Troubleshoot password hash synchronization with Azure AD Connect sync

This topic provides steps for troubleshooting issues with password hash synchronization. If passwords are not synchronizing as expected, it can be either for a subset of users or for all users.

For Azure Active Directory (Azure AD) Connect deployments with version 1.1.614.0 or later, use the troubleshooting task in the wizard to troubleshoot password hash synchronization issues:

For deployments with version 1.1.524.0 or later, there is a diagnostic cmdlet that you can use to troubleshoot password hash synchronization issues:

For older versions of Azure AD Connect:

No passwords are synchronized: troubleshoot by using the troubleshooting task

You can use the troubleshooting task to figure out why no passwords are synchronized.

Note

The troubleshooting task is available only for Azure AD Connect version 1.1.614.0 or later.

Run the troubleshooting task

To troubleshoot issues where no passwords are synchronized:

  1. Open a new Windows PowerShell session on your Azure AD Connect server with the Run as Administrator option.

  2. Run Set-ExecutionPolicy RemoteSigned or Set-ExecutionPolicy Unrestricted. RemoteSigned is sufficient here and is the narrower setting; adding -Scope Process limits the change to this session instead of the whole server.

  3. Start the Azure AD Connect wizard.

  4. Navigate to the Additional Tasks page, select Troubleshoot, and click Next.

  5. On the Troubleshooting page, click Launch to start the troubleshooting menu in PowerShell.

  6. In the main menu, select Troubleshoot password hash synchronization.

  7. In the sub menu, select Password hash synchronization does not work at all.

Understand the results of the troubleshooting task

The troubleshooting task performs the following checks:

  • Validates that the password hash synchronization feature is enabled for your Azure AD tenant.

  • Validates that the Azure AD Connect server is not in staging mode.

  • For each existing on-premises Active Directory connector (which corresponds to an existing Active Directory forest):

    • Validates that the password hash synchronization feature is enabled.

    • Searches for password hash synchronization heartbeat events in the Windows Application event log.

    • For each Active Directory domain under the on-premises Active Directory connector:

      • Validates that the domain is reachable from the Azure AD Connect server.

      • Validates that the Active Directory Domain Services (AD DS) account used by the on-premises Active Directory connector has the correct username, password, and permissions required for password hash synchronization.

The following diagram illustrates the results of the troubleshooting task for a single-domain, on-premises Active Directory topology:

(Screenshot: diagnostic output for password hash synchronization)

The rest of this section describes specific results that are returned by the task and the corresponding issues.

Password hash synchronization feature isn't enabled

If you haven't enabled password hash synchronization by using the Azure AD Connect wizard, the following error is returned:

(Screenshot: password hash synchronization is not enabled)

Azure AD Connect server is in staging mode

If the Azure AD Connect server is in staging mode, password hash synchronization is temporarily disabled, and the following error is returned:

(Screenshot: Azure AD Connect server is in staging mode)

No password hash synchronization heartbeat events

Each on-premises Active Directory connector has its own password hash synchronization channel. When the password hash synchronization channel is established and there aren't any password changes to be synchronized, a heartbeat event (EventId 654) is generated once every 30 minutes in the Windows Application event log. For each on-premises Active Directory connector, the task searches for corresponding heartbeat events in the past three hours. If no heartbeat event is found, the following error is returned:

(Screenshot: no password hash synchronization heartbeat events)

AD DS account does not have correct permissions

If the AD DS account that's used by the on-premises Active Directory connector to synchronize password hashes does not have the appropriate permissions, the following error is returned:

(Screenshot: the error returned when the AD DS account username or password is incorrect)

Incorrect AD DS account username or password

If the AD DS account used by the on-premises Active Directory connector to synchronize password hashes has an incorrect username or password, the following error is returned:

(Screenshot: incorrect credentials)

One object is not synchronizing passwords: troubleshoot by using the troubleshooting task

You can use the troubleshooting task to determine why one object is not synchronizing passwords.

Note

The troubleshooting task is available only for Azure AD Connect version 1.1.614.0 or later.

Run the troubleshooting task

To troubleshoot issues for a specific user object:

  1. Open a new Windows PowerShell session on your Azure AD Connect server with the Run as Administrator option.

  2. Run Set-ExecutionPolicy RemoteSigned or Set-ExecutionPolicy Unrestricted. RemoteSigned is sufficient here and is the narrower setting.

  3. Start the Azure AD Connect wizard.

  4. Navigate to the Additional Tasks page, select Troubleshoot, and click Next.

  5. On the Troubleshooting page, click Launch to start the troubleshooting menu in PowerShell.

  6. In the main menu, select Troubleshoot password hash synchronization.

  7. In the sub menu, select Password is not synchronized for a specific user account.

Understand the results of the troubleshooting task

The troubleshooting task performs the following checks:

  • Examines the state of the Active Directory object in the Active Directory connector space, the metaverse, and the Azure AD connector space.

  • Validates that there are synchronization rules with password hash synchronization enabled and applied to the Active Directory object.

  • Attempts to retrieve and display the results of the last attempt to synchronize the password for the object.

The following diagram illustrates the results of the troubleshooting task when troubleshooting password hash synchronization for a single object:

(Screenshot: diagnostic output for password hash synchronization, single object)

The rest of this section describes specific results returned by the task and the corresponding issues.

The Active Directory object isn't exported to Azure AD

Password hash synchronization for this on-premises Active Directory account fails because there is no corresponding object in the Azure AD tenant. The following error is returned:

(Screenshot: Azure AD object is missing)

User has a temporary password

Currently, Azure AD Connect does not support synchronizing temporary passwords with Azure AD. A password is considered to be temporary if the Change password at next logon option is set on the on-premises Active Directory user. The following error is returned:

(Screenshot: temporary password is not exported)

Results of last attempt to synchronize password aren't available

By default, Azure AD Connect stores the results of password hash synchronization attempts for seven days. If there are no results available for the selected Active Directory object, the following warning is returned:

(Screenshot: diagnostic output for a single object, no password sync history)

No passwords are synchronized: troubleshoot by using the diagnostic cmdlet

You can use the Invoke-ADSyncDiagnostics cmdlet to figure out why no passwords are synchronized.

Note

The Invoke-ADSyncDiagnostics cmdlet is available only for Azure AD Connect version 1.1.524.0 or later.

Run the diagnostics cmdlet

To troubleshoot issues where no passwords are synchronized:

  1. Open a new Windows PowerShell session on your Azure AD Connect server with the Run as Administrator option.

  2. Run Set-ExecutionPolicy RemoteSigned or Set-ExecutionPolicy Unrestricted. RemoteSigned is sufficient here and is the narrower setting.

  3. Run Import-Module ADSyncDiagnostics.

  4. Run Invoke-ADSyncDiagnostics -PasswordSync.

One object is not synchronizing passwords: troubleshoot by using the diagnostic cmdlet

You can use the Invoke-ADSyncDiagnostics cmdlet to determine why one object is not synchronizing passwords.

Note

The Invoke-ADSyncDiagnostics cmdlet is available only for Azure AD Connect version 1.1.524.0 or later.

Run the diagnostics cmdlet

To troubleshoot issues where no passwords are synchronized for a user:

  1. Open a new Windows PowerShell session on your Azure AD Connect server with the Run as Administrator option.

  2. Run Set-ExecutionPolicy RemoteSigned or Set-ExecutionPolicy Unrestricted. RemoteSigned is sufficient here and is the narrower setting.

  3. Run Import-Module ADSyncDiagnostics.

  4. Run the following cmdlet (the connector name is case sensitive, and the DN must be the object's full distinguished name):

    Invoke-ADSyncDiagnostics -PasswordSync -ADConnectorName <Name-of-AD-Connector> -DistinguishedName <DistinguishedName-of-AD-object>
    

    For example:

    Invoke-ADSyncDiagnostics -PasswordSync -ADConnectorName "contoso.com" -DistinguishedName "CN=TestUser,CN=Users,DC=contoso,DC=com"
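The same diagnostic run, as an added example that is not code from the original article or from the Azure AD Connect product: the connector name is read from the ADSync configuration and the user's DN from Active Directory instead of being typed by hand, and the "must change password at next logon" state (stored as pwdLastSet = 0) is reported up front because such passwords are never synchronized. It assumes the RSAT ActiveDirectory module is installed on the Connect server and a single AD DS connector; `testuser` is a placeholder sAMAccountName.

```powershell
# Added example; assumes the RSAT ActiveDirectory module on the Azure AD Connect server.
Import-Module ADSync
Import-Module ADSyncDiagnostics
Import-Module ActiveDirectory

$samAccountName = 'testuser'    # placeholder: the user whose password is not synchronizing

# Take the DN from the directory so that a hand-typed DN with a missing comma or the wrong
# container cannot point the diagnostics at the wrong object.
$user = Get-ADUser -Identity $samAccountName -Properties pwdLastSet
if (-not $user) { throw "User '$samAccountName' was not found." }

# "User must change password at next logon" is stored as pwdLastSet = 0. Such a password is
# treated as temporary and is never exported, so the diagnostics will report it as filtered.
if ($user.pwdLastSet -eq 0) {
    Write-Warning "pwdLastSet is 0: the user has a temporary password, which is not synchronized to Azure AD."
}

# The connector name is case sensitive, so read it from the ADSync configuration rather
# than typing it. With more than one AD DS connector, pick the one for the user's forest.
$adConnectors = @(Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' })
if ($adConnectors.Count -ne 1) {
    throw "Found $($adConnectors.Count) AD DS connectors; set the connector name explicitly."
}
$connectorName = $adConnectors[0].Name

Invoke-ADSyncDiagnostics -PasswordSync -ADConnectorName $connectorName -DistinguishedName $user.DistinguishedName
```

Run it in an elevated session on the Connect server after the Set-ExecutionPolicy step above; the cmdlet writes its report to the console.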
    

No passwords are synchronized: manual troubleshooting steps

Follow these steps to determine why no passwords are synchronized:

  1. Is the Connect server in staging mode? A server in staging mode does not synchronize any passwords.

  2. Run the script in the Get the status of password sync settings section. It gives you an overview of the password sync configuration.

    (Screenshot: output of the PowerShell script for password sync settings)

  3. If the feature is not enabled in Azure AD, or if the sync channel status is not enabled, run the Connect installation wizard. Select Customize synchronization options, and unselect password sync. This change temporarily disables the feature. Then run the wizard again and re-enable password sync. Run the script again to verify that the configuration is correct.

  4. Look in the event log for errors. Look for the following events, which would indicate a problem:

    • Source: "Directory Synchronization", ID: 0, 611, 652, 655. If you see these events, you have a connectivity problem. The event log message names the forest where the problem is. For more information, see Connectivity problems.

  5. If you see no heartbeat, or if nothing else has helped, run the script in Trigger a full sync of all passwords. Run the script only once.

  6. See the section One object is not synchronizing passwords: manual troubleshooting steps.
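The events that steps 4 and 5 tell you to look for can be collected in one pass. The following script is an added example, not part of the original article or of the Azure AD Connect product; it uses the event IDs named above, the three-hour window the built-in check uses, and the connector identifier GUID that the page's own status script matches in heartbeat messages. It assumes the ADSync module is present (it is on every Connect server).

```powershell
# Added example. Summarizes password hash sync events from the last three hours: the
# per-connector heartbeat (EventId 654) and the connectivity errors (EventIds 0, 611, 652, 655).
Import-Module ADSync

$lookback = (Get-Date).AddHours(-3)

# One query for all IDs of interest. Get-WinEvent raises an error rather than returning
# nothing when no event matches, so that case is handled explicitly.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'
    Id           = 0, 611, 652, 654, 655
    StartTime    = $lookback
} -ErrorAction SilentlyContinue)

$adConnectors = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' }

foreach ($connector in $adConnectors) {
    # Heartbeat messages carry the connector identifier GUID, which ties an event to a forest.
    $id = [regex]::Escape($connector.Identifier.ToString('D'))
    $latest = $events |
        Where-Object { $_.Id -eq 654 -and $_.Message -match $id } |
        Sort-Object TimeCreated -Descending |
        Select-Object -First 1
    if ($latest) {
        Write-Host ("[{0}] last heartbeat at {1:u}" -f $connector.Name, $latest.TimeCreated)
    }
    else {
        Write-Warning ("[{0}] no heartbeat (EventId 654) since {1:u}; see 'No password hash synchronization heartbeat events'" -f $connector.Name, $lookback)
    }
}

# Connectivity errors, newest first, one line each. The message names the forest the
# problem is in, so the first line is usually enough to see which one.
$problems = @($events | Where-Object { $_.Id -ne 654 } | Sort-Object TimeCreated -Descending)
if ($problems.Count -eq 0) {
    Write-Host 'No connectivity error events (0, 611, 652, 655) in the window.'
}
foreach ($e in $problems) {
    $firstLine = ($e.Message -split "`r?`n")[0]
    Write-Warning ("{0:u} EventId {1}: {2}" -f $e.TimeCreated, $e.Id, $firstLine)
}
```

A forest with no heartbeat and no error events usually means the channel was never established (feature disabled or staging mode); a forest with error events points at step 4's connectivity causes.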

Connectivity problems

Do you have connectivity with Azure AD?

Does the account have the required permissions to read the password hashes in all domains? If you installed Connect by using Express settings, the permissions should already be correct.

If you used a custom installation, set the permissions manually by doing the following:

  1. To find the account used by the Active Directory connector, start Synchronization Service Manager.

  2. Go to Connectors, and then search for the on-premises Active Directory forest you are troubleshooting.

  3. Select the connector, and then click Properties.

  4. Go to Connect to Active Directory Forest.

    (Screenshot: the account used by the Active Directory connector)
    Note the username and the domain where the account is located.

  5. Start Active Directory Users and Computers, and then verify that the account you found earlier has the following permissions set at the root of all domains in your forest:

    • Replicate Directory Changes
    • Replicate Directory Changes All
  6. Are the domain controllers reachable by Azure AD Connect? If the Connect server cannot connect to all domain controllers, configure Only use preferred domain controllers.

    (Screenshot: domain controllers used by the Active Directory connector)

  7. Go back to Synchronization Service Manager and Configure Directory Partition.

  8. Select your domain in Select directory partitions, select the Only use preferred domain controllers check box, and then click Configure.

  9. In the list, enter the domain controllers that Connect should use for password sync. The same list is used for import and export as well. Do these steps for all your domains.

Note

To apply these changes, restart the Azure AD Sync (ADSync) service.

  10. If the script shows that there is no heartbeat, run the script in Trigger a full sync of all passwords.
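The permission check in step 5 can be done from PowerShell instead of clicking through every domain's security tab. The script below is an added example, not the article's or the product's own code. The two rights are extended rights identified by fixed GUIDs (Replicating Directory Changes is 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2, Replicating Directory Changes All is 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2), which is how they appear in an ACE. It assumes the RSAT ActiveDirectory module, that `$connectorAccount` holds the account noted in step 4 in DOMAIN\user form (the value shown is a placeholder), and that every domain in the forest is reachable. A right held only through a group membership is not detected here; a default installation grants it to the account directly.

```powershell
# Added example; assumes the RSAT ActiveDirectory module. $connectorAccount is a placeholder.
Import-Module ActiveDirectory

$connectorAccount = 'CONTOSO\MSOL_connector'    # placeholder: account from step 4

$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

function Get-ReplicationRightHolders {
    # Returns one record per (domain, right, identity) for Allow ACEs on the domain root
    # that grant the right. Each domain is read through its own DC, because the default
    # AD: drive is bound to a single domain.
    param([string]$DomainFqdn)

    $domainDn = (Get-ADDomain -Identity $DomainFqdn).DistinguishedName
    New-PSDrive -Name ReplCheck -PSProvider ActiveDirectory -Root '' -Server $DomainFqdn | Out-Null
    try {
        $acl = Get-Acl -Path "ReplCheck:\$domainDn"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Skip ACEs that apply only to child objects, not to the domain head itself.
            if (([int]$ace.PropagationFlags -band [int][System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
            # The ExtendedRight bit must be set (GenericAll includes it).
            if (([int]$ace.ActiveDirectoryRights -band [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -eq 0) { continue }

            # An empty ObjectType means "all extended rights", which covers both.
            $guid = $ace.ObjectType.ToString()
            $granted = @()
            if ($guid -eq [guid]::Empty.ToString()) { $granted = @($replicationRights.Values) }
            elseif ($replicationRights.ContainsKey($guid)) { $granted = @($replicationRights[$guid]) }

            foreach ($right in $granted) {
                [pscustomobject]@{ Domain = $DomainFqdn; Right = $right; Identity = $ace.IdentityReference.Value }
            }
        }
    }
    finally {
        Remove-PSDrive -Name ReplCheck -Force
    }
}

$domains = (Get-ADForest).Domains
$holders = foreach ($domain in $domains) { Get-ReplicationRightHolders -DomainFqdn $domain }

# Verdict for the connector account, per domain and right.
foreach ($domain in $domains) {
    foreach ($right in $replicationRights.Values) {
        $has = $holders | Where-Object { $_.Domain -eq $domain -and $_.Right -eq $right -and $_.Identity -eq $connectorAccount }
        Write-Host ('{0,-8} {1,-35} {2}' -f $(if ($has) { 'OK' } else { 'MISSING' }), $right, $domain)
    }
}

# Anyone holding Replicating Directory Changes All can replicate every account's password
# hash out of the domain (the rights DCSync relies on), so review this list the way you
# would review Domain Admins membership: every entry besides the built-in groups and the
# connector account needs a justification.
$holders | Where-Object { $_.Right -eq 'Replicating Directory Changes All' } |
    Sort-Object Domain, Identity -Unique | Format-Table Domain, Identity -AutoSize
```

Because these two rights let their holder pull every password hash from the domain, the connector account should be treated as a Tier-0 credential: its password belongs to the Connect server only, and the Connect server itself deserves domain-controller-grade hardening.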

One object is not synchronizing passwords: manual troubleshooting steps

You can troubleshoot password hash synchronization issues for a single object by reviewing the status of that object.

  1. In Active Directory Users and Computers, search for the user, and then verify that the User must change password at next logon check box is cleared.

    (Screenshot: Active Directory user password options)

    If the check box is selected, ask the user to sign in and change the password. Temporary passwords are not synchronized with Azure AD.

  2. If the password looks correct in Active Directory, follow the user through the sync engine. By following the user from on-premises Active Directory to Azure AD, you can see whether there is a descriptive error on the object.

    a. Start the Synchronization Service Manager.

    b. Click Connectors.

    c. Select the Active Directory connector where the user is located.

    d. Select Search Connector Space.

    e. In the Scope box, select DN or Anchor, and then enter the full DN of the user you are troubleshooting.

    (Screenshot: searching for a user in the connector space by DN)

    f. Locate the user you are looking for, and then click Properties to see all the attributes. If the user is not in the search result, verify your filtering rules and make sure that you run Apply and verify changes for the user to appear in Connect.

    g. To see the password sync details of the object for the past week, click Log.

    (Screenshot: object log details)

    If the object log is empty, Azure AD Connect has not been able to read the password hash from Active Directory. Continue your troubleshooting with Connectivity problems. If you see any value other than Success, refer to the table in Password sync log.

    h. Select the Lineage tab, and make sure that at least one sync rule shows True in the PasswordSync column. In the default configuration, the name of the sync rule is In from AD - User AccountEnabled.

    (Screenshot: lineage information for the user)

    i. Click Metaverse Object Properties to display a list of user attributes.

    (Screenshot: user attribute list in Metaverse Object Properties)

    Verify that there is no cloudFiltered attribute present. Make sure that the domain attributes (domainFQDN and domainNetBios) have the expected values.

    j. Click the Connectors tab. Make sure that you see connectors to both on-premises Active Directory and Azure AD.

    (Screenshot: metaverse information)

    k. Select the row that represents Azure AD, click Properties, and then click the Lineage tab. The connector space object should have an outbound rule with True in the PasswordSync column. In the default configuration, the name of the sync rule is Out to AAD - User Join.

    (Screenshot: connector space object properties dialog)
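The Synchronization Service Manager checks in steps 2.d through 2.k have PowerShell equivalents in the ADSync module. The following is an added example, not the article's or the product's own script: it confirms that the object exists in the AD DS connector space and lists the enabled inbound and outbound rules with password sync turned on for the two connectors. It assumes a single AD DS connector and uses a placeholder DN; whether a listed rule actually applied to this particular object is still read from the Lineage tab.

```powershell
# Added example. Assumes one AD DS connector; $userDn is a placeholder.
Import-Module ADSync

$userDn = 'CN=TestUser,CN=Users,DC=contoso,DC=com'   # placeholder

$adConnector  = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' } | Select-Object -First 1
$aadConnector = Get-ADSyncConnector | Where-Object { $_.SubType -eq 'Azure Active Directory (Microsoft)' } | Select-Object -First 1

# Steps 2.e and 2.f: the object must be in the AD DS connector space. If it is not, it is
# being filtered (OU or domain filtering, or a filtering sync rule) and no password can flow.
$csObject = Get-ADSyncCSObject -ConnectorName $adConnector.Name -DistinguishedName $userDn -ErrorAction SilentlyContinue
if (-not $csObject) {
    throw "Object '$userDn' is not in the '$($adConnector.Name)' connector space; check filtering and run Apply and verify changes."
}
Write-Host ("Object found in connector space '{0}'" -f $adConnector.Name)

# Steps 2.h and 2.k: at least one enabled inbound rule on the AD DS connector and one enabled
# outbound rule on the Azure AD connector must have password sync turned on. A rule is
# bound to its connector by the connector GUID.
$rules    = Get-ADSyncRule
$inbound  = @($rules | Where-Object { $_.Connector -eq $adConnector.Identifier  -and $_.Direction -eq 'Inbound'  -and $_.EnablePasswordSync -and -not $_.Disabled })
$outbound = @($rules | Where-Object { $_.Connector -eq $aadConnector.Identifier -and $_.Direction -eq 'Outbound' -and $_.EnablePasswordSync -and -not $_.Disabled })

Write-Host ("Inbound rules with password sync on '{0}':  {1}" -f $adConnector.Name,  $(if ($inbound)  { $inbound.Name  -join ', ' } else { 'NONE' }))
Write-Host ("Outbound rules with password sync on '{0}': {1}" -f $aadConnector.Name, $(if ($outbound) { $outbound.Name -join ', ' } else { 'NONE' }))

if ($inbound.Count -eq 0 -or $outbound.Count -eq 0) {
    Write-Warning "Password sync needs one rule in each direction. In the default configuration they are 'In from AD - User AccountEnabled' and 'Out to AAD - User Join'; a customized rule set may have disabled or replaced one of them."
}
```

If both rules are present but the object's Lineage tab does not list them, the object is not matching the rule's scoping filter (for example, the account is disabled), which is a filtering problem rather than a password sync problem.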

Password sync log

The status column can have the following values:

| Status | Description |
| --- | --- |
| Success | Password has been successfully synchronized. |
| FilteredByTarget | Password is set to User must change password at next logon. Password has not been synchronized. |
| NoTargetConnection | No object in the metaverse or in the Azure AD connector space. |
| SourceConnectorNotPresent | No object found in the on-premises Active Directory connector space. |
| TargetNotExportedToDirectory | The object in the Azure AD connector space has not yet been exported. |
| MigratedCheckDetailsForMoreInfo | Log entry was created before build 1.0.9125.0 and is shown in its legacy state. |
| Error | Service returned an unknown error. |
| Unknown | An error occurred while trying to process a batch of password hashes. |
| MissingAttribute | Specific attributes (for example, Kerberos hash) required by Azure AD Domain Services are not available. |
| RetryRequestedByTarget | Specific attributes (for example, Kerberos hash) required by Azure AD Domain Services were not available previously. An attempt to resynchronize the user's password hash is made. |

Scripts to help troubleshooting

Get the status of password sync settings

Import-Module ADSync
$connectors = Get-ADSyncConnector
$aadConnectors = $connectors | Where-Object {$_.SubType -eq "Azure Active Directory (Microsoft)"}
$adConnectors = $connectors | Where-Object {$_.ConnectorTypeName -eq "AD"}
if ($aadConnectors -ne $null -and $adConnectors -ne $null)
{
    if ($aadConnectors.Count -eq 1)
    {
        # Tenant-side switch: is password hash sync enabled in Azure AD at all?
        $features = Get-ADSyncAADCompanyFeature
        Write-Host
        Write-Host "Password sync feature enabled in your Azure AD directory: "  $features.PasswordHashSync
        foreach ($adConnector in $adConnectors)
        {
            Write-Host
            Write-Host "Password sync channel status BEGIN ------------------------------------------------------- "
            Write-Host
            # Connector-side switch: the password sync channel from this forest to Azure AD
            Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector.Name
            Write-Host
            # Heartbeat events (EventId 654) are written every 30 minutes while the channel is idle;
            # the message contains the connector identifier GUID, which is how the event is tied to
            # this connector. EventLogEntry has no Time property, so sort on TimeWritten.
            $pingEvents =
                Get-EventLog -LogName "Application" -Source "Directory Synchronization" -InstanceId 654  -After (Get-Date).AddHours(-3) |
                    Where-Object { $_.Message.ToUpperInvariant().Contains($adConnector.Identifier.ToString("D").ToUpperInvariant()) } |
                    Sort-Object { $_.TimeWritten } -Descending
            if ($pingEvents -ne $null)
            {
                Write-Host "Latest heart beat event (within last 3 hours). Time " $pingEvents[0].TimeWritten
            }
            else
            {
                Write-Warning "No ping event found within last 3 hours."
            }
            Write-Host
            Write-Host "Password sync channel status END ------------------------------------------------------- "
            Write-Host
        }
    }
    else
    {
        Write-Warning "More than one Azure AD Connector found. Please update the script to use the appropriate Connector."
    }
}
Write-Host
if ($aadConnectors -eq $null)
{
    Write-Warning "No Azure AD Connector was found."
}
if ($adConnectors -eq $null)
{
    Write-Warning "No AD DS Connector was found."
}
Write-Host

Trigger a full sync of all passwords

Note

Run this script only once. If you need to run it more than once, something else is the problem. To troubleshoot the problem, contact Microsoft support.

You can trigger a full sync of all passwords by using the following script:

$adConnector = "<CASE SENSITIVE AD CONNECTOR NAME>"
$aadConnector = "<CASE SENSITIVE AAD CONNECTOR NAME>"
Import-Module adsync
$c = Get-ADSyncConnector -Name $adConnector
# Set the connector-global parameter that makes the next password sync cycle re-read every
# password hash in the forest instead of only the changed ones.
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c
# Restart the password sync channel for this connector pair by disabling and re-enabling it.
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

Next steps