This is just a short blog article on a problem I experienced when upgrading Azure AD Connect from a previous version. This was a small environment where the Azure AD Connect server was running on the Domain Controller.
When starting the upgrade process I noticed a message saying that a “Group with name ADSyncAdmins was not found in the Machine context”. When I clicked to upgrade anyway, an error message was displayed stating that it was “Unable to upgrade the Synchronization Service”.
Looking into the event log, I found this error:
Product: Microsoft Azure AD Connect synchronization services — Error 25037.The groups entered do not all exist or cannot be found. Verify that each group name is correct, and then try again.
Since this was a Domain Controller, there is no Local Users and Groups (a DC has no local security groups), so I created the ADSyncAdmins group in Active Directory as a Domain Local Security group. Trying the upgrade again, the wizard reported another group that was missing.
So I ended up creating these four groups that were missing:
- ADSyncAdmins
- ADSyncBrowse
- ADSyncOperators
- ADSyncPasswordSet
After that I was able to successfully finish the upgrade of Azure AD Connect.
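As an added example (not part of the original post), the following PowerShell script pre-creates the four groups the upgrade looks for, as Domain Local Security groups in Active Directory, and then lists their members so you can verify after the upgrade what the wizard put into them. It assumes the ActiveDirectory module is available (you are on the DC or have RSAT) and that the target OU distinguished name is adjusted to your directory; the OU used here is a placeholder.

```powershell
# Added example, not code from the original post.
# Pre-create the ADSync groups the Azure AD Connect upgrade expects when the
# sync server is a Domain Controller (so "Local Users and Groups" does not exist).
Import-Module ActiveDirectory

# The four group names the upgrade wizard reported as missing in the post.
$adSyncGroups = @('ADSyncAdmins', 'ADSyncBrowse', 'ADSyncOperators', 'ADSyncPasswordSet')

# Assumption / placeholder: where the groups should live in your directory.
$targetOu = 'OU=Service Groups,DC=example,DC=com'

foreach ($name in $adSyncGroups) {
    $existing = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if ($null -ne $existing) {
        # Report scope and category so a pre-existing group with the wrong
        # scope (e.g. Global instead of Domain Local) is noticed before upgrading.
        Write-Host ('{0}: already exists ({1}, {2})' -f $name, $existing.GroupScope, $existing.GroupCategory)
        continue
    }
    New-ADGroup -Name $name `
                -SamAccountName $name `
                -GroupScope DomainLocal `
                -GroupCategory Security `
                -Path $targetOu `
                -Description 'Azure AD Connect synchronization service group (pre-created for upgrade)'
    Write-Host ('{0}: created as Domain Local Security group in {1}' -f $name, $targetOu)
}

# Post-upgrade check: list members of each group. The wizard populates them
# itself; anything beyond the expected sync service/admin accounts should be reviewed,
# since these groups control access to the synchronization service.
foreach ($name in $adSyncGroups) {
    $members = Get-ADGroupMember -Identity $name -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty SamAccountName
    Write-Host ('{0} members: {1}' -f $name, ($(if ($members) { $members -join ', ' } else { '(none)' })))
}
```

Run the first part before starting the upgrade and the membership listing once the wizard has finished.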
My AD Sync service is running as an account in the FIMSyncAdmins group (we came from DirSync before ADSync). Did you have to populate any of the groups you created after the upgrade?
No, I didn’t need to populate the groups other than creating them, the Azure AD Connect wizard handled the rest.
Good article!!