We recently ran into some trouble with our Azure AD Connect service: after a reboot the service would not start, forcing us to reinstall the application, only for it to break again on the next reboot. After giving this issue some proper attention we fixed it permanently, and I want to share the fix with you here.
This customer is one of our oldest clients; we have maintained their infrastructure for a very long time, and a lot of technical staff have come and gone during that time. Because the client's Active Directory has been upgraded all the way from the SBS server days, there are, as you can imagine, many old and redundant policies still being applied which nobody has had the time to sort out.
Azure AD Connect Services Fails to Start
The problem we found was that each time the server rebooted, the Azure AD Connect service failed to start. Whenever our RMM tools flagged the service as not running, a colleague of mine would reinstall AD Connect.
Looking a little further into this, the service account was losing its permission to log on as a service. The first place to look for the cause was Group Policy, and that was right on the money: someone, likely back in the days before Azure AD Connect, had edited the Default Domain Controllers group policy and manually set the 'Log on as a service' user rights assignment. A user rights assignment defined in a GPO replaces the local list rather than merging with it, so every policy refresh stripped the right that the installer had granted to the service account. Oh, and did I mention you shouldn't be installing Azure AD Connect on your domain controllers? Yes, don't do that either.
For us the resolution was simple: add the NT SERVICE\AD Sync account to the 'Log on as a service' user rights assignment in that Group Policy.
The Resolution
Step 1 – Open Group Policy on your domain controller. This can be found under Administrative Tools, then Group Policy.
Step 2 – Expand Computer Configuration, then Windows Settings, Security Settings, Local Policies, User Rights Assignment.
Step 3 – Find the Log on as a service policy and select Add User or Group.
Step 4 – Find the user NT SERVICE\AD Sync and select OK and Apply.
Step 5 – Open the service management console (services.msc) and find the Azure AD Sync service.
Step 6 – Double click the AD Sync service to open the service properties, select the Log On tab and ensure 'This account' is set to the NT SERVICE\AD Sync account. If you have not modified this since installation it should already be set, and the service should be running again.
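The diagnosis above (the account losing 'Log on as a service' on every policy refresh) and the fix steps can both be checked from an elevated PowerShell session. The script below is an added example written for this post, not code from the original article or from Microsoft; it assumes the sync service is registered as `ADSync` (the post writes the account as NT SERVICE\AD Sync, so the script reads the actual logon account from the service rather than hard-coding it) and that the GroupPolicy module from RSAT is available for the RSoP report.

```powershell
# Added example: confirm whether the AD Sync service account holds the
# "Log on as a service" right (SeServiceLogonRight) on this machine, and
# produce an RSoP report to find the GPO that is overwriting it.
# Assumption: the service name is 'ADSync'. Run as an administrator.

$serviceName = 'ADSync'

# 1. Identify the logon account and current state of the service.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) { throw "Service '$serviceName' not found on this host." }
Write-Host "Service '$($svc.DisplayName)' runs as '$($svc.StartName)' (state: $($svc.State))"

# 2. Export the effective local security policy (which Group Policy writes
#    into) and read SeServiceLogonRight, the internal name of the right.
$inf = Join-Path $env:TEMP 'user-rights-export.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rightLine = Get-Content $inf |
    Where-Object { $_ -match '^SeServiceLogonRight\s*=' } |
    Select-Object -First 1
Remove-Item $inf -ErrorAction SilentlyContinue

$holders = @()
if ($rightLine) {
    $holders = ($rightLine -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() }
}
Write-Host "SeServiceLogonRight is currently granted to: $($holders -join ', ')"

# 3. secedit writes most principals as '*<SID>', so resolve the service
#    account to its SID and accept either the name or the SID form.
$sid = $null
try {
    $account = New-Object System.Security.Principal.NTAccount($svc.StartName)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
} catch {
    Write-Warning "Could not resolve '$($svc.StartName)' to a SID: $_"
}
$hasRight = ($holders -contains $svc.StartName) -or ($sid -and ($holders -contains "*$sid"))

if ($hasRight) {
    Write-Host "OK: '$($svc.StartName)' holds 'Log on as a service'."
    if ($svc.State -ne 'Running') { Start-Service -Name $serviceName }
} else {
    Write-Warning "'$($svc.StartName)' lacks 'Log on as a service'; the service will fail to start on the next reboot or policy refresh."

    # 4. The RSoP report lists every user rights assignment with the winning
    #    GPO, which is the policy that needs the account added (Steps 1-4).
    $report = Join-Path $env:TEMP 'rsop-computer.html'
    Get-GPResultantSetOfPolicy -ReportType Html -Path $report | Out-Null
    Write-Host "Open $report and look under Security Settings > Local Policies > User Rights Assignment for 'Log on as a service'; the Winning GPO column names the policy to edit."
}
```

After the account has been added to the policy, run `gpupdate /target:computer /force` and rerun the script: the right should now list the service account, and the service should start without a reinstall. Adding the account directly with the Local Security Policy console is only a temporary fix, because the next policy refresh replaces the local list with whatever the GPO defines.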
Summary
Thank you for taking the time to read my post. Hopefully you can now overcome any service logon issues you encounter with Azure AD Sync. Azure AD Connect is a huge tool, and most IT staff only scratch the surface of it. Be sure to check out the other useful posts on Azure AD Connect I have written.
The Azure AD Connect Powershell commands you should know
Thank you, this solution worked perfectly and has saved my time.