Azure AD connect installation fails

    Question

  • Hi,

    I downloaded the latest version from Azure AD Connect and tried to install it on a server with Windows Server 2008 R2 which is a domain controller.

    I'm trying to use a custom installation using a local installed SQL Server 2012 instance and a domain account with Enterprise Administrator permissions.

    The Azure AD Connect installation fails with "Unable to Install the Synchronization Service" and in the log file Synchronization Service_Install-xyz.log I get the error message:

    ....

    MSI (s) (A0:0C) [16:40:53:022]: Executing op: ActionStart(Name=ChangeServiceAccount,,)
    MSI (s) (A0:0C) [16:40:53:022]: Executing op: CustomActionSchedule(Action=ChangeServiceAccount,ActionType=11265,Source=BinaryData,Target=**********,CustomActionData=**********)
    MSI (s) (A0:40) [16:40:53:022]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI807D.tmp, Entrypoint: ChangeServiceAccount
    MSI (s) (A0:0C) [16:40:53:038]: Executing op: ActionStart(Name=RollbackWMI,,)
    MSI (s) (A0:0C) [16:40:53:038]: Executing op: CustomActionSchedule(Action=RollbackWMI,ActionType=3329,Source=BinaryData,Target=DeleteWMI,CustomActionData=C:\Program Files\Microsoft Azure AD Sync\bin\mmswmi-x.mof)
    MSI (s) (A0:0C) [16:40:53:038]: Executing op: ActionStart(Name=SetupWMI,Description=Setup WMI,)
    MSI (s) (A0:0C) [16:40:53:038]: Executing op: CustomActionSchedule(Action=SetupWMI,ActionType=3073,Source=BinaryData,Target=SetupWMI,CustomActionData=C:\Program Files\Microsoft Azure AD Sync\bin\)
    MSI (s) (A0:00) [16:40:53:038]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI808E.tmp, Entrypoint: SetupWMI
    MSI (s) (A0:0C) [16:40:53:100]: Executing op: ActionStart(Name=RollbackProcessMachineDcomPermission,,)
    MSI (s) (A0:0C) [16:40:53:100]: Executing op: CustomActionSchedule(Action=RollbackProcessMachineDcomPermission,ActionType=3329,Source=BinaryData,Target=ProcessMachineDcomPermission,CustomActionData=ADMINS=ADSyncAdmins OPERATORS=ADSyncOperators BROWSE=ADSyncBrowse PASSWORDSET=ADSyncPasswordSet)
    MSI (s) (A0:0C) [16:40:53:100]: Executing op: ActionStart(Name=ProcessMachineDcomPermission,,)
    MSI (s) (A0:0C) [16:40:53:100]: Executing op: CustomActionSchedule(Action=ProcessMachineDcomPermission,ActionType=1025,Source=BinaryData,Target=ProcessMachineDcomPermission,CustomActionData=ADMINS=ADSyncAdmins OPERATORS=ADSyncOperators BROWSE=ADSyncBrowse PASSWORDSET=ADSyncPasswordSet)
    MSI (s) (A0:54) [16:40:53:100]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI80CD.tmp, Entrypoint: ProcessMachineDcomPermission
    CustomAction ProcessMachineDcomPermission returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
    MSI (s) (A0:0C) [16:40:53:163]: User policy value 'DisableRollback' is 0
    MSI (s) (A0:0C) [16:40:53:163]: Machine policy value 'DisableRollback' is 0
    Action ended 16:40:53: InstallExecute. Return value 3.

    ....

    Please help me to get Azure AD Connect successfully installed.

    Regards,

    TAntony



    • Edited by TAntony Friday, April 14, 2017 5:54 PM
    Friday, April 14, 2017 5:42 PM

All replies

  • Hi,

    I added the default value for COM security, but that did not help.

    There is no "all application packages" group for Windows Server 2008 R2.

    I now get the error message:

    MSI (s) (0C:58) [12:06:45:691]: Doing action: ValidateAccount
    Action ended 12:06:45: SetMSSQLSERVERServiceEmpty. Return value 1.
    MSI (s) (0C:B8) [12:06:45:691]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIE322.tmp, Entrypoint: ValidateAccount
    MSI (s) (0C!40) [12:06:45:691]: PROPERTY CHANGE: Adding UpdatedSourcesDialog property. Its value is '1'.
    Action start 12:06:45: ValidateAccount.
    MSI (s) (0C!40) [12:06:48:640]: Product: Microsoft Azure AD Connect synchronization services -- Error 25001.The Microsoft Azure AD Connect synchronization services setup wizard cannot validate the information for service account, password, or domain or local computer. Verify the entered information is correct, and then try again.

    CustomAction ValidateAccount returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
    Action ended 12:06:48: ValidateAccount. Return value 3.
    Action ended 12:06:48: INSTALL. Return value 3.
    MSI (s) (0C:58) [12:06:48:655]: Note: 1: 1708
    MSI (s) (0C:58) [12:06:48:655]: Product: Microsoft Azure AD Connect synchronization services -- Installation operation failed.

    The domain account for the Azure AD Connect account is a member of "Administrators", "ADSyncAdmins", "Users", "Domain Admins", "Domain Users" and "Enterprise Administrators".

    I'm even logged on to the domain controller with the Azure AD Connect domain account and trying to install it with this account.

    What could be the reason for the error 25001?

    Any additional help is very appreciated!

    Regards,

    TAntony


    • Edited by TAntony Tuesday, April 18, 2017 12:13 PM
    Tuesday, April 18, 2017 10:28 AM
  • Hi,

    Does the user account which you are logging on to the DC have Local Admin rights?

    Thanks,

    Chun Yong

    Tuesday, April 18, 2017 10:24 PM
  • Hi,

    Yes it does.

    The account is a member of "Administrators", "ADSyncAdmins", "Users", "Domain Admins", "Domain Users" and "Enterprise Administrators".

    Regards,

    Tantony

    Tuesday, April 18, 2017 10:29 PM
  • Just to confirm, this is build 486?

    Also, does the installing admin have SA rights to the SQL server?

    Tuesday, April 18, 2017 10:40 PM
  • Yes, it is build 486.

    The domain account is a member of the sysadmin role.

    Only Windows authentication is enabled.

    Tuesday, April 18, 2017 10:53 PM
  • Thanks. Can you check if the following regkey properties exist on the DC please:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MachineAccessRestriction
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MachineLaunchRestriction
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultLaunchPermission

    Thanks,

    Chun Yong

    Wednesday, April 19, 2017 12:20 AM
  • Hi,

    All 3 Registry keys exist.

    Regards,

    TAntony

    Wednesday, April 19, 2017 11:15 AM
  • Hi,

    When installing Azure AD Connect, one of the things which the installer does is to configure the DCOM security descriptors. The error stack you provided suggests that the installer is not able to update the DCOM security descriptors. This is very rare. Based on the cases we have seen, the regkey values are either missing or corrupted.

    Can you give the following steps a try please:

    1. Log in to the server
    2. Go into Component Services > Computers > My Computer
    3. Right click and select Properties.
    4. Click on COM Security tab.
    5. Under Access Permissions, select Edit Limits, don't make any change, click OK to close.
    6. Under Launch and Activation Permissions, select Edit Limits, don't make any change, click OK to close.
    7. Under Launch and Activation Permissions, select Edit Defaults, don't make any change, click OK to close.
    8. Then click OK to close My Computer Properties.

    Then try to run the wizard again. If it still doesn't work, we'll need you to open a Support Request so that we can take a closer look at the server itself.

    Thanks,

    Chun Yong


    Thursday, April 20, 2017 6:18 AM
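
The two replies above ask whether the three `Ole` registry values exist and suggest they may be missing or corrupted. The following is an added example, not part of the thread and not Microsoft tooling: a read-only PowerShell check that each value is present, is REG_BINARY, and parses as a security descriptor. It assumes an elevated 64-bit PowerShell session on the server; the function name `Test-DcomDescriptor` is hypothetical.

```powershell
# Added example (read-only). Value names come from the thread; the function
# name Test-DcomDescriptor is hypothetical.
$olePath    = 'HKLM:\SOFTWARE\Microsoft\Ole'
$valueNames = 'MachineAccessRestriction', 'MachineLaunchRestriction', 'DefaultLaunchPermission'

function Test-DcomDescriptor {
    param([string]$Path, [string]$Name)

    $r = New-Object PSObject -Property @{
        Name = $Name; Present = $false; Kind = $null; Parses = $false; Detail = $null
    }
    $key = Get-Item -LiteralPath $Path -ErrorAction Stop
    $raw = $key.GetValue($Name, $null)
    if ($null -eq $raw) { $r.Detail = 'value missing'; return $r }

    $r.Present = $true
    $r.Kind    = $key.GetValueKind($Name)
    if ($r.Kind -ne [Microsoft.Win32.RegistryValueKind]::Binary) {
        $r.Detail = 'expected REG_BINARY'
        return $r
    }
    try {
        # The constructor throws if the bytes are not a well-formed
        # self-relative security descriptor.
        $bytes = [byte[]]$raw
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
        $r.Parses = $true
        # The SDDL form can be compared against a server where setup succeeds.
        $r.Detail = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
    } catch {
        $r.Detail = "corrupt descriptor: $($_.Exception.Message)"
    }
    return $r
}

$valueNames | ForEach-Object { Test-DcomDescriptor -Path $olePath -Name $_ } |
    Select-Object Name, Present, Kind, Parses, Detail | Format-List
```
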
  • Hi,

    I tried this but the installation is still unsuccessful.

    Could you please open a ticket for me?

    Regards,

    TAntony

    Thursday, April 20, 2017 8:03 AM
  • Unfortunately, I can't do this. Depending on whether you are an Office or Azure customer, you will need to use the Office Portal or Azure Portal to open one and provide your contact information so that Support will be able to reach out to you.

    Thanks,

    Chun Yong

    Thursday, April 20, 2017 12:25 PM