If you change the ADSync service account password, the Synchronization Service doesn't start correctly until you abandon the encryption key and reinitialize the ADSync service account password.
Abandoning the ADSync service account encryption key
The following procedures only apply to Microsoft Entra Connect build 1.1.443.0 or older. They can't be used for newer versions of Microsoft Entra Connect, because Microsoft Entra Connect itself abandons the encryption key when you change the AD sync service account password, so the following steps aren't needed in the newer versions.
Use the following procedures to abandon the encryption key.
What to do if you need to abandon the encryption key
If you need to abandon the encryption key, use the following procedures to accomplish that.
- Stop the Synchronization Service
- Abandon the existing encryption key
- Provide the password of the AD DS Connector account
- Reinitialize the password of the ADSync service account
- Start the Synchronization Service
Stop the Synchronization Service
First, stop the service in the Windows Service Control Manager. Make sure that a synchronization run isn't in progress when you attempt to stop the service. If one is, wait until it completes and then stop the service.
- Go to Windows Service Control Manager (START → Services).
- Select Microsoft Entra ID Sync and click Stop.
Abandon the existing encryption key
Abandon the existing encryption key so that a new encryption key can be created:
- Sign in to your Microsoft Entra Connect Server as administrator.
- Start a new PowerShell session.
- Navigate to the bin folder of the Microsoft Entra Connect installation (double quotes are required so that `$env:ProgramFiles` expands):

```powershell
cd "$env:ProgramFiles\Microsoft Azure AD Sync\bin\"
```

- Run the key management utility with the abandon switch:

```powershell
.\miiskmu.exe /a
```
Provide the password of the AD DS Connector account
As the existing passwords stored inside the database can no longer be decrypted, you need to provide the Synchronization Service with the password of the AD DS Connector account. The Synchronization Service encrypts the passwords using the new encryption key:
- Start the Synchronization Service Manager (START → Synchronization Service).
- Go to the Connectors tab.
- Select the AD Connector that corresponds to your on-premises AD. If you have more than one AD connector, repeat the following steps for each of them.
- Under Actions, select Properties.
- In the pop-up dialog, select Connect to Active Directory Forest:
- Enter the password of the AD DS account in the Password textbox. If you don’t know its password, you must set it to a known value before performing this step.
- Click OK to save the new password and close the pop-up dialog.
Reinitialize the password of the Entra ID Connector account
You can’t directly provide the password of the Microsoft Entra service account to the Synchronization Service. Instead, you need to use the cmdlet Add-ADSyncAADServiceAccount to reinitialize the Microsoft Entra service account. The cmdlet resets the account password and makes it available to the Synchronization Service:
- Sign in to the Microsoft Entra Connect Sync server and open PowerShell.
- To provide the Microsoft Entra Global Administrator credentials, run:

```powershell
$credential = Get-Credential
```

- Run the cmdlet:

```powershell
Add-ADSyncAADServiceAccount -AADCredential $credential
```

If the cmdlet is successful, the PowerShell command prompt appears without an error.
The cmdlet resets the password for the service account and updates it both in Microsoft Entra ID and the sync engine.
Start the Synchronization Service
Now that the Synchronization Service has access to the encryption key and all the passwords it needs, you can restart the service in the Windows Service Control Manager:
- Go to Windows Service Control Manager (START → Services).
- Select Microsoft Entra ID Sync and click Restart.
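The five steps above, collected into one PowerShell script. This is an added example, not a script from the Microsoft Entra Connect documentation or product. It assumes that the Windows service behind "Microsoft Entra ID Sync" is named `ADSync`, that the `ADSync` PowerShell module is installed on the server (it ships with Microsoft Entra Connect), and that `Get-ADSyncScheduler` on these builds exposes a `SyncCycleInProgress` property; the AD DS Connector password step has no cmdlet on these builds, so the script pauses while you complete it in Synchronization Service Manager.

```powershell
# Added example (not Microsoft's code): abandon the ADSync encryption key and
# reinitialize the service account password on Entra Connect 1.1.443.0 or older.
# Assumptions: service name 'ADSync'; ADSync module available; Get-ADSyncScheduler
# exposes SyncCycleInProgress. Run from an elevated PowerShell session.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
Import-Module ADSync

$serviceName = 'ADSync'   # assumption: Windows service name of "Microsoft Entra ID Sync"
$binPath     = Join-Path $env:ProgramFiles 'Microsoft Azure AD Sync\bin'

# Step 1: stop the Synchronization Service, but only once no sync cycle is running.
if ((Get-ADSyncScheduler).SyncCycleInProgress) {
    Write-Host 'A sync cycle is in progress; waiting for it to finish...'
    while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 30 }
}
Stop-Service -Name $serviceName
(Get-Service -Name $serviceName).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

# Step 2: abandon the existing encryption key so the service creates a new one.
Push-Location $binPath
try {
    & .\miiskmu.exe /a
    if ($LASTEXITCODE -ne 0) { throw "miiskmu.exe /a failed with exit code $LASTEXITCODE" }
}
finally {
    Pop-Location
}

# Step 3: re-enter the AD DS Connector account password in Synchronization Service
# Manager (Connectors > Properties > Connect to Active Directory Forest) for every
# AD connector. No cmdlet covers this on these builds, so pause until it is done.
Read-Host 'Re-enter the AD DS Connector account password(s) in Synchronization Service Manager, then press Enter'

# Step 4: reinitialize the ADSync (Microsoft Entra) service account password.
# The cmdlet resets the password in Microsoft Entra ID and stores it in the sync engine.
$credential = Get-Credential -Message 'Microsoft Entra Global Administrator credentials'
Add-ADSyncAADServiceAccount -AADCredential $credential

# Step 5: start the Synchronization Service again and confirm that it is running.
Start-Service -Name $serviceName
(Get-Service -Name $serviceName).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
Write-Host "$serviceName is running; the encryption key and service account password are reinitialized."
```

The script checks for an in-progress sync cycle before stopping the service, fails fast if `miiskmu.exe` returns a non-zero exit code, and waits for the service to reach the expected state after each stop and start so that a failure surfaces at the step that caused it rather than at the next scheduled sync.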