Azure AD Connect service fail to start after ASR

AdamTyler-3590 305 Reputation points
2024-04-23T15:35:59.81+00:00

Hello, I've recently added our Azure AD Connect server to Azure Site Recovery. It was fully replicated recently, and I just completed a test failover in an isolated environment. For a few reasons it is not acceptable to allow this failover test version of the VM to reach the public internet or our production environment in any way. So I replicated a Domain Controller using the same method and brought it up within the isolated environment as well. I've tested Domain Controller operation in this DR test environment, the AD database is accessible, SRV records and DNS function.

My issue is when testing AD Connect services just to validate the DR test was successful. The server boots fine and I am able to login, however the "Microsoft Azure AD Sync" service is stuck in the starting state and I am unable to work with the AD Connect software in any way. I can't tell if this is a problem with replication or simply the result of the AD Connect server being prevented from reaching the public internet in an isolated test lab. Any thoughts?

Screenshots to follow...


Microsoft Security | Microsoft Entra | Other

1 answer

Sandeep G-MSFT 20,911 Reputation points Microsoft Employee Moderator
    2024-04-24T14:01:49.76+00:00

    @AdamTyler-3590 Thank you for posting this in Microsoft Q&A.

    As I understand you have deployed a new AD connect server in ASR. Currently this server does not have connection to internet.

    Now when you rebooted the server, AD connect service is not starting. You can check below and confirm if this helps.

    Make group policy changes if necessary so that the ADSync service account can log on locally, as a service, and as a batch job. Because a domain group policy takes precedence over a local group policy, you need to check the settings for both types of group policies.

    1. Select Start, enter gpedit.msc in the search box, and then press Enter to open the Local Group Policy Editor snap-in.
    2. In the console tree, under Computer Configuration, expand Windows Settings > Security Settings > Local Policies, and then select User Rights Assignment.
    3. Verify that the ADSync service account is added for the following policy settings:
      • Allow log on locally
      • Log on as a batch job
      • Log on as a service
    4. For domain group policies, open an administrative command prompt.
    5. Run the following gpresult command, which generates a group policy report:

    gpresult /H gpresult.htm

    6. Open the resulting group policy report (gpresult.htm).
    7. If User Rights Assignment settings are applied through any domain group policy object (GPO), use the Group Policy Management console (gpmc.msc) from a domain controller to take one of the following actions:
      • Remove the following policy settings from the Winning GPO:
        - Allow log on locally
        - Log on as a batch job
        - Log on as a service
      • Update the Winning GPO to include the ADSync service account.
    8. If you made any changes to the local group policy or domain group policy, restart the computer to apply the changes.

    If the above steps don't help, then you will have to open internet ports for the AD Connect server to connect with Azure endpoints on the internet.

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
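A PowerShell check for the User Rights Assignment steps described in the answer above, added here as an example that is not part of the original question or answer. It assumes the ADSync service is present on the host and that the script runs in an elevated PowerShell session; the service account name and SID are read from the machine, not hard-coded.

```powershell
# Added example (not from the original Q&A). Reads the ADSync service account and
# confirms it holds the three user rights the answer lists, using the effective
# local security policy (domain GPO settings are already merged into it).
$svc = Get-CimInstance Win32_Service -Filter "Name='ADSync'"
if (-not $svc) { throw 'ADSync service not found on this host.' }
$account = $svc.StartName   # e.g. NT SERVICE\ADSync or DOMAIN\svc-adsync
try {
    $sid = ([System.Security.Principal.NTAccount]$account).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
} catch {
    # In an isolated DR lab a domain account cannot be resolved if the DC or DNS is
    # unreachable; that alone can leave the service stuck in "Starting".
    throw "Cannot resolve '$account' to a SID; check DC/DNS reachability first. $_"
}

# Export only the User Rights area of the local security policy to a temp file.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content $cfg -ErrorAction Stop
Remove-Item $cfg -ErrorAction SilentlyContinue

$required = [ordered]@{
    SeInteractiveLogonRight = 'Allow log on locally'
    SeBatchLogonRight       = 'Log on as a batch job'
    SeServiceLogonRight     = 'Log on as a service'
}
$report = foreach ($right in $required.Keys) {
    # Exported lines look like: SeServiceLogonRight = *S-1-5-80-...,*S-1-5-19
    $line = $policy | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1] -split ',' |
                   ForEach-Object { $_.Trim().TrimStart('*') }
    }
    [pscustomobject]@{
        Right   = $required[$right]
        Setting = $right
        Granted = ($holders -contains $sid) -or ($holders -contains $account)
        Holders = ($holders -join ', ')
    }
}
$report | Format-Table -AutoSize
# Rights inherited through a group are not detected by this direct SID match; if
# Granted is False, check whether a listed group contains the account.
if ($report.Granted -contains $false) {
    Write-Warning "Rights missing for $account; run 'gpresult /H gpresult.htm' to find the winning GPO."
}
```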
