When you install AADSync, it creates a local service account and sets its password. I have not figured out what that password is, but of course I want to change it to something I know that also follows my password guidelines. I changed the password of the service account and also changed it in the AADSync service logon properties. I did not stop and restart the service. A couple of months later, while doing some maintenance work, I rebooted the server and the AADSync service would not start. The error in the logs is:
> The server encryption keys could not be accessed.
> Verify that the service account has permissions to the following registry key:
> If the problem persists, run setup and restore the encryption keys from backup.
In FIM (which AADSync is built on), the service account id and password are used to encrypt the system configuration that is stored in the database. So when you change the service account password, you have to re-encrypt the data stored in the FIM database using the MIIS key management tool (miiskmu.exe); until you do, the service cannot read its own encryption keys, which is exactly the error above.
- On your AADSync server, log in with the service account (you may have to make it a member of the local Administrators group briefly so that you can connect via RDP; remove it again when you are done). Go to C:\Program Files\Microsoft Azure AD Sync\Bin and start miiskmu.exe at an elevated level (run as administrator).
- Choose to abandon the former key. You will be prompted for the service account; enter the new credentials. The old keys will be removed and a new set of keys generated. You will be prompted to save the key file. If you get the error message “A required privilege is not held by the client”, make sure you are following all the steps (logged in as the service account, elevated).
- Turn off the AADSync scheduled job in the scheduler.
- The AADSync service should start automatically; otherwise start the service yourself.
- Go to the AD MA and re-enter the AD account password, then verify the connection.
- Go to the AADSync MA and enter the O365 admin account password, then verify the connection.
- Run an AD MA delta import and sync, then an AADSync MA delta import and sync. If you get “no server” errors, verify the MA connections (that the password is correct, that you can see the AD containers, etc.). You can also run a full sync on the AD MA.
- Turn the AADSync scheduled job back on.
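As an added example (not part of the original post), here is a PowerShell script that wraps the procedure above with the checks I would want before re-keying: it confirms which account the service actually logs on as, disables the scheduler first, launches miiskmu.exe elevated, and verifies that the service really stays running afterwards. The service name `ADSync`, the scheduled task name `Azure AD Sync Scheduler` and the `$ExpectedAccount` value are assumptions; adjust them to your server.

```powershell
# Added example, not from the original post. Pre-flight checks and
# wrapper for the miiskmu.exe re-key procedure. Run from an elevated
# PowerShell session while logged on as the AADSync service account.
# Assumptions: service name 'ADSync', scheduler task name
# 'Azure AD Sync Scheduler', and $ExpectedAccount is the account you
# set on the service logon tab (placeholder value, replace it).
param(
    [string]$ExpectedAccount = 'DOMAIN\svc-aadsync'
)

$serviceName = 'ADSync'
$taskName    = 'Azure AD Sync Scheduler'
$kmuPath     = 'C:\Program Files\Microsoft Azure AD Sync\Bin\miiskmu.exe'

# 1. Confirm the account the service logs on as. The key management
#    tool must be run as, and given the credentials of, this account.
$svc = Get-CimInstance Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) { throw "Service '$serviceName' not found" }
if ($svc.StartName -ne $ExpectedAccount) {
    throw "Service logs on as '$($svc.StartName)', expected '$ExpectedAccount'"
}

# 2. Stop the scheduler so no sync cycle starts in the middle of re-keying.
$task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
if ($task) { Disable-ScheduledTask -TaskName $taskName | Out-Null }

# 3. Launch the key management utility elevated and wait until it exits.
#    In its dialog, choose to abandon the former key and enter the new
#    service account credentials, then save the exported key file.
if (-not (Test-Path $kmuPath)) { throw "miiskmu.exe not found at $kmuPath" }
Start-Process -FilePath $kmuPath -Verb RunAs -Wait

# 4. Start the service if the tool did not, and check that it stays up
#    rather than stopping again with the encryption-key error.
if ((Get-Service $serviceName).Status -ne 'Running') {
    Start-Service $serviceName
}
Start-Sleep -Seconds 15
$status = (Get-Service $serviceName).Status
if ($status -ne 'Running') {
    throw "Service '$serviceName' is '$status' after re-key; check the Application event log"
}

# 5. Re-enable the scheduler only after the MA connections and delta
#    imports have been verified in the synchronization service manager.
Write-Host "Service is running. When the MAs are verified, run:"
Write-Host "  Enable-ScheduledTask -TaskName '$taskName'"
```

The script deliberately leaves the scheduler disabled so that the MA password re-entry and delta runs happen before any automatic cycle fires.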