mfreitas365 asked (0 votes); Pavlo-3139 answered

Unable to create the synchronization service account for Azure Active Directory. Retrying this operation may help resolve the issue.

Hi community,
I am trying to reinstall and configure Azure AD Connect on Windows Server 2019 Active Directory. I used 'Express Mode' and entered a 'Global Admin' user and an 'Enterprise Admin' user (to create the local user). The wizard got the user and password "sync_mf365-dc01_01701687a2bc@msdx530006.onmicrosoft.com" (the user is visible in Azure AD as on-premises synced), but I cancelled because I don't know the password that was created and I can't reset the password. Then the error message showed me "Unable to create the synchronization service account for Azure Active Directory. Retrying this operation may help resolve the issue", as in the shared log below.
Can someone help me? Thank you!

 {
 [19:32:05.334] [  8] [ERROR] ExecuteADSyncConfiguration: configuration failed.  Skipping export of synchronization policy.  resultStatus=Failed
 [19:32:05.378] [  8] [ERROR] PerformConfigurationPageViewModel: An error occurred while creating the synchronization service account in Azure AD. The error was: Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.AzureADServiceAccountException: Unable to create the synchronization service account for Azure Active Directory.  Retrying this operation may help resolve the issue.   ---> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: User canceled authentication. On an Android device, this could be due to the lack of capabilities, such as custom tabs, for the system browser. See https://aka.ms/msal-net-system-browsers for more information.
    at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenInteractiveHandler.VerifyAuthorizationResult()
    at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenInteractiveHandler.<PreTokenRequestAsync>d__14.MoveNext()
 --- End of stack trace from previous location where exception was thrown ---
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<RunAsync>d__60.MoveNext()
 --- End of stack trace from previous location where exception was thrown ---
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenCommonAsync>d__42.MoveNext()
 --- End of stack trace from previous location where exception was thrown ---
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenAsync>d__34.MoveNext()
 --- End of stack trace from previous location where exception was thrown ---
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AuthenticateADAL(String userName, SecureString password, AzureService azureService, Boolean useCachedToken, String& accessToken, String& adalErrorType, String& additionalDetails, Boolean throwOnException)
    at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AcquireServiceToken(AzureService azureService, String userName, SecureString password, String& serviceEndpoint, String& additionalDetail, AuthenticationStatus& status, Boolean throwOnException)
    at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AcquireServiceToken(AzureService azureService, String& serviceEndpoint, String& additionalDetail, AuthenticationStatus& status, Boolean throwOnException)
    at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AcquireServiceToken(AzureService adalResource, String& additionalDetails, Boolean throwOnException)
    at Microsoft.Online.Coexistence.ProvisionHelper.GetSecurityToken()
    at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.InitializeProvisionHelper()
    at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.Initialize()
    at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.GetCompanyConfiguration(Boolean includeLicenseInformation)
    at Microsoft.Online.Deployment.Types.Providers.ProvisioningWebServiceProvider.GetServiceAccount(String servicePrefix, String syncMachineIdentifier)
    --- End of inner exception stack trace ---
    at Microsoft.Online.Deployment.Types.Providers.ProvisioningWebServiceProvider.GetServiceAccount(String servicePrefix, String syncMachineIdentifier)
    at Microsoft.Online.Deployment.Types.Providers.SyncDataProvider.UpdateAADConnectorCredentials(IAzureActiveDirectoryContext aadContext, IAadSyncContext aadSyncContext)
    at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.ConfigureSyncEngineStage.StartADSyncConfigurationCore(Action`1 UpdateProgressText)
 [19:32:05.378] [  8] [ERROR] PerformConfigurationPageViewModel: Unable to create the synchronization service account for Azure Active Directory.  Retrying this operation may help resolve the issue.  

 [19:47:47.088] [  1] [INFO ] Opened log file at path C:\ProgramData\AADConnect\trace-20201226-190545.log
 }

[attached screenshot: reinstall-azureadconnect-error1.png]


azure-ad-connect

mirba-msft answered (0 votes); MohamedAly-5956 commented

Hello @mfreitas365

Thank you for reaching out to us.

Please follow the steps below and let me know if this helps to resolve your issue.

  1. Make sure you have TLS 1.2 enabled. Looking at the logs you posted, this looks to be an authentication issue failing to get the token. To enable TLS 1.2, run the PowerShell command listed in the article, and then restart the server.

  2. Please download and install the following six new certificates listed in this article and restart the Azure AD Connect server.

  3. Make sure you have all the endpoints open that are listed in the article.

  4. As you have mentioned you are reinstalling Azure AD Connect, please make sure to use a cloud-only global admin account.

  5. If following the steps listed above does not resolve the issue, then please elaborate on what you mean when you mention the AD Sync Account "sync_mf365-dc01_01701687a2bc@msdx530006.onmicrosoft.com".

Let me know if this helps to answer your question. If yes, then do accept it as an answer in the interest of community members with similar queries. If this does not answer it, please ask further in the comments and we will be happy to address your concerns. Thank you.

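Step 1 of the answer above asks whether TLS 1.2 is enabled on the Azure AD Connect server. The following report-only script is an added example, not code from this thread or from Microsoft's TLS 1.2 enforcement article; it reads the registry values that article's script sets and flags any that differ, changing nothing. The function name `Test-Tls12Readiness` is hypothetical; run it in an elevated PowerShell session on the Azure AD Connect server.

```powershell
# Added example: report-only check of the TLS 1.2 registry settings Azure AD Connect relies on.
# The wizard is a .NET Framework application, so the .NETFramework keys matter as much as
# the SCHANNEL protocol keys. Nothing is written; missing values are reported as $null.

$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Name = 'SystemDefaultTlsVersions'; Expected = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Name = 'SchUseStrongCrypto';       Expected = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SystemDefaultTlsVersions'; Expected = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SchUseStrongCrypto';       Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'; Name = 'Enabled';           Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'; Name = 'DisabledByDefault'; Expected = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'; Name = 'Enabled';           Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'; Name = 'DisabledByDefault'; Expected = 0 }
)

function Test-Tls12Readiness {
    # Hypothetical helper name; returns one row per expected registry value.
    param([Parameter(Mandatory)][array]$Checks)
    foreach ($c in $Checks) {
        $actual = $null
        if (Test-Path -LiteralPath $c.Path) {
            # A missing value means the OS/.NET default applies, which the guidance does not rely on.
            $actual = (Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        [pscustomobject]@{
            Name     = $c.Name
            Expected = $c.Expected
            Actual   = $actual
            Ok       = ($actual -eq $c.Expected)
            Path     = $c.Path
        }
    }
}

$results = Test-Tls12Readiness -Checks $checks
$results | Format-Table -AutoSize Name, Expected, Actual, Ok, Path

# What this PowerShell session itself will offer; 'Tls12' should appear in the output.
[Net.ServicePointManager]::SecurityProtocol

if ($results.Ok -contains $false) {
    Write-Warning 'One or more TLS 1.2 settings differ from the expected values; apply the enforcement script from the article and reboot before re-running the wizard.'
}
```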

Hi, mirba-msft
Thank you for your message.

I followed the steps given but the problem continues.

I executed the Microsoft Azure Active Directory Connect wizard again. In the Configure step, at the moment of creating the Azure Active Directory Synchronization Account, it shows me a user "sync_mf365-dc01_9f764114bcec@msdx530006onmicrosoft.com", and this user exists in Azure AD with status 'Directory synced' = Yes.
But for this tenant sync has never run, as the screenshots show.
[attached screenshots: azure-ad-connect-1.png, azure-ad-connect-2.png]



sync_mf365-dc01_9f764114bcec@msdx530006onmicrosoft.com is showing as synced because it is being created by AD Connect during installation. It doesn't exist in your local AD and is not actually syncing, but it is created from an on-premises source, which is the AD Connect server.

The AD Connect tool creates 3 accounts: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions

They are service accounts and you don't need to know their passwords. Just exclude the Azure AD connector account, which is "sync_mf365-dc01_9f764114bcec@msdx530006onmicrosoft.com", from MFA if it is enforced by a CA policy.

If for any reason you want to change the passwords for those accounts, then follow this doc:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-serviceacct-pass

ReneMulder-9842 answered (1 vote)

Probably a conditional access policy which asks for registration of your sync user.
Exclude your sync user from MFA/CA.


Pavlo-3139 answered (0 votes)

ReneMulder-9842 Thank you! I had the same error, and after adding the On-Premises Directory Synchronization Service Account to the excluded users of the Conditional Access policy, the configuration completed successfully.

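The comment, ReneMulder-9842's answer and Pavlo-3139's confirmation all point at the same cause: an enabled Conditional Access policy that reaches the `sync_…` service account and demands MFA or registration it cannot complete. The following report-only script is an added example, not code from this thread or from Microsoft; it assumes the Microsoft Graph PowerShell SDK (`Microsoft.Graph` module) is installed, that the sync accounts can be found by the `sync_` UPN prefix the wizard uses, and that the hypothetical helper `Get-PoliciesTargetingUser` is only run by someone allowed to read policies. It lists which enabled policies would apply to each sync account and changes nothing.

```powershell
# Added example: report which enabled Conditional Access policies apply to the
# Azure AD Connect sync service account(s). Read-only Graph scopes; no policy is modified.
Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All'

# The wizard names the account sync_<server>_<id>@<tenant>.onmicrosoft.com (as in the thread);
# match on the prefix instead of hard-coding one name.
$syncAccounts = Get-MgUser -Filter "startswith(userPrincipalName,'sync_')" -Property Id, UserPrincipalName

function Get-PoliciesTargetingUser {
    # Hypothetical helper: one row per enabled policy that is not excluding the user.
    param(
        [Parameter(Mandatory)] $User,      # object with Id and UserPrincipalName
        [Parameter(Mandatory)] $Policies   # output of Get-MgIdentityConditionalAccessPolicy
    )
    foreach ($p in $Policies) {
        # Disabled and report-only policies do not block the wizard's sign-in.
        if ($p.State -ne 'enabled') { continue }
        $u = $p.Conditions.Users
        $included = ($u.IncludeUsers -contains 'All') -or ($u.IncludeUsers -contains $User.Id)
        $excluded = ($u.ExcludeUsers -contains $User.Id)
        # Caveat: group and role assignments are not expanded here. A policy that targets
        # groups or directory roles is reported for manual review, since the account might be
        # a member; an explicit user exclusion still wins over any include.
        $viaGroupOrRole = ($u.IncludeGroups.Count -gt 0) -or ($u.IncludeRoles.Count -gt 0)
        if (-not $excluded -and ($included -or $viaGroupOrRole)) {
            [pscustomobject]@{
                User                = $User.UserPrincipalName
                Policy              = $p.DisplayName
                PolicyId            = $p.Id
                DirectlyIncluded    = $included
                MaybeViaGroupOrRole = ($viaGroupOrRole -and -not $included)
                GrantControls       = ($p.GrantControls.BuiltInControls -join ',')
            }
        }
    }
}

$policies = Get-MgIdentityConditionalAccessPolicy -All
foreach ($acct in $syncAccounts) {
    $hits = @(Get-PoliciesTargetingUser -User $acct -Policies $policies)
    if ($hits.Count -eq 0) {
        Write-Host "$($acct.UserPrincipalName): no enabled CA policy applies directly."
    } else {
        # Any row with 'mfa' in GrantControls is a candidate for the failure seen in the thread.
        $hits | Format-Table -AutoSize
    }
}
```

Policies reported here with an MFA grant control are the ones to review; the fix the thread arrived at is to add the sync account to that policy's excluded users in the Azure AD portal.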