Hello,
I have an Azure AD Connect setup.
My company needs to synchronize accounts that are in the domain administrator group.
However, this fails.
The error I get is:
8344, insufficient permissions.
We use the mS-DS-ConsistencyGuid as source anchor.
I already set the correct permissions on the AdminSDHolder container:
Allow domain\sa-account SPECIAL ACCESS for mS-DS-ConsistencyGuid
WRITE PROPERTY
READ PROPERTY
This was done via Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountDN (dn of domain\sa-account)
When I enable inheritance on a domain admin account, the synchronisation succeeds, until the default security rights get reset on the domain admin member account.
We use Azure AD Connect version 1.2.70.
Can somebody help?