Azure AD Sync version 1.0.0494.0501 failing with "Failed getting registry value 'ADMADoNormalization'"

    Question

  • Hi All,

    Our Azure AD instance is in North America and today I sync'd a bunch of users between our local AD instance (2012 R2) and our Azure AD. Everything is configured correctly, and password sync & write-back was working late last week, but I am getting these errors:

    An unexpected error has occurred during a password set operation. 
     "ERR_: MMS(3188): D:\bt\40256\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMADoNormalization', 0x2
    BAIL: MMS(3188): D:\bt\40256\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
    BAIL: MMS(3188): D:\bt\40256\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
    ERR_: MMS(3188): D:\bt\40256\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveUserDelete', 0x2
    BAIL: MMS(3188): D:\bt\40256\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
    BAIL: MMS(3188): D:\bt\40256\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
    ERR_: MMS(3188): D:\bt\40256\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveComputerDelete', 0x2
    BAIL: MMS(3188): D:\bt\40256\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
    BAIL: MMS(3188): D:\bt\40256\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
    ERR_: MMS(3188): ..\session.cpp(2114): Asynchronous modify result (dn=<GUID=3C860000000000000000000000000000>) failed
    WARNING: MMS(3188): ..\session.cpp(2115): Asynchronous modify result (dn=<GUID=3C860000000000000000000000000000>) failed
    BAIL: MMS(3188): ..\session.cpp(2121): 0x80070005 (Access is denied.)
    ERR_: MMS(3188): admaexport.cpp(4253): The password change operation failed: ERR_: MMS(3188): admaexport.cpp(4259): Insufficient Rights 0x32
    BAIL: MMS(3188): admaexport.cpp(3516): 0x80004005 (Unspecified error)
    ERR_: MMS(3188): ..\ma.cpp(8322): ExportPasswordSet failed with 0x80004005
    Azure AD Sync 1.0.0494.0501"

    I understand somewhat that the registry entries relate to here: https://msdn.microsoft.com/en-us/library/ff800821%28v=ws.10%29.aspx, but I'm reluctant to manually add those entries myself.

    Our Azure AD Sync instance is not running on a domain controller, but the users have all the right permissions.

    Any help would be greatly appreciated.

    Cheers,
    Paul


    Tuesday, May 19, 2015 8:44 AM

Answers

All replies

  • Hello,

    We are researching the query and will get back to you soon on this.

    I apologize for the inconvenience and appreciate your time and patience in this matter.

    Regards,

    Neelesh

    Tuesday, May 19, 2015 4:12 PM
    Moderator
  • Hi Neelesh,

    Thanks for taking the time to look at this. Some notes from my end after trying some things this morning:

    • Re-installed the software - registry entries not created
    • Manually added those registry entries according to link in my original post - still the same error reported
    • Password change on web (e.g. aka.ms/sspr) reports error, but password change still happens. Password is changed at both the cloud-apps level, and the domain-login level
    • We are running a "synchronised identity" model, not federated (https://blogs.office.com/2014/05/13/choosing-a-sign-in-model-for-office-365/)

    Regards,
    Paul

    Wednesday, May 20, 2015 4:47 AM
  • Hello Paul,

    Appreciate your patience and sorry for the delayed response!

    The error is related to access denied when talking to AD. See the list of attributes we need to have permissions to:
    https://msdn.microsoft.com/en-us/library/azure/dn903642.aspx?f=255&MSPPError=-2147217396#BKMK_e

    In the Permission Entry dialog box that shows up, check the box for Reset Password, Change Password, Write Permissions on “lockoutTime”, and Write Permissions on “pwdLastSet”.

    Tuesday, May 26, 2015 7:43 PM
    Moderator
  • Then click Apply/Ok through all the open dialog boxes.

    I hope this helps!

    Best Regards

    Sadiqh Ahmed


    Tuesday, May 26, 2015 7:57 PM
    Moderator
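
Added example, not part of the thread and not Microsoft's code: a PowerShell triage of the error text from the question that decodes each status code, separating the "not found" registry-lookup lines from the access-denied lines the moderator's answer points to. The function name `Get-SyncErrorTriage` and its category labels are assumptions made for illustration; the sample lines are an excerpt of the error text quoted in the question.

```powershell
# Excerpt of the error text quoted in the question (used here as sample input).
$sample = @'
ERR_: MMS(3188): D:\bt\40256\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMADoNormalization', 0x2
BAIL: MMS(3188): D:\bt\40256\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(3188): ..\session.cpp(2121): 0x80070005 (Access is denied.)
ERR_: MMS(3188): admaexport.cpp(4253): The password change operation failed: ERR_: MMS(3188): admaexport.cpp(4259): Insufficient Rights 0x32
BAIL: MMS(3188): admaexport.cpp(3516): 0x80004005 (Unspecified error)
'@

# Hypothetical helper: classify each ERR_/BAIL/WARNING line by the status code it carries.
function Get-SyncErrorTriage {
    param([Parameter(Mandatory)][string]$Text)

    foreach ($line in ($Text -split '\r?\n')) {
        if ($line -notmatch '^\s*(?<level>ERR_|BAIL|WARNING): MMS\(\d+\): (?<src>.+?\(\d+\)): (?<msg>.*)$') { continue }
        # Copy the captures now: the -match tests below overwrite $Matches.
        $level = $Matches.level; $src = $Matches.src; $msg = $Matches.msg
        $category = 'Other'; $detail = ''

        if ($msg -match '0x(?<hr>8007[0-9A-Fa-f]{4})') {
            # HRESULT with FACILITY_WIN32 (0x8007xxxx): the low 16 bits are the Win32 error code.
            $win32 = [Convert]::ToInt64($Matches.hr, 16) -band 0xFFFF
            switch ($win32) {
                5       { $category = 'AccessDenied'; $detail = 'Win32 5 ERROR_ACCESS_DENIED' }
                2       { $category = 'NotFound';     $detail = 'Win32 2 ERROR_FILE_NOT_FOUND' }
                default { $detail = "Win32 $win32" }
            }
        }
        elseif ($msg -match 'Insufficient Rights 0x32') {
            # 0x32 = 50, the LDAP result code insufficientAccessRights.
            $category = 'AccessDenied'; $detail = 'LDAP result 50 insufficientAccessRights'
        }
        elseif ($msg -match "Failed getting registry value '(?<name>[^']+)'") {
            $category = 'NotFound'; $detail = "registry value $($Matches.name) not present"
        }

        [pscustomobject]@{ Level = $level; Source = $src; Category = $category; Detail = $detail }
    }
}

# Show only the lines that indicate missing rights on the AD side; in this thread
# adding the registry values changed nothing and granting permissions was the fix.
Get-SyncErrorTriage -Text $sample |
    Where-Object { $_.Category -eq 'AccessDenied' } |
    Format-Table Level, Source, Detail -AutoSize
```
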
  • Thanks Sadiqh,

    That was it.

    Paul

    Tuesday, June 02, 2015 6:36 AM
  • FYI, to do this in PowerShell (and save the hunting for those checkboxes)

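    # Domain root the ACEs are set on, and the account Azure AD Sync uses against AD
    $DN = "DC=domain,DC=com"
    $Account = "domain\aadsync"
     
    # dsacls switches: /I:S = apply to sub-objects only, /G = grant,
    # CA = control access (extended right), WP = write property, ;user = user objects only
    $cmd = "dsacls '$DN' /I:S /G '`"$Account`":CA;`"Reset Password`";user'"
    Invoke-Expression $cmd
    $cmd = "dsacls '$DN' /I:S /G '`"$Account`":CA;`"Change Password`";user'"
    Invoke-Expression $cmd
    # Write access to the two attributes named in the moderator's answer
    $cmd = "dsacls '$DN' /I:S /G '`"$Account`":WP;pwdLastSet;user'"
    Invoke-Expression $cmd
    $cmd = "dsacls '$DN' /I:S /G '`"$Account`":WP;lockoutTime;user'"
    Invoke-Expression $cmd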

    Wednesday, October 28, 2015 3:09 PM