Azure AD Connect Installation schlägt fehl

[bdel 0]

Hello,

Same trouble on Windows 2012 PDC.

The problems comes when creating the Service "ADSync" with the stupid username.

When using "fast parameters" the security context used to run the ADSync Service is mentioned in the log file : "<Domain Name>\ADSyncMSA_3139f$" and also the binary path.
I tried to create the service manualy (sc create ADSync BinPath= "blablabla.exe") , at first without the username , but it has been deleted when running Azure AD Connect, and a second time with the username : sc create ADSync BinPath= "blabla.exe" obj= "MyDomain\ADSyncMSA_3139f$" and i get the error "File Name or extention too long".
Next attempt : create the service without "obj" parameter (UserName) and then modify the service through the regular interface. Same error.
The problem comes with the stupid UserName used for service who seems to be too long.
May be, because of PDC, the <DomainName> prefixing the UserName is not mandatory and should be not used when using this Agent on the PDC.

[NorbertFe 2.063]

Did you not create the group managed service account by yourself? Always a good idea.

[Radon86 0]

Die Beobachtung mit der Länge des Managed Service Accounts, welcher durch den AD Connect Assistenten angelegt wird, habe ich auch schon gemacht. Den Dienst kann ich aber manuell anlegen, wenn ich den erzeugten Managed Service Account-Name um ein Zeichen verkürze. 

[bdel 0]

Next try on a Server who is just Domain Member (not PDC nor BDC).
Just try to create the service (sc create) with binpath cmd.exe and obj with full username "<MyDomain>\ADSyncMSA_3139f$"

failed (206) : Same error "File Name or extention too long"

[MrCocktail 194]

Und wenn du nicht auf die Webseite kommst, weil TLS 1.2 nicht an ist, dann kannst du es vor dem Reboot auch gleich für die .Net Installation machen, wie auch irgendwo in den Tiefen des AD Connect Supports beschrieben, siehe https://docs.microsoft.com/de-de/azure/active-directory/hybrid/reference-connect-tls-enforcement

 

Das vergessen irgendwie die meisten

[bdel 0]

Next Try: create, as mentioned, a managed service account manually (new-adServiceAccount), who's name not as long as the default one. The service has been created but does not launch because of wrong password. May be wait for the password to be generated.

bearbeitet 30. April 2021 von bdel

[NorbertFe 2.063]

Did you install the manual created account onto this server? Has the server the permission to get the password?

[bdel 0]

I created the account with the "PrincipalAllowToRetrivePassword" with the ComputerName$ of the server on which the service is used

bearbeitet 30. April 2021 von bdel

[NorbertFe 2.063]

Ok so that’s the answer for one question. ;)

did you install it?

1. Install the gMSA on your host by running the following command from the PowerShell command prompt: Install-AdServiceAccount <gMSA>

 

 

[bdel 0]

Of course not, as I'm quite some NewBy these things....

After some other PowerShell Commands, I reached the Install-ADServiceAccount

and stupid Install-ADServiceAccount reply with an access denied, even after restarting server.

[NorbertFe 2.063]

Well without this, it won’t work. So you have to figure out a way to create, install and use a managed service account. I‘m sure there’s a lot of websites with the correct ways to handle this.

[bdel 0]

Sutpid Me.
used wrong parameter -PrincipalAllowedToDelegate instead of RetrievePassword.

 

Going to next steps... Yessss, reached next window in the wizzzzard !

 

Thanks for all !

[NorbertFe 2.063]

Excellent. Good luck

[bdel 0]

vor 1 Minute schrieb NorbertFe:

Excellent. Good luck

Thanks Norbert