Add untrusted forest in Azure AD Connect fails - The user name or password is incorrect.

    Question

  • Hi there,

    when I try to add an untrusted AD forest to Azure AD Connect I choose the option "create new AD account". I enter the fqdndomain\username and password. Then I get the error: "the provided user is not member of the Enterprise Admins group". Then I add the user to the Enterprise Admins group and try again. Now I get the error "The user name or password is incorrect."

    When I remove the user from the Enterprise Admins group again, I get the error "the provided user is not member of the Enterprise Admins group".

    How can I troubleshoot the login of the user during the "Add Directory" process?

    Update:

    In a trace file in the directory \programdata\aadconnect I found the following error string:

    [ERROR] Caught exception while retrieving forest FQDN

    Exception Data (Raw): System.Security.Authentication.AuthenticationException: The user name or password is incorrect.
     ---> System.Runtime.InteropServices.COMException: The user name or password is incorrect.


    Cheers, Gunter


    • Edited by Gunter D Wednesday, October 4, 2017 8:45 AM
    Wednesday, October 4, 2017 8:29 AM

Answers

  • Solved the issue. When adding a domain that is not trusted, before you click on Add Domain, the FQDN domain name must be pasted into the domain name field, overriding the domain that is already present in the wizard.

    Cheers, Gunter

    Wednesday, October 4, 2017 11:17 AM
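    An added example, not part of the thread or of Azure AD Connect itself: a PowerShell check run from the AD Connect server that reproduces the two things the "Add Directory" wizard verifies for an untrusted forest (retrieving the forest by its FQDN with the supplied credential, then Enterprise Admins membership), so a missing or wrong forest FQDN can be told apart from a genuinely bad password. The forest FQDN and account name are assumed placeholders.

    ```powershell
    # Added example, not from the thread. Reproduces the checks the Azure AD Connect
    # "Add Directory" wizard performs against an untrusted forest: bind to the forest by
    # FQDN with the supplied credential, then confirm Enterprise Admins membership.
    # $ForestFqdn and the account name are assumed placeholders; replace them with your own.
    $ForestFqdn = 'corp.example.test'                  # assumed: the untrusted forest's FQDN
    $cred       = Get-Credential -UserName 'corp.example.test\svc-aadc' -Message 'Forest account (fqdn\username)'
    $user       = $cred.UserName
    $password   = $cred.GetNetworkCredential().Password

    # 1. Bind to the forest by FQDN with explicit credentials. A failure here corresponds to
    #    "[ERROR] Caught exception while retrieving forest FQDN" in the AADConnect trace; it
    #    also fires when the AD Connect server cannot resolve the forest name, so check DNS first.
    try {
        $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
                   [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
                   $ForestFqdn, $user, $password)
        $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
        Write-Host "Reached forest '$($forest.Name)', root domain '$($forest.RootDomain.Name)'"
    } catch {
        throw "Could not retrieve forest '$ForestFqdn' as '$user': $($_.Exception.Message)"
    }

    # 2. Look the account and the Enterprise Admins group up in the global catalog (covers
    #    child domains too) and compare DNs. Nested group membership is not resolved here.
    $gc   = New-Object System.DirectoryServices.DirectoryEntry("GC://$($forest.Name)", $user, $password)
    $sam  = $user.Split('\')[-1]
    $grp  = (New-Object System.DirectoryServices.DirectorySearcher($gc, '(&(objectClass=group)(cn=Enterprise Admins))', @('member'))).FindOne()
    $acct = (New-Object System.DirectoryServices.DirectorySearcher($gc, "(&(objectClass=user)(sAMAccountName=$sam))", @('distinguishedName'))).FindOne()
    if (-not $grp -or -not $acct) { throw "Could not find Enterprise Admins or account '$sam' in the global catalog" }
    $acctDn = $acct.Properties['distinguishedname'][0]
    if ($grp.Properties['member'] -contains $acctDn) {
        Write-Host "'$sam' is a direct member of Enterprise Admins in $($forest.Name)"
    } else {
        Write-Warning "'$sam' is NOT a direct member of Enterprise Admins; the wizard will reject it"
    }
    ```

    If step 1 succeeds and step 2 reports membership, the remaining wizard failure is almost certainly the domain name field still holding the joined domain rather than the untrusted forest's FQDN.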

All replies

  • Check the prerequisites link for Azure AD Connect - https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites

    Accounts

    • An Azure AD Global Administrator account for the Azure AD directory you wish to integrate with. This must be a school or organization account and cannot be a Microsoft account.

    Also refer to the link about Azure AD Connect: Accounts and Permissions 


    Wednesday, October 4, 2017 9:03 AM
    Moderator
  • Hi,

    Thanks for the reply. However, this has nothing to do with the account that is used to connect to Azure AD. I have already connected Azure AD Connect to Azure AD. Now I want to add a new on-premises AD. This is described here: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-topologies

    -> When you have multiple forests, all forests must be reachable by a single Azure AD Connect sync server. You don't have to join the server to a domain. If necessary to reach all forests, you can place the server in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet).

    I am trying to connect to a forest that the AD Connect server is not joined to. From the AD Connect server, I can ping the DC of that forest and I can RDP into that DC. There are no networking limitations between the AD Connect server and a DC in the untrusted forest.

    Any other hints?


    Cheers, Gunter

    Wednesday, October 4, 2017 10:32 AM
  • Good to hear that you got it working. Thank you for updating this forum with the solution.

    Appreciate your time!


    Thursday, October 5, 2017 10:53 AM
    Moderator