies that the password change request events associated with a full sync are commencing.
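For administrators who would rather script the steps above than click through Registry Editor, here is an added PowerShell equivalent (example code written for this post, not Microsoft's). It assumes an elevated session on the DirSync server; the DWORD value name (not given in the post), the service account name and the rights granted are placeholders or assumptions you must adjust, and the Application log is assumed to be where Event ID 656 is written.

```powershell
# Added example: scripted equivalent of the registry, permission and
# service-restart steps described in the post. Run elevated on the DirSync server.
$basePath   = 'HKLM:\SOFTWARE\Microsoft\MSOLCoExistence'
$keyPath    = Join-Path $basePath 'PasswordSync'
$valueName  = 'PLACEHOLDER_DWORD_NAME'   # placeholder: the post does not name the DWORD value
$svcAccount = 'AAD_PLACEHOLDER'          # placeholder: your AAD_xxxxxxxx or MIISService account
$rights     = [System.Security.AccessControl.RegistryRights]::FullControl  # assumption: adjust to your guidance

# 1. Create the PasswordSync key (if missing) and the DWORD value set to 1.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Grant the sync service account rights on MSOLCoExistence so that they apply to
#    "This Key and Subkeys": ContainerInherit with no propagation restriction is the
#    programmatic form of that Apply to selection, so PasswordSync inherits the entry.
$acl  = Get-Acl -Path $basePath
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $svcAccount,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $basePath -AclObject $acl

# 3. Restart the sync service, located by the display name used in the post.
$started = Get-Date
Get-Service -DisplayName 'Forefront Identity Manager Synchronization Service' | Restart-Service -Force

# 4. Confirm the full sync started: look for Event ID 656 logged since the restart.
#    Assumption: DirSync writes these events to the Application log.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 656; StartTime = $started } -ErrorAction SilentlyContinue |
    Select-Object -First 5 TimeCreated, ProviderName, Message
```

If step 4 returns nothing immediately, wait a minute and rerun it; the sync service needs a moment after restart before the first 656 events appear.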