It can be a little tricky to install DirSync in a multi-domain environment. To avoid complexity I normally try to install it in the root domain. I did so recently on a customer site but still had a little difficulty.
I always insist that the account used to install DirSync is a member of Domain Admins and Enterprise Admins (although Domain Admins membership is not specifically referred to in the official documentation).
http://technet.microsoft.com/en-us/library/dn635310(v=office.15).aspx
This was the first error I encountered (after entering my Azure Global Administrator details):
"Unable to establish a connection to the authentication service".
The error suggested to me that I had a problem with Internet access. I verified that in fact I did not have Internet access. It seems that this customer disallowed Internet access to Domain Admins (disabling proxy access). Fair enough. I removed the installation account from the Domain Admins group. After all it was still a member of the Enterprise Admins group and Domain Admins group membership was not specifically called out as required.
Great. I was now able to authenticate with Azure and progress to the next dialog box. I entered the Enterprise Admin account details and I was able to progress to the final step.
Here we go - DirSync could not be configured. The error message did not make much sense either.
"The user name or password is incorrect".
I added the account back into Domain Admins and allowed the server to bypass the proxy for Internet Access.
Success. I was able to complete the installation and configuration.
Moral of the story - it seems that the DirSync installation account should be a member of both Domain Admins and Enterprise Admins, although I cannot find this documented anywhere.
No comments:
Post a Comment