If you use Connect with a build from 2017 March or earlier, then you should not reset the password on the service account, since Windows destroys the encryption keys for security reasons. You cannot change the account to any other account without reinstalling Azure AD Connect. If you upgrade to a build from 2017 April or later, then it is supported to change the password on the service account, but you still cannot change the account used.

Azure AD Connect, as part of the Synchronization Services, uses an encryption key to store the passwords of the AD DS Connector account and the ADSync service account. These passwords are encrypted before they are stored in the database. The encryption key itself is secured using Windows Data Protection (DPAPI), and DPAPI protects the encryption key using the ADSync service account. If you need to change the service account password, use the procedures in Abandoning the ADSync service account encryption key to do so. These procedures should also be used if you need to abandon the encryption key for any other reason.

Issues that arise from changing the password

There are two things that need to be done when you change the service account password.

First, you need to change the password under the Windows Service Control Manager. Until this is done, you will see the following errors:

- If you try to start the Synchronization Service in Windows Service Control Manager, you receive the error "Windows could not start the Microsoft Azure AD Sync service on Local Computer. Error 1069: The service did not start due to a logon failure."
- Under Windows Event Viewer, the System event log contains an error with Event ID 7038 and the message "The ADSync service was unable to log on as with the currently configured password due to the following error: The user name or password is incorrect."

Second, under specific conditions, if the password is updated, the Synchronization Service can no longer retrieve the encryption key via DPAPI. Without the encryption key, the Synchronization Service cannot decrypt the passwords required to synchronize to/from on-premises AD and Azure AD. You will see the following errors:

- Under Windows Service Control Manager, if you try to start the Synchronization Service and it cannot retrieve the encryption key, it fails with the error "Windows could not start the Microsoft Azure AD Sync on Local Computer. For more information, review the System Event log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code -21451857952."
- Under Windows Event Viewer, the Application event log contains an error with Event ID 6028 and the error message "The server encryption key cannot be accessed."
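The two failure modes above leave different traces, and telling them apart decides whether you only need to re-enter the password in the Service Control Manager or must abandon the encryption key. The following PowerShell script is an added example, not part of this page and not an Azure AD Connect tool; it assumes the service's short name is 'ADSync' (display name "Microsoft Azure AD Sync") and that it runs elevated on the Azure AD Connect server.

```powershell
# Added diagnostic script; not from the Microsoft page and not an Azure AD Connect tool.
# It distinguishes the two failure modes that follow a service account password change:
#   (1) the Service Control Manager still holds the old password
#       -> Event ID 7038 in the System log, start error 1069;
#   (2) the DPAPI-protected encryption key can no longer be read
#       -> Event ID 6028 in the Application log.
# Assumptions (not stated on the page): the service short name is 'ADSync' and the
# script runs elevated on the Azure AD Connect server.
[CmdletBinding()]
param(
    [string]$ServiceName = 'ADSync',
    [int]$LookbackHours = 24
)

$since = (Get-Date).AddHours(-$LookbackHours)

# The logon account is visible here; the password it uses is held by SCM, which is why
# changing the password in AD alone leaves SCM with a stale credential.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' was not found on this host." }
Write-Host ("{0} runs as '{1}' (state: {2}, start mode: {3})" -f `
    $svc.Name, $svc.StartName, $svc.State, $svc.StartMode)

# Failure mode 1: stale password in SCM -> Event ID 7038 logged by the Service Control Manager.
$logonFailures = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7038; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$ServiceName*" }
)

# Failure mode 2: encryption key unreachable via DPAPI -> Event ID 6028 in the Application log.
$keyFailures = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 6028; StartTime = $since } -ErrorAction SilentlyContinue
)

if ($logonFailures.Count -gt 0) {
    Write-Warning ("{0} logon failure(s) (Event ID 7038) since {1}." -f $logonFailures.Count, $since)
    Write-Warning "The password stored in the Service Control Manager does not match the account: update it on the service's Log On tab (services.msc) or with 'sc.exe config $ServiceName password= ...', then start the service again."
    $logonFailures | Select-Object TimeCreated, Message | Format-List
}

if ($keyFailures.Count -gt 0) {
    Write-Warning ("{0} encryption key failure(s) (Event ID 6028) since {1}." -f $keyFailures.Count, $since)
    Write-Warning "The service can log on but cannot read its DPAPI-protected key: follow the 'Abandoning the ADSync service account encryption key' procedure and re-enter the connector account passwords."
    $keyFailures | Select-Object TimeCreated, Message | Format-List
}

if ($logonFailures.Count -eq 0 -and $keyFailures.Count -eq 0) {
    Write-Host "No 7038/6028 events since $since; if the service still fails to start, review the System log for other errors."
}
```

Run it before touching anything: a 7038 without a 6028 means the service never logged on, so the key was never tested and re-entering the password in SCM is usually enough; a 6028 means the logon succeeded but the key is gone, and the abandon-key procedure is the only way forward.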