After this installation of Azure AD Connect on a Windows Server 2012 R2 machine, the AD Connect health agent doesn't register. The services on the machine stay disabled and not started. I've read that I need to run the PowerShell command:
Register-AzureADConnectHealthSyncAgent -AttributeFiltering:$false -StagingMode:$false
However, this doesn't work, as it comes back with "Configuration failed":
2018-04-17 01:40:54.893 Aquiring Monitoring Service certificate using tenant.cert
Configuration Failed
To retry configuration, type: Register-AzureADConnectHealthSyncAgent
Monitoring will not start until configuration is successful.
To review installation steps and requirements, please visit: http://go.microsoft.com/fwlink/?LinkID=518643
Detailed log file created in temporary directory:
C:\Users\admin.inova\AppData\Local\Temp\AdHealthAadSyncAgentConfiguration.2018-04-16_19-40-21.log
Register-AzureADConnectHealthSyncAgent : Failed configuring Monitoring Service using command: C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\Monitor\Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe sourcePath="C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\tenant.cert" version="1.1.751.0"
At line:1 char:1
+ Register-AzureADConnectHealthSyncAgent -AttributeFiltering:$false -St ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Register-AzureADConnectHealthSyncAgent], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.Identity.AadConnect.Health.AadSync.PowerShell.ConfigurationModule.RegisterAzureAdConnectHealthSyncAgent
There is no proxy server used, which can be seen in the log files too:
2018-04-17 01:40:21.175 User Context outbound connections to https://management.azure.com/providers/Microsoft.ADHybridHealthService/ will use proxy address https://management.azure.com/providers/Microsoft.ADHybridHealthService/ (if equal, no proxy is used)
2018-04-17 01:40:21.175 Service Context: Outbound connections to https://management.azure.com/providers/Microsoft.ADHybridHealthService/ will use proxy address https://management.azure.com/providers/Microsoft.ADHybridHealthService/ (if equal, no proxy is used)
So, when I try to run the test-azureadconnecthealthconnectivity, I get the following:
PS C:\Windows\system32> Test-AzureADConnectHealthConnectivity -Role Sync
Test-AzureADConnectHealthConnectivity's execution in details are as follows:
Starting Test-AzureADConnectHealthConnectivity ...
Connectivity Test Step 1 of 3: Testing dependent service endpoints begins ...
AAD CDN connectivity is skipped.
Connecting to endpoint https://login.microsoftonline.com
Endpoint validation for https://login.microsoftonline.com is Successful.
Connecting to endpoint https://login.windows.net
Unhandled exception occurred: The operation has timed out
Connecting to endpoint https://policykeyservice.dc.ad.msft.net/clientregistrationmanager.svc
Endpoint validation for https://policykeyservice.dc.ad.msft.net/clientregistrationmanager.svc is Successful.
Connecting to endpoint https://policykeyservice.dc.ad.msft.net/policymanager.svc
Endpoint validation for https://policykeyservice.dc.ad.msft.net/policymanager.svc is Successful.
Connectivity Test Step 1 of 3 - Failed to connect some service endpoints, please investigate.
Connectivity Test Step 2 of 3 - Blob data upload procedure begins ...
Unhandled exception occurred: System.Security.Cryptography.CryptographicException: The parameter is incorrect.
   at System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope)
   at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.TestAzureADConnectHealthConnectivity.LoadIdentityInfo()
   at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.TestAzureADConnectHealthConnectivity.TestInsightServiceDataUploadProcedure()
   at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.TestAzureADConnectHealthConnectivity.ProcessRecord()
I've used the same account for the registration command as I used for the installation of the Azure AD Connect software, whose sync is running without problems.
There is MFA enabled on that account, but I do not see an issue there.
Hope somebody can assist.