AADSync – Unable to install the Synchronization Service

Under specific circumstances the installation of the Synchronization Service fails during AADSync setup with the error "Unable to install the Synchronization Service". This article gives the background on the error, its cause and the resolution.

Background

After installing the AADSync product and running the configuration wizard, the installation step "Installing Sync Service" fails with a simple error message: Unable to install the Synchronization Service. Please see the event log for additional details.

When you check the event logs the following errors will be listed:

Message: Product: Microsoft Azure AD Sync -- Error 25050. The Microsoft Azure AD Sync setup wizard cannot set Windows Management Instrumentation (WMI) permissions. Ensure you have the correct permissions for this operation, and then try running this wizard again. To run WMI remotely, you must manually set the remote enable permission. Invalid namespace

Message: Logon failure: the user has not been granted the requested logon type at this computer

Message: System.Exception: Unable to install the Synchronization Service. Please see the event log for additional details. ---> System.ComponentModel.Win32Exception: Logon failure: the user has not been granted the requested logon type at this computer
at System.Diagnostics.Process.StartWithCreateProcess(ProcessStartInfo startInfo)
at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ProcessAdapter.TypeDependencies.ProcessStartBeginOutputReadAndWaitForExit(Process process)
at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ProcessAdapter.StartProcessCore(String fileName, String arguments, String workingDirectory, NetworkCredential credential, Boolean loadUserProfile, Boolean hideWindow, Boolean waitForExit)
at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.<>c__DisplayClass3f.<AddSyncSchedulerTask>b__3e()
at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.Execute(Action action, String description)
at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.InstallCore()
at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.Execute(Action action, String description)
at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()
--- End of inner exception stack trace ---
at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.ThrowSetupTaskFailureException(String exceptionFormatString, String taskName, Exception innerException)
at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()
at Microsoft.Azure.ActiveDirectory.Synchronization.UserInterface.SetupAdapter.TypeDependencies.GenericDirectorySyncSetupInstall(String pathToSetupFiles, String installationPath, ProgressChangedEventHandler progressChangedEventHandler)
at Microsoft.Azure.ActiveDirectory.Synchronization.UserInterface.UI.WizardPages.InstallOrUpgradePageViewModel.SetupTask(Object sender, DoWorkEventArgs args)
at Microsoft.Azure.ActiveDirectory.Synchronization.UserInterface.UI.Controls.Wizards.ProgressReportingTaskViewModel.ExecuteAction(Action action, Boolean isProgressIndeterminate)


Cause

The error occurs when the locally generated AADSync service account does not have the permissions required to complete the setup of the Sync Service. The service account is a local computer account whose name starts with "AAD_" followed by a random string of letters and digits. In my case the account is AAD_42dbe4a2a688.

By default, setup places this account in the built-in Backup Operators group so that it has the permissions needed for installation and day-to-day operation.

By default the Backup Operators group is granted the "Allow log on locally" user right under Local Security Policy on the server. The "Logon failure: the user has not been granted the requested logon type" message in the stack trace above is the setup task failing to start a process under the AAD_ account because that right is missing. If the policy (typically a hardening Group Policy applied to servers) has been changed so that Backup Operators no longer hold this right, the installation fails.


Resolution

Note: One possible option to resolve the issue is to place the local "AAD_xxxxxxxxxx" account in the local Administrators group. This is however not a workable fix, because the AADSync installation removes that group membership again to enforce best practice.

The correct fix is to check the Group Policy settings applied to your servers and ensure that the Backup Operators group is granted the "Allow log on locally" user right on the AADSync server. If the right is removed by a domain GPO, changing it in Local Security Policy only helps until the next policy refresh; the GPO itself must be corrected or an exception created for the AADSync server.
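The following PowerShell script is an added diagnostic, not part of the original article or of the AADSync product. It verifies each condition described in the Cause and Resolution sections on the AADSync server itself: it finds the local AAD_ account, confirms its Backup Operators membership, exports the effective user-rights assignment with secedit and checks whether Backup Operators hold "Allow log on locally", and, if not, produces a gpresult report so you can see which GPO is winning. It assumes (not stated on the page) that the service account is identified by its "AAD_" prefix, that Backup Operators is the well-known SID S-1-5-32-551, and that "Allow log on locally" appears as SeInteractiveLogonRight in secedit output. Run it from an elevated prompt.

```powershell
# Added diagnostic/repair script (not from the original article or AADSync).
# Run in an elevated PowerShell prompt on the AADSync server.
# Assumptions not stated on the page: the service account is identified by its
# "AAD_" prefix; Backup Operators is the well-known SID S-1-5-32-551;
# "Allow log on locally" is the SeInteractiveLogonRight entry in secedit output.

$BackupOperatorsSid = 'S-1-5-32-551'

function Get-AadSyncServiceAccount {
    # Local SAM lookup via the WinNT provider; no LocalAccounts module needed.
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $computer.Children |
        Where-Object { $_.SchemaClassName -eq 'User' -and ([string]$_.Name) -like 'AAD_*' } |
        ForEach-Object { [string]$_.Name }
}

function Test-BackupOperatorsMember {
    param([Parameter(Mandatory)][string]$UserName)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Backup Operators,group"
    $members = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    $members -contains $UserName
}

function Get-InteractiveLogonRight {
    # secedit writes a UTF-16 .inf; [Privilege Rights] lists SIDs prefixed with '*'.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $inf -Encoding Unicode |
        Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' } | Select-Object -First 1
    if (-not $line) { return @() }   # right not defined at all
    ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}

function Grant-BackupOperatorsInteractiveLogon {
    # Local-policy repair only: keeps the existing grantees and adds Backup Operators.
    # If a domain GPO removed the right, the next policy refresh reverts this;
    # fix the GPO instead (see the gpresult report below).
    param([string[]]$CurrentGrantees)
    $grantees = @($CurrentGrantees + $BackupOperatorsSid | Select-Object -Unique)
    $value = ($grantees | ForEach-Object { if ($_ -match '^S-1-') { "*$_" } else { $_ } }) -join ','
    $inf = Join-Path $env:TEMP 'secpol-fix.inf'
    @(
        '[Unicode]', 'Unicode=yes',
        '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
        '[Privilege Rights]', "SeInteractiveLogonRight = $value"
    ) | Set-Content -Path $inf -Encoding Unicode
    secedit /configure /db (Join-Path $env:TEMP 'secpol-fix.sdb') /cfg $inf /areas USER_RIGHTS | Out-Null
}

# --- run the checks ---
$accounts = @(Get-AadSyncServiceAccount)
if ($accounts.Count -eq 0) { Write-Warning 'No local AAD_* account found; setup may not have reached account creation.' }
foreach ($acct in $accounts) {
    $inGroup = Test-BackupOperatorsMember -UserName $acct
    "{0}: member of Backup Operators = {1}" -f $acct, $inGroup
}

$grantees = @(Get-InteractiveLogonRight)
"Allow log on locally is granted to: $($grantees -join ', ')"
if ($grantees -contains $BackupOperatorsSid) {
    'OK: Backup Operators hold Allow log on locally; look elsewhere for the cause.'
} else {
    Write-Warning 'Backup Operators are NOT granted Allow log on locally (the failure described above).'
    # Identify the winning GPO for the setting before changing anything locally.
    gpresult /scope computer /h (Join-Path $env:TEMP 'gpresult.html') /f | Out-Null
    "Review $($env:TEMP)\gpresult.html under Computer Configuration > Security Settings > User Rights Assignment."
    # Uncomment only if the setting comes from local policy rather than a GPO:
    # Grant-BackupOperatorsInteractiveLogon -CurrentGrantees $grantees
}
```

The repair function is deliberately left commented out: if the right was stripped by a domain GPO, a local secedit change is silently undone at the next refresh and the next attempt to run the wizard fails the same way, so the gpresult report is the place to start.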