Office 365 AADSync does not start after password change

When you install AADSync, it creates a local service account and sets the password. I have not figured out what that password is but of course I want to change the password to something I know and one that follows my password guidelines. I changed the password of the service account and also changed it on the AADSync service logon properties. I did not stop and restart the service. After a couple of months I am am doing some maintenance work and rebooted the server, the AADSync service will not start. The error in the logs is

The server encryption keys could not be accessed.
 
 User Action
 Verify that the service account has permissions to the following registry key:
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AD Sync
 
 If the problem persists, run setup and restore the encryption keys from backup.

Cause

In FIM the service account id and password is used to encrypt the system configuration which is stored in the database. When you change the service account password you have to re-encrypt the data that is stored in the FIM database using the MIIS key management tool.

Solution

  1. On your AADSync server, login with the service account (you may have to make it member of the local admin group briefly so that you can connect via RDP) go to C:\Program Files\Microsoft Azure AD Sync\Bin, start the miiskmu.exe at an elevated level (run as administrator).
  2. Chose abandon the former key. You will be prompted to enter the service account, enter the new credentials. the old keys will be removed and a new set of keys generated. You will be prompted to save the key file. If you get an error message “A required privileged is not held by the client” make sure you are following all the steps.
  3. Turn of the AADSync scheduled job in the scheduler.
  4. The AADSync service should be automatically started else start the service your self.
  5. Go to the AD MA and re-enter the AD account password, verify the connection.
  6. Go to the AADSync MA and enter the O365 Admin account password, verify the connection.
  7. Run AD MA delta import and sync. Run AADSync MA delta import and sync. If you get “no server” errors, verify MA connections (password is correct etc, check if you can see AD containers etc). You can also run a full sync on the AD MA.
  8. Turn on the AADSync scheduled job.
Advertisements

One thought on “Office 365 AADSync does not start after password change

  1. Thanks, I got installation with default service account which had same problems. I reset that service account password and followed your instructions, got it syncing again.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s