How to troubleshoot Azure Active Directory Sync tool installation and Configuration Wizard errors

Applies to: Azure Active DirectoryMicrosoft IntuneAzure Backup More

INTRODUCTION

This article describes how to troubleshoot Microsoft Azure Active Directory Sync tool installation and Azure Active Directory Sync tool Configuration Wizard error messages. It discusses general troubleshooting procedures, lists error messages that may occur when you install or set up the Directory Sync tool, and contains information about how to resolve the issue.

PROCEDURE

General troubleshooting for Directory Sync tool installation and for Configuration Wizard issues

System requirements

The Azure Active Directory Sync tool can be installed on a computer if all the following conditions are true:

Windows PowerShell 1.0 is installed on the computer.
You are logged on to the computer as a member of the local Administrators group.
The computer has a 64-bit processor.
The computer is running one of the following operating systems:
- Windows Server 2003 x64 with Service Pack 2 (SP2) or a later version
- An x64-based version of Windows Server 2008
The computer isn't a domain controller.
The computer is joined to an Active Directory domain and is located in the forest that you want to sync with Azure Active Directory (Azure AD).
The Microsoft .NET Framework 3.5 or a later version is installed on the computer.

Permissions

To start the Directory Sync tool Configuration Wizard successfully, users who log on to the computer on which the Directory Sync tool is installed must be a member of the local Microsoft Identity Integration Server (MIIS) Admins group that was added during installation of the tool.

When you run the Directory Sync tool Configuration Wizard, you must provide the following information:

Enterprise admin credentials for the on-premises Active Directory schema
Global admin credentials for the Microsoft cloud service

How to troubleshoot the "The computer must be joined to a domain" error message

To troubleshoot this error message, check the domain membership of the computer. To do this, follow these steps:

Log on to the computer.
Right-click My Computer, and then click Properties.
Click the Computer Name tab. If the computer is a domain member, the Full Computer Name resembles ComputerName>.<Domain>.<xxx>. The domain name appears next to Domain.

If the computer is a domain member and you still receive the error message, you should verify that the computer can communicate with the domain and can discover the domain controller. To do this, follow these steps:

Use the ipconfig command-line tool to check the Domain Name System (DNS) settings on the server.
Confirm that you can ping the DNS server that's listed in the network properties on the problem computer.
Run the nslookup command-line tool. If the DNS server is unreachable, you receive an error message. For example, you receive an error message that resembles the following:
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 157.56.149.72: Timed out
Default Server: UnKnown
Address: 157.56.149.72

Sometimes, joining the computer to a workgroup and then joining the computer back to the domain may resolve this error message. If the computer can't join the domain, this indicates that the computer is experiencing an issue in contacting the domain controllers or that the Active Directory domain is rejecting the request.

Use the nltest tool

Run the Nltest command-line tool. To do this, type the following at the command prompt:

Nltest /dsgetdc:<FQDN of the domain>

Note The Nltest tool requires installation of the Windows Server 2003 Support Tools.

If the settings are correct, you receive output that resembles the following:

DC: \\DC.contoso.com Address: \\157.56.149.72 Dom Guid: a3bd534c-19e9-4330-81ad-a8ee34cd7298 Dom Name: contoso.com Forest Name: contoso.com Dc Site Name: Default-First-Site-Name Our Site Name: Default-First-Site-Name Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE The command completed successfully

Run the following command to check the computer's site membership:
```
nltest /dsgetsite 
```
A successful result resembles the following:
```
Default-First-Site-Name
 The command completed successfully 
```

How to troubleshoot the "The Azure Active Directory Sync Tool is already installed" error message

In this case, the Directory Sync tool may not be installed because of a previous pending installation. During installation, the Setup package also installs software in the background. To resolve this issue, follow these steps:

In Control Panel, check whether Microsoft Identity Integration Server is listed in Add or Remove Programs or in Programs and Features. If it is present, you must remove it.
Verify that the Program Files folder contains a subfolder that's named "Microsoft Identity Integration Server." If the subfolder exists, you must rename the folder to "Microsoft Identity Integration Server_Old."
Run Setup again.

How to troubleshoot the "The Microsoft Online Services Sign-in Assistant service installation returned FAIL. See the event log for more detailed information." error message

You receive the following error message when you try to install the Azure Active Directory Sync tool:

The Microsoft Online Services Sign-in Assistant service installation returned FAIL. See the event log for more detailed information.

