Issues with broken AD Connect Health

Mitchell 1 Reputation point
2020-08-18T08:27:27.513+00:00

I've been trying to get Azure AD Connect Health Sync working for the past couple of days on a Windows Server 2012 R2 VM, and have just had no luck. During Azure AD Connect it tells me that the health check is broken. Okay, fine, I'll do the usual checks.


> Test-AzureADConnectHealthConnectivity -Role Sync

Test-AzureADConnectHealthConnectivity's execution in details are as follows:
Starting Test-AzureADConnectHealthConnectivity ...

Connectivity Test Step 1 of 3: Testing dependent service endpoints begins ...
AAD CDN connectivity is skipped.
Connecting to endpoint https://login.microsoftonline.com
Endpoint validation for https://login.microsoftonline.com is Successful.
Connecting to endpoint https://login.windows.net
Endpoint validation for https://login.windows.net is Successful.
Connecting to endpoint https://policykeyservice.dc.ad.msft.net/clientregistrationmanager.svc
Endpoint validation for https://policykeyservice.dc.ad.msft.net/clientregistrationmanager.svc is Successful.
Connecting to endpoint https://policykeyservice.dc.ad.msft.net/policymanager.svc
Endpoint validation for https://policykeyservice.dc.ad.msft.net/policymanager.svc is Successful.
Connectivity Test Step 1 of 3 - Testing dependent service endpoints completed successfully.

Connectivity Test Step 2 of 3 - Blob data upload procedure begins ...
Unhandled exception occurred: System.Security.Cryptography.CryptographicException: The parameter is incorrect.
   at System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope)
   at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.TestAzureADConnectHealthConnectivity.LoadIdentityInfo()
   at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.TestAzureADConnectHealthConnectivity.TestInsightServiceDataUploadProcedure()
   at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.TestAzureADConnectHealthConnectivity.ProcessRecord()

Okay. So I try uninstalling AAD Connect, wiping the VM, reinstalling 2012 R2 from scratch, Windows Updates, re-installing AAD Connect, and... still broken. Based on some searches, I run the AAD Network tool to see if I have any network issues, and it comes back clean. So what gives?

  • There's nothing else installed on the VM.
  • It's on a private network, but there's no outgoing firewall, no proxy.
  • This is for a Microsoft 365 setup.
  • Version 3.1.71.0 of the Health agent for sync.

2 answers

  1. 2020-08-18T18:23:28.767+00:00

    Please create an Azure support request to better address the present issue.

    --
    Please let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.

    1 person found this answer helpful.

  2. Mitchell 1 Reputation point
    2020-08-18T09:19:08.073+00:00

    And... it somehow? magically? looks to have gotten past that step (I hate it when that happens), but is instead now complaining about this issue:


    2020-08-18 09:09:20.348 AHealthServiceUri (ARM): https://management.azure.com/providers/Microsoft.ADHybridHealthService/
    2020-08-18 09:09:20.348 AdHybridHealthServiceUri: https://s1.adhybridhealth.azure.com/
    Register-AzureADConnectHealthSyncAgent : 2020-08-18 09:09:20.348 [DiscoverAndOverrideEndpoints]:Null/Empty AdalAuthority
    At line:1 char:1
    + Register-AzureADConnectHealthSyncAgent -StagingMode $false -Attribute ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [Register-AzureADConnectHealthSyncAgent], InvalidOperationException
        + FullyQualifiedErrorId : Null/Empty AdalAuthority,Microsoft.Identity.AadConnect.Health.AadSync.Powershell.ConfigurationModule.RegisterAzureAdConnectHealthSyncAgent
    2020-08-18 09:09:20.363 AHealthServiceUri (ARM): https://management.azure.com/providers/Microsoft.ADHybridHealthService/
    2020-08-18 09:09:20.379 AdHybridHealthServiceUri: https://s1.adhybridhealth.azure.com/

    So, still stuck, would love suggestions, since it still considers itself to be in a "Configuration Failed", "Monitoring will not start until configuration is successful."
