DirSync Password Write-Back not working

Hello,

In a previous domain, we had DirSync installed on a Domain Controller and configured successfully to Sync with our Office 365 (No Hybrid as we only use Exchange online), with Password Sync enabled.  I also enabled the password write-back feature.  This worked without issue.

We recently built a new domain and installed DirSync on a standalone server vs the DC, repointed it to the existing O365 subscription and enabled password sync as well as password write-back.  The text below is a direct copy from PowerShell showing success, and I receive the event that shows success as well.

PS C:\Windows\system32> Enable-OnlinePasswordWriteBack

cmdlet Enable-OnlinePasswordWriteBack at command pipeline position 1
Supply values for the following parameters:
LocalADCredential
AzureADCredential
Password reset write-back is enabled.

Password sync from on prem AD to Azure AD is working without a problem, however the password write-back simply doesn't work.  The AD account is an Enterprise Admin, and the Azure account is a Global Administrator.  No firewalls between the dirsync server or the DC.

When a user changes their password from the cloud, the password change takes effect, however that change is never written back to AD.  No errors in the event logs or FIM sync interface.

Not sure where to start looking to figure out why this is not working.  I have scoured the internet to see if there is anything special about installing DirSync on a standalone member server and can't seem to find any indication that the process is different (other than needing to log off and back on when installing on a DC).

Anyone have any ideas on where to look next?

Thanks!

September 25th, 2014 6:24pm

Hello,

For Office365, please ask in one of the following forums: http://community.office365.com/en-us/f/default.aspx

September 26th, 2014 5:15pm

I've actually opened a support case with Microsoft on this issue.  Once I hear back I'll update this thread.
September 26th, 2014 8:10pm

Hi,

If you have any update about the issue, please feel free to let us know.

Meanwhile, as far as I know, the directory synchronization computer must be joined to Active Directory.

According to this article:

http://technet.microsoft.com/en-us/library/jj151831.aspx

It must be joined to Active Directory. The computer must be joined to the Active Directory forest that you plan to synchronize. For the rich co-existence scenario, this is a requirement because the DirSync server explicitly enumerates and reaches out to all domain controllers in the forest in order to set permissions for write-back. This is not the case if you do not have Hybrid Deployment enabled.
The computer also must be able to connect to all the other domain controllers for all the domains in your forest. A forest is one or more Active Directory domains that share the same class and attribute definitions, site and replication information, and forest-wide search capabilities.

Hope this is helpful.

Regards.

September 29th, 2014 3:26am
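
The connectivity requirement quoted in the reply above can be checked from the DirSync server itself. The script below is an added example, not part of the thread or of Microsoft's documentation; the port list (LDAP, Kerberos, RPC endpoint mapper) and the 3-second timeout are assumptions chosen for illustration.

```powershell
# Added example: run on the domain-joined DirSync server as a domain user.
# Enumerates every domain controller in the current forest and tests TCP
# reachability, to confirm "no firewalls in the way" rather than assume it.

# Assumption: these ports are an illustrative minimum, not an official list.
$ports = @{ 'LDAP' = 389; 'Kerberos' = 88; 'RPC endpoint mapper' = 135 }
$timeoutMs = 3000

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    # TcpClient is used so the check also works on older Windows Server builds.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

$results = foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        foreach ($service in $ports.Keys) {
            New-Object PSObject -Property @{
                Domain           = $domain.Name
                DomainController = $dc.Name
                Service          = $service
                Port             = $ports[$service]
                Reachable        = Test-TcpPort -HostName $dc.Name -Port $ports[$service] -TimeoutMs $timeoutMs
            }
        }
    }
}

# Full matrix, then only the failures that need a firewall or DNS follow-up.
$results | Sort-Object Domain, DomainController, Port |
    Format-Table Domain, DomainController, Service, Port, Reachable -AutoSize
$results | Where-Object { -not $_.Reachable }
```

An empty second result means every enumerated domain controller answered on all tested ports from this server.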

No updates yet.  I will follow up for sure once I have more data.  As far as domain joined, the DirSync server is indeed domain joined. ;-)
September 29th, 2014 6:04pm

Hi William,

We are also experiencing this issue. We are using the new AAD Sync tool to perform Password Writeback. The Self Service Portal is functioning as expected and the Azure AD password changes, however these changes are not written back to the on premise AD environment.

I would be very interested in hearing the results of your MS Support Call :-)

Thanks in advance,

David

October 2nd, 2014 10:13am

I'll follow up for sure once I hear back.  As an FYI though, it's my understanding that AADSync GA release does not contain the Password Reset feature.  It's listed as "coming soon".  This is why we haven't moved from DirSync yet.
October 2nd, 2014 2:06pm

Hi William,

After trying to enable the Password Reset feature we have come to the same conclusion, however the option does exist to enable Password Writeback during setup and the feature was 'successfully enabled' according to the tool. We are experiencing the same symptoms as yourself so would be interested in the results either way :)

October 3rd, 2014 8:52am

William,

Did you get an answer/fix for this issue? I am experiencing a similar issue with AD Connect PP2.

Max

June 12th, 2015 7:46am

Hey guys, so I ended up upgrading to the latest version of AAD Sync (as of about 4 months ago, side by side upgrade) and the password write-back is working again.  I got too busy to work with the MS Support folks and asked them to put it on hold a while back so never got any good data about my specific issue at hand.  Sorry!!
June 12th, 2015 5:33pm

This topic is archived. No further replies will be accepted.
