Azure AD Connect - Synchronization Service Installation fails


Hello everyone,
We have a problem installing Azure AD Connect on a Windows Server 2019 machine. When installing the synchronization service an error occurs. This is a first-time installation on a brand new server (only AD DS, DNS and DHCP have been installed).
In the Azure AD Connect installation wizard we use the express settings. The AD DS Enterprise Admin credentials and Azure AD Global Admin credentials are correct. A service user account is successfully auto-generated during the installation.
We do not know or understand why the synchronization service installation fails.
Parts of the logs (in German) are attached...

AzureActiveDirectorySyncEngine Error: 906 : SynchronizationServiceSetupTask:InstallCore - Caught unexpected exception. Details System.DirectoryServices.AccountManagement.PrincipalServerDownException: Mit dem Server konnte keine Verbindung hergestellt werden. ---> System.DirectoryServices.Protocols.LdapException: Der LDAP-Server ist nicht verfügbar.
bei System.DirectoryServices.Protocols.LdapConnection.Connect()
bei System.DirectoryServices.Protocols.LdapConnection.SendRequestHelper(DirectoryRequest request, Int32& messageID)
bei System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
bei System.DirectoryServices.AccountManagement.PrincipalContext.ReadServerConfig(String serverName, ServerProperties& properties)
--- Ende der internen Ausnahmestapelüberwachung ---
bei System.DirectoryServices.AccountManagement.PrincipalContext.ReadServerConfig(String serverName, ServerProperties& properties)
bei System.DirectoryServices.AccountManagement.PrincipalContext.DoServerVerifyAndPropRetrieval()
bei System.DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType, String name, String container, ContextOptions options, String userName, String password)
bei System.DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType, String name)
bei Microsoft.Azure.ActiveDirectory.Synchronization.Framework.SyncServiceAccount.GetPrincipal(Boolean isDomainController, AccountManagementAdapter localAccountManagementAdapter, AccountManagementAdapter& domainAccountManagementAdapter)
bei Microsoft.Azure.ActiveDirectory.Synchronization.Framework.SyncServiceAccount.ResolveSid(Boolean isDomainController)
bei Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.InstallCore(String logFilePath, String logFileSuffix)
AzureActiveDirectorySyncEngine Error: 906 : SyncServiceAccount:RemoveAccountRights - no SidString available
AzureActiveDirectorySyncEngine Information: 904 : SyncServiceAccount:RemoveFromLocalAdministratorsGroup:
AzureActiveDirectorySyncEngine Information: 904 : Starting: Removing the Sync Service account from the local Administrators group...
AzureActiveDirectorySyncEngine Error: 906 : Der Objektverweis wurde nicht auf eine Objektinstanz festgelegt.
[14:06:53.576] [ 21] [INFO ] Starting Sync Engine installation
[14:06:57.425] [ 21] [ERROR] PerformConfigurationPageViewModel: Caught exception while installing synchronization service.
Exception Data (Raw): System.Exception: Unable to install the Synchronization Service. Der Objektverweis wurde nicht auf eine Objektinstanz festgelegt. Please see the event log for additional details. ---> System.NullReferenceException: Der Objektverweis wurde nicht auf eine Objektinstanz festgelegt.
bei Microsoft.Azure.ActiveDirectory.Synchronization.Framework.AccountManagementAdapter.RemoveMembersFromLocalGroup(SecurityIdentifier groupSid, DirectoryEntry[] members)
bei Microsoft.Azure.ActiveDirectory.Synchronization.Framework.SyncServiceAccount.<>c__DisplayClass54_0.<RemoveFromLocalAdministratorsGroup>b__0()
bei Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.Execute(Action action, String description)
bei Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.InstallCore(String logFilePath, String logFileSuffix)
bei Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.ExecuteWithSetupResultsStatus(SetupAction action, String description, String logFileName, String logFileSuffix)
bei Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()
--- Ende der internen Ausnahmestapelüberwachung ---
bei Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.ThrowSetupTaskFailureException(String exceptionFormatString, String taskName, Exception innerException)
bei Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()
bei Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.InstallSyncEngineStage.ExecuteInstallCore(ISyncEngineInstallContext syncEngineInstallContext, ProgressChangedEventHandler progressChangesEventHandler)
bei Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.InstallSyncEngineStage.ExecuteInstall(ISyncEngineInstallContext syncEngineInstallContext, ProgressChangedEventHandler progressChangesEventHandler)
bei Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.ExecuteSyncEngineInstallCore(AADConnectResult& result)

...Please help :smile:

2 Replies

@mmw_it Sounds like your issue might be due to connectivity to a DC in your network.

System.DirectoryServices.AccountManagement.PrincipalServerDownException: The server was unable to connect. ---> System.DirectoryServices.Protocols.LdapException: The LDAP server is not available.

Is ADDS installed on this server?

Was the server promoted to a DC?

Installing Azure AD Connect on a Domain Controller is not recommended due to security practices and more restrictive settings that can prevent Azure AD Connect from installing correctly.

I suggest going through these prerequisites.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites

@rosaliod Yes, ADDS is installed on this server and yes, the server was promoted to a DC. This may not be recommended, but it is the most standard case in small businesses (in our case 50 users)?! We have not found or heard of anyone else having problems with it. Quite the reverse!

The LDAP server is online (checked via telnet to localhost / the server IP on port 389 or 636). The naming context looks like LDAP://COMPUTERNAME.ad.contoso.com/....
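A telnet check on 389/636 only proves the TCP port is open; the stack trace above fails one layer higher, in LdapConnection.Connect() and the PrincipalContext(ContextType.Domain, name) constructor. The following PowerShell diagnostic is an added example, not from this thread or from Microsoft, that exercises those same .NET calls on the server where the wizard fails; the domain and DC names are placeholders to replace.

```powershell
# Added diagnostic (not from the thread or from Microsoft): exercises the same
# .NET calls the installer's stack trace shows failing, so an open TCP port is
# not mistaken for a working LDAP bind. Domain and DC names are placeholders.
param(
    [string]$Domain = 'ad.contoso.com',                 # placeholder domain DNS name
    [string]$DomainController = 'DC01.ad.contoso.com'   # placeholder DC hostname
)

Add-Type -AssemblyName System.DirectoryServices.AccountManagement
Add-Type -AssemblyName System.DirectoryServices.Protocols

# 1. Raw TCP reachability of the LDAP and LDAPS ports (what telnet checks).
foreach ($port in 389, 636) {
    $tcp = Test-NetConnection -ComputerName $DomainController -Port $port -WarningAction SilentlyContinue
    "{0}:{1} TCP open = {2}" -f $DomainController, $port, $tcp.TcpTestSucceeded
}

# 2. The lower-level call the trace shows throwing LdapException
#    ("Der LDAP-Server ist nicht verfügbar"): LdapConnection.Connect()/Bind().
try {
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, 389)
    $ldap = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $ldap.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $ldap.Bind()   # Kerberos/NTLM bind as the current user; throws on failure
    "LDAP bind to $DomainController succeeded"
    $ldap.Dispose()
} catch {
    "LDAP bind FAILED: $($_.Exception.GetType().FullName): $($_.Exception.Message)"
}

# 3. The higher-level constructor the installer actually calls:
#    PrincipalContext(ContextType.Domain, name). Its ReadServerConfig() is the
#    frame that wraps the LdapException in the trace.
try {
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
        [System.DirectoryServices.AccountManagement.ContextType]::Domain, $Domain)
    "PrincipalContext connected to $($ctx.ConnectedServer)"
    $ctx.Dispose()
} catch {
    "PrincipalContext FAILED: $($_.Exception.GetType().FullName): $($_.Exception.Message)"
}
```

If step 1 succeeds but step 2 or 3 throws PrincipalServerDownException or LdapException, the wizard's failure is reproduced outside the installer and the problem is the bind itself (name resolution, Kerberos, or DC-side LDAP policy), not port reachability.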