Service Account for AAD Connect Changed after reboot

Dean Gross
Respected Contributor

My customer rebooted his server and the Sync Service won't start; we discovered that the service account is showing as Local Admin instead of the expected AAD_mmmmm. Has anyone seen this before, know why it would happen, or have a recommendation on the best way to fix?

 

TIA

4 Replies

I saw this but on old directory sync. The service account AAD_mmmm is created upon installation and is a domain user so you can reset the password but usually the password is rolled/controlled by AADC....

Repair installation is probably the best way to re-link this but I can't tell you why it happens.

Thanks, after troubleshooting for a few hours without being able to figure out what happened we decided to uninstall and reinstall and that fixed the problem. 

Hello Dean,

 

Your course of action would have been my recommendation. The AAD_xxxxx account is a local account created by the AAD Connect Wizard. The password is complex and never known. Very strange that it was changed. I usually recommend that my customers create a service account to avoid these scenarios. Then, use the Custom install method and supply your new domain service account. You can also use it to read and/or write to your AD.

I had a very similar scenario after an update of AD Connect was installed.