Getting error on AD sync configuration.

Question

Hello All,

I m encountering an ADD sync error when attempting to connect my on-premises server to Azure Active Directory (AAD). Could someone please assist me in troubleshooting this issue?

Microsoft.Online.Deployment.PSModule.Tasks.AADSync.ConfigureAADSyncTask`1.ConfigureSyncEngine(TContext context)
   at Microsoft.Online.Deployment.PSModule.Tasks.AADSync.ConfigureAADSyncTask`1.Execute()
   at Microsoft.Online.Deployment.Framework.Workflow.WorkflowTask.ExecuteWrapper()
[09:22:42.439] [ 18] [INFO ] MicrosoftOnlinePersistedStateProvider.Save: saving the persisted state file
[09:22:42.439] [ 18] [INFO ] MicrosoftOnlinePersistedStateProvider.UpdateFileProtection: updating file protection from the persisted state file: C:\ProgramData\AADConnect\PersistedState.xml, isAddProtection: False
[09:22:42.441] [ 18] [INFO ] MicrosoftOnlinePersistedStateProvider.UpdateFileProtection: updating file protection from the persisted state file: C:\ProgramData\AADConnect\PersistedState.xml, isAddProtection: True
[09:22:42.441] [ 18] [INFO ] PerformConfigurationPageViewModel.PerformWorkflowInstallationAndUpdateState: result of installation operations - Failed
[09:22:42.441] [ 18] [ERROR] ExecuteADSyncConfiguration: configuration failed.  Skipping export of synchronization policy.  resultStatus=Failed
[09:22:42.446] [ 18] [ERROR] PerformConfigurationPageViewModel: We encountered a problem and couldn’t complete the integration.
[09:22:42.446] [ 18] [ERROR] PerformConfigurationPageViewModel: An error occurred executing Configure AAD Sync task: An error occurred while sending the request.
[09:24:04.195] [  1] [INFO ] Opened log file at path C:\ProgramData\AADConnect\trace-20240929-085035.log

Thanks.

Answer 1

@Chaitanya

Thank you for posting this in Microsoft Q&A.

Usually, if you are getting an error, you can check below requirements,

• First, make sure you TLS 1.2 on your server is enabled. Microsoft Entra Connect (version 1.1.614.0 and after) by default uses TLS 1.2 for encrypting communication between the sync engine and Microsoft Entra ID. If TLS 1.2 isn't available on the underlying operating system, Microsoft Entra Connect incrementally falls back to older protocols (TLS 1.1 and TLS 1.0). From Microsoft Entra Connect version 2.0 onwards. TLS 1.0 and 1.1 are no longer supported and installation will fail if TLS 1.2 is not enabled. Prior to version 1.1.614.0, Microsoft Entra Connect by default uses TLS 1.0 for encrypting communication between the sync engine and Microsoft Entra ID. To change to TLS 1.2, follow the steps in Enable TLS 1.2 for Microsoft Entra Connect.

Note: Version 2.3.20.0 is a security update. With this update, Microsoft Entra Connect requires TLS 1.2. Ensure that you have TLS 1.2 enabled before updating to this version.

All versions of Windows Server support TLS 1.2. If TLS 1.2 is not enabled on your server you will need to enable this before you can deploy Microsoft Entra Connect V2.0.

For a PowerShell script to check whether TLS 1.2 is enabled, see PowerShell script to check TLS

For more information about TLS 1.2, see Microsoft Security Advisory 2960358. For more information on enabling TLS 1.2, see how to enable TLS 1.2

• You can check if you have any firewall or proxy in your environment to block traffic going to internet. If you're using an outbound proxy for connecting to the internet, the following setting in the C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config file must be added for the installation wizard and Microsoft Entra Connect Sync to be able to connect to the internet and Microsoft Entra ID. This text must be entered at the bottom of the file. In this code, <PROXYADDRESS> represents the actual proxy IP address or host name. <system.net>Copy

        <defaultProxy>
  
          <proxy
  
          usesystemdefault="true"
  
          proxyaddress="http://<PROXYADDRESS>:<PROXYPORT>"
  
          bypassonlocal="true"
  
          />
  
      </defaultProxy>
  
  

</system.net>

  
- If your proxy server requires authentication, the [service account](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/reference-connect-accounts-permissions#adsync-service-account) must be located in the domain. Use the customized settings installation path to specify a [custom service account](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-install-custom#install-required-components). You also need a different change to machine.config. With this change in machine.config, the installation wizard and sync engine respond to authentication requests from the proxy server. In all installation wizard pages, excluding the **Configure** page, the signed-in user's credentials are used. On the **Configure** page at the end of the installation wizard, the context is switched to the [service account](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/reference-connect-accounts-permissions#adsync-service-account) that you created. The machine.config section should look like this: <system.net>Copy

  ```xml
      <defaultProxy enabled="true" useDefaultCredentials="true">

        <proxy

        usesystemdefault="true"

        proxyaddress="http://<PROXYADDRESS>:<PROXYPORT>"

        bypassonlocal="true"

        />

    </defaultProxy>

</system.net>

Let me know if you have any further questions regarding this.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.