Microsoft Azure AD Sync Service not starting - Access is denied

James Carrera 0 Reputation points
2024-11-01T14:47:06.0033333+00:00

I recently reinstalled Azure AD Connect. The install created a new managed service account (ADSyncMSAxxxxx) that is used to start the Microsoft Azure AD Sync service. That service was running correctly for several days and the sync between our on-prem server and our Azure instance was running and working successfully. A couple of days ago I applied some Windows updates to the server running Azure AD Connect and restarted the server, and ever since I have not been able to start the Microsoft Azure AD Sync service, getting an "Error 5: Access is denied" error message. I have made sure the managed service account was added to our GPO and assigned "Allow log on locally", "Log on as a batch job" and "Log on as a service". Not sure what I am missing, but any help would be appreciated.

Microsoft Entra ID

2 answers

  1. akinbade abiola 20,145 Reputation points
    2024-11-03T23:40:42.3966667+00:00

    Error 5 typically has to do with your access. Run as administrator. That should help.

    See:

    https://answers.microsoft.com/en-us/windows/forum/all/how-to-fix-error-5-access-is-denied-in-windows-10/8a4069ea-4b0e-4517-9d7a-62c44b4d6e7d

    You can mark it 'Accept Answer' and 'Upvote' if this helped you

    Regards,

    Abiola


  2. Raja Pothuraju 9,050 Reputation points Microsoft Vendor
    2024-11-18T14:37:21.8133333+00:00

    Hello @James Carrera,

    Thank you for posting your query on Microsoft Q&A.

    The "Error 5: Access is denied" error message will typically occur when AD DS Connector account does not have the permissions that it needs.

    How to configure AD DS Connector Account Permissions

    To configure permissions and tighten the AD DS Connector service account, follow the steps below.

    Navigate to the existing AD DS Connector service account and check whether the permissions were assigned to that account.

    If the permissions were not assigned, follow the steps below to configure and tighten the AD DS Connector service account. First, you need to install Remote Server Administration Tools.

    Run PowerShell as administrator on the Microsoft Entra Connect Server and run the cmdlet below.

    Install-WindowsFeature RSAT-AD-Tools
    

    https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-configure-ad-ds-connector-account#using-the-adsyncconfig-powershell-module

    Load PowerShell module AdSyncConfig.psm1

    Run Windows PowerShell as administrator. Run the Import-Module and specify the path to load the module.

    Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"
    

    Run the Get-Command and specify the module AdSyncConfig. Check that all the cmdlets are included in this module.

    Get-Command -Module AdSyncConfig
    

    Find AD DS Connector service account distinguishedName

    Right-click on the AD DS Connector service account and click Properties. Go to the Attribute Editor tab. Find the attribute distinguishedName in the attributes list. Double-click to open the string and copy the value. You will need it in the next part.

    AD user distinguishedname

    Now follow the document below and run the commands for MS-DS-Consistency-Guid permissions, permissions for Password Hash Synchronization, permissions for Password Writeback, and so on.

    https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-configure-ad-ds-connector-account#configure-ms-ds-consistency-guid-permissions

    Instead of assigning individual permissions, you can temporarily add the AD DS Connector service account to the Domain Admins and Enterprise Admins groups to verify if permissions are the root cause.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.
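A diagnostic script that puts the checks from the question and the answer above together, added here as an example; it is not from the thread or from Microsoft's documentation. It assumes an elevated PowerShell session on the Entra Connect server with RSAT-AD-Tools installed, that the service is registered as ADSync (display name "Microsoft Azure AD Sync"), and placeholder values for the AD DS Connector account name and domain (replace them with what Get-ADSyncADConnectorAccount from the AdSyncConfig module reports). It reads the account the service control manager actually starts the service as, confirms this host can use that managed service account, reads the effective "Log on as a service" assignment from the local security database (relevant because a GPO that defines that right replaces the local list instead of adding to it, so the host-side effective list is what matters, not the GPO alone), and finally lists the ACEs the AD DS Connector account holds on the domain head, which is where the AdSyncConfig Set-ADSync*Permissions cmdlets grant their rights.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Checks the ADSync service logon
# account, the MSA, the effective SeServiceLogonRight, and the AD DS Connector
# account's ACEs on the domain head. Connector name/domain are placeholders.
param(
    [string]$ServiceName            = 'ADSync',             # assumed service name
    [string]$ConnectorAccountName   = 'MSOL_xxxxxxxx',      # placeholder
    [string]$ConnectorAccountDomain = 'corp.example.com'    # placeholder
)
Import-Module ActiveDirectory -ErrorAction Stop

# 1. The account the service control manager will try to start the service as.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
"Service '$($svc.DisplayName)' state=$($svc.State) runs as '$($svc.StartName)'"

# 2. Resolve that account to its AD object and SID. Win32_Service reports an
#    MSA as DOMAIN\name$; Get-ADServiceAccount wants the name without the '$'.
if ($svc.StartName -match '^(LocalSystem|NT AUTHORITY|NT SERVICE)') {
    throw "Service runs as a built-in account, not a domain account: $($svc.StartName)"
}
$sam = ($svc.StartName -split '\\')[-1]
if ($sam.EndsWith('$')) {
    $principal = Get-ADServiceAccount -Identity $sam.TrimEnd('$') -Properties HostComputers
    "MSA enabled=$($principal.Enabled) hosts=$($principal.HostComputers -join ',')"
    # True only if this computer is allowed to retrieve the MSA's password.
    "Test-ADServiceAccount: $(Test-ADServiceAccount -Identity $principal.DistinguishedName)"
} else {
    $principal = Get-ADUser -Identity $sam
}
$principalSid = $principal.SID.Value

# 3. Effective 'Log on as a service' (SeServiceLogonRight) on this host.
#    secedit exports the policy as applied, so a GPO-defined list shows up here.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rightLine = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=' | Select-Object -First 1
Remove-Item $cfg -Force -ErrorAction SilentlyContinue
$grantedSids = @()
if ($rightLine) {
    # Line format: SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...-1105
    $grantedSids = ($rightLine.Line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
}
# The right may be inherited through a group, so test the account's groups too.
$candidateSids = @($principalSid) +
    @(Get-ADPrincipalGroupMembership -Identity $principal.DistinguishedName |
        ForEach-Object { $_.SID.Value })
$hasRight = [bool]($candidateSids | Where-Object { $grantedSids -contains $_ })
"SeServiceLogonRight effective for '$($svc.StartName)': $hasRight"
if (-not $hasRight) { "  Currently granted to: $($grantedSids -join ', ')" }

# 4. ACEs the AD DS Connector account holds on the domain head. This is what
#    Set-ADSyncMsDsConsistencyGuidPermissions and the other Set-ADSync*Permissions
#    cmdlets add; an empty list means none of them have been applied.
$domainDN = (Get-ADDomain -Identity $ConnectorAccountDomain).DistinguishedName
$acl  = Get-Acl -Path "AD:\$domainDN"
$aces = @($acl.Access | Where-Object {
    $_.IdentityReference.Value -like "*\$ConnectorAccountName"
})
"ACEs for $ConnectorAccountName on ${domainDN}: $($aces.Count)"
$aces | Select-Object ActiveDirectoryRights, AccessControlType, InheritanceType,
                      ObjectType, InheritedObjectType | Format-Table -AutoSize
```

Run it once before and once after applying the AdSyncConfig cmdlets (they take -ADConnectorAccountName and -ADConnectorAccountDomain) so the change in the ACE list is visible; Show-ADSyncADObjectPermissions from the same module gives a similar view of a single object's ACL. Step 3 is the one that bears on the "Error 5" at service start: if the service account's SID (or one of its groups) is missing from the exported SeServiceLogonRight list, the service control manager refuses the logon before any connector permission is consulted.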