Unable to uninstall the Windows Azure Active Directory Sync tool. Use the Control Panel to remove the Directory Sync tool

Additionally, the following events are logged to Event Viewer:

To resolve this issue, see the following Microsoft Knowledge Base article:

3073644 "Microsoft Online Services Sign-in Assistant service installation returned FAIL." error when you try to install the Azure Active Directory Sync tool and event ID 0 and 1013 are logged

How to troubleshoot additional error messages

All directory synchronization logging is viewable in Event Viewer. To view all events that are related to directory synchronization, follow these steps:

Open Event Viewer.
Expand Windows Logs, and then expand Application.
In the Actions pane, click Filter Current Log.
In the Event sources box, select the Directory Synchronization check box.
Click OK.

The following table lists the error name, the error details, the error source, and the steps to help resolve the error.

Error name	Details	Source	Resolution
AdminRequired	Local administrator permissions are required to install Directory Synchronization	Event Viewer/ Error prompt
DirSyncAlreadyInstalled	The Directory Sync tool is already installed. Version {0}	Event Viewer	Uninstall all earlier versions of the Directory Sync tool before you try to install the latest version.
DirSyncInstallKeyNotRemoved	Windows Installer could not remove the uninstall registry key from the Azure Active Directory Sync MSI. Retry uninstall or contact Microsoft Online Support.	Event Viewer	Manually remove the registry keys to complete the installation.
DirSyncNotInstalledError	A complete installation of the Azure Active Directory Sync tool was not detected on this machine. Please uninstall any versions of this tool and then reinstall the most recent version.	Event Viewer	Uninstall all earlier versions of the Directory Sync tool before you try to install the latest version.
ErrorReRunConfigWizard	Unable to start synchronization due to configuration issues. To fix the issues, try running the Configuration Wizard. If you continue to see this error please contact Microsoft Online Support.	Event Viewer	Run the Directory Sync tool Configuration Wizard.
WindowsInstaller45Required	Microsoft Windows Installer 4.5 is required for installation. Please install Microsoft Windows Installer 4.5 and try again.	Event Viewer	Make sure that the server on which the Directory Sync tool is being installed meets the minimum requirements.
ErrorClearRunHistory	Could not clear the run history on the MIIS Server. Error returned is '{0}'. Contact Microsoft Online support.	Event Viewer
ErrorNoStartConnection	Synchronization failed to start because of connection issues or domain controllers could not be contacted by the server. Verify that you are connected to the server and all the configured domain controllers are connected to the network. If you have recently deleted domain or naming context, please rerun the Configuration Wizard.	Event Viewer	Confirm that the local Active Directory domain controllers can be accessed from the server that's running the Directory Sync tool.
ErrorNoStartCredentials	Synchronization failed to start because of credential problems. Rerun Configuration Wizard to update credentials for Synchronization.	Event Viewer	Run the Directory Sync tool Configuration Wizard, and re-enter credentials. Also, confirm that the credentials have Administrator access to the portal.
ErrorNoStartNoDomainController	Synchronization failed to start because the domain controller could not be contacted by the server. Verify that the domain controller is connected to the network.	Event Viewer	Confirm that the local Active Directory domain controllers can be accessed from the server that's running the Directory Sync tool.
ErrorStoppedConnectivity	Synchronization stopped because of connectivity loss. Restore connectivity to the server.		Confirm that the local computer can access the Internet. Have the user try to ping provisioning.microsoftonline.com to verify that the computer can reach the Azure Active Directory authentication system.
ErrorStoppedDatabaseDiskFull	Synchronization stopped because the SQL Server database used by the Synchronization server is full. Create some space in the SQL Server database.	Event Viewer	Free up space on the storage used to hold the directory synchronization SQL database. If the issue isn't resolved, the Directory Sync tool will be unable to run successfully, and the SQL database may be permanently damaged.
InstallNotAllowedOnDomainController	Microsoft Online Services Coexistence cannot be installed on a domain controller.	Event Viewer	The Directory Sync tool can be installed only on domain-joined computers that are not domain controllers.
InstallPathLengthTooLong	The installation path is too long. Provide a path of 116 characters or fewer and then try again.	Event Viewer	If you use a custom path for the installation of the Directory Sync tool, the total path must contain fewer than 116 characters.
InsufficentDiskSpace	Insufficent Disk Space	Event Viewer	There is insufficient space to install the Directory Sync tool on the local workstation.
