Having recently gone through the process of implementing a custom AADConnect staging installation for a large enterprise customer with more than 30,000 users, with a view to it serving as a fall back to an existing production AADConnect installation.
The requirement being to setup an Azure virtual machine running Windows 2016 Datacentre, AADConnect and SQL Server Standard 2017 (locally installed). Rather than SQL Express which comes by default but suffers limitations which preclude its use in large environments.
SQL Express Limitations:
- 1GB maximum memory used by the SQL Server Database Engine.
- The maximum size of each relational database is 10GB.
- The limit on the buffer cache for each instance is 1MB of RAM.
- The relational database engine is restricted to the lesser of 1 socket or 4 cores.
Circumstances of this custom staging mode installation:
- A locally installed SQL Server 2017 instance.
- The use of a custom group managed account with enterprise administrator rights.
Regardless, the requirement here was to make use of a group managed Azure Active Directory account, however this proved stubbornly problematic. With the following errors reported: “Unable to install Synchronization Service” on the installation screen and “The specified directory service attribute or value does not exist.” in the installation logs.
For troubleshooting purposes the installation log files can be found here: c:\ProgramData\AADConnect\
Things to consider having received this error:
- Whether the account being used to install the software truly has enterprise administrator rights.
- Whether the same account has log on and log on as a service rights on the local machine?
- Whether the account has administrator rights on the local machine?
- Are you using the latest version of the AADConnect install source?
- Whether the group managed account as well as the account you are logged in as, has SQL Server ‘sysadmin’ permissions ?
- Whether port 1433 is accessible on the host?
Solution:
Should this issue persist despite the recommendations above, the workaround is to use an account with Azure global administrator rights (for the installation) instead of a group managed account.