Azure ADConnect Troubleshooting: Reinstalling Health for Sync
Scenario
The troubleshooting of "Azure ADConnect Health Agent for Sync” with Proxy connectivity issue: Customer un-installed the “Azure ADConnect Health Agent for Sync” for test purpose. He can not install that component alone back.
Challenge:
- We have separate install for Health agent for AD FS and AD DS. But not for health agent . it incorporated inside ADConnect setup
- Repair AD Connect software and reboot of the box not bringing back the uninstalled Health Agent for Sync
- We cannot remove completely AD Connect – because we have several custom rules and they have custom install , sync with employee id not with Object GUID from AD
- Customer has a Proxy (Ion port) , which was blocking the certificate retrieval thing from client (policykeyservice.dc.ad.msft.net:443) , so client cert auth broken
- we can prove simple test by connecting to https://policykeyservice.dc.ad.msft.net. you will see it prompt for certificate from our end. Customer end it directly goes to 401 unauthorized. since proxy blocks it.
What we found:
complete uninstall AD Connect and Re-install helps. Which is not an option for customer.
Resolution:
Searched further on the registry “Software” able to find the setup path
we are able to locate the path now
C:\program files\Microsoft Azure Active Directory Connect\SetupFilesv
Click on "ADConnectHealthAadSyncSetup.exe . we are good to go (refer the screen shot)
Now configuration part of AD Health for Sync failed, because though we enable certificate retrieval at Ion port proxy to allow client cert, Health agent for sync missing proxy agent information.
Set-AzureAdConnectHealthProxySettings -ImportFromWinHttp. it grabbed those and the darned thing now successfully gets set up.
PS C:\Program Files\Microsoft Azure Active Directory Connect\SetupFiles> Register-AzureADConnectHealthSyncAgent
2016-08-19 19:49:52.727 ProductName: Microsoft Azure AD Connect Health agent for sync, FileVersion: 2.6.107.0, Current UTC Time: 2016-08-19 19:49:52Z
2016-08-19 19:49:52.727 AHealthServiceUri (ARM): https://management.azure.com/providers/Microsoft.ADHybridHealthService/
2016-08-19 19:49:52.727 AdHybridHealthServiceUri: https://s1.adhybridhealth.azure.com/
2016-08-19 19:49:54.323 AHealthServiceApiVersion: 2014-01-01 v2016-08-19 19:50:27.099 Detecting AadSyncService roles...
2016-08-19 19:50:27.85 Detected the following role(s) for XYZ.onmicrosoft.com:
2016-08-19 19:50:27.85 Microsoft Azure Active Directory Sync Services
2016-08-19 19:50:28.884 Aquiring Monitoring Service certificate using tenant.cert
2016-08-19 19:50:30.061 Successfully aquired and stored Monitoring Service certificate: Subject=CN=MyServer1, CN=eef95730-77bf-4663-a55d-1ddff9335b5b, OU=Microsoft ADFS Agent, Issuer=CN=Microsoft PolicyKeyService Certificate Authority, Thumbprint=087974E20A6A049F0A45BC8EFFEF5EBC67191281
2016-08-19 19:50:30.077 Fetched and stored agent credentials successfully...
2016-08-19 19:50:31.233 Started agent services successfully...
Test-AzureADConnectHealthConnectivity completed successfully...
2016-08-19 19:50:37.528 Agent registration completed successfully.
Detailed log file created in temporary directory:
C:\Users\azureappidprd\AppData\Local\Temp\2\AdHealthAadSyncAgentConfiguration.2016-08-19_14-49-52.log
Also if you register multiple time or upgrade ADConnect , you will see each time new cert generated.
most latest one will be in use. Expired and old certs are not removed by ADConnect.
Admin can clean them manually for now or ignore it unless if it any other concern.