InvalidPlatform	The Azure Active Directory Sync tool must be installed on a computer running Windows Server 2003 Service Pack 2 or later.	Event Viewer	Make sure that the server on which the Directory Sync tool is being installed meets the minimum requirements.
InvalidUPNFormat	User Principal Name (UPN) is your logon name. This error is displayed when the user enters credentials for Microsoft Online that do not contain an "@" character.	Event Viewer	Enter valid credentials.
ADCredsNotValid	The Enterprise Administrator credentials that you supplied are not valid. Supply valid credentials and try again.	Event Viewer	The installation wizard could not verify that the user account that's being used to install the tool is an enterprise administrator.
MachineIsDomainJoinedUserIsNot	The computer is joined to a domain, but the current user credentials do not have access permissions on the domain.	Event Viewer	Log on as a domain user by using an account that meets the minimum requirements before you try to install the Directory Sync tool.
MachineIsNotDomainJoined	The computer is not joined to any domain.	Event Viewer	Make sure that the server on which the Directory Sync tool is installed meets the minimum requirements.
MachineNotDomainJoined	The computer must be joined to a domain.	Event Viewer	Make sure that the server on which the Directory Sync tool is installed meets the minimum requirements.
MIISSyncIsInProgressError	The synchronization engine is busy. Retry this operation after this synchronization session is complete.	Event Viewer	There is an existing operation that's being completed by MIIS, and any new operation can be completed only after the current operation is complete.
MIISUserAddRight_AccountNotFound	Account name:'{0}' could not be found. Error Code:{1}	Event Viewer	The Directory Sync tool could not add the local account that's being used to complete the installation to the MIIS Admin Group. Manually add the user to the group to continue with the installation.
MIISUserAddRight_AddFailed	'{0}' could not be added to the account rights for '{1}'. Error code:{2}	Event Viewer	The Directory Sync tool could not add the local account that's being used to complete the installation to the MIIS Admin Group. Manually add the user to the group to continue with the installation.
MIISUserAddRight_PolicyHandleNotFound	Failed to obtain the policy handle. Error Code:{0}	Event Viewer	The Directory Sync tool could not add the local account that's being used to complete the installation to the MIIS Admin Group. Manually add the user to the group to continue with the installation.
PowerShellRequired	PowerShell must be installed.	Event Viewer	Make sure that the server on which the Directory Sync tool is installed meets the minimum requirements.
UnsupportedNameFormat	The name format is not supported. Two examples of the supported user name formats are: someone@example.com or example\someone.	Event Viewer	Enter valid credentials.
UserNotAMemberOfMIISAdmins	The current user is not a member of the Microsoft Identity Integration Server (MIIS) Admin group. If you have recently installed the Azure Active Directory Sync tool , you may need to log off and then log on.	Event Viewer	Manually add the local Active Directory user account that's used to run the Directory Sync tool to the MIIS Admin Group.
UserNotAnEnterpriseAdmin	User '{0}' is not a member of the Enterprise Admins group.	Event Viewer	Manually add the local Active Directory user account that's used to run the Directory Sync tool to the Active Directory Enterprise Admin Group.
UnsupportedClientVersion	This version of the Directory Sync tool is no longer supported. Remove this version and then install the latest version from the Directory Synchronization page of the Migration tab in the Microsoft Online Services Administration Center.	Event Viewer	Download the latest version of the Directory Sync tool. To do this, go to Install or upgrade the Directory Sync tool.
InternetQueryOptionError	Internet Explorer proxy settings were not read. Initial configuration using setup wizard may not be able to access online help. WinInet Error {0}	Event Viewer	The installation wizard could not read or change proxy settings in Internet Explorer. Verify that the proxy settings that are set in Internet Explorer are formatted correctly.
InternetSetOptionError	Internet Explorer proxy settings were not set. Initial configuration using setup wizard may not be able to access online help. WinInet Error {0}	Event Viewer	The installation wizard could not read or change proxy settings in Internet Explorer. Verify that the proxy settings that are set in Internet Explorer are formatted correctly.
RichCoexistenceNotAllowed	Current local directory does not have Exchange 2010 installed. Rich coexistence is not allowed.	Event Viewer	Install all the prerequisites for a hybrid deployment before you try to install the Directory Sync tool.

MORE INFORMATION

Still need help? Go to Microsoft Community or the Azure Active Directory Forums website.

Last Updated: Dec 28, 2016