Azure Active Directory Connect (AADC) Installation Issue

Craig Bull 1 Reputation point
2022-01-27T21:24:45.12+00:00

I have an issue attempting to install Azure Active Directory Connect (AADC). On installation, most of the process seems to complete as normal, but it fails on attempting to create the synchronization account in Azure AD. This may be because I previously had AADC sync from another Forest/Domain under a different name and did not delete or uninstall the previous AADC correctly. I am attempting to sync a new Forest/Domain under a different forest name, but some legacy config must remain within the Azure AD tenant that is causing it to fail on attempting to create the sync account. I have tried manually removing all sync configuration and SSO settings from the Azure AD tenant using PowerShell commands. No matter what I try, it always fails. I'm out of ideas. Anyone able to help? I've already tried disabling sync using PowerShell, already tried disabling SSO using PowerShell, and I've tried deleting the legacy sync accounts from Azure AD.

Here is the log:

[18:36:58.197] [ 12] [INFO ] MSAL: (False) MSAL 4.5.1.0 MSAL.Desktop Microsoft Windows NT 10.0.20348.0 [01/27/2022 18:36:58 - a74e8dd9-34e0-41ed-80d9-000c77929e38] (UnknownClient: 0.0.0.0)
=== Request Data ===
Authority Provided? - True
Scopes - https://graph.windows.net/user_impersonation
Extra Query Params Keys (space separated) -

[18:36:58.197] [ 12] [INFO ] MSAL: (False) MSAL 4.5.1.0 MSAL.Desktop Microsoft Windows NT 10.0.20348.0 [01/27/2022 18:36:58 - a74e8dd9-34e0-41ed-80d9-000c77929e38] (UnknownClient: 0.0.0.0) === Token Acquisition (SilentRequest) started:

Authority Host: login.microsoftonline.com

[18:36:58.197] [ 12] [INFO ] MSAL: (False) MSAL 4.5.1.0 MSAL.Desktop Microsoft Windows NT 10.0.20348.0 [01/27/2022 18:36:58 - a74e8dd9-34e0-41ed-80d9-000c77929e38] (UnknownClient: 0.0.0.0) Looking up access token in the cache.
[18:36:58.197] [ 12] [INFO ] MSAL: (False) MSAL 4.5.1.0 MSAL.Desktop Microsoft Windows NT 10.0.20348.0 [01/27/2022 18:36:58 - a74e8dd9-34e0-41ed-80d9-000c77929e38] (UnknownClient: 0.0.0.0) Filtering by tenant id item count before 2 after 2
[18:36:58.197] [ 12] [INFO ] MSAL: (False) MSAL 4.5.1.0 MSAL.Desktop Microsoft Windows NT 10.0.20348.0 [01/27/2022 18:36:58 - a74e8dd9-34e0-41ed-80d9-000c77929e38] (UnknownClient: 0.0.0.0) Filtering by home account id item count before 2 after 2
[18:36:58.197] [ 12] [INFO ] MSAL: (False) MSAL 4.5.1.0 MSAL.Desktop Microsoft Windows NT 10.0.20348.0 [01/27/2022 18:36:58 - a74e8dd9-34e0-41ed-80d9-000c77929e38] (UnknownClient: 0.0.0.0) Matching entry count -2
[18:36:58.197] [ 12] [INFO ] MSAL: (False) MSAL 4.5.1.0 MSAL.Desktop Microsoft Windows NT 10.0.20348.0 [01/27/2022 18:36:58 - a74e8dd9-34e0-41ed-80d9-000c77929e38] (UnknownClient: 0.0.0.0) Matching entry count after filtering by scopes - 1
[18:36:58.197] [ 12] [INFO ] MSAL: (False) MSAL 4.5.1.0 MSAL.Desktop Microsoft Windows NT 10.0.20348.0 [01/27/2022 18:36:58 - a74e8dd9-34e0-41ed-80d9-000c77929e38] (UnknownClient: 0.0.0.0) Access token is not expired. Returning the found cache entry. [Current time (01/27/2022 18:36:58) - Expiration Time (01/27/2022 19:37:43 +00:00) - Extended Expiration Time (01/27/2022 19:37:43 +00:00)]
[18:36:58.197] [ 12] [INFO ] MSAL: (False) MSAL 4.5.1.0 MSAL.Desktop Microsoft Windows NT 10.0.20348.0 [01/27/2022 18:36:58 - a74e8dd9-34e0-41ed-80d9-000c77929e38] (UnknownClient: 0.0.0.0) Returning access token found in cache. RefreshOn exists ? False
[18:36:58.198] [ 12] [INFO ] MSAL: (False) MSAL 4.5.1.0 MSAL.Desktop Microsoft Windows NT 10.0.20348.0 [01/27/2022 18:36:58 - a74e8dd9-34e0-41ed-80d9-000c77929e38] (UnknownClient: 0.0.0.0) === Token Acquisition finished successfully. An access token was returned with Expiration Time: 01/27/2022 19:37:43 +00:00 ===
[18:36:58.198] [ 12] [INFO ] Authenticate-MSAL: successfully acquired an access token. TenantId=1f372b5d-fbc7-4947-b336-c064f6565381, ExpiresUTC=27/01/2022 19:37:43 +00:00, UserInfo=<redacted>, IdentityProvider=login.windows.net.
[18:37:00.274] [ 12] [INFO ] GetServiceAccount: successfully created a service account (Sync_CNDOM01_aedd59d24962@<redacted>onmicrosoft.com). Sleeping an initial backoff time to facilitate account propagation.
[18:37:15.713] [ 12] [WARN ] GetServiceAccount: service account authorization failed for Sync_CNDOM01_aedd59d24962@<redacted>onmicrosoft.com. Waiting for account to be provisioned. Details: Federated service at https://autologon.microsoftazuread-sso.com/<redacted>onmicrosoft.com/winauth/trust/2005/usernamemixed?client-request-id=30ab64b5-cf12-439c-9905-2a734deea8a8 returned error: Authentication Failure
[18:37:32.194] [ 12] [WARN ] GetServiceAccount: service account authorization failed for Sync_CNDOM01_aedd59d24962@<redacted>onmicrosoft.com. Waiting for account to be provisioned. Details: AADSTS50158: External security challenge not satisfied. User will be redirected to another page or authentication provider to satisfy additional authentication challenges.
Trace ID: ef485566-9fbe-4224-84e1-56b1c0f06200
Correlation ID: 48c82a28-8d54-4f19-a5dd-9e9817df7b08

Timestamp: 2022-01-27 18:38:42Z
[18:37:48.120] [ 12] [WARN ] GetServiceAccount: service account authorization failed for Sync_CNDOM01_aedd59d24962@<redacted>onmicrosoft.com. Waiting for account to be provisioned. Details: AADSTS50158: External security challenge not satisfied. User will be redirected to another page or authentication provider to satisfy additional authentication challenges.
Trace ID: 4059503a-69dd-457f-8fff-579e75bd3700
Correlation ID: 3a3a6098-6053-4b64-a590-2d6471c92de5
Timestamp: 2022-01-27 18:38:58Z
[18:38:04.261] [ 12] [WARN ] GetServiceAccount: service account authorization failed for Sync_CNDOM01_aedd59d24962@<redacted>onmicrosoft.com. Waiting for account to be provisioned. Details: AADSTS50158: External security challenge not satisfied. User will be redirected to another page or authentication provider to satisfy additional authentication challenges.
Trace ID: fa6041d5-9b74-4ad0-b030-a596604a3d00
Correlation ID: f7320fe1-af4d-45f5-a33a-59189b491c99

Timestamp: 2022-01-27 18:43:21Z
at Microsoft.Online.Deployment.Client.Framework.MSALAuthenticationProvider.AuthenticateMSAL(AzureService azureService, String userName, SecureString password, Boolean useCachedToken, String& accessToken, String& errorCode, String& additionalDetails, Boolean throwOnException, Boolean throwExceptionOnMFAError)
at Microsoft.Online.Deployment.Client.Framework.MSALAuthenticationProvider.AcquireServiceToken(AzureService azureService, String& serviceEndpoint, String& errorCode, String& additionalDetail, AuthenticationStatus& status, Boolean throwOnException, Boolean throwExceptionOnMFAError)
at Microsoft.Online.Deployment.Client.Framework.MSALAuthenticationProvider.AcquireServiceToken(AzureService azureService, String& serviceEndpoint, String& additionalDetail, AuthenticationStatus& status, Boolean throwOnException)
at Microsoft.Online.Deployment.Client.Framework.MSALAuthenticationProvider.AcquireServiceToken(AzureService azureService, String& additionalDetail, Boolean throwOnException)
at Microsoft.Online.Coexistence.ProvisionHelper.GetSecurityToken()
at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.InitializeProvisionHelper()
at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.Initialize()
at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.GetCompanyConfiguration(Boolean includeLicenseInformation)
at Microsoft.Online.Deployment.Types.Providers.ProvisioningWebServiceProvider.GetServiceAccount(String servicePrefix, String syncMachineIdentifier)
--- End of inner exception stack trace ---
at Microsoft.Online.Deployment.Types.Providers.ProvisioningWebServiceProvider.GetServiceAccount(String servicePrefix, String syncMachineIdentifier)
at Microsoft.Online.Deployment.Types.Providers.SyncDataProvider.UpdateAADConnectorCredentials(IAzureActiveDirectoryContext aadContext, IAadSyncContext aadSyncContext)
at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.ConfigureSyncEngineStage.StartADSyncConfigurationCore(Action1 UpdateProgressText)
[18:42:26.306] [ 12] [ERROR] ConfigureSyncEngineStage: Caught exception while creating azure service account.
[18:42:26.306] [ 12] [INFO ] ConfigureSyncEngineStage.StartADSyncConfiguration: AADConnectResult.Status=Failed
[18:42:26.306] [ 12] [INFO ] ConfigureSyncEngineStage.StartADSyncConfiguration: Error details: Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.AzureADServiceAccountException: Unable to create the synchronization service account for Azure Active Directory. Retrying this operation may help resolve the issue. ---> Microsoft.Identity.Client.MsalUiRequiredException: AADSTS50158: External security challenge not satisfied. User will be redirected to another page or authentication provider to satisfy additional authentication challenges.
Trace ID: 27f5d130-ffe3-4dc1-b8b8-d4d02c856500
Correlation ID: 5eff6d43-0603-4789-9b64-20c82b8fa22e
Timestamp: 2022-01-27 18:43:21Z
at Microsoft.Online.Deployment.Client.Framework.MSALAuthenticationProvider.AuthenticateMSAL(AzureService azureService, String userName, SecureString password, Boolean useCachedToken, String& accessToken, String& errorCode, String& additionalDetails, Boolean throwOnException, Boolean throwExceptionOnMFAError)
at Microsoft.Online.Deployment.Client.Framework.MSALAuthenticationProvider.AcquireServiceToken(AzureService azureService, String& serviceEndpoint, String& errorCode, String& additionalDetail, AuthenticationStatus& status, Boolean throwOnException, Boolean throwExceptionOnMFAError)
at Microsoft.Online.Deployment.Client.Framework.MSALAuthenticationProvider.AcquireServiceToken(AzureService azureService, String& serviceEndpoint, String& additionalDetail, AuthenticationStatus& status, Boolean throwOnException)
at Microsoft.Online.Deployment.Client.Framework.MSALAuthenticationProvider.AcquireServiceToken(AzureService azureService, String& additionalDetail, Boolean throwOnException)
at Microsoft.Online.Coexistence.ProvisionHelper.GetSecurityToken()
at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.InitializeProvisionHelper()
at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.Initialize()
at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.GetCompanyConfiguration(Boolean includeLicenseInformation)
at Microsoft.Online.Deployment.Types.Providers.ProvisioningWebServiceProvider.GetServiceAccount(String servicePrefix, String syncMachineIdentifier)
--- End of inner exception stack trace ---
at Microsoft.Online.Deployment.Types.Providers.ProvisioningWebServiceProvider.GetServiceAccount(String servicePrefix, String syncMachineIdentifier)
at Microsoft.Online.Deployment.Types.Providers.SyncDataProvider.UpdateAADConnectorCredentials(IAzureActiveDirectoryContext aadContext, IAadSyncContext aadSyncContext)
at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.ConfigureSyncEngineStage.StartADSyncConfigurationCore(Action1 UpdateProgressText)
[18:42:26.307] [ 12] [ERROR] ExecuteADSyncConfiguration: configuration failed. Skipping export of synchronization policy. resultStatus=Failed
[18:42:26.310] [ 12] [ERROR] PerformConfigurationPageViewModel: An error occurred while creating the synchronization service account in Azure AD. The error was: Unable to create the synchronization service account for Azure Active Directory. Retrying this operation may help resolve the issue.
[18:42:26.310] [ 12] [ERROR] PerformConfigurationPageViewModel: Unable to create the synchronization service account for Azure Active Directory. Retrying this operation may help resolve the issue.
[18:43:51.215] [ 1] [INFO ] Opened log file at path C:\ProgramData\AADConnect\trace-20220127-170931.log


1 answer

  1. Givary-MSFT 27,886 Reputation points Microsoft Employee
    2022-01-28T06:58:01.067+00:00

    @Craig Bull

    Thank you for reaching out to us. As per the logs, the Azure AD error code indicates that MFA has been prompted due to a Conditional Access Policy.

    Do you get an MFA prompt for your Global Admin account during the installation?

    Are you able to log in to the Office 365 portal with the same Global Admin credentials? You can review the Azure AD sign-in logs based on the Correlation ID for more information on which Conditional Access policies are getting applied.

    If you have any other questions, please let me know.

    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if my answer helped, so that others in the community facing similar issues can easily find the solution.

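An added example (not from Craig Bull's post or Givary-MSFT's answer) of the sign-in-log check the answer suggests, using Microsoft Graph PowerShell. It pulls the sign-in record for a correlation ID, then lists the Conditional Access policies evaluated for it and what each one enforced, which is how you identify the policy that demanded MFA from the non-interactive Sync_ account. The correlation ID is one of those from the log in the question, the tenant part of the sync account UPN is a placeholder, and the Microsoft.Graph.Reports module is assumed to be installed.

```powershell
# Added example: find which Conditional Access policy blocked the AADC sync
# account by reading the Entra ID / Azure AD sign-in logs through Microsoft Graph.
# Assumes: Install-Module Microsoft.Graph.Reports has been run, and the caller
# holds a role allowed to read sign-in logs (e.g. Security Reader / Global Reader).
param(
    # Correlation ID taken from the AADSTS50158 entry in the question's log.
    [string]$CorrelationId = '48c82a28-8d54-4f19-a5dd-9e9817df7b08',
    # Sync service account from the log; <tenant> is a placeholder for the real tenant name.
    [string]$SyncAccountUpn = 'Sync_CNDOM01_aedd59d24962@<tenant>.onmicrosoft.com'
)

# Sign-in logs need AuditLog.Read.All; the signIns endpoint also requires Directory.Read.All.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' | Out-Null

# Step 1: look up the exact sign-in by the correlation ID MSAL printed next to the error.
$signIns = Get-MgAuditLogSignIn -Filter "correlationId eq '$CorrelationId'" -All

if (-not $signIns) {
    Write-Warning "No sign-in found for correlation ID $CorrelationId (sign-in logs are retained for a limited period)."
    # Step 2: fall back to the latest sign-ins of the sync account itself.
    $signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$SyncAccountUpn'" -Top 10
}

foreach ($s in $signIns) {
    # Summary of the attempt: error 50158 means an external security challenge (MFA) was not satisfied.
    [pscustomobject]@{
        Time          = $s.CreatedDateTime
        User          = $s.UserPrincipalName
        App           = $s.AppDisplayName
        ErrorCode     = $s.Status.ErrorCode
        FailureReason = $s.Status.FailureReason
        CAStatus      = $s.ConditionalAccessStatus   # success / failure / notApplied
    } | Format-List

    # Step 3: every Conditional Access policy evaluated for this sign-in, with its outcome
    # and the grant controls it enforced (e.g. mfa). A policy with Result = failure and
    # 'mfa' in its grant controls is the one a service account cannot satisfy.
    $s.AppliedConditionalAccessPolicies |
        Select-Object DisplayName, Result,
            @{ Name = 'GrantControls'; Expression = { $_.EnforcedGrantControls -join ',' } } |
        Format-Table -AutoSize
}
```

Run it once with the correlation ID from a fresh failed installation attempt; if the log entry has already aged out, the fallback query on the Sync_ account's own sign-ins usually shows the same policy. The policy named there is the one to review, since a sync service account signs in non-interactively and has no way to complete an MFA challenge.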