Register health agent fails during installation Azure AD Connect

Rob van den Broek 96 Reputation points

As a request from @AmanpreetSingh-MSFT I made a new topic of this problem.

@AmanpreetSingh-MSFT , here is all the information about registering health agent.

I installed Azure AD Connect v1.5.18.0 on a Win 2012 R2 machine. Choose NOT to configure the User Sign-in, because I don’t want this installation to make changes to our ADFS servers. Our ADFS servers are operational, I can’t make changes (if needed) to them now. Choose ObjectGUID as Unique identifying because old servers is also using it. All other options default installation. AAD connect is installed en configured. New sync account is created in Azure AD. One of the msg’s at the and of the installation was: Registration failed for your AAD Connect Health Agent for sync.

Did try to register it: Register-AzureADConnectHealthSyncAgent -AttributeFiltering $false -StagingMode $true. But unfortunately every time it fails.

In Azure Active Directory Connect Health I can see under sync services 2 connected servers. 1 is unhealthy. Msg:

The AAD Connect Health Service is not receiving the latest data from the server(s) listed above. This may be due to connectivity issues or data collection issues on the server itself.

If I have a look at the log files during the register process I see al lot of information. I hope I pick the right lines from this log. First error only when I use the register command.

2020-04-22 12:41:13.367 AHealthServiceUri (ARM):
2020-04-22 12:41:13.367 AdHybridHealthServiceUri:
ERROR: 2020-04-22 12:41:13.367 [DiscoverAndOverrideEndpoints]:Null/Empty AdalAuthority
System.InvalidOperationException: Null/Empty AdalAuthority2020-04-22 12:41:13.399 AHealthServiceUri (ARM):
2020-04-22 12:41:13.399 AdHybridHealthServiceUri:

During installation and registering this error did not exist:

2020-04-22 09:09:52.447 AdHybridHealthServiceUri:
2020-04-22 09:09:52.45 [OverrideEndpoints]:AdalAuthority: HTTPS://LOGIN.WINDOWS.NET/XXXXXXX.ONMICROSOFT.COM

The problem starts here I guess.

2020-04-22 09:09:54.97 Monitoring Agent Registration Attempt start
2020-04-22 09:09:54.971 Tenant Certificate successfully written to location: C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\tenant.cert, byte[] length = 3621 bytes, written file length = 3621 bytes
2020-04-22 09:09:54.971 Start Command: C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\Monitor\Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe sourcePath="C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\tenant.cert" version=""
2020-04-22 09:10:06.14 Monitoring Agent Registration Attempt process exited, ExitCode = 1
2020-04-22 09:10:06.141 Monitoring Agent Registration Attempt end, ExitCode = 1, Result = Fail
2020-04-22 09:10:06.148 Attempt Failed. Exception: System.InvalidOperationException: Failed configuring Monitoring Service using command: C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\Monitor\Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe sourcePath="C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\tenant.cert" version=""
at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.RegisterADHealthAgent.<>c__DisplayClass78_0. <StoreMonitoringServiceCertificateAndConfig>b__0()
at Microsoft.Practices.EnterpriseLibrary.TransientFaultHandling.RetryPolicy.<>c__DisplayClass1.<ExecuteAction>b__0()
at Microsoft.Practices.EnterpriseLibrary.TransientFaultHandling.RetryPolicy.ExecuteActionTResult

This copying of the cert file and registering of the service repeats a couple of times without success. A bit futher you can read.

Agent.Main;Client activation failed:The remote server returned an error: (403) Forbidden.
System.Net.WebException: The remote server returned an error: (403) Forbidden.

And I’m running out of ideas how I must fix this.
If you need more information, I can reregister again and sent you the log.


Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,513 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. AmanpreetSingh-MSFT 56,491 Reputation points

    @Rob van den Broek As per the image that you shared in the other post, Test Connectivity is failing at step 2. For successful installation of health agent, all 3 steps should complete successfully. Test connectivity usually fails if AD Connect server is failing to connect with the required endpoints.

    I would suggest you to check the requirements and connectivity to the required Azure service endpoints mentioned in below document. Make sure any outbound traffic to these endpoints are not being blocked by your corporate firewall:


    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

    0 comments No comments

  2. Rob van den Broek 96 Reputation points


    Thanks for all the information! I still have to many questions to continue without any risk. That’s why I decided to create a test environment to test all the things before I make any changes to the production. I think this is the only way to keep the risk as low as possible. If I have some new question, I will make a new topic.
    I will use this topic to see how I can test. Thanks again!

    0 comments No comments