Azure AD unable to validate credentials

Jim Goyette 26 Reputation points
2022-08-29T23:59:37.19+00:00

Performed a successful swing migration from AAD Connect 1.1.647.0 on Windows Server 2008 R2 to AAD Connect 2.1.16.0 on Windows Server 2019 and now am attempting to configure the 2008 R2 install to staging mode.

Cannot connect to Azure AD with global admin credentials even using /interactiveauth switch. Global admin credentials validated by accessing the admin console from another computer. Error returned is: Unable to validate credentials. Verify network connectivity and firewall or proxy settings. The remote server returned an error: (400) Bad Request.

The 2008 R2 system has network and internet connectivity.

How do I resolve this issue or can I just disable AD Connect operations and uninstall? Final objective is to remove the 2008 R2 server from production operation.

Microsoft Entra ID

4 answers

  1. Carlos Solís Salazar 17,971 Reputation points
    2022-08-30T00:55:32.897+00:00

    Hi @Jim Goyette

    Thank you for asking this question on the **Microsoft Q&A Platform**.

    It is not worth the effort to troubleshoot your Azure AD Connect on your Windows Server 2008 R2.

    On August 31, 2022, all 1.x versions of Azure AD Connect will be retired because they include SQL Server 2012 components that will no longer be supported.

    Source: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history

    Hope this helps,
    Carlos Solís Salazar


    Accept Answer and Upvote, if any of the above helped, this thread can help others in the community looking for remediation for similar issues.
    NOTE: To answer you as quickly as possible, please mention me in your reply.



  2. JimmySalian-2011 42,146 Reputation points
    2022-08-30T08:26:11.92+00:00

    Hi Jim,

    I would suggest you take a snapshot of the VM, back up all the files related to AAD Connect, and verify the Bypass Proxy (configuration) if at all possible. If you are unable to bypass the proxy, then you need to ensure that the timeout value is greater than 5 minutes.

    If a proxy is required, then you must add the proxy to the machine.config file.

    Backup everything as below:
    Backup Keys
    Backup Synchronization Rules
    Backup Server Configuration
    Backup SQL Database

    As Carlos suggested, it is not a good idea to have a Windows 2008 server and unsupported system, so uninstall after the backup and decom the server.

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  3. JimmySalian-2011 42,146 Reputation points
    2022-08-30T11:35:59.007+00:00

    Hi Jim,

    Yes, those are the steps. Also make sure the server is definitely set to Staging Server Mode before you carry out the decommission.

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  4. Danny Zollner 10,066 Reputation points Microsoft Employee
    2022-08-30T16:35:33.173+00:00

    If your end goal is to just remove the server, you don't need to worry about switching it to staging mode. I'd recommend stopping the sync scheduler (Set-ADSyncScheduler -SyncCycleEnabled $false) just in case the server ends up back online for some reason, and then you can turn it off and later uninstall AAD Connect, delete the server, etc.

    Setting the server to staging mode before decommissioning it only really serves to protect you from those unexpected situations where the server, thought to be disabled, is later restored, leading to two online and active servers at the same time (with the associated problems that causes). Disabling the scheduler is another way to prevent most of the bad stuff that could happen if the server was restored. Disabling the NIC on the server/VM as you decommission it (if you aren't deleting the VM immediately) is another good safety measure.


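The scheduler step from the last answer, written out as an added example that is not part of the thread or anyone's posted code: it waits for any running sync cycle to finish, disables the scheduler with `Set-ADSyncScheduler`, confirms the change took effect, and leaves a short record of the before/after state. The function name, the wait limit and the record path are assumptions made for this sketch; run it in an elevated PowerShell session on the AAD Connect server being retired.

```powershell
Import-Module ADSync -ErrorAction Stop

function Disable-SyncSchedulerForDecommission {    # hypothetical helper name
    param(
        [int]$WaitSeconds = 600,                   # assumed upper bound for a running cycle
        [string]$RecordPath = "$env:TEMP\adsync-scheduler-state.txt"   # assumed location
    )

    # Capture the state before changing anything, including whether the
    # server is already in staging mode.
    $before = Get-ADSyncScheduler

    # Do not change the scheduler while a cycle is mid-run; wait for it to finish.
    $deadline = (Get-Date).AddSeconds($WaitSeconds)
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) {
            throw "Sync cycle still running after $WaitSeconds seconds; scheduler left unchanged."
        }
        Start-Sleep -Seconds 15
    }

    # The command given in the answer: no further scheduled sync cycles will start.
    Set-ADSyncScheduler -SyncCycleEnabled $false

    # Read the setting back instead of trusting the call.
    $after = Get-ADSyncScheduler
    if ($after.SyncCycleEnabled) {
        throw "SyncCycleEnabled is still True; do not power the server off yet."
    }

    # Keep a record next to the decommission notes, so that anyone who later
    # restores this VM can see the scheduler was deliberately disabled.
    @(
        "Checked: $(Get-Date -Format o) on $env:COMPUTERNAME"
        "Before: SyncCycleEnabled=$($before.SyncCycleEnabled) StagingModeEnabled=$($before.StagingModeEnabled)"
        "After:  SyncCycleEnabled=$($after.SyncCycleEnabled) StagingModeEnabled=$($after.StagingModeEnabled)"
    ) | Set-Content -Path $RecordPath

    return $after
}

Disable-SyncSchedulerForDecommission |
    Select-Object SyncCycleEnabled, StagingModeEnabled, SyncCycleInProgress
```

A server restored from backup or snapshot comes back with whatever scheduler setting it had when the image was taken, so the change only protects images taken after it.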