
AAD & ADFS Setup Error

Anonymous
2016-02-02T08:55:58+00:00

I am trying to set up ADFS through Azure AD Connect and am running into a problem. They have a forest root domain that only contains admin accounts; all other resources exist in a child domain where AAD & ADFS will be installed.

For the directory connect section I need to specify an account in the forest root domain, which works fine; this account is also a member of Enterprise Admins. I then specify an ADFS service account from the child domain. When running the installation I get the error below. The account referenced is the one I specified for the directory connect.

Microsoft.Online.Deployment.PowerShell.PowerShellInvocationException: An error occurred while executing the 'Install-AdfsFarm' command. The specified user (domain.LOCAL\svcazureldap) is not a member of Domain Admins of the target machine's domain. ---> System.Management.Automation.RemoteException: The specified user (domain.LOCAL\svcazureldap) is not a member of Domain Admins of the target machine's domain.

How do I resolve this so I can install ADFS? I know it's not possible to add this account to Domain Admins in the child domain.

Thanks,

Richard


Locked question. This question was migrated from the Microsoft Support Community.


Answer accepted by question author

Anonymous
2016-02-02T14:02:53+00:00

Just install the AD FS role manually; it's a two-minute job. You can then point the AADConnect wizard to the already installed machine, if you want to finish the rest of the process via the wizard, that is.

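The manual install that the accepted answer suggests, and that the follow-up below confirms worked, written out as an added example. This is not code from the thread; it is a plain Install-AdfsFarm run in which you supply the child-domain Domain Admin yourself instead of letting the Azure AD Connect wizard reuse the forest-root directory account. The federation service name sts.contoso.com, the account names and the display name are placeholders, and the certificate is assumed to already be in the local machine store on both servers.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# on the AD FS server, which is a member of the CHILD domain.
# Placeholders: sts.contoso.com, CHILD\adfsinstaller, CHILD\svc-adfs.

# 1. Install the role only; configuration comes in step 5.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# 2. Install-AdfsFarm -Credential must be a Domain Admin of the domain the
#    AD FS server is joined to (the child domain). This is exactly the check
#    the wizard failed, because it passed the forest-root sync account instead.
$childDomainAdmin = Get-Credential -Message 'Domain Admin in the CHILD domain (e.g. CHILD\adfsinstaller)'
$serviceAccount   = Get-Credential -Message 'AD FS service account (e.g. CHILD\svc-adfs)'

# 3. Pick the newest certificate with a private key whose subject matches the
#    federation service name (placeholder name).
$fsName = 'sts.contoso.com'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$fsName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with private key for $fsName in Cert:\LocalMachine\My" }

# 4. Dry run: reports prerequisite problems (including the Domain Admin check)
#    without changing anything.
Test-AdfsFarmInstallation -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $fsName `
    -ServiceAccountCredential $serviceAccount `
    -Credential $childDomainAdmin

# 5. Create the farm (Windows Internal Database). -OverwriteConfiguration
#    clears a half-finished configuration left behind by the failed wizard run.
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $fsName `
    -FederationServiceDisplayName 'Contoso Sign-In' `
    -ServiceAccountCredential $serviceAccount `
    -Credential $childDomainAdmin `
    -OverwriteConfiguration

# 6. Confirm the farm is up before going back to the wizard.
Get-AdfsProperties | Select-Object HostName, DisplayName

# 7. On the WAP server (DMZ, typically not domain-joined), with the same
#    certificate imported into Cert:\LocalMachine\My there:
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
Install-WebApplicationProxy -FederationServiceName $fsName `
    -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceTrustCredential (Get-Credential -Message 'Local Administrator on the AD FS server')
```

Once step 6 shows the farm, rerun the Azure AD Connect wizard and choose the option to use an existing AD FS farm rather than building a new one. Keep the CHILD\adfsinstaller credential to the install itself; the running service only needs the service account, which is why the install-time Domain Admin should not be the same identity as the long-lived directory-sync account.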

2 additional answers

  1. Anonymous
    2016-02-03T06:49:20+00:00

    I managed to get things running by installing the ADFS role and WAP role manually as suggested, and testing so far has proven successful.

    So I think the main problem was that it requires Domain Admin credentials to run the ADFS configuration. In this situation with a parent/child domain, it would be good if we could specify a Domain Admin account at the ADFS section of Azure AD Connect to override it trying to use the forest root account; not sure if it would be possible to add this feature in a future release of Azure AD Connect.

  2. Anonymous
    2016-02-02T14:36:46+00:00

    Thanks Vasil, that was my plan for tomorrow. It was just in case I was doing anything wrong with the setup.
