This page is the starting point for troubleshooting Password Synchronization Issues and contains answers for many common questions.
Reboot the Domain Controllers
The first place to begin troubleshooting password synchronization issues is the Domain Controller(s) on which the Password Sync Client is installed. If you change a password on that domain controller, and nothing is written to the Password Client .log file, follow these steps:
- Ensure the Password Client service is running. It is listed in the Services console (msc) as MessageOps Password Client Service.
- Make sure the domain controller was rebooted after installing the Password Client. This is a requirement for the Password Client as the DLL used to capture the Password can only be loaded at system startup.
Ensure the Office 365 PowerShell module is installed and working
The Office 365 PowerShell Module not being installed is one of the most frequent problems. Alternatively, it may not be able to connect to Office 365 on the server that is running the Password Server Service. You can download the module here.
To test that the module is installed, open a PowerShell window on the Password Server and run:
Import-Module MSOnline
If you don’t get an error, then it’s properly installed. Next, run:
Connect-MsolService
Type in your credentials when prompted. If the connection succeeds, run the following command to confirm that the session is working:
Get-MsolUser -MaxResults 10
If you are unable to connect, the cause is most likely a firewall or proxy. If you get an authentication error, try uninstalling and reinstalling the Sign-in Assistant, as this often clears up authentication issues with the module.
Ensure the Active Directory matching attribute matches the identity in Office 365
If you receive errors about the user not being found in Office 365, you should ensure the matching attribute in Active Directory matches the Office 365 identity. When configuring the password client on the domain controllers in the LDAP Server area, you can specify the matching attribute as either the mail or userprincipalname. The value that you choose should be populated in the local Active Directory, and should match the identity in Office 365.
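The three checks above (client service on the DC, MSOnline module and connectivity on the Password Server, and the matching attribute) can be run together. This is an added health-check script, not part of the MessageOps product or the original page; it assumes the service display name shown above, uses 'jdoe' as a placeholder account, and does its AD lookup through ADSI so it works without the Active Directory module.

```powershell
# Added health check for the troubleshooting steps above (not MessageOps code).
# Assumptions: service display name as shown in services.msc on the page,
# 'jdoe' is a placeholder account, ADSI lookup is this script's own approach.
param(
    [string]$ClientServiceName = 'MessageOps Password Client Service',
    [ValidateSet('mail', 'userPrincipalName')]
    [string]$MatchingAttribute = 'userPrincipalName',   # as configured on the Password Client
    [string]$SamAccountName    = 'jdoe'                 # placeholder AD account to test
)

# Step 1 (run on a DC): is the Password Client service installed and running?
$svc = Get-Service -DisplayName $ClientServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "'$ClientServiceName' is not installed on this host."
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "'$ClientServiceName' is $($svc.Status). Start it; if it runs but logs nothing, reboot the DC (the DLL loads only at startup)."
} else {
    Write-Host "OK: '$ClientServiceName' is running."
}

# Step 2 (run on the Password Server): module present and able to reach Office 365?
try {
    Import-Module MSOnline -ErrorAction Stop
} catch {
    Write-Warning "MSOnline module not found. Install the Office 365 PowerShell module."; return
}
try {
    Connect-MsolService -ErrorAction Stop    # prompts for Office 365 credentials
} catch {
    Write-Warning "Connect-MsolService failed: $($_.Exception.Message). Check firewall/proxy; on authentication errors reinstall the Sign-in Assistant."; return
}
Write-Host "OK: connected. First users returned:"
Get-MsolUser -MaxResults 10 | Select-Object -ExpandProperty UserPrincipalName

# Step 3: does the AD matching attribute hold a value that exists as an Office 365 identity?
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
[void]$searcher.PropertiesToLoad.Add($MatchingAttribute)
$adUser = $searcher.FindOne()
$value  = if ($adUser) { $adUser.Properties[$MatchingAttribute.ToLower()] | Select-Object -First 1 }
if (-not $value) {
    Write-Warning "AD attribute '$MatchingAttribute' is empty for $SamAccountName; the client cannot match this user."
} else {
    $cloud = Get-MsolUser -UserPrincipalName $value -ErrorAction SilentlyContinue
    if ($cloud) { Write-Host "OK: '$value' matches Office 365 user '$($cloud.DisplayName)'." }
    else { Write-Warning "No Office 365 user has the identity '$value'; fix the AD value or change the matching attribute." }
}
```

Save it as a .ps1 file; run it on a domain controller for step 1 and on the Password Server for steps 2 and 3 (the other steps simply report a warning where they do not apply).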
Encountered blank auth result, restarting core
If you downloaded Password Synchronization prior to December 2012, and have installed the Windows Management Framework 3.0 (KB2506143), which includes PowerShell 3.0, you will need to download and re-install the Password Server Service. You do not need to re-install or reconfigure the Password Clients. Before uninstalling the Password Server, you will need to record the settings on the Configuration Tab, Alerts Tab, and the License Key on the About tab and re-enter the information after the re-installation.
An alternative is to not install the Windows Management Framework 3.0, or to uninstall it and reboot, which reverts the PowerShell version to 2.0 and allows the Password Server to resume functioning.
Frequently Asked Questions
Can the server service and client service be installed on the same server?
Yes. The only requirement is that the server service needs a Windows 2008 R2 or Windows 2012 server. So, if you have a domain controller running Windows 2008 R2 or Windows 2012, both components can be installed on it.
Can I synchronize the existing user passwords to Office 365?
No. Passwords are only synchronized when they are changed. During a migration, you could force users to change their password at next logon, which would then sync the new password to Office 365. They would then sign in to Office 365 using this new password.
Do I need to install the Password Client on all DCs?
Yes. When a user changes their password, that change could hit any DC in the domain, so the client must be installed on all of them. The exceptions are read-only DCs and domains which don't have any users, such as an empty forest root domain.
How does the application match the Active Directory user to the Office 365 user?
On the Password Client, you have the option of selecting the Matching Attribute. It can be either the mail attribute or the UPN value. If you open the Password Client Admin application on the DC and go to the Config tab, you'll see an option which allows you to select the attribute. If you change it, save the config, then stop and start the service.
Is Directory Synchronization Required?
No. We match the AD accounts to the Office 365 user based on the matching attribute configured on the Password Client Admin.
How is Password Complexity Handled?
MessageOps Password Sync does not enforce password complexity. It simply takes the password and passes it to Office 365. Office 365 then verifies the complexity.