I was assisting a customer who reported that Azure AD Connect (aka Dirsync) was taking too long for passwords to synchronize. It was such a huge lag that they assumed it was broken entirely.
Upon inspecting the Application event log on the Dirsync server for event ID 656, I observed a large gap between when the password was set on the Domain Controller and when the event log on the Dirsync server picked up the change.
This is not expected, because the synchronization service polls on-premises AD for password changes every 2 minutes. The overhead to then hash the password, transfer it to Azure AD’s connector, and have it received on the far end is an additional minute (if all the stars are aligned). So three minutes is a reasonable expectation for passwords to sync to Azure AD. However, 14 minutes? Something ain’t right!
Upon inspection in the MIIS client, I observed that the domain controller that Dirsync was connecting to was 62 milliseconds away, and *not* the nearby DC in the same site as Dirsync. This is viewable in the ‘last used’ field in the screenshot below.
Configuring Azure AD Connect to use preferred domain controllers solved the problem.
This reduced the synchronization lag from 14 minutes to 40 seconds! That is a 95% reduction in lag!
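To decide which DCs belong on that preferred list, here is an added PowerShell check (not from the original post) that ranks every domain controller in the domain by round-trip time from the Connect server and flags the ones in the server's own site. It assumes the ActiveDirectory RSAT module is installed on the Connect server; the function name Get-DcLatency is my own.

```powershell
# Added example: rank domain controllers by round-trip time from this server,
# so the nearest ones can be chosen as preferred DCs for the AD connector.
Import-Module ActiveDirectory

function Get-DcLatency {
    param(
        [int]$Samples   = 5,     # pings per DC
        [int]$TimeoutMs = 1000   # per-ping timeout in milliseconds
    )
    # Site the DC locator resolves for this server (the site the connector *should* prefer)
    $localSite = (Get-ADDomainController -Discover).Site
    $ping = New-Object System.Net.NetworkInformation.Ping

    foreach ($dc in Get-ADDomainController -Filter *) {
        $times = @()
        for ($i = 0; $i -lt $Samples; $i++) {
            $reply = $ping.Send($dc.HostName, $TimeoutMs)
            if ($reply.Status -eq 'Success') { $times += $reply.RoundtripTime }
        }
        [pscustomobject]@{
            HostName  = $dc.HostName
            Site      = $dc.Site
            SameSite  = ($dc.Site -eq $localSite)
            Reachable = ($times.Count -gt 0)
            AvgRttMs  = if ($times.Count -gt 0) {
                            [math]::Round(($times | Measure-Object -Average).Average, 1)
                        } else { $null }
        }
    }
}

# Reachable DCs first, then lowest average round-trip time at the top.
Get-DcLatency |
    Sort-Object -Property @{Expression = 'Reachable'; Descending = $true}, AvgRttMs |
    Format-Table -AutoSize
```

ICMP round-trip time is only a proxy for LDAP responsiveness, so treat the table as a shortlist and confirm the chosen DCs are healthy before adding them. The list itself is applied in Synchronization Service Manager under the AD connector's Properties > Configure Directory Partitions > "Only use preferred domain controllers".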