Friday, May 27, 2016

AAD Connect service failed to start with "Error 1069: The service did not start due to logon failure"

Scenario:
AAD Connect had been installed on a Domain Controller. After some time the "Microsoft Azure AD Sync" service stopped and failed to start with the following error: "Error 1069: The service did not start due to logon failure".


AAD Connect was removed manually and reinstalled. This time, after restarting the server, AAD Connect functioned normally. However, after some time had passed, the same error occurred again.

Resolution:
You probably have a Group Policy Object that defines a fixed list of accounts for the "Log on as a service" user right and that applies to the Domain Controller. User Rights Assignment settings delivered by Group Policy are not merged with the local configuration: the GPO's list replaces whatever is set locally at every policy refresh. The AAD Connect installer grants the right to its service account locally, which is why the service runs after a fresh install and then stops once the next refresh removes the account from the list.
In my case it was "Default Domain Controllers Policy", but the same problem occurs with "Default Domain Policy" or any other GPO that defines this right and applies to an ordinary member server.
  • The "Log on as a service" setting is found under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment in that GPO.
  • Add the "AAD_..." account (or the custom service account you specified during AAD Connect deployment) to the list of accounts allowed to "Log on as a service". Keep the existing entries; removing them can break other services on the server.
  • Run "gpupdate /force" from the Command Prompt on the affected server.
  • Restart the "Microsoft Azure AD Sync" service.
Note that because this GPO applies to every domain controller, the account now holds the right on all of them, not only on the one running AAD Connect.
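The following PowerShell script is an added example and is not from the original post. It checks the two things the resolution above depends on: which account the sync service runs as and whether that account still holds SeServiceLogonRight in the effective local policy (via secedit), and whether the named GPO defines that right at all (via Get-GPOReport). It assumes the service is registered under the name ADSync (display name "Microsoft Azure AD Sync"), that the GroupPolicy module from RSAT/GPMC is available, and that the GPO report's Member/Name element carries the account name as plain text; the GPO name in $gpoName is the one from this post and should be changed if a different policy applies.

```powershell
# Added example (not from the original post). Run elevated on the server that hosts AAD Connect.
# Assumptions: service name 'ADSync', GroupPolicy module installed, GPO report schema as noted below.

# 1. Which account does the sync service run as?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='ADSync'"
if (-not $svc) { throw 'ADSync service not found on this host' }
$account = $svc.StartName                        # e.g. CONTOSO\AAD_1234567890ab
Write-Host "ADSync runs as $account (state: $($svc.State))"

# secedit lists user rights by SID (each prefixed with '*'), so resolve the account to its SID
$ntAccount = New-Object System.Security.Principal.NTAccount($account)
$sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

# 2. Does the effective local policy still grant it "Log on as a service"?
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rightLine = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
Remove-Item $inf -Force

$members = @()
if ($rightLine) {
    # Line looks like: SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...-1104
    $members = (($rightLine -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim() }
}
$hasRight = $members -contains "*$sid"
if ($hasRight) {
    Write-Host "OK: $account holds SeServiceLogonRight in the effective policy"
} else {
    Write-Warning "$account is NOT in SeServiceLogonRight. Current members: $($members -join ', ')"
}

# 3. Does the GPO define SeServiceLogonRight? If so, its list replaces the local one at each refresh,
#    which is what keeps removing the right the installer granted.
$gpoName = 'Default Domain Controllers Policy'   # assumption: change to the GPO that applies to you
[xml]$report = Get-GPOReport -Name $gpoName -ReportType Xml
$ura = $report.GPO.Computer.ExtensionData.Extension.UserRightsAssignment |
       Where-Object { $_.Name -eq 'SeServiceLogonRight' }

if ($ura) {
    Write-Host "$gpoName defines SeServiceLogonRight with these members:"
    foreach ($m in @($ura.Member)) {
        # Assumption about the report schema: Member/Name is either a plain string or an element
        # whose InnerText is the account name.
        $name = $m.Name
        if ($name -is [System.Xml.XmlElement]) { $name = $name.InnerText }
        Write-Host "  $name"
    }
    if (-not $hasRight) {
        Write-Warning "Add $account to 'Log on as a service' in '$gpoName' (keep the existing entries),"
        Write-Warning "then run: gpupdate /target:computer /force ; Start-Service -Name ADSync"
    }
} else {
    Write-Host "$gpoName does not define SeServiceLogonRight; check other GPOs linked to this OU"
}

# 4. Once the right is present, start the service (only attempted when the check passed).
if ($hasRight -and $svc.State -ne 'Running') {
    Start-Service -Name ADSync
    Write-Host "ADSync state: $((Get-Service -Name ADSync).Status)"
}
```

The local check is the authoritative one: if the account's SID is missing from SeServiceLogonRight after a gpupdate, a GPO is still overwriting the list, and step 3 tells you whether the policy you edited is the one doing it.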