Unable to create synchronization service account for Azure Active Directory. Retrying this operation may resolve issue

kedar giri 81 Reputation points
2021-10-14T12:34:56.55+00:00

Every time I try to run the Azure AD Connect wizard, at the last moment it throws an error: "unable to create synchronization service account for azure active directory. Retrying this operation may resolve issue." What might be the possible solution for this issue? The log looks like below. Help


Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Danny Zollner 10,801 Reputation points Microsoft Employee Moderator
    2021-10-14T18:24:49.397+00:00

    This appears to be the relevant log entry:

    [17:31:22.485] [ 24] [ERROR] GetServiceAccount: the retry time limit for service account authorization has been exceeded.
    Exception Data (Raw): Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.AzureADServiceAccountException: Unable to create the synchronization service account for Azure Active Directory. Retrying this operation may help resolve the issue. ---> Microsoft.Identity.Client.MsalUiRequiredException: AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '00000002-0000-0000-c000-000000000000'.

    The account you are using as the Azure AD admin account when going through the wizard, despite being able to authenticate earlier in the session (apparently), is getting blocked by what appears to be the Azure AD Conditional Access feature. You'll need to make sure that the Azure AD admin account you use is able to authenticate and authorize fully into Azure AD, as it is used to create the AAD Connect AAD service account.

    1 person found this answer helpful.
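An added triage example, not part of the original answer and not Microsoft's tooling: it groups an Azure AD Connect trace log into timestamped entries, keeps the ERROR ones, and extracts any AADSTS code so the sign-in failure described above stands out from unrelated stack traces. The sample lines are constructed from entries quoted on this page; the function name `Get-AadConnectErrorSummary` and the hint table are assumptions.

```powershell
# Constructed sample in the trace-log format shown on this page.
$sampleLog = @'
[17:24:05.338] [ 14] [ERROR] ADPowerShellQueyProvider:SearchAdSyncDirectoryObjects Failed to run the ldap search query.
Exception Details : System.ArgumentOutOfRangeException StartIndex cannot be less than zero.
   at System.String.Substring(Int32 startIndex, Int32 length)
[17:24:05.339] [  4] [INFO ] Page transition from "Connect Directories" to "Azure AD sign-in"
[17:31:22.485] [ 24] [ERROR] GetServiceAccount: the retry time limit for service account authorization has been exceeded.
Exception Data (Raw): Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.AzureADServiceAccountException: Unable to create the synchronization service account for Azure Active Directory. ---> Microsoft.Identity.Client.MsalUiRequiredException: AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '00000002-0000-0000-c000-000000000000'.
'@

function Get-AadConnectErrorSummary {
    [CmdletBinding()]
    param(
        # Raw log lines; blank lines are allowed because trace logs contain them.
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string[]]$Line
    )

    # Entry header: [HH:mm:ss.fff] [ thread] [LEVEL] text
    # The thread brackets are optional because some pasted logs lose them.
    $header = '^\[(?<time>[\d:.]+)\]\s+\[?\s*(?<thread>\d+)\s*\]?\s+' +
              '\[(?<level>[A-Z]+)\s*\]\s*(?<text>.*)$'

    # Hints for sign-in error codes that point at MFA or Conditional Access.
    $hints = @{
        'AADSTS50079' = 'MFA enrollment required for the admin account'
        'AADSTS50076' = 'MFA required for the admin account'
        'AADSTS53003' = 'Sign-in blocked by a Conditional Access policy'
    }

    # Pass 1: attach continuation lines (stack traces) to the entry above them.
    $entries = [System.Collections.Generic.List[object]]::new()
    $current = $null
    foreach ($l in $Line) {
        if ($l -match $header) {
            if ($current) { $entries.Add($current) }
            $current = @{
                Time   = $Matches['time']
                Thread = [int]$Matches['thread']
                Level  = $Matches['level']
                Text   = $Matches['text']
                Body   = $Matches['text']
            }
        }
        elseif ($current) {
            $current.Body += "`n$l"
        }
    }
    if ($current) { $entries.Add($current) }

    # Pass 2: report ERROR entries with any AADSTS code found in their body.
    foreach ($e in $entries) {
        if ($e.Level -ne 'ERROR') { continue }

        $codes = @([regex]::Matches($e.Body, 'AADSTS\d+') |
            ForEach-Object { $_.Value } | Select-Object -Unique)
        $hint = @($codes | ForEach-Object { $hints[$_] } | Where-Object { $_ })

        [pscustomobject]@{
            Time       = $e.Time
            Thread     = $e.Thread
            Message    = $e.Text
            AadStsCode = $codes -join ','
            Hint       = $hint -join '; '
        }
    }
}

# Entries that carry an AADSTS code sort first.
# For a real log, replace the sample with, for example:
#   Get-Content "$env:ProgramData\AADConnect\trace-*.log"
Get-AadConnectErrorSummary -Line ($sampleLog -split "`r?`n") |
    Sort-Object { -not $_.AadStsCode } |
    Format-List
```

An ERROR entry with an empty `AadStsCode`, such as the LDAP search failure in the sample, is not a sign-in failure and can be set aside while checking the admin account's MFA and Conditional Access state.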

1 additional answer

  1. Fabrice Bo 41 Reputation points
    2022-11-14T10:31:45.987+00:00

    Hello,

    Just exclude ******@jiggri.onmicrosoft.com from Conditional Access and it works.

    8 people found this answer helpful.
