DirSync-Error-1069

One or more Azure Active Directory Connect services don't start

Windows could not start the Forefront Identity Manager Synchronization Service on the Local Computer


https://support.microsoft.com/en-us/kb/2995030 


Error 1069: The service did not start due to a logon failure.

 Error 1006: "Windows could not start the Microsoft Azure AD Sync service on" 

DirSync / AAD Sync / AAD Connect runs just fine upon initial install or re-install. However, after a reboot or after a couple of days, the Forefront Identity Manager Synchronization Service is not running and cannot be started. It gives the error:

Windows could not start the Forefront Identity Manager Synchronization Service on the Local Computer. Error 1069: The service did not start due to a logon failure.



If you try to open "C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe", it gives an error stating:



Unable to connect to the Synchronization Service.

Some possible reasons are:

1) The service is not started

2) Your account is not a member of the required security group.

See the Synchronization Service documentation for details.

Service name: FIMSynchronizationService

Service name: MSOnlineSyncScheduler

 

Reinstalling DirSync works, but this is not a long-term solution (the same issue happens again after a couple of days).

 

If you're using the Azure Active Directory Sync tool

  1. Click Start, type services.msc in the search box, and then press Enter.
  2. In the list of services, right-click Microsoft Azure AD Sync, and then click Properties.
  3. Click the Log On tab.
  4. Make sure that the account is set to the directory synchronization service account. For example: AAD_<nnnnnnnnnnnn> or MSOL_<nnnnnnnnnnnn>.
  5. If the account is not set to the directory synchronization service account, select the directory synchronization service account.

    The directory synchronization service account is located in the Users organizational unit (OU) of the forest domain. If this account is in another location, move it to the Users OU of the forest domain. 

    Note: If the account does not exist, run the Azure Active Directory Sync tool Configuration Wizard.

If you're using Azure Active Directory Sync (AAD Sync) Services

  1. Click Start, type services.msc in the search box, and then press Enter.
  2. In the list of services, right-click Windows Azure Active Directory Synchronization Service, and then click Properties.
  3. Click the Log On tab.
  4. Make sure that the account is set to the directory synchronization service account. For example: AAD_<nnnnnnnnnnnn> or MSOL_<nnnnnnnnnnnn>.
  5. If the account is not set to the directory synchronization service account, select the directory synchronization service account.

    The directory synchronization service account is located in the Users OU of the forest domain. If this account is in another location, move it to the Users OU of the forest domain. 

    Note: If the account does not exist, run the Azure Active Directory Synchronization tool Configuration Wizard.
  6. Repeat steps 2–5 for the Forefront Identity Manager Synchronization Service.


Resolution:

 

  • Find the username (it starts with AAD_) of the account that the services listed in Services.msc use to log on.

    Check the service Forefront Identity Manager Synchronization Service: the user "AAD_<nnnnnnnnnnnn>" needs to be listed as the "Log On As" account.

Check the service Windows Azure Active Directory Sync Service: the user AAD_<nnnnnnnnnnnn> needs to be listed as the "Log On As" account.

On Windows Server 2008 R2, click Search and then type "Edit Group Policy".

On Windows Server 2012 R2, click Search and then type "Edit Group Policy".

Solution 2: Make sure that the directory synchronization account is set to log on as a service in Group Policy

To make sure that the directory synchronization account is configured to log on as a service in the local policy, follow these steps:
  1. Click Start, type gpedit.msc in the search box, and then press Enter.
  2. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
  3. Confirm that the directory synchronization service account is added to the following policies:

    Log on as a service

    Log on as batch job

    Log on locally


  4. If you made changes to the local policy, restart the computer to apply the changes.


Add that user to the local "Administrators" user group.

Open the Default Domain GPO and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

Open "Log on as a service" and add the computer's local "Administrators" user group.

Open "Log on as batch job" and add the computer's local "Administrators" user group.

Open "Log on locally" and add the computer's local "Administrators" user group.

Type "Administrators" or "Enterprise Admin", select "Check Names", and then click "OK".

Type the directory synchronization service account. For example: AAD_<nnnnnnnnnnnn> or MSOL_<nnnnnnnnnnnn>.
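
The checks from the steps above can also be made from a prompt. The following is an added example, not part of the original article or the Microsoft KB: it reads each service's "Log On As" account and reports whether that account is directly assigned the three user rights. It assumes an elevated PowerShell session on the sync server and uses only the two service names listed on this page; where a domain GPO defines these rights, its list replaces the local one at policy refresh, which fits a service that starts after install and fails days later.

```powershell
# Added example: audit the sync services' "Log On As" account and its user rights.
# Service names are the two listed on this page; run elevated on the sync server.
$serviceNames = 'FIMSynchronizationService', 'MSOnlineSyncScheduler'
$rights = [ordered]@{
    SeServiceLogonRight     = 'Log on as a service'
    SeBatchLogonRight       = 'Log on as a batch job'
    SeInteractiveLogonRight = 'Allow log on locally'
}

# Export the user rights assignment currently in effect on this computer.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        # Entries are SIDs prefixed with '*' or plain account names.
        $policy[$Matches[1]] = $Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $cfg

foreach ($name in $serviceNames) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Warning "$name is not installed"; continue }

    # StartName is the "Log On As" account, e.g. .\AAD_<nnnnnnnnnnnn>
    $account = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
    try {
        $sid = ([System.Security.Principal.NTAccount]$account).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        Write-Warning "$name runs as '$account', which does not resolve to an account"
        continue
    }

    foreach ($right in $rights.Keys) {
        $holders = @($policy[$right])
        [pscustomobject]@{
            Service  = $name
            State    = $svc.State
            LogOnAs  = $account
            Right    = $rights[$right]
            # Direct assignment only; a right granted through a group shows as False.
            Assigned = ($holders -contains $sid) -or ($holders -contains ($account -split '\\')[-1])
        }
    }
}
```

Running it once right after a reinstall and again after the service stops starting shows whether a policy refresh removed a right from the account.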



Solution 3: Reinstall the directory synchronization appliance

If neither Solution 1 nor Solution 2 resolves the issue, remove and then reinstall the directory synchronization appliance. 

For example, if you're using the Azure Active Directory Sync tool, remove and then reinstall it. Or, if you're using AAD Sync, remove and then reinstall it.

