Problem
You’ve successfully installed AD FS and DirSync on their respective Windows Server 2012 R2 servers and have confirmed that both are working as expected. However, you also realize that the services on the AD FS and DirSync servers no fail to start as soon as you restart the server:
DirSync
Service Name: FIMSynchronizationService
Display Name: Forefront Identity Manager Synchronization Service
Service Account: .AAD_d5b89680b957
Service Name: MSOnlineSyncScheduler
Display Name: Windows Azure Active Directory Sync Service
Service Account: .AAD_d5b89680b957
AD FS
Service Name: Adfssrv
Display Name: Active Directory Federation Services
Service Account: <nonGeneric>
Windows could not start the Active Directory Federation Services service on the Local Computer.
Error 1069: The service did not start due to a logon failure.
Solution
While there could be various reasons why this issue may occur, one of them is if you have a GPO configured in your domain that specifies what accounts are allowed to have Log on as service rights. In the environment I worked in, there was such a policy so when I launched the Local Computer Policy editor with gpedit.msc:
… I can see that the options to edit the Log on as a service configuration greyed out:
The reason why the AD FS and DirSync worked initially is because the install manually granted these service accounts the rights but a restart of the server removed them.
Troubleshooting this issue didn’t actually take me too much time but I can see that it could have if I missed this so I hope this will safe some time for anyone who may encounter the same issue.
One Response
This is the issue I am having exactly. Microsoft is acting like they have no idea how to resolve it. Can you tellme how your resolved this issue?
Thanks
Don