AD CONNECT - Check the minimum password length, password complexity and password history requirements.

    Question

  • Hi,

    I have Windows Server 2016 with AD, ADFS, CA.

    I decided to install AD Connect on the server.

    I created a new Domain Admin + Enterprise Admin account and entered it in the AD Connect installation wizard,

    but I am getting this error:

    SynchronizationServiceSetupTask:InstallCore - Caught unexpected exception. Details System.DirectoryServices.AccountManagement.PasswordException: The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.
     ---> System.Runtime.InteropServices.COMException: The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.
    
       at System.DirectoryServices.DirectoryEntry.CommitChanges()
       at System.DirectoryServices.AccountManagement.SDSUtils.ApplyChangesToDirectory(Principal p, StoreCtx storeCtx, GroupMembershipUpdater updateGroupMembership, NetCred credentials, AuthenticationTypes authTypes)
       --- End of inner exception stack trace ---
       at System.DirectoryServices.AccountManagement.SDSUtils.ApplyChangesToDirectory(Principal p, StoreCtx storeCtx, GroupMembershipUpdater updateGroupMembership, NetCred credentials, AuthenticationTypes authTypes)
       at System.DirectoryServices.AccountManagement.SDSUtils.InsertPrincipal(Principal p, StoreCtx storeCtx, GroupMembershipUpdater updateGroupMembership, NetCred credentials, AuthenticationTypes authTypes, Boolean needToSetPassword)
       at System.DirectoryServices.AccountManagement.SAMStoreCtx.Insert(Principal p)
       at System.DirectoryServices.AccountManagement.Principal.Save()
       at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.AccountManagementAdapter.CreatePrincipalCore(Principal principal)
       at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.AccountManagementAdapter.CreateUser(NetworkCredential userCredential, String userDescription, Boolean userPasswordNeverExpires)
       at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.SyncServiceAccount.<>c__DisplayClass12.<CreateSyncServiceAccount>b__11()
       at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.Execute(Action action, String description)
       at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.SyncServiceAccount.CreateSyncServiceAccount(AccountManagementAdapter accountManagementAdapter, String installationIdentifier)
       at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.SyncServiceAccount.Initialize(String installationIdentifier, Boolean allowVirtualServiceAccount, Boolean allowManagedServiceAccount, Boolean specifiedAccount, String domain, String userName, String password)
       at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.InstallCore(String logFilePath, String logFileSuffix)

    [21:10:58.821] [ 21] [VERB ] MsolDomainExtensions.GetAllConfiguredDomains: Connecting to MSOL service.
    [21:10:58.821] [ 21] [INFO ] ConnectMsolService: connecting using an AccessToken.
    [21:10:58.860] [ 21] [WARN ] Failed to import module MSOnline for PowerShell Command Connect-MsolService
    [21:10:59.110] [ 21] [WARN ] Failed to import module MSOnline for PowerShell Command Get-MsolDomain
    [21:10:59.357] [  1] [INFO ] UPN Suffix List
    [21:10:59.357] [  1] [INFO ] --------------------------------------------------------------------
    [21:10:59.357] [  1] [INFO ] UPN Suffix [Azure Status]
    [21:10:59.357] [  1] [INFO ] --------------------------------------------------------------------
    [21:10:59.358] [  1] [INFO ] pelegit.co.il [Verified]
    [21:10:59.358] [  1] [INFO ] --------------------------------------------------------------------
    [21:10:59.359] [  1] [INFO ] All UPN suffixes match a verified Azure domain.
    [21:11:00.763] [  1] [INFO ] Page transition from "Azure AD sign-in" [UserSignInConfigPageViewModel] to "Configure" [PerformConfigurationPageViewModel]
    [21:11:00.767] [  1] [INFO ] Starting a background thread in Ready to configure. Background Task Id: 11197.
    [21:11:01.771] [ 24] [INFO ] DiscoverAzureEndpoints [AADHealth]: ServiceEndpoint=https://s1.adhybridhealth.azure.com, AdalAuthority=https://login.windows.net/pelegit.co.il, AdalResource=https://management.core.windows.net/.
    [21:11:01.794] [  1] [INFO ] Exchange schema is not detected for forest PelegIT.co.il , so no exchange option displayed.
    [21:11:04.128] [  1] [INFO ] Starting a background thread in Configuring. Background Task Id: 11777.
    [21:11:04.128] [ 21] [INFO ] PerformConfigurationPageViewModel.ExecuteADSyncConfiguration: Preparing to configure sync engine (WizardMode=ExpressInstall).
    [21:11:04.129] [ 21] [INFO ] PerformConfigurationPageViewModel.ExecuteSyncEngineInstallCore: Preparing to install sync engine (WizardMode=ExpressInstall).
    [21:11:04.131] [ 21] [INFO ] Starting Sync Engine installation
    [21:11:06.909] [ 21] [ERROR] PerformConfigurationPageViewModel: Caught exception while installing synchronization service.
    [21:11:06.910] [ 22] [INFO ] Starting Telemetry Send
    Exception Data (Raw): System.Exception: Unable to install the Synchronization Service.  Please see the event log for additional details. ---> System.NullReferenceException: Object reference not set to an instance of an object.
       at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.AccountManagementAdapter.RemoveMembersFromLocalGroup(SecurityIdentifier groupSid, DirectoryEntry[] members)
       at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.SyncServiceAccount.<>c__DisplayClassf.<RemoveFromLocalAdministratorsGroup>b__e()
       at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.Execute(Action action, String description)
       at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.InstallCore(String logFilePath, String logFileSuffix)
       at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.ExecuteWithSetupResultsStatus(SetupAction action, String description, String logFileName, String logFileSuffix)
       at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()
       --- End of inner exception stack trace ---
       at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.ThrowSetupTaskFailureException(String exceptionFormatString, String taskName, Exception innerException)
       at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()
       at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.InstallSyncEngineStage.ExecuteInstallCore(ISyncEngineInstallContext syncEngineInstallContext, ProgressChangedEventHandler progressChangesEventHandler)
       at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.InstallSyncEngineStage.ExecuteInstall(ISyncEngineInstallContext syncEngineInstallContext, ProgressChangedEventHandler progressChangesEventHandler)
       at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.ExecuteSyncEngineInstallCore(AADConnectResult& result)

    This is the password policy in my environment:

    Enforce password history: 24 passwords remembered
    Maximum password age: 90 days
    Minimum password age: 1 day
    Minimum password length: 9 characters
    Password must meet complexity requirements: Enabled
    Store passwords using reversible encryption: Disabled


    Windows IT MVP 2015 /2016 www.PelegIT.co.il Thank you!


    • Edited by Meir Peleg Wednesday, April 12, 2017 6:16 PM
    Wednesday, April 12, 2017 6:15 PM

All replies

  • You can close this case,

    I fixed it by specifying the service account manually.


    Windows IT MVP 2015 /2016 www.PelegIT.co.il Thank you!

    Wednesday, April 12, 2017 6:21 PM
  • We are glad to know that your issue is fixed.  
    Thursday, April 13, 2017 2:45 PM
    Moderator
  • I've the exact same issue but do not understand how you fixed the issue.

    It would seem that you either found a particular service account and changed the password for the account or found a service and changed what account the service used to log in. Am I close?

    LOL - better question: what service or what account did you change?  I cannot see what you see in the logs.

    Wednesday, March 7, 2018 5:49 PM
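
An offline pre-check of a service-account password against the policy posted in the question, as an added example that is not part of the original thread. The account name `svc-aadsync`, its display name and the sample passwords are constructed, and the complexity test is an approximation of the documented Windows rule (three of five character categories, no account name or display-name token of three or more characters).

```python
import re

# Policy values as posted in the question. Password history and age rules
# depend on directory state and cannot be checked offline.
MIN_LENGTH = 9
COMPLEXITY_ENABLED = True

# Delimiters used to split a display name into tokens for the name check.
NAME_DELIMS = r"[,.\-_ #\t]+"


def character_classes(password):
    """Return the complexity categories present in the password."""
    classes = set()
    for ch in password:
        if ch in "0123456789":
            classes.add("digit")
        elif ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isalpha():
            classes.add("other-alphabetic")
        else:
            classes.add("symbol")
    return classes


def policy_violations(password, sam_account_name, display_name=""):
    """List the reasons for rejection; empty means these offline checks pass."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if COMPLEXITY_ENABLED:
        if len(character_classes(password)) < 3:
            problems.append("fewer than 3 character categories")
        lowered = password.lower()
        if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
            problems.append("contains the account name")
        for token in re.split(NAME_DELIMS, display_name):
            if len(token) >= 3 and token.lower() in lowered:
                problems.append("contains display-name token %r" % token)
    return problems


# Constructed sample: hypothetical account name, display name and passwords.
for candidate in ("Summer17", "Svc-AADSync!2017", "T7#kq-Vm2x!Rw"):
    print(candidate, policy_violations(candidate, "svc-aadsync", "AAD Sync Service"))
```

A password that passes here can still be refused by the "Enforce password history" and "Minimum password age" settings, which only the directory can evaluate.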