Registry error when trying to Update AAD connect from 1.1.561.0 to 1.1.750.0

  • Question

  • I tried to update AAD Connect in a customer environment where I don't have domain admin permissions. The wizard started and gave me 4 steps instead of 3. The additional step was connecting to the local directory with admin credentials, which I did with the help of an enterprise admin from the customer team.

    Upon updating, the application stops with the following error:

    [13:11:41.897] [  4] [INFO ] Examining domain abc.local (:0% complete)
    [13:11:41.901] [  4] [INFO ] ValidateForest: using ADC01.abc.local to validate domain abc.local
    [13:11:41.905] [  4] [INFO ] Successfully examined domain abc.local GUID:b3317fa0-eacc-4944-abb3-b4580a9f9c76  DN:DC=intranet,DC=local
    [13:11:41.924] [  4] [INFO ] Page transition from "Connect to AD DS" [ConfigOnPremiseCredentialsPageViewModel] to "Configure" [PerformConfigurationPageViewModel]
    [13:11:41.926] [  4] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Start background task Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.BackgroundInitialize in Page:"Ready to configure"
    [13:11:41.927] [  4] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Started Background Task Id:5868
    [13:11:42.932] [  4] [VERB ] PerformConfigurationPageViewModel:ExecuteAutoUpgradeCheck: context.WizardMode UpgradeFromAADConnect.
    [13:11:42.940] [  4] [ERROR] GetProductName: Unexpected exception occurred. Details System.Security.SecurityException: Requested registry access is not allowed.
       at System.ThrowHelper.ThrowSecurityException(ExceptionResource resource)
       at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)
       at Microsoft.Azure.ActiveDirectory.Client.Framework.RegistryAdapter.RegistryKeyGetSubKeyValue(RegistryKey baseKey, String subKeyName, String valueName, Object defaultValue)
       at Microsoft.Azure.ActiveDirectory.Client.Framework.RegistryAdapter.GetStringValue(RegistryKey baseKey, String subkeyName, String valueName, String defaultValue)
       at Microsoft.Azure.ActiveDirectory.Synchronization.UpgraderCommon.MonitoringAgentProvider.GetMonitoringConfigurationPath()
       at Microsoft.Azure.ActiveDirectory.Synchronization.UpgraderCommon.MonitoringAgentProvider.GetProductName()
    The Zone of the assembly that failed was:
    MyComputer
    Exception Data (Raw): System.Security.SecurityException: Requested registry access is not allowed.
       at System.ThrowHelper.ThrowSecurityException(ExceptionResource resource)
       at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)
       at Microsoft.Azure.ActiveDirectory.Client.Framework.RegistryAdapter.RegistryKeyGetSubKeyValue(RegistryKey baseKey, String subKeyName, String valueName, Object defaultValue)
       at Microsoft.Azure.ActiveDirectory.Client.Framework.RegistryAdapter.GetStringValue(RegistryKey baseKey, String subkeyName, String valueName, String defaultValue)
       at Microsoft.Azure.ActiveDirectory.Synchronization.UpgraderCommon.MonitoringAgentProvider.GetMonitoringConfigurationPath()
       at Microsoft.Azure.ActiveDirectory.Synchronization.UpgraderCommon.MonitoringAgentProvider.GetProductName()
       at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.ExecuteAutoUpgradeCheck()
    The Zone of the assembly that failed was:
    MyComputer
    [13:11:42.954] [ 18] [ERROR] A terminating unhandled exception occurred.
    Exception Data (Raw): System.AggregateException: One or more errors occurred. ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Security.SecurityException: Requested registry access is not allowed.
       at System.ThrowHelper.ThrowSecurityException(ExceptionResource resource)
       at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)
       at Microsoft.Identity.Health.Common.FileUploader.GetHealthAgentInstallPath()
       at Microsoft.Identity.Health.Common.FileUploader..ctor(UploadSourcePolicy agent, Action`1 logLine)
       at Microsoft.Online.Deployment.Types.Utility.AutoUpgradeEligibilityProvider..ctor()
       --- End of inner exception stack trace ---
       at System.RuntimeTypeHandle.CreateInstance(RuntimeType type, Boolean publicOnly, Boolean noCheck, Boolean& canBeCached, RuntimeMethodHandleInternal& ctor, Boolean& bNeedSecurityCheck)
       at System.RuntimeType.CreateInstanceSlow(Boolean publicOnly, Boolean skipCheckThis, Boolean fillCache, StackCrawlMark& stackMark)
       at System.Activator.CreateInstance(Type type, Boolean nonPublic)
       at System.Activator.CreateInstance(Type type)
       at Microsoft.Online.Deployment.Framework.ProviderRegistry.CreateInstance[TProvider]()
       at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.ExecuteAutoUpgradeCheck()
       at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.BackgroundInitialize(Object obj)
       at System.Threading.Tasks.Task.Execute()
       --- End of inner exception stack trace ---
    ---> (Inner Exception #0) System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Security.SecurityException: Requested registry access is not allowed.
       at System.ThrowHelper.ThrowSecurityException(ExceptionResource resource)
       at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)
       at Microsoft.Identity.Health.Common.FileUploader.GetHealthAgentInstallPath()
       at Microsoft.Identity.Health.Common.FileUploader..ctor(UploadSourcePolicy agent, Action`1 logLine)
       at Microsoft.Online.Deployment.Types.Utility.AutoUpgradeEligibilityProvider..ctor()
       --- End of inner exception stack trace ---
       at System.RuntimeTypeHandle.CreateInstance(RuntimeType type, Boolean publicOnly, Boolean noCheck, Boolean& canBeCached, RuntimeMethodHandleInternal& ctor, Boolean& bNeedSecurityCheck)
       at System.RuntimeType.CreateInstanceSlow(Boolean publicOnly, Boolean skipCheckThis, Boolean fillCache, StackCrawlMark& stackMark)
       at System.Activator.CreateInstance(Type type, Boolean nonPublic)
       at System.Activator.CreateInstance(Type type)
       at Microsoft.Online.Deployment.Framework.ProviderRegistry.CreateInstance[TProvider]()
       at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.ExecuteAutoUpgradeCheck()
       at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.BackgroundInitialize(Object obj)
       at System.Threading.Tasks.Task.Execute()<---
    
    [13:11:42.996] [  1] [INFO ] Page transition from "Configure" [PerformConfigurationPageViewModel] to "Error" [ErrorPageViewModel]
    [13:11:48.736] [  1] [INFO ] Opened log file at path C:\ProgramData\AADConnect\trace-20180409-131036.log
    

    Has anybody seen this Registry Error before and can point me in the right direction?

    If it helps, I am local Admin and Sync Admin on the machine, and I was able to manage connection settings like the selected OUs before without any permission errors.

    In the meantime I restored the server to a new vm (without the update) and shut down the defective one.

    Any help would be greatly appreciated.

    Tuesday, April 10, 2018 4:18 AM

All replies

  • With your Local Admin credentials, do you have access to the system registry of the server running AADConnect? If not, I suggest you use the credentials of an admin who has the permissions.

    If you still are not able to run the update, I suggest you post the log entries from the path listed: "C:\ProgramData\AADConnect\trace-20180409-131036.log".

    • Edited by Ajay Kadam Tuesday, April 10, 2018 6:11 AM
    Tuesday, April 10, 2018 5:09 AM
  • Hi Ajay,

    I actually have access to the registry with my account since I am in the local admin group of the server.

    The "code block" I attached before is part of the trace log. Unfortunately, I cannot retry the update because I would need a Domain admin from the customer to enter credentials for the Active Directory connection and I would not want to have them do the same thing again leading to the same error.

    Someone must know which registry key the setup is trying to access. If I know which key or structure it is, I can go ahead and check it and try to set permissions accordingly.

    Regards

    Carsten

    Monday, April 16, 2018 5:39 AM
  • If I know which key or structure it is I can go ahead and check it and try to set permissions accordingly.

    Azure AD Connect utilizes a couple of registry settings.

    The best way to determine which registry key causes the error, and why, is to run Sysinternals Process Monitor alongside the Azure AD Connect Wizard. For this, you will need to ask the customer's domain admin to work together with you a second time, knowing it will fail at least one more time.

    Monday, April 16, 2018 7:13 AM
  • Hi Carsten,

    The registry key to give permission to is:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADHealthAgent\Sync

    Please check this:

    http://beyondthecloud.osb.group/2018/09/29/azure-ad-connect-issue-requested-registry-access-is-not-allowed/

    Saturday, September 29, 2018 6:06 PM
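    Added example (not from the thread, the linked blog post or Microsoft): a PowerShell check that opens the key named in the reply above the same way the wizard's stack trace shows it being opened (RegistryKey.OpenSubKey, read-only), lists the key's ACL, and offers a ReadKey-only grant for the account that runs the wizard. It assumes an elevated PowerShell session on the Azure AD Connect server; $KeyPath is taken from the reply, the function names are this example's own.

    ```powershell
    # Constructed example: diagnose and remediate the SecurityException seen in the trace log.
    $KeyPath = 'HKLM:\SOFTWARE\Microsoft\ADHealthAgent\Sync'   # key named in the reply above

    function Test-RegistryRead {
        param([string]$Path)
        try {
            # Same .NET call the wizard uses (RegistryKey.OpenSubKey), opened read-only.
            $sub = $Path -replace '^HKLM:\\', ''
            $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($sub, $false)
            if ($null -eq $key) { return 'Key does not exist (Health agent not installed?)' }
            $key.Close()
            return 'Readable'
        } catch [System.Security.SecurityException] {
            # This is the exact condition behind "Requested registry access is not allowed".
            return 'Requested registry access is not allowed'
        }
    }

    function Show-RegistryAcl {
        param([string]$Path)
        # Which identities hold which rights; a missing ReadKey for the wizard's account is the usual cause.
        (Get-Acl -Path $Path).Access |
            Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
            Format-Table -AutoSize
    }

    function Grant-RegistryRead {
        param([string]$Path, [string]$Identity)
        # Least privilege: ReadKey only, inherited to subkeys, no FullControl.
        $acl  = Get-Acl -Path $Path
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Identity,
            [System.Security.AccessControl.RegistryRights]::ReadKey,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
        Set-Acl -Path $Path -AclObject $acl
    }

    "Access check for $KeyPath : $(Test-RegistryRead -Path $KeyPath)"
    Show-RegistryAcl -Path $KeyPath
    # Remediation, only when the check above reports the SecurityException, for the
    # account that will run the wizard (here: the logged-on user, an assumption):
    # Grant-RegistryRead -Path $KeyPath -Identity "$env:USERDOMAIN\$env:USERNAME"
    ```

    Run the check before asking the customer's domain admin for a second attempt; if it already reports "Readable" for the account that will run the wizard, the key is not the cause and Process Monitor, as suggested earlier in the thread, is the next step.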