Context:
We had Azure AD/Entra ID Sync running on one of our DCs. The DC started acting 'squirrely', so I decided to decommission it and stand up a new one from scratch to replace it. It was running on a full MSSQL 2019 database (rather than Windows Internal Database), so I just exported the Entra Sync settings, disabled the sync services on the original server, ran a full SQL database backup, installed a SQL instance on the new server and restored the database into it, then followed the instructions in this doc:
Install Microsoft Entra Connect using an existing ADSync database
It created a new AD MSA, and of course a new [servername][guid]@domain.onmicrosoft.com account, which was expected, but the sync service itself isn't able to connect to Entra to do the import/sync/export process. In the Synchronization Service Manager GUI, all of the -AAD operations show a status of either 'no-start-ma' (on the AAD import operation) or 'stopped-extension-dll-exception' (on the AAD export operation).
Errors:
I looked in the event logs, and any time it tries to sync, I see a bunch of Event ID 906/106 errors from source 'Directory Synchronization', as well as Event IDs 6804, 6401, 6005, and 6110 from 'ADSync'.
The first of the 906 errors is a stack trace that means nothing to me. The second one though is much more readable:
Authenticate-MSAL: unexpected exception [Unspecified-Authentication-Failure] - extendedMessage: An error occurred while sending the request. | The underlying connection was closed: An unexpected error occurred on a receive. | The client and server cannot communicate, because they do not possess a common algorithm
webException: The underlying connection was closed: An unexpected error occurred on a receive.
STS endpoint: HTTPS://LOGIN.MICROSOFTONLINE.COM/CSISD.ONMICROSOFT.COM
The thing is though, before that, there are several Information event ID 904 events from source 'Directory Synchronization', among which are more than one that look like this:
Authenticate-MSAL [Acquiring token]: STS endpoint (HTTPS://LOGIN.MICROSOFTONLINE.COM/CSISD.ONMICROSOFT.COM), scope (https://graph.windows.net/user_impersonation), userName (Sync_NEWDCNAME_29b71ced256e@csisd.onmicrosoft.com).
What I've done so far:
Most of my search results on these errors turned up posts/articles saying it was an issue with MFA policies conflicting with the [servername][guid]@domain.onmicrosoft.com sync account. So I created a "NoMFA" group, added the sync account to it, and excluded the group from all of our policies that require MFA. No change.
So I originally configured the sync service using a generic global admin account to connect to Entra (yeah I know, not good practice). So I tried adding THAT account to the 'NoMFA' group. Still no luck.
Ok fine. So I finally got off my behind and created a Hybrid Identity Admin account in Entra, added it to the 'Hybrid Identity Admin' Entra role, ALSO added it to the 'NoMFA' group, and then reapplied all of the 'tasks' in the Entra Connect setup wizard using the new HIA account... and still no luck. Side note: waiting 30+ minutes for a full sync cycle to try to run after applying each 'task' is... painful.
Any suggestions?
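As an added diagnostic that is not part of the original post: the last clause of the 906 error ("do not possess a common algorithm") is the SChannel text for a TLS negotiation that found no protocol or cipher suite both sides accept, so on a freshly built sync server it is worth confirming that the .NET and SChannel TLS 1.2 registry values Microsoft documents for Entra Connect are present, and that a TLS 1.2 handshake to the STS endpoint quoted in the error actually succeeds. The script below (read-only, run as an administrator on the new server) does both; the registry paths are the documented ones and the hostname is the one from the error, while the function names are my own.

```powershell
# Added diagnostic, not from the post. Reports the documented TLS 1.2 registry
# values for Entra Connect and tests a TLS 1.2-only handshake to the STS endpoint.
# It changes nothing; it only reads registry values and opens one outbound connection.

function Get-TlsRegistryState {
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Names = 'SystemDefaultTlsVersions','SchUseStrongCrypto'; Expect = 1 },
        @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'; Names = 'SystemDefaultTlsVersions','SchUseStrongCrypto'; Expect = 1 },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'; Names = 'Enabled';           Expect = 1 },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'; Names = 'DisabledByDefault'; Expect = 0 }
    )
    foreach ($c in $checks) {
        foreach ($n in $c.Names) {
            # A missing value comes back as $null, which is reported as not OK
            $v = (Get-ItemProperty -Path $c.Path -Name $n -ErrorAction SilentlyContinue).$n
            [pscustomobject]@{ Key = "$($c.Path)\$n"; Value = $v; Expected = $c.Expect; Ok = ($v -eq $c.Expect) }
        }
    }
}

function Test-StsTlsHandshake {
    param([string]$HostName = 'login.microsoftonline.com', [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # SslStream on .NET Framework goes through SChannel, so this exercises the
        # same stack the sync engine's HTTP client uses.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        # Offer only TLS 1.2: a failure here reproduces the "no common algorithm" condition
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
        [pscustomobject]@{ Host = $HostName; Protocol = $ssl.SslProtocol; Cipher = $ssl.CipherAlgorithm; Success = $true; Error = $null }
    } catch {
        [pscustomobject]@{ Host = $HostName; Protocol = $null; Cipher = $null; Success = $false; Error = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

Get-TlsRegistryState | Format-Table -AutoSize
Test-StsTlsHandshake  | Format-List
# Cipher suites allowed on this host (a hardening GPO on the new build can remove the ones the STS offers)
Get-TlsCipherSuite | Select-Object -ExpandProperty Name
```

If the handshake fails while the registry values are all OK, compare the cipher suite list against the old DC's, since a baseline GPO applied only to the new server is the other common source of this exact message.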