DiederikJanson-0956 asked ·

Azure AD Connect not working after OS upgrade from 2016 to 2019

Hi,

I have upgraded an Azure AD Connect Server, running in staging mode, to Server 2019 and now I get the following error messages:

  1. When I start Microsoft Azure Active Directory Connect Interface I get "Azure Active Directory Connect cannot proceed further as configuration changes cannot be made at this time" -> The Microsoft Azure AD Sync Service Account is changed during the upgrade from AAD__xxxxxxxxxxxx to NT SERVICE\ADSync. I added the ADSync account to the Administrators group and the ADSyncAdmins group and rebooted the system, but this did not help.

  2. When I start the Synchronization Service Manager I get "Unable to connect to the Synchronization Service". Possible cause is that "your account is not a member of a required security group" -> I am Admin on the system.

Any ideas?

Best Regards,

DJITS

azure-ad-connect

1 Answer

shashishailaj answered ·

Hello @DiederikJanson-0956 ,

It seems you were running this AAD Connect on a Domain Controller. Also, the setup was done using automatic configuration and a custom service account was not used. It is generally advised to use a custom service account. The default service account for the ADSync service when installed on a Domain Controller is in the form of Domain\AAD_InstallationIdentifier. There is no way to recover the password for this account because it's randomly generated.

In all probability, the current service account has lost its permission to access the database and hence you are facing this issue. The ADSync service encryption keys probably would have gotten recreated and due to some permission issue you are getting the error. The Microsoft Azure AD Sync service would need to be restarted by changing the service account to the original account before the upgrade. So you will need to go to the services console and update the <domain>\AAD_xxxxxxxxxx account again. I am not sure if it will automatically update the account with its password because the password for this account is created and rotated by the domain controller itself, but sometimes it will ask you to provide the password, which you would not have, and hence this operation will fail. If you try to go to the Active Directory Users and Computers console and update this account's password and then use it to update the service account password on the ADSync service in the services console, I think you will encounter an error while starting the service again because the encryption keys created originally will be different and they could only be unlocked by the old original password for the AAD_xxxxx account, which we will not have.

In my experience, I have seen reinstallation as the solution to this scenario most of the time. However, you can try to open a support ticket with Microsoft and see if they are able to dig anything deeper to fix it. Should you have any issues opening a ticket, please let us know by mailing azcommunity[at]microsoft[dot]com with your Azure subscription ID and tenant name referencing this thread and we will help you with alternate support options.

If you manage to solve this yourself, please do share your solution with the community. In case the information in this post is helpful, please do accept it as the answer in the interest of the community.

Thank you.


Hi,

Thank you for your answer.

This AAD Connect installation was not running on a Domain Controller, just a normal server. I managed to restore a backup, so I'm back with Server 2016 where I started. I checked, and already on Server 2016 the NT SERVICE\ADSync account was used as Service Account. So I was wrong in thinking that the account changed.

My problem is solved for now and I will try to figure out if it is supported to upgrade the OS of an AAD Connect installation.

Because we have a custom configuration and there is no good way of exporting the config, it will be a hassle to do a reinstall.

Thank you so much for taking the time to look at my problem.

Best Regards,

Diederik.

shashishailaj commented ·

@DiederikJanson-0956 ·,

I understand now. I checked internally and there are no issues with upgrade. It is supported, but as far as my experience goes I would not recommend the same. The best way to upgrade an AAD server would be to do a swing migration. Build a new Windows 2019 server and do a parallel deployment, then compare the same, and once you find that the object sync is working in a similar way without any error, move production to staging and staging into production. Upgrading is supported, but if it does not happen properly for any reason, as in your case, we suggest you open a support case for further troubleshooting because it's hard to know and understand the proper reason. The main issue is with the database, which gets encrypted and may be dependent on DLLs which change during the OS upgrade. I understand it's not the best way, but swing migration works.

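A pre-flight check that can be run on both the old and the new server before the swing migration described above, as an added example that is not part of this thread and not Microsoft's own tooling. It assumes the ADSync PowerShell module installed with Azure AD Connect is available, that the local group is named ADSyncAdmins as in the question, and that the export folder path is a placeholder to adjust.

```powershell
# Added example: capture the facts this thread turned on (service account,
# group membership, staging mode) and export the sync configuration so two
# servers can be diffed before swapping staging and production.
Import-Module ADSync -ErrorAction Stop

# 1. Which identity runs the ADSync service, and is it running?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='ADSync'"
if (-not $svc) { throw "ADSync service not found on this host." }
Write-Host ("ADSync service account : {0}" -f $svc.StartName)
Write-Host ("ADSync service state   : {0}" -f $svc.State)

# 2. Is the current user a member of the local ADSyncAdmins group?
#    (Synchronization Service Manager refuses to connect otherwise.)
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$members = Get-LocalGroupMember -Group 'ADSyncAdmins' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name
$isAdmin = $members -contains $me
Write-Host ("{0} in ADSyncAdmins    : {1}" -f $me, $isAdmin)

# 3. Staging mode: exactly one server in the pair should be active.
$sched = Get-ADSyncScheduler
Write-Host ("Staging mode enabled   : {0}" -f $sched.StagingModeEnabled)
Write-Host ("Sync cycle enabled     : {0}" -f $sched.SyncCycleEnabled)

# 4. Export the server configuration (connectors, rules, global settings)
#    to JSON. Run on both servers and diff the two folders before cutover.
$exportRoot = 'C:\ADSyncExport\PLACEHOLDER-hostname'   # placeholder path
New-Item -ItemType Directory -Path $exportRoot -Force | Out-Null
Get-ADSyncServerConfiguration -Path $exportRoot
Write-Host ("Configuration exported : {0}" -f $exportRoot)
```

Comparing the two export folders (for example with Compare-Object over the JSON files) shows whether the custom rules mentioned in the thread survived the parallel deployment before production is moved.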