
On-premises Azure AD Password Protection - Forest not registered

Scotty dZ 21 Reputation points
Jul 18, 2022, 9:17 PM

Hello there,

I have two forests syncing to the same Tenant.

On-premises Azure AD Password Protection is set up and working for one Forest.

I ran the command: Register-AzureADPasswordProtectionProxy -AccountUpn "user.account@keyman .com" with credentials to attempt to register the second forest.
The command completes successfully - however, the second forest is not registered.

Proxy service is running successfully - and it appears the Azure Heartbeat is working.

However, I have the following error in the DC Agent Admin Log:


The forest has not been registered with Azure. Password policies cannot be downloaded from Azure unless this is corrected.

Resolution steps: an administrator must run the Register-AzureADPasswordProtectionForest cmdlet which is installed as part of the Azure AD Password Protection Proxy software.

Additional information may be available at https://aka.ms/AzureADPasswordProtection


Any help would be much appreciated.

Cheers,
Scotty...


Accepted answer
  1. Givary-MSFT 35,216 Reputation points Microsoft Employee
    Jul 20, 2022, 9:12 AM

    Hi @Scotty dZ Thank you for sharing these details.

    I did a quick repro at my end by setting up another forest and deploying Azure AD Password Protection, and ran into a similar issue to yours; after researching further, I ran the below command to register the 2nd forest:

    Register-AzureADPasswordProtectionForest -AccountUpn 'GlobaladminUPN' -ForestCredential $(Get-Credential)

    Note: Get-Credential will prompt for credentials, please provide domain admin credentials of 2nd forest.

    After running the same, the 2nd forest got registered successfully, and I was able to get the desired results after running the command Test-AzureADPasswordProtectionDCAgentHealth -TestAll on the domain controller (of the 2nd forest).

    Reference: https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-implementing-azure-ad-password-protection-on/ba-p/563342

    Try these steps; if it doesn't help, let me know and we can connect offline and troubleshoot further.
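A way to script the check-then-register sequence from the accepted answer, as an added example that is not part of this thread: run on the proxy server (where Register-AzureADPasswordProtectionForest is installed), it pulls the DC-agent diagnostics from a DC of the forest being onboarded over PowerShell remoting, runs the forest registration only when VerifyForestRegistration reports Failed, and re-checks afterwards. The computer name, the Global Administrator UPN, and remoting access for the forest's domain admin are assumptions.

```powershell
# Added example (not the thread's own commands). Run on the Azure AD Password
# Protection proxy server, where Register-AzureADPasswordProtectionForest lives.
# Assumes PowerShell remoting to the DC is allowed for the forest's domain admin.
param(
    [Parameter(Mandatory)] [string] $GlobalAdminUpn,    # Azure AD Global Administrator UPN (placeholder)
    [Parameter(Mandatory)] [string] $DomainController   # a DC running the DC agent in the forest to register (placeholder)
)

# Registration uses credentials from the forest being onboarded (not the one already
# registered), so prompt once and reuse them for remoting; never hard-code them.
$forestCred = Get-Credential -Message "Domain admin credentials for the forest of $DomainController"

function Get-AgentHealth {
    # Runs the DC-agent diagnostics on the remote DC; each row carries
    # DiagnosticName / Result / AdditionalInfo plus the host it came from.
    param([string] $Computer, [pscredential] $Credential)
    Invoke-Command -ComputerName $Computer -Credential $Credential -ScriptBlock {
        Test-AzureADPasswordProtectionDCAgentHealth -TestAll
    } | Select-Object PSComputerName, DiagnosticName, Result, AdditionalInfo
}

# Proxy diagnostics run locally; tag them with this host so both sets line up.
$proxy = Test-AzureADPasswordProtectionProxyHealth -TestAll |
    Select-Object @{ n = 'PSComputerName'; e = { $env:COMPUTERNAME } }, DiagnosticName, Result, AdditionalInfo
$agent = Get-AgentHealth -Computer $DomainController -Credential $forestCred

$failed = @(@($proxy) + @($agent) | Where-Object Result -ne 'Passed')
if ($failed.Count -gt 0) { $failed | Format-Table -AutoSize }

if ($failed.DiagnosticName -contains 'VerifyForestRegistration') {
    # Registering the proxy does not register the forest: each forest syncing to
    # the tenant must be registered separately, with that forest's credentials.
    Register-AzureADPasswordProtectionForest -AccountUpn $GlobalAdminUpn -ForestCredential $forestCred

    # Re-check only the diagnostic the registration is meant to fix.
    Get-AgentHealth -Computer $DomainController -Credential $forestCred |
        Where-Object DiagnosticName -eq 'VerifyForestRegistration' |
        Format-Table -AutoSize
}
elseif ($failed.Count -eq 0) {
    Write-Host 'Proxy and DC-agent diagnostics all passed.'
}
```

The Register cmdlet prompts for the Azure sign-in interactively, which is why it runs locally on the proxy rather than through the remoting session.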


3 additional answers

  1. Givary-MSFT 35,216 Reputation points Microsoft Employee
    Jul 19, 2022, 5:51 AM

    Hi @Scotty dZ Thank you for reaching out to us. As I understand it, one of your on-premises AD forests is having issues configuring Azure AD Password Protection.

    Based on the error details (The forest has not been registered with Azure. Password policies cannot be downloaded from Azure unless this is corrected.) provided in the query, I wanted to check if you have followed the troubleshooting steps as mentioned in the below article.

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-troubleshoot#:~:text=DC%20agent%20thinks%20the%20forest%20has%20not%20been%20registered

    Let me know if you have any further questions.


  2. Scotty dZ 21 Reputation points
    Jul 19, 2022, 8:05 PM

    Hello there,

    I did run the following:

    PS C:\Windows\system32> Test-AzureADPasswordProtectionProxyHealth -TestAll

    DiagnosticName          Result AdditionalInfo
    --------------          ------ --------------
    VerifyTLSConfiguration  Passed
    VerifyProxyRegistration Passed
    VerifyAzureConnectivity Passed

    PS C:\Windows\system32> Test-AzureADPasswordProtectionDCAgentHealth -VerifyPasswordFilterDll

    DiagnosticName          Result AdditionalInfo
    --------------          ------ --------------
    VerifyPasswordFilterDll Passed

    PS C:\Windows\system32> Test-AzureADPasswordProtectionDCAgentHealth -TestAll

    DiagnosticName             Result AdditionalInfo
    --------------             ------ --------------
    VerifyPasswordFilterDll    Passed
    VerifyForestRegistration   Failed
    VerifyEncryptionDecryption Passed
    VerifyDomainIsUsingDFSR    Passed
    VerifyAzureConnectivity    Failed

    I am also running AD-Connect in the same forest - and that is successfully connecting to Azure.

    PS C:\Windows\system32> Test-AzureADPasswordProtectionProxyHealth -VerifyAzureConnectivity

    DiagnosticName          Result AdditionalInfo
    --------------          ------ --------------
    VerifyAzureConnectivity Passed

    Cheers,
    Scotty


  3. Scotty dZ 21 Reputation points
    Jul 20, 2022, 9:01 PM

    Hello there,

    Sadly this didn't work for me.

    I didn't receive any errors - and running:

    PS C:\Windows\system32> Test-AzureADPasswordProtectionDCAgentHealth -TestAll

    DiagnosticName             Result AdditionalInfo
    --------------             ------ --------------
    VerifyPasswordFilterDll    Passed
    VerifyForestRegistration   Failed
    VerifyEncryptionDecryption Passed
    VerifyDomainIsUsingDFSR    Passed
    VerifyAzureConnectivity    Failed

    PS C:\Windows\system32> Test-AzureADPasswordProtectionDCAgentHealth -VerifyForestRegistration

    DiagnosticName           Result AdditionalInfo
    --------------           ------ --------------
    VerifyForestRegistration Failed

    I still get an error with VerifyAzureConnectivity - and if I check:

    PS C:\Windows\system32> Test-AzureADPasswordProtectionProxyHealth -VerifyAzureConnectivity

    DiagnosticName          Result AdditionalInfo
    --------------          ------ --------------
    VerifyAzureConnectivity Passed

    Cheers,
    Scotty...
