Entra - AD Sync - Reinstall fails

Anonymous
2024-01-25T16:19:07.8+00:00

I have a POC / demo space: an AD system on-prem. AD Sync (old version) had a working sync from the on-premise domain, but it stopped syncing... so I figured I would take the time to uninstall and upgrade to Entra. One odd thing is that when I removed the old AD sync it cleaned out the synced AD accounts,

but did NOT clean out the groups.

So I'm not sure if this plays into the workflow where I am running the Entra setup, and now I am getting the error below. Entra Setup Log / Error:

</cd-error></incident></error></error>
   at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSWebService.GetSchemaFromDirectory(Connector connector, Boolean commit)
   at Microsoft.IdentityManagement.PowerShell.Cmdlet.UpdateADSyncConnectorSchemaCmdlet.ProcessRecord()
   --- End of inner exception stack trace ---
   at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
   at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
   at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
   at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
   at Microsoft.Online.Deployment.PowerShell.LocalPowerShell.Invoke()
   at Microsoft.Online.Deployment.PowerShell.PowerShellAdapter.TypeDependencies.InvokePowerShell(IPowerShell powerShell)
   at Microsoft.Online.Deployment.PowerShell.PowerShellAdapter.InvokePowerShellCommand(String commandName, InitialSessionState initialSessionState, IDictionary`2 commandParameters, Boolean isScript)
   at Microsoft.Azure.ActiveDirectory.Synchronization.PowerShellConfigAdapter.ConnectorConfigAdapter.UpdateConnectorSchema(Connector connector)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Config.ConnectorAdapterBase.UpdateConnectorSchema()
   at Microsoft.Online.Deployment.Types.Providers.SyncDataProvider.UpdateConnectorSchema(ConnectorAdapterBase connectorAdapter)
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.ConfigSyncDirectoriesPageViewModel.CreateADDSConnector(IDirectoryConnection directory)
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.ConfigSyncDirectoriesPageViewModel.CreateConnectors(Object obj)
[10:56:43.124] [122] [INFO ] Page transition from "Connect Directories" [ConfigSyncDirectoriesPageViewModel] to "Azure AD sign-in" [UserSignInConfigPageViewModel]
[10:56:43.124] [122] [ERROR] RootWizardPageViewModel: An unhandled exception occurred during a page load. Exception Data (Raw): System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: index
   at System.ThrowHelper.ThrowArgumentOutOfRangeException(ExceptionArgument argument, ExceptionResource resource)
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.UserSignInConfigPageViewModel.OnLoad(NavigateDirection direction)
   at Microsoft.Online.Deployment.Framework.UI.WizardPages.RootWizardPageViewModel.ActivatePage(IWizardPage page, NavigateDirection direction)
[10:56:43.124] [124] [ERROR] A terminating unhandled exception occurred. Exception Data (Raw): System.AggregateException: One or more errors occurred. ---> System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: index
   at System.ThrowHelper.ThrowArgumentOutOfRangeException(ExceptionArgument argument, ExceptionResource resource)
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.UserSignInConfigPageViewModel.OnLoad(NavigateDirection direction)
   at Microsoft.Online.Deployment.Framework.UI.WizardPages.RootWizardPageViewModel.ActivatePage(IWizardPage page, NavigateDirection direction)
   at Microsoft.Online.Deployment.Framework.UI.WizardPages.RootWizardPageViewModel.MoveNext()
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.ConfigSyncDirectoriesPageViewModel.WaitForTaskCompletion(Task task)
   at System.Threading.Tasks.Task.Execute()
   --- End of inner exception stack trace ---
---> (Inner Exception #0) System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: index
   at System.ThrowHelper.ThrowArgumentOutOfRangeException(ExceptionArgument argument, ExceptionResource resource)
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.UserSignInConfigPageViewModel.OnLoad(NavigateDirection direction)
   at Microsoft.Online.Deployment.Framework.UI.WizardPages.RootWizardPageViewModel.ActivatePage(IWizardPage page, NavigateDirection direction)
   at Microsoft.Online.Deployment.Framework.UI.WizardPages.RootWizardPageViewModel.MoveNext()
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.ConfigSyncDirectoriesPageViewModel.WaitForTaskCompletion(Task task)
   at System.Threading.Tasks.Task.Execute()<---
[10:56:43.202] [  1] [INFO ] Page transition from "Azure AD sign-in" [UserSignInConfigPageViewModel] to "Error" [ErrorPageViewModel]
[10:56:43.202] [  1] [INFO ] UserSignInConfigPageViewModel : UPN attribute:
[10:57:52.515] [  1] [INFO ] Opened log file at path C:\ProgramData\AADConnect\trace-20240125-092940.log

I found various postings about the AD account having "non normal characters" (https://learn.microsoft.com/en-us/answers/questions/22648/azure-ad-connect-after-uninstall-cannot-configure), but I don't think that is the case:

PS C:\Users\administrator> Get-ADUser -Identity adsync -Properties * | findstr UserPrincipalName
UserPrincipalName                    : adsync@lab.local
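An added example, not code from the original question, that turns the "non normal characters" check above into a repeatable test over every synced account. The allowed character set for the part before the @ (A-Z, a-z, 0-9 and ' . - _ ! # ^ ~, no spaces, no leading or trailing period) and the length limits (64 characters before the @, 48 after, 113 in total) are Microsoft's published rules for accounts synchronized to Entra ID. `Test-SyncUpn`, the sample UPNs and the `contoso.com` verified suffix are constructed for the example; `adsync@lab.local` is the account from the question.

```powershell
# Added example (not from the original post): validate on-premises UPNs against
# the character and length rules Entra directory synchronization enforces, and
# flag suffixes the tenant has not verified (sync still works, but the cloud UPN
# is rewritten to the tenant's default onmicrosoft.com suffix).

function Test-SyncUpn {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$UserPrincipalName,

        # Suffixes verified in the tenant; assumption for the example.
        [string[]]$VerifiedSuffixes = @()
    )
    process {
        $problems = [System.Collections.Generic.List[string]]::new()

        if ([string]::IsNullOrWhiteSpace($UserPrincipalName)) {
            $problems.Add('empty UPN')
        }
        elseif ($UserPrincipalName -notmatch '^([^@]+)@([^@]+)$') {
            $problems.Add('must contain exactly one @')
        }
        else {
            $local  = $Matches[1]
            $suffix = $Matches[2]

            # Allowed local-part characters: letters, digits, ' . - _ ! # ^ ~
            if ($local -notmatch '^[A-Za-z0-9''.\-_!#^~]+$') {
                $problems.Add('local part has characters outside the allowed set (or a space)')
            }
            if ($local.StartsWith('.') -or $local.EndsWith('.')) {
                $problems.Add('local part may not start or end with a period')
            }
            if ($local.Length -gt 64)  { $problems.Add('local part longer than 64 characters') }
            if ($suffix.Length -gt 48) { $problems.Add('suffix longer than 48 characters') }
            if ($UserPrincipalName.Length -gt 113) { $problems.Add('UPN longer than 113 characters') }

            if ($suffix -notmatch '^[A-Za-z0-9.\-]+$' -or $suffix -notmatch '\.') {
                $problems.Add('suffix is not a valid DNS name')
            }
            elseif ($VerifiedSuffixes -and ($suffix -notin $VerifiedSuffixes)) {
                $problems.Add("suffix '$suffix' is not verified in the tenant; cloud UPN will be rewritten")
            }
        }

        [pscustomobject]@{
            UserPrincipalName = $UserPrincipalName
            IsValid           = ($problems.Count -eq 0)
            Problems          = ($problems -join '; ')
        }
    }
}

# Constructed sample input; the first entry is the account from the question.
$sample = @(
    'adsync@lab.local',
    'jane doe@lab.local',      # space in local part
    '.svc@lab.local',          # leading period
    'ops+sync@lab.local',      # '+' is not in the allowed set
    'admin@contoso.com'
)
$sample | Test-SyncUpn -VerifiedSuffixes 'contoso.com' | Format-Table -AutoSize

# Against the real domain (needs the ActiveDirectory RSAT module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties userPrincipalName |
#     ForEach-Object { $_.userPrincipalName } |
#     Test-SyncUpn -VerifiedSuffixes 'contoso.com' |
#     Where-Object { -not $_.IsValid }
```

With the sample input only `admin@contoso.com` comes back valid; `adsync@lab.local` passes the character rules and is flagged only because `lab.local` is not in the verified-suffix list, which matches the question's own conclusion that odd characters are not the cause here.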

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Microsoft Security | Microsoft Entra | Microsoft Entra ID

3 answers

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2024-01-27T00:33:23.3+00:00

    @adsyc ,

    Based on the information provided and the error message, this looks like it is potentially an authentication issue. I would recommend checking the Global Admin account that you are using and confirming whether it has MFA enabled or is in a federated domain. If you check the sign-in logs you can verify if the cloud connector account is having any restrictions logging on. One way to validate would be to create a new Enterprise Admin for the domain and run the configuration in the wizard with that account.

    You would also need to check the Event Viewer logs on the server to see the more detailed error message.


  2. Anonymous
    2024-01-30T15:54:14.8633333+00:00

    Thanks for the response. I created a user "adsync@mydomain.local" where I did try to follow best practices and have a limited account (it created these groups). But later, as you noted, I just added it to, and set as its primary group, "Enterprise Admins".
    I am trying to do this via PowerShell so I can get better debugging and logs. As for the logs in Event Viewer:

    Nothing to really go off of. Nothing in the system logs either. The only thing I have to go off is the client error during connect.

    PS: Can we get the team to NOT dump logs to UI interfaces where text cannot be copied or selected? I will try to figure out az / PowerShell means to debug and post more as I get it.

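The wizard's error page is not the only copy of the error: the trace quoted in the question ends with the line "Opened log file at path C:\ProgramData\AADConnect\trace-20240125-092940.log", so the same stack traces are on disk. The following is an added example, not code from the thread, that reads such a trace and pulls out the ERROR entries with their exception types and the first Microsoft frame, so they can be searched and pasted. The `[time] [thread] [LEVEL] message` header format and the `C:\ProgramData\AADConnect\trace-*.log` path pattern are taken from the quoted log; `Get-WizardTraceError` and the sample lines are constructed for the example.

```powershell
# Added example (not from the thread): extract ERROR entries from an Entra
# Connect wizard trace log. Entries start with "[HH:mm:ss.fff] [thread] [LEVEL]";
# stack frames and XML fragments on following lines belong to the entry above.

function Get-WizardTraceError {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Line,                       # log lines, e.g. from Get-Content
        [string[]]$Level = @('ERROR')          # levels to report
    )
    begin {
        $header  = '^\[(?<time>\d{2}:\d{2}:\d{2}\.\d{3})\]\s+\[\s*(?<thread>\d+)\]\s+\[(?<level>[A-Z]+)\s*\]\s*(?<msg>.*)$'
        $current = $null
        $entries = [System.Collections.Generic.List[object]]::new()
    }
    process {
        foreach ($l in $Line) {
            if ($l -match $header) {
                $current = [pscustomobject]@{
                    Time    = $Matches.time
                    Thread  = [int]$Matches.thread
                    Level   = $Matches.level
                    Message = $Matches.msg
                    Detail  = [System.Collections.Generic.List[string]]::new()
                }
                $entries.Add($current)
            }
            elseif ($null -ne $current -and $l.Trim()) {
                $current.Detail.Add($l.Trim())     # continuation line
            }
        }
    }
    end {
        foreach ($e in $entries) {
            if ($e.Level -notin $Level) { continue }
            $text = $e.Message + "`n" + ($e.Detail -join "`n")

            # Every .NET exception type named in the entry (outer -> inner), and
            # the first frame in Microsoft code, which is usually the wizard page
            # or cmdlet that actually failed.
            $exceptions = [regex]::Matches($text, 'System\.[A-Za-z.]+Exception') |
                ForEach-Object { $_.Value } | Select-Object -Unique
            $origin = if ($text -match '\bat (Microsoft\.[^\s(]+\([^)]*\))') { $Matches[1] } else { $null }

            [pscustomobject]@{
                Time       = $e.Time
                Thread     = $e.Thread
                Level      = $e.Level
                Exceptions = ($exceptions -join ' -> ')
                Origin     = $origin
                Message    = $e.Message
                Trace      = ($e.Detail -join "`n")
            }
        }
    }
}

# Constructed sample, modelled on the log quoted in the question.
$sample = @'
[10:56:43.124] [122] [INFO ] Page transition from "Connect Directories" [ConfigSyncDirectoriesPageViewModel] to "Azure AD sign-in" [UserSignInConfigPageViewModel]
[10:56:43.124] [122] [ERROR] RootWizardPageViewModel: An unhandled exception occurred during a page load. Exception Data (Raw): System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: index
   at System.ThrowHelper.ThrowArgumentOutOfRangeException(ExceptionArgument argument, ExceptionResource resource)
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.UserSignInConfigPageViewModel.OnLoad(NavigateDirection direction)
   at Microsoft.Online.Deployment.Framework.UI.WizardPages.RootWizardPageViewModel.ActivatePage(IWizardPage page, NavigateDirection direction)
[10:56:43.202] [  1] [INFO ] Page transition from "Azure AD sign-in" [UserSignInConfigPageViewModel] to "Error" [ErrorPageViewModel]
[10:56:43.202] [  1] [INFO ] UserSignInConfigPageViewModel : UPN attribute:
'@ -split "`r?`n"

$sample | Get-WizardTraceError | Format-List Time, Thread, Exceptions, Origin, Message

# Against the real log (newest wizard trace; run in an elevated session):
# Get-ChildItem 'C:\ProgramData\AADConnect\trace-*.log' |
#     Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
#     Get-Content | Get-WizardTraceError | Format-List
```

On the sample the single ERROR entry reports `System.ArgumentOutOfRangeException` with `UserSignInConfigPageViewModel.OnLoad(NavigateDirection direction)` as the origin, the same page the question's trace shows failing on the transition to "Azure AD sign-in".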

  3. Anonymous
    2024-01-30T16:54:17.0233333+00:00

    I think I figured out the issue. Azure Entra is trying to auth to Azure on the first wizard screen. My old domain for the intranet is "penguinpages.local", but part of AZ sync v1 was to enable "penguinpages.net" as a zone enabled for accounts.

    This then confuses the wizard into trying to auth locally. So I needed to get my "onmicrosoft.com" username and use that instead.

    The clue was in the example in Entra that the account was "******@domain.onmicrosoft.com".
    Now the wizard is done...

    Sync is back working.
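The two answers above point at the same pre-flight check: which of the tenant's domains are federated (answer 1), whether the account used on the wizard's sign-in page has recent failed sign-ins (answer 1), and what the initial onmicrosoft.com domain is that ends up working (answer 3). The following is an added example, not code from the thread, that runs those checks with the Microsoft.Graph PowerShell module. The module, the two read scopes, and the `admin@penguinpages.net` placeholder (built from the domain named in the answer) are assumptions; `Get-WizardSignInAccountCheck` is constructed for the example. Reading sign-in logs through Graph requires an Entra ID P1/P2 license in the tenant.

```powershell
# Added example (not from the thread). Pre-flight check for the account used on
# the wizard's Entra sign-in page: is its UPN suffix known to the tenant, is that
# domain federated, what is the initial *.onmicrosoft.com domain, and has the
# account failed to sign in recently. Assumes: Install-Module Microsoft.Graph,
# and an account that can consent to the scopes below.

function Get-WizardSignInAccountCheck {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$AdminUpn,
        [int]$SignInSample = 50            # how many recent sign-ins to inspect
    )

    $localPart, $suffix = $AdminUpn.Split('@', 2)
    $domains = Get-MgDomain -All

    $initial   = $domains | Where-Object { $_.IsInitial } | Select-Object -First 1
    $match     = $domains | Where-Object { $_.Id -eq $suffix }
    $federated = $domains | Where-Object { $_.AuthenticationType -eq 'Federated' } | ForEach-Object { $_.Id }

    # Recent sign-ins for this UPN; Status.ErrorCode 0 is success, anything else
    # (MFA, Conditional Access, federation) shows up as a failure with a reason.
    $failed = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$AdminUpn'" -Top $SignInSample |
        Where-Object { $_.Status.ErrorCode -ne 0 } |
        Select-Object CreatedDateTime, AppDisplayName, ConditionalAccessStatus,
            @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } },
            @{ n = 'Reason';    e = { $_.Status.FailureReason } }

    [pscustomobject]@{
        AdminUpn             = $AdminUpn
        SuffixKnownToTenant  = [bool]$match
        SuffixVerified       = [bool]($match -and $match.IsVerified)
        SuffixAuthentication = $(if ($match) { $match.AuthenticationType } else { 'n/a' })
        FederatedDomains     = ($federated -join ', ')
        InitialDomain        = $initial.Id
        # The cloud-only identity to use on the wizard sign-in page instead.
        CloudOnlyAlternative = $(if ($initial) { '{0}@{1}' -f $localPart, $initial.Id } else { $null })
        RecentFailedSignIns  = @($failed)
    }
}

Connect-MgGraph -Scopes 'Domain.Read.All', 'AuditLog.Read.All', 'Directory.Read.All'
$check = Get-WizardSignInAccountCheck -AdminUpn 'admin@penguinpages.net'   # placeholder UPN
$check | Format-List AdminUpn, SuffixKnownToTenant, SuffixVerified, SuffixAuthentication,
    FederatedDomains, InitialDomain, CloudOnlyAlternative
$check.RecentFailedSignIns | Format-Table -AutoSize
```

If `SuffixAuthentication` comes back `Federated`, or the failed sign-ins show a Conditional Access or MFA error code, the `CloudOnlyAlternative` value is the onmicrosoft.com identity the last answer switched to; a cloud-only account on that suffix is also a reasonable break-glass identity to keep for this wizard regardless of how the custom domains are configured.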

