Monday, 19 January 2015

DirSync installation issues

It can be a little tricky to install DirSync in a multi-domain environment. To avoid complexity I normally try to install it in the root domain. I did so recently on a customer site but still had a little difficulty.

I always insist that the account used to install DirSync is a member of Domain Admins and Enterprise Admins (although Domain Admins membership is not specifically referred to in the official documentation).

This was the first error I encountered (after entering my Azure Global Administrator details):

"Unable to establish a connection to the authentication service".

The error suggested to me that I had a problem with Internet access. I verified that in fact I did not have Internet access. It seems that this customer disallowed Internet access to Domain Admins (disabling proxy access). Fair enough. I removed the installation account from the Domain Admins group. After all it was still a member of the Enterprise Admins group and Domain Admins group membership was not specifically called out as required.

Great. I was now able to authenticate with Azure and progress to the next dialog box. I entered the Enterprise Admin account details and I was able to progress to the final step.

Here we go - DirSync could not be configured. The error message did not make much sense either.

"The user name or password is incorrect".

I added the account back into Domain Admins and allowed the server to bypass the proxy for Internet Access.

Success. I was able to complete the installation and configuration.

Moral of the story - it seems that the DirSync installation account should be a member of both Domain Admins and Enterprise Admins, although I cannot find this documented anywhere.

No comments:

Post a Comment