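The Azure AD Connect Synchronization Service does not export AD objects and shows the error permission-issue. Clicking the error for more details shows "Insufficient access rights to perform the operation" and error code 8344. Why is this happening, and what is the solution? In this article, you will learn how to fix Azure AD Connect permission-issue error code 8344.
Sign in to the Microsoft Entra Connect server and start the Azure AD Connect Synchronization Service.
You will see the export error: permission-issue.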

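Click permission-issue to check the error information.
The error information shows:
Error: permission-issue
Connected data source error code: 8344
Connected data source error: Insufficient access rights to perform the operation.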


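Why do we get this error, and what is the solution for insufficient access rights to perform the operation with error code 8344 in the Azure AD Connect Synchronization Service Manager?
Azure AD Connect's AD DS Connector account does not have all the correct permissions set, which is why error code 8344 permission-issue appears in Azure AD Connect when exporting AD objects.
Note: Azure AD Connect uses 3 accounts to synchronize information between Windows Server Active Directory and Azure Active Directory.
Follow the steps below to fix the Azure AD Connect insufficient access rights to perform the operation error, code 8344:
- Start Azure AD Connect.
- Click Configure.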


- Click Troubleshoot.
- Click Next.


- Click Launch.


- The AADConnect Troubleshooting screen (PowerShell) appears.
----------------------------------------AADConnect Troubleshooting------------------------------------------
Enter '1' - Troubleshoot Object Synchronization
Enter '2' - Troubleshoot Password Hash Synchronization
Enter '3' - Collect General Diagnostics
Enter '4' - Configure AD DS Connector Account Permissions
Enter '5' - Test Azure Active Directory Connectivity
Enter '6' - Test Active Directory Connectivity
Enter 'Q' - Quit
Please make a selection:
- Select 4 and press Enter.
----------------------------------------AADConnect Troubleshooting------------------------------------------
Enter '1' - Troubleshoot Object Synchronization
Enter '2' - Troubleshoot Password Hash Synchronization
Enter '3' - Collect General Diagnostics
Enter '4' - Configure AD DS Connector Account Permissions
Enter '5' - Test Azure Active Directory Connectivity
Enter '6' - Test Active Directory Connectivity
Enter 'Q' - Quit
Please make a selection: 4
- Select 12 and press Enter.
--------------------------------------------Configure Permissions------------------------------------------
Enter '1' - Get AD Connector account
Enter '2' - Get objects with inheritance disabled
Enter '3' - Set basic read permissions
Enter '4' - Set Exchange Hybrid permissions
Enter '5' - Set Exchange mail public folder permissions
Enter '6' - Set MS-DS-Consistency-Guid permissions
Enter '7' - Set password hash sync permissions
Enter '8' - Set password writeback permissions
Enter '9' - Set restricted permissions
Enter '10' - Set unified group writeback permissions
Enter '11' - Show AD object permissions
Enter '12' - Set default AD Connector account permissions
Enter '13' - Compare object read permissions when running in context of AD Connector account vs Admin account
Enter 'B' - Go back to main troubleshooting menu
Enter 'Q' - Quit
Please make a selection: 12
- Select Y and press Enter.
This option will set permissions required for the following:
Password Hash Sync
Password Writeback
Hybrid Exchange
Exchange Mail Public Folder
MsDsConsistencyGuid
It will then restrict permissions
Confirm
Would you like to continue with these options?
[Y] Yes [N] No [?] Help (default is "Y"): Y
- Select E and press Enter.
Account to Configure
Would you like to configure an existing connector account or a custom account?
[E] Existing Connector Account [C] Custom Account [?] Help (default is "E"): E
- The output shows the AD DS Connector account and more information.
Configured connectors and their related accounts:
ADConnectorName ADConnectorForest ADConnectorAccountName ADConnectorAccountDomain
--------------- ----------------- ---------------------- ------------------------
exoip.local exoip.local svc-adds EXOIP.LOCAL
- Fill in the ADConnectorName (exoip.local) and press Enter.
Name of the connector who's account to configure: exoip.local
- A Windows PowerShell credential request appears.
- Fill in the on-premises administrator credentials and click OK.


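Note: You will be asked 7 times whether you are sure you want to set the permissions on the AD DS Connector account. Press A each time, followed by Enter.
- Grant Password Hash Synchronization permissions.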
Confirm
Are you sure you want to perform this action?
Performing the operation "Grant Password Hash Synchronization permissions" on target "exoip.local".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): A
- Grant Password Writeback permissions.
Confirm
Are you sure you want to perform this action?
Performing the operation "Grant Password Writeback permissions" on target "exoip.local".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): A
- Grant Password Writeback permission for the Unexpire Password extended right.
Confirm
Are you sure you want to perform this action?
Performing the operation "Grant Password Writeback permission for Unexpire Password extended right" on target
"exoip.local".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): A
- Grant Exchange Hybrid permissions.
Confirm
Are you sure you want to perform this action?
Performing the operation "Grant Exchange Hybrid permissions" on target "exoip.local".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): A
- Grant Exchange Mail Public Folder permissions.
Confirm
Are you sure you want to perform this action?
Performing the operation "Grant Exchange Mail Public Folder permissions" on target "exoip.local".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): A
- Grant mS-DS-ConsistencyGuid permissions.
Confirm
Are you sure you want to perform this action?
Performing the operation "Grant mS-DS-ConsistencyGuid permissions" on target "exoip.local".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): A
- Set restricted permissions.
Confirm
Are you sure you want to perform this action?
Performing the operation "Set restricted permissions" on target "CN=svc-adds,OU=Service
Accounts,OU=Company,DC=exoip,DC=local".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): A
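- All permissions are now set correctly on the AD DS Connector account.
- Close the AADConnect Troubleshooting PowerShell window and the Azure AD Connect window.
- Start Windows PowerShell and run a full Microsoft Entra Connect sync.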
Start-ADSyncSyncCycle -PolicyType Initial
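- Wait a few minutes, then verify that all AD objects are synchronized, that there are no more 8344 permission errors, and that the export statistics show values.
In our example, it did update 5 users.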


That's it!
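A read-only check of the connector account's permissions, as an added example that is not part of the original article. It assumes the default Azure AD Connect install path and the RSAT ActiveDirectory module; `$searchBase` and `$failedObject` are placeholders to replace with your synced OU and the DN of one object that failed export with 8344.

```powershell
# Added example: read-only checks, no permissions are changed.
# Run in an elevated PowerShell session on the sync server.
# Assumption: default install path of the ADSyncConfig module.
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1' -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop   # provides the AD: drive used by Get-Acl

# Placeholders: the synced OU and one object that failed export with 8344.
$searchBase   = 'OU=Company,DC=exoip,DC=local'
$failedObject = 'CN=<failed object>,OU=Company,DC=exoip,DC=local'

# Same data as menu option 1: which account the AD connector uses.
$connector = Get-ADSyncADConnectorAccount | Select-Object -First 1
$account   = $connector.ADConnectorAccountName
"Connector '$($connector.ADConnectorName)' uses account '$account'"

# Same data as menu option 2: objects that do not inherit ACEs from their parent,
# so permissions granted higher in the tree never reach them.
$blocked = @(Get-ADSyncObjectsWithInheritanceDisabled -SearchBase $searchBase -ObjectClass '*')
"Objects with inheritance disabled under ${searchBase}: $($blocked.Count)"
$blocked

# ACL of the failed object: is inheritance blocked, and which ACEs name the connector account?
$acl = Get-Acl -Path "AD:\$failedObject"
"Inheritance blocked on failed object: $($acl.AreAccessRulesProtected)"
$aces = @($acl.Access | Where-Object { $_.IdentityReference.Value -like "*\$account" })
if ($aces.Count -eq 0) {
    Write-Warning "No ACE names '$account' on $failedObject; check inheritance and group membership."
} else {
    $aces | Format-Table ActiveDirectoryRights, AccessControlType, IsInherited, ObjectType -AutoSize
}
```

Running it before and after the permissions step shows which ACEs the troubleshooter actually added for the connector account.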
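Related:
Create an AD DS Connector account with the correct permissions, then change the AD DS Connector account in Azure AD Connect Sync to fix permission-issue error code 8344:
- Create AD DS Connector account
- Change AD DS Connector account
Which method did you choose?
Conclusion
You learned how to fix Azure AD Connect permission-issue error code 8344. Setting the correct permissions on the AD DS Connector account is essential. Once they are set, you will no longer see the insufficient access rights to perform the operation error, and synchronization will work.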