Azure AD Connect Setup

  • Question


  • Hi,

    We're currently trying to configure the AD Connect tool to sync local AD users to our Azure AD.

    Halfway through the install we're running into the following error when it tries to initialize the Synchronization Service:

    Synchronization Service_Install.log

    MSI (s) (7C!54) [13:11:08:516]: Product: Microsoft Azure AD Connect synchronization services -- Error 25009.The Microsoft Azure AD Connect synchronization services setup wizard cannot configure the specified database. Invalid object name 'mms_management_agent'. A required privilege is not held by the client.

    CustomAction ConfigDB returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)

    trace-xxx.log:

    [11:58:14.067] [ 13] [ERROR] InstallSyncEnginePageViewModel: Error occurred while installing sync engine.
    Exception Data (Raw): System.Exception: Unable to install the Synchronization Service.  Please see the event log for additional details. ---> Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ProcessExecutionFailedException: Exception: Execution failed with errorCode: 1603.



    Setup:

    - Using domain administrator account when installing AD Connect who is in the Administrators group in AD

    - Machine running Windows Server 2008 R2 Standard with SP1

    - Prerequisites already installed as prompted by setup (.NET 4.5.2 and Management Framework)

    - Verified the user has permissions mentioned here:

    https://msdn.microsoft.com/en-us/library/azure/jj151831.aspx?f=255&MSPPError=-2147217396#BKMK_UserPermissionsandRelatedSettings

    Found someone else having a similar issue here but doesn't seem to have a resolution:

    https://community.office365.com/en-us/f/613/t/406971

    I can see the LocalDB\ADSync instance is created in SQL Express but the database seems to get created then rolled back during installation due to the above error.

    Any help on this issue is much appreciated.



    Thanks,

    Rukshan



    Thursday, December 3, 2015 5:49 AM

All replies

  • Hello Rukshan,

    Greetings!

    We are pleased to answer your query. With regard to your query, which installation method have you chosen (Custom installation or Express Settings)? If you are trying with Express Settings, make sure that the account which you are using to authenticate to your local AD has Enterprise Administrator rights.

    Also, are you trying to upgrade from DirSync/AAD Sync, or is this a fresh installation of AAD Connect? I would suggest that you follow the steps mentioned in the article Installation of AAD Connect.

    If you still have the issue, then you may follow the steps mentioned below.

    The issue may be the following: when installing DirSync we could not find any log file, but when we try AADSync this log is created at C:\Windows\temp\AADSync\Synchronization Service_Install.log, and we found this entry: ProcessMachineDcomPermission CustomAction ProcessMachineDcomPermission returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox).

    The steps below might resolve this issue:

    The Setup process is having issues changing the machine DCOM permissions. This usually happens when you install AADSync/DirSync on a DC, or when you have previously installed and uninstalled it several times.

    To troubleshoot this issue, check whether the entries DefaultLaunchPermission, MachineLaunchRestriction and MachineAccessRestriction are missing from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole.

    If they are missing, go to Component Services, click the security tab and just open the security settings. To do this, click Start > Administrative Tools > Component Services. Inside Component Services, expand Component Services > Computers, right-click "My Computer" and click Properties. Go to the COM Security tab and click "Edit Default" for Access Permissions and for "Launch and Activation Permissions". This will open the permission windows and will populate the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole with the missing information.

    After this is done, try to install AAD Connect again.

    Hope this helps!

    Best Regards

    Kamalakar

    _____________________________________________________________________

    If a post answers your question, please click Mark as Answer on that post and Vote as Helpful.



    Thursday, December 3, 2015 7:22 PM
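
    The registry check described in the reply above, as an added example that is not part of the original post: a read-only PowerShell function that reports whether each of the three DCOM values exists under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole and, if so, decodes its binary security descriptor to SDDL so the granted principals can be reviewed. The function name Get-OleSecurityValue is hypothetical, and the script assumes it runs in an elevated PowerShell session on the server where setup fails.

```powershell
# Added example (not from the thread): read-only inspection, nothing is modified.
$olePath  = 'HKLM:\SOFTWARE\Microsoft\Ole'
$oleNames = 'DefaultLaunchPermission',
            'MachineLaunchRestriction',
            'MachineAccessRestriction'

function Get-OleSecurityValue {   # hypothetical helper name
    param(
        [string]   $Path,
        [string[]] $Names
    )

    # Fails loudly if the key itself is absent or unreadable.
    $key = Get-Item -LiteralPath $Path -ErrorAction Stop

    foreach ($name in $Names) {
        $raw    = $key.GetValue($name, $null)
        $result = New-Object PSObject -Property @{
            Name    = $name
            Present = $false
            Bytes   = 0
            Sddl    = $null
        }

        # These values are REG_BINARY self-relative security descriptors.
        if ($raw -is [byte[]] -and $raw.Length -gt 0) {
            $result.Present = $true
            $result.Bytes   = $raw.Length
            try {
                $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($raw, 0)
                $result.Sddl = $sd.GetSddlForm(
                    [System.Security.AccessControl.AccessControlSections]::All)
            } catch {
                # Present but corrupt is a different finding from missing.
                $result.Sddl = "unparseable: $($_.Exception.Message)"
            }
        }
        $result
    }
}

Get-OleSecurityValue -Path $olePath -Names $oleNames |
    Select-Object Name, Present, Bytes, Sddl |
    Format-List
```

    A value reported with Present = False is the condition the reply describes; a value that is present but unparseable points to a damaged descriptor rather than a missing one.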
  • Hi Kamalakar,

    Thanks for your response. We're doing the Custom Installation. However the same issue is present in Express setup also.

    The user account we're using belongs to Enterprise Admin and Domain Admin groups.

    We've also verified the registry keys you mentioned and confirmed that they exist.

    The issue happens when the Synchronization Service install tries to configure the database. The following errors show up in the logs:

    Product: Microsoft Azure AD Connect synchronization services -- Error 25009.The Microsoft Azure AD Connect synchronization services setup wizard cannot configure the specified database. Invalid object name 'mms_management_agent'. A required privilege is not held by the client.

    create database permission denied in database 'master'

    We've also tried installing standalone SQL Express on the server and pointing to that via Custom Setup but got the same error. The user also has been given "sysadmin" role on the SQL Server. I've confirmed that the user has permissions to create a database via SQL Server Management Studio.

    Regards,

    Rukshan

    Wednesday, December 9, 2015 5:41 AM
  • Hello Rukshan,

    We are pleased to answer your query.

    This looks like an issue which needs in-depth troubleshooting as we will need to find out the root cause. As this is beyond the purview of the Forums Support, we would request you to create a Technical Ticket so that our engineers can help you appropriately. Also we would need sensitive information regarding the Subscription and Tenant details which should not be disclosed on the Public Forums.

    Hope this helps!

    Best Regards

    Kamalakar


    Wednesday, December 9, 2015 2:04 PM