Core Infrastructure and Security Blog
Lather, rinse, repeat...Azure AD Connect Installation Stalls At Service Account Screen

Joel Vickery
Microsoft
Nov 22, 2019

 


Albert Einstein is famously quoted as saying that the definition of insanity is doing the same thing over and over again and expecting a different result. I was reminded of that during a recent Azure AD Connect installation that ran into a brick wall during the installation wizard. We kept trying over and over, knowing we were being thorough in our preparations for the installation. Many thanks to Russ Tarr, a Principal Consultant at Microsoft with many years of experience troubleshooting everything Microsoft. He was instrumental in tracing this down to its root cause in our troubleshooting session. There's no substitute for experience, and I am sharing ours with you. We hope this helps anyone experiencing the same issue.

 

The Problem

The Azure AD Connect installation would get to the ADFS Service Account screen (shown below) but would not allow the installation to proceed. After restarting the installation process and walking through the steps several times, the process appeared to be in an infinite loop (see paragraph above). The screen below was the brick wall in the installation process. The account information was auto-populated from the existing ADFS farm. The accounts specified throughout the installation wizard are all entered in DOMAIN\User format. So what's going on here?
 

 

Digging Through the Logs

During the installation of Azure AD Connect, logs are created in the C:\ProgramData\AADConnect folder on the local machine and give a clue to the issue being experienced.
 
 

The Moment of Clarity

So, where is this coming from? In our case, the Active Directory Federation Services service had its Log On account configured in UPN format. While this is perfectly valid for a service account as far as Windows is concerned, the Azure AD Connect installation has a problem with it.
 

 

The Solution

The solution is easy: just change the service's Log On information to DOMAIN\UserName format and the installation will proceed past the ADFS Service Account screen.
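
The check and fix described above can be scripted. The following is an added example, not code from the original post or from Microsoft; it assumes the AD FS Windows service is named `adfssrv`, that the Log On account is a regular domain user account with a password (not a gMSA), and that it is run elevated on each AD FS server.

```powershell
# Added example (not from the original post). Run elevated on each AD FS server.
# Assumption: the AD FS Windows service is named 'adfssrv'.
param(
    [string]$ServiceName = 'adfssrv',
    [switch]$Apply   # without -Apply the script only reports
)

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on $env:COMPUTERNAME." }

$logon = $svc.StartName
Write-Host "Current Log On account: $logon"

# UPN format is user@suffix; the wizard works with DOMAIN\User.
if ($logon -notmatch '^[^\\@]+@[^\\@]+$') {
    Write-Host 'Log On account is not in UPN format; nothing to change.'
    return
}

# Resolve the UPN to a SID, then back to its DOMAIN\User (NetBIOS) name.
$sid = [System.Security.Principal.NTAccount]::new($logon).Translate(
           [System.Security.Principal.SecurityIdentifier])
$downLevel = $sid.Translate([System.Security.Principal.NTAccount]).Value
Write-Host "Equivalent DOMAIN\User name: $downLevel"

if (-not $Apply) { return }

# Re-enter the same account in DOMAIN\User form. The password has to be
# supplied again (assumption: regular account with a password, not a gMSA).
$cred = Get-Credential -UserName $downLevel -Message 'AD FS service account password'
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $downLevel
    StartPassword = $cred.GetNetworkCredential().Password
}
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed with return code $($result.ReturnValue)."
}
Write-Host 'Log On account updated; it takes effect the next time the service starts.'
```

Run it without `-Apply` first to confirm which account name it resolves before changing anything.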
 

Pay Dirt!

Now that we have the Log On information in the service account for ADFS corrected, the installation continues on.
 
Updated Nov 22, 2019
Version 1.0
  • Thanks for sharing this, Joel!

    This weird inconsistency should be fixed on the Azure AD [Connect] side. Probably you need to talk with the relevant team internally, if not done already, to fix this issue in order for IT Pros not to bang their heads against the monitor.