I have been participating in an O365 project for the last month and faced a strange situation after the Exchange Hybrid configuration was enabled from AAD Connect.
First of all, everything was configured as planned:
- Sync scope
- Delegations to sync account (read/write operations to all synced objects)
- Sync had been running without any errors for the last four (4) months
My customer has two (2) AAD Connect servers, one active and one in staging mode. The Exchange Hybrid configuration was performed first on the staging server without any errors. Then we moved to the active server (which had been switched to staging mode beforehand) and performed the Exchange Hybrid config with the wizard. Everything went fine until the export profile to on-premises AD started (when adding Exchange Hybrid to the AAD Connect configuration it adds multiple attributes to mail users depending on the Exchange version) and we got 5000 errors in AADC, which is the “stopped limit”.
All permission issues had the same error code 8433, which led me to a possible AD permission inheritance problem. I triple-checked all the permissions & inheritance and everything seemed to be right, weird? The next thing to do was a “Microsoft Azure AD Sync” service restart, and as soon as the service was restarted AAD Connect was able to update all necessary objects with the X500 proxyAddress attribute.
I haven’t seen this kind of behavior before and assume that the Kerberos token of the sync service account was not updated properly during authentication until the service was restarted. Worth mentioning is that the delegations to on-premises AD were made the day before the AAD Connect configuration was changed.
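As an added example (not from the original post), the check I would script for this situation: confirm that the sync account holds an inherited write delegation on proxyAddresses under the sync-scope OU, and only if the delegation is in place and exports still fail with 8433, restart the sync service and request a delta sync. The account name and OU are placeholders; the delegation may also live on the domain root rather than the OU.

```powershell
# Added example, not part of the original post. Placeholders below must be
# replaced with the real sync account and sync-scope OU.
Import-Module ActiveDirectory
Import-Module ADSync

$SyncAccount = 'CONTOSO\MSOL_PLACEHOLDER'      # placeholder: AAD Connect sync account
$ScopeOU     = 'OU=Users,DC=contoso,DC=local'  # placeholder: OU inside the sync scope

# Resolve the schemaIDGUID of proxyAddresses so ACEs can be matched per attribute.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$proxyAttr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=proxyAddresses)' -Properties schemaIDGUID
$proxyGuid = [guid]$proxyAttr.schemaIDGUID

# Read the OU's ACL through the AD: drive and keep only ACEs that grant the sync
# account write on proxyAddresses (or on all properties) and that propagate to children.
$acl = Get-Acl -Path "AD:\$ScopeOU"
$writeAces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $SyncAccount -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll') -and
    ($_.ObjectType -eq $proxyGuid -or $_.ObjectType -eq [guid]::Empty) -and
    $_.InheritanceType -ne 'None'   # ACE must be inherited by the user objects below the OU
}

if (-not $writeAces) {
    Write-Warning "No inherited write delegation on proxyAddresses for $SyncAccount under $ScopeOU"
} else {
    Write-Output "Delegation present; restarting the sync service so it re-authenticates, then running a delta sync."
    Restart-Service -Name ADSync             # service display name: Microsoft Azure AD Sync
    Start-ADSyncSyncCycle -PolicyType Delta  # re-run the export that stopped at the error limit
}
```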
Link to permission issue docs