Azure AD Connect - Failed to Connect to the Primary AD FS Server

Patrick 26 Reputation points
2020-05-01T19:26:54.237+00:00

Trying to set up Azure AD Connect with my home lab AD FS. I have a WAP set up and can sign into my AD FS server with a domain account from the internet, so I'm sure the WAP and Federation Server are configured properly. The WAP is running on a child domain controller in a VMware VM on one machine; the AD FS server is set up on the root forest domain controller on another machine. Not sure if it's a port forwarding issue. I did run the Diagnostics Analyzer and all it came up with is that the time is not synced between WAP and FS server, which is incorrect. Apologies if this seems vague, but I've done so much I don't know where to start.

Microsoft Entra ID

Accepted answer
  1. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2020-05-07T00:05:46.153+00:00

    If you are seeing issues with time differences, you can run:

    Set-ADFSRelyingPartyTrust -TargetName <trustname> -NotBeforeSkew <time_in_minutes>

    https://learn.microsoft.com/en-us/powershell/module/adfs/set-adfsrelyingpartytrust?view=win10-ps

    Have you checked the troubleshooting guide for this error?

    https://support.microsoft.com/en-us/help/3018485/failed-to-connect-to-active-directory-federation-services-2-0-on-the-l

    PROBLEM

    When you run the Convert-MsolDomainToStandard cmdlet to convert a domain from federated to managed, you receive the following error message:

    Failed to connect to Active Directory Federation Services 2.0 on the local machine.
    Please try running Set-MsolADFSContect before running this command again.

    CAUSE

    This problem occurs if the server on which you're running the Convert-MsolDomainToStandard cmdlet is not running Active Directory Federation Services (AD FS).

    SOLUTION

    Do one of the following, as appropriate for your situation:

    If AD FS is still running, use the Set-MsolADFSContext cmdlet to specify the server on which AD FS is running. For example:

    Set-MsolADFSContext -Computer <ServerName>

    For more information about the Set-MsolADFSContext cmdlet, see Set-MsolADFSContext.

    If AD FS is not running, use the Set-MsolDomainAuthentication cmdlet to change the domain to a managed domain. For example:

    Set-MsolDomainAuthentication -DomainName <DomainName> -Authentication Managed

    For more info about the Set-MsolDomainAuthentication cmdlet, see Set-MsolDomainAuthentication.

    Also, make sure the file and print sharing is open and the VMs can ping each other.

    1 person found this answer helpful.
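As an added diagnostic script (not part of the thread or of any Microsoft tooling), the checks the accepted answer and the Diagnostics Analyzer point at, in one place: clock offset between the VMs, the ports the roles need, and the current skew tolerance on the Azure AD relying party trust. Server names, the trust name and the 5985 (WinRM) port are assumptions for a lab; adjust them to your own.

```powershell
# Added example; assumed lab names (not from the thread). Run from the WAP or Azure AD Connect box.
$FederationServer = 'fs01.corp.example'          # assumption: AD FS on the root-forest DC
$WapServer        = 'wap01.child.corp.example'   # assumption: WAP on the child-domain DC
$TrustName        = 'Microsoft Office 365 Identity Platform'  # assumption: default Azure AD RP trust name

# 1. Clock offset against the federation server. w32tm prints the offset in seconds;
#    tokens are rejected once the skew exceeds the trust's NotBeforeSkew, so fix the clock
#    (w32tm /resync) before widening the skew window, which only hides the symptom.
Write-Host "Time offset of this host relative to $FederationServer (seconds):"
w32tm /stripchart /computer:$FederationServer /samples:3 /dataonly

# 2. Reachability of the ports the roles depend on: 443 for the WAP->FS proxy trust and
#    federation traffic, 5985 for the WinRM session Set-MsolADFSContext opens to the FS.
foreach ($port in 443, 5985) {
    $r = Test-NetConnection -ComputerName $FederationServer -Port $port -WarningAction SilentlyContinue
    '{0}:{1} TCP reachable = {2}' -f $FederationServer, $port, $r.TcpTestSucceeded
}

# 3. Current skew tolerance on the relying party trust (needs AD FS admin rights on the FS).
#    A value of 0 means no tolerance at all; the answer's Set-ADFSRelyingPartyTrust raises it.
Invoke-Command -ComputerName $FederationServer -ScriptBlock {
    Get-AdfsRelyingPartyTrust -Name $using:TrustName |
        Select-Object Name, Enabled, NotBeforeSkew
}

# 4. Basic ICMP/name-resolution check between the two VMs, as the answer suggests.
Test-Connection -ComputerName $WapServer -Count 2 | Select-Object Address, ResponseTime
```

If step 3 fails while step 2 reports 5985 reachable, the problem is usually remoting permissions or a firewall rule on the federation server rather than the WAP, which narrows the "where to start" question in the original post.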

1 additional answer

  1. Patrick 26 Reputation points
    2020-05-07T11:03:57.18+00:00

    Hello Marilee,

    Thank you for your reply, I switched to pass-through authentication and it seems to be working fine. My AD users are able to login to myapps.microsoft.com with domain creds, which is what i was shooting for. i will definitely try your suggestions next time i decide to use ADFS and run into the same problem.

    Regards

    1 person found this answer helpful.