Re-installing Entra Sync Connect fails due to Microsoft ADSync service getting stuck during the 'Starting' status

Tyler Gervase 0 Reputation points
2025-02-03T08:54:21.71+00:00

Hello,

I am managing a HyperV Host with 2 VMs for an Educational client of mine. We have a DC & a SQL Server VM (for their education software).

I am having issues trying to reinstall Azure AD Sync/Entra Connect Sync onto my DC. Originally my issue stemmed from not being able to run a manual 'refresh directory schema' through Azure AD Sync - so I decided to upgrade to Entra Connect Sync v2.XX

Currently that has not gone well 😅 I am trying to install the tool via the latest Entra Connect Sync download from Microsoft, but when I go through the steps I get as far as the step requiring the Microsoft 'AzureAD' service to run, and it gets stuck on the 'starting' status. I have tried quite a bit of troubleshooting so I'm kind of at my wits' end.

Some steps I've taken are:

  • In-place upgrade: failed
  • Restarting DC: no change
  • Removing AzureAD/Entra & its related programs via Control Panel/PowerShell and re-installing: failed
  • Trying to purge any and all lingering Azure/Entra settings that could be causing issues before re-installing: failed

I have an Event Viewer log I think may be related here:

ADSync Error ID 2005 - 3.2.25.txt

I have attached some logs below from my last 'fresh' install. Any help is appreciated!

Synchronization Service_Install-20250203-142628.log

SyncEngine-20250203-142409.log

ADSyncBootstrap-20250203-142521.log



2 answers

  1. Marti Peig 960 Reputation points Microsoft Employee
    2025-02-03T09:46:08.6933333+00:00

    Hi @Tyler Gervase

    Thanks for reaching out. Please check Resolve Model database corruption in SQLLocalDB and let us know if that resolved your issue.

    As usual, if this answers your question, do click Accept Answer and Yes for "Was this answer helpful?". And, if you have any further queries do let us know.

    Cheers


  2. Kancharla Saiteja 625 Reputation points Microsoft Vendor
    2025-02-04T06:35:54.8+00:00

    Hi @Tyler Gervase ,

    I see @Marti Peig has provided you with the respective document to resolve the error, but I found you have some queries in resolving the issue. I would like to provide you with additional information based on the errors provided. I see there is an error of AADSTS50079: "Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication", which means there is a conditional access policy that is requesting MFA for your AD Sync cloud account. Since the account uses non-interactive authentication, it will not be able to complete the MFA. In this situation, kindly make sure to exclude your cloud service account. You can find the cloud service account of Entra Connect in the audit logs by filtering the logs with Entra Connect.

    Once you find the service account, go to the conditional access policy, click on "WhatIf", check the policies that are getting applied to the account, and exclude it accordingly.

    I have also seen an error about the credentials of the service account. Make sure you follow this document to ensure there are no password issues.
    Here is the official document on troubleshooting the sync service failing to start: https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/user-prov-sync/directory-sync-stop-register

    Here are the permissions that are necessary for the ADSync service account.

    Make group policy changes if necessary, so that the AD Sync service account can log on locally, as a service, and as a batch job. Because a domain group policy takes precedence over a local group policy, you need to check the settings for both types of group policies.

    1. Select Start, enter gpedit.msc in the search box, and then press Enter to open the Local Group Policy Editor snap-in.
    2. In the console tree, under Computer Configuration, expand Windows Settings > Security Settings > Local Policies, and then select User Rights Assignment.
    3. Verify that the ADSync service account is added for the following policy settings:
      • Allow log on locally
      • Log on as a batch job
      • Log on as a service
    4. For domain group policies, open an administrative command prompt.
    5. Run the following gpresult command, which generates a group policy report:

    gpresult /H gpresult.htm

    6. Open the resulting group policy report (gpresult.htm).
    7. If User Rights Assignment settings are applied through any domain group policy object (GPO), use the Group Policy Management console (gpmc.msc) from a domain controller to take one of the following actions:
      • Remove the following policy settings from the Winning GPO:
        • Allow log on locally
        • Log on as a batch job
        • Log on as a service
      • Update the Winning GPO to include the ADSync service account.
    8. If you made any changes to the local group policy or domain group policy, restart the computer to apply the changes.

    If the above steps don't help, then you will have to open the internet ports the AD Connect server needs to connect to the Azure endpoints on the internet.

    If none of the above helps you in resolving the issue, kindly install Azure AD Connect on a new server that is domain joined and running Windows Server 2019 or a later version.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.
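    The user-rights check in the answer above, scripted as an added example (this is not code from the thread, from Microsoft, or from the Entra Connect product): run it from an elevated PowerShell prompt on the Entra Connect server. It reads the logon account of the ADSync service, exports the User Rights Assignment as currently applied on the host with secedit.exe, and reports whether that account holds "Allow log on locally", "Log on as a batch job" and "Log on as a service". The service name 'ADSync', the temporary file names, and the decision to fall back to gpresult when a right is missing are assumptions of the example.

```powershell
# Added example, not code from the thread or from Microsoft: check that the
# ADSync service account holds the three user rights named in the answer.
# Run from an elevated PowerShell prompt on the Entra Connect server.
# Assumed: the service is registered as 'ADSync' and secedit.exe is present.

$serviceName = 'ADSync'

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) { throw "Service '$serviceName' is not installed on this host." }

Write-Host ("Service : {0} ({1})" -f $svc.DisplayName, $svc.Name)
Write-Host ("State   : {0}, start mode {1}" -f $svc.State, $svc.StartMode)
Write-Host ("Account : {0}" -f $svc.StartName)

# secedit lists principals either by name or as *S-1-... SIDs, so resolve the
# logon account to its SID and match on both forms.
$accountName = $svc.StartName
$accountSid  = $null
try {
    $nt = New-Object System.Security.Principal.NTAccount($accountName)
    $accountSid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
} catch {
    Write-Warning "Could not resolve '$accountName' to a SID; matching on name only."
}

# Export the user rights as currently applied on this host (local policy after
# domain GPO processing) into a temporary .inf file and read the
# [Privilege Rights] section. The file name is an assumption of this example.
$cfg = Join-Path $env:TEMP 'adsync-user-rights.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content -Path $cfg
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

# Privilege constants as written by secedit, mapped to the policy names shown
# in the Local Group Policy Editor.
$required = [ordered]@{
    'SeInteractiveLogonRight' = 'Allow log on locally'
    'SeBatchLogonRight'       = 'Log on as a batch job'
    'SeServiceLogonRight'     = 'Log on as a service'
}

$missing = @()
foreach ($constant in $required.Keys) {
    $line = $policy | Where-Object { $_ -match "^\s*$constant\s*=" } | Select-Object -First 1
    $principals = @()
    if ($line) {
        # Right-hand side is a comma-separated list; SIDs carry a leading '*'.
        $principals = ($line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } |
            Where-Object { $_ }
    }
    # This detects a direct grant only. A right inherited through group
    # membership shows the group's SID here, so confirm with the gpresult report.
    $granted = $principals -contains $accountName
    if (-not $granted -and $accountSid) { $granted = $principals -contains $accountSid }

    $status = if ($granted) { 'OK     ' } else { 'MISSING' }
    Write-Host ("{0}  {1,-22} ({2})" -f $status, $required[$constant], $constant)
    if (-not $granted) { $missing += $required[$constant] }
}

if ($missing.Count -gt 0) {
    Write-Warning ("Rights not granted directly to {0}: {1}" -f $accountName, ($missing -join ', '))
    # Same report the answer asks for, so you can see which GPO wins for
    # User Rights Assignment and correct it in gpmc.msc.
    $report = Join-Path $env:TEMP 'gpresult.htm'
    & gpresult.exe /H $report
    Write-Host "Group policy report written to $report"
}
```

    The script reports a right as MISSING when the account is not listed directly; if the right is granted through a group the account belongs to, the group's SID appears in the secedit export instead, which is why the gpresult report is still the authoritative place to see which GPO wins, exactly as the steps above describe.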

