Windows 2016 ADFS Installation Error - System.DirectoryServices.DirectoryServicesCOMException (0x80072030)

  • Question

  • Windows 2016 ADFS Installation Error - System.DirectoryServices.DirectoryServicesCOMException (0x80072030)

    When installing a new ADFS Farm on a Windows 2016 server I get this error message during the stage `Configuring private key store...`

    Message : Unable to configure the private key store. The server is not operational.
              
    Context : DeploymentTask
    Status  : Error
    
    After enabling debug logging for ADFS here's the XML of the information event:
    
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="AD FS Tracing" Guid="{0457a490-4d4d-4a5b-b639-35382f1b6709}" />
        <EventID>44</EventID>
        <Version>0</Version>
        <Level>4</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000100</Keywords>
        <TimeCreated SystemTime="2019-02-25T21:24:23.860524400Z" />
        <EventRecordID>94</EventRecordID>
        <Correlation ActivityID="{365EC653-CD4D-0019-A6CA-5E364DCDD401}" />
        <Execution ProcessID="5976" ThreadID="6140" ProcessorID="25" KernelTime="152" UserTime="230" />
        <Channel>AD FS Tracing/Debug</Channel>
        <Computer>SERVER_NAME.MY_DOMAIN.com</Computer>
        <Security UserID="USER_SID" />
      </System>
      <UserData>
        <Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
          <EventData>Could not bind to DN:'CN=RANDOM_ID,CN=ADFS,CN=Microsoft,CN=Program Data,DC=MY_DOMAIN,DC=com'. Got exception:'System.DirectoryServices.DirectoryServicesCOMException (0x80072030): There is no such object on the server. at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Bind() at System.DirectoryServices.DirectoryEntry.RefreshCache() at System.DirectoryServices.DirectoryEntry.FillCache(String propertyName) at System.DirectoryServices.DirectoryEntry.get_NativeGuid() at System.DirectoryServices.DirectoryEntry.get_Guid() at Microsoft.IdentityServer.CertificateManagement.DkmFactory.CheckExistence(String distinguishedName, String& dcName)'. Concluding that the said DN does not exist.</EventData>
        </Event>
      </UserData>
    </Event>


    And the error event:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="AD FS Tracing" Guid="{0457a490-4d4d-4a5b-b639-35382f1b6709}" />
        <EventID>12</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000004</Keywords>
        <TimeCreated SystemTime="2019-02-25T21:24:44.876882200Z" />
        <EventRecordID>95</EventRecordID>
        <Correlation ActivityID="{365EC653-CD4D-0019-A6CA-5E364DCDD401}" />
        <Execution ProcessID="5976" ThreadID="6140" ProcessorID="25" KernelTime="152" UserTime="230" />
        <Channel>AD FS Tracing/Debug</Channel>
        <Computer>SERVER_NAME.MY_DOMAIN.com</Computer>
        <Security UserID="USER_SID" />
      </System>
      <UserData>
        <Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
          <EventData>Error: Exception: The server is not operational. StackTrace: at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Bind() at System.DirectoryServices.DirectoryEntry.RefreshCache() at System.DirectoryServices.DirectoryEntry.FillCache(String propertyName) at System.DirectoryServices.DirectoryEntry.get_NativeGuid() at System.DirectoryServices.DirectoryEntry.get_Guid() at Microsoft.IdentityServer.CertificateManagement.DkmUtility.CheckExistence(String distinguishedName) at Microsoft.IdentityServer.Configuration.Providers.DkmProvider.DoesDkmGroupExist(DkmConfiguration settings) at Microsoft.IdentityServer.Configuration.Tasks.DKMSetup.DKMSetupTask.DoSetupDKM(IDKMSetupContext context) at Microsoft.IdentityServer.Deployment.Core.Tasks.ConfigurationTaskBase.Execute(IDeploymentContext context, IProgressReporter progressReporter)</EventData>
        </Event>
      </UserData>
    </Event>


    Here's the PowerShell command that generates the error event.
    These events happen during the UI and PowerShell installation processes.

    Install-AdfsFarm `
      -CertificateThumbprint $CertificateThumbprint `
      -FederationServiceDisplayName $FederationServiceName `
      -FederationServiceName $FederationServiceName `
      -GroupServiceAccountIdentifier "$DOMAIN\$($ServiceAccount.Name)`$" `
      -OverwriteConfiguration:$true

    I'm using a group Managed Service Account, which I can validate works by running the same commands to successfully create an ADFS Farm using a Windows Server 2019 VM. Unfortunately, my cloud provider only offers Windows Server 2016.

    Internet searches demonstrate that this is a known issue, but I haven't been able to find a resolution yet. So far I've tried:

    • Creating a new AD user account for the installation
    • Creating a new group Managed Service Account
    • Confirming the existence and permissions to (and to child objects of) `CN=ADFS,CN=Microsoft,CN=Program Data,DC=MY_DOMAIN,DC=com`
    • Fresh instances and configurations
    Monday, February 25, 2019 9:47 PM

Answers

  • I finally found a simple explanation to this... The Domain Admin account used was not properly assigned permissions.

    Even if this account was part of the Domain Admins group, the Domain Admins group had been deleted from the BUILTIN\Administrators group in Active Directory. Then, even if the account could write in the "Program Data / ADFS" container, it was missing permissions to access the key store, which requires "BUILTIN\Administrators" permissions in AD.

    Regards,


    MVP Enterprise Mobility | Microsoft P-Seller | Azure Advisor

    Friday, March 15, 2019 2:20 PM
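    A pre-flight check, added here as an example and not part of the thread, that verifies the things this thread turns on before running Install-AdfsFarm: that the AD FS container under CN=Program Data can be bound (the 0x80072030 bind failure in the question), that Domain Admins is still nested in BUILTIN\Administrators (the accepted answer), and that the installing account and gMSA are usable. It assumes the RSAT ActiveDirectory module is installed on the domain-joined server, that it runs as the account that will run Install-AdfsFarm, and that $ServiceAccountName is a placeholder for your gMSA.

```powershell
# Example pre-flight check (not from the thread or from Microsoft). Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory
$ServiceAccountName = "gMSA_ADFS"   # placeholder: SamAccountName of your gMSA (without the trailing $)

$domain      = Get-ADDomain
$dkmParentDn = "CN=ADFS,CN=Microsoft,CN=Program Data,$($domain.DistinguishedName)"

# 1. Can we bind to the AD FS parent container, and which DKM child containers sit under it?
#    A bind to a DN that does not exist is what yields 0x80072030 "There is no such object on the server".
try {
    $parent = Get-ADObject -Identity $dkmParentDn
    Write-Host "Found $($parent.DistinguishedName)"
    Get-ADObject -SearchBase $dkmParentDn -SearchScope OneLevel -Filter * | ForEach-Object {
        Write-Host "  DKM container: $($_.Name)"
        # Who is allowed what on each child container; the installing account must be able to read and write here.
        (Get-Acl -Path "AD:\$($_.DistinguishedName)").Access |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            Select-Object IdentityReference, ActiveDirectoryRights |
            Format-Table -AutoSize | Out-String | Write-Host
    }
} catch {
    Write-Host "Cannot bind to $dkmParentDn : $($_.Exception.Message)"
}

# 2. The condition the accepted answer found broken: Domain Admins must be a member of BUILTIN\Administrators.
#    Both groups are resolved by well-known SID (S-1-5-32-544 and <domain SID>-512) so renaming does not break the check.
$builtinAdmins = Get-ADGroup -Identity 'S-1-5-32-544' -Properties Members
$domainAdmins  = Get-ADGroup -Identity "$($domain.DomainSID.Value)-512"
if ($builtinAdmins.Members -contains $domainAdmins.DistinguishedName) {
    Write-Host "OK: $($domainAdmins.Name) is a member of $($builtinAdmins.Name)"
} else {
    Write-Host "WARNING: $($domainAdmins.Name) is NOT a member of $($builtinAdmins.Name); key store access will be denied"
}

# 3. Does the current logon token actually carry the Domain Admins SID (direct or nested membership)?
$tokenSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object { $_.Value }
if ($tokenSids -contains $domainAdmins.SID.Value) {
    Write-Host "OK: current account holds $($domainAdmins.Name) in its token"
} else {
    Write-Host "WARNING: current account is not in $($domainAdmins.Name); re-run as a domain admin"
}

# 4. Can this host retrieve the gMSA password? Test-ADServiceAccount returns $true when the account is usable here.
if (Test-ADServiceAccount -Identity $ServiceAccountName) {
    Write-Host "OK: gMSA $ServiceAccountName is usable on $env:COMPUTERNAME"
} else {
    Write-Host "WARNING: gMSA $ServiceAccountName cannot be used on this host; check PrincipalsAllowedToRetrieveManagedPassword"
}
```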

All replies

  • I engaged Microsoft Premier Support about this issue. While waiting for a response, I created a new instance of Windows Server 2019 and successfully created a new 2019 ADFS Farm (Farm Behavior Level 4.0). Although I suspected it would fail, I then attempted to join my Windows Server 2016 instance to that 2019 Farm. It failed. Next I attempted to create a new 2016 ADFS Farm and it completed successfully. Subsequent tests creating 2016 ADFS Farms have been successful. I'm still waiting to hear more from Premier Support.

    Wednesday, February 27, 2019 10:40 PM
  • Hi,

    Any news? We are having the exact same issue with a fresh ADFS 2016 farm (cumulative updates from 2019-01 installed).

    Permissions on local server and on Active Directory Program Data container are OK.

    Thanks for your help,


    MVP Enterprise Mobility | Microsoft P-Seller | Azure Advisor


    Friday, March 8, 2019 10:51 AM
  • Premier support hasn't been able to replicate the issue.  Since building a new ADFS Farm with Windows Server 2019, every 2016 ADFS Farm I create completes successfully.  Since I cannot reproduce the issue, Premier Support seems to be unable to help or resolve.

    It may not be related to the successful 2016 ADFS Farm build, but I ran across a forum post that said to install IIS. Though the 2016 ADFS documentation says it is no longer reliant on IIS, I added this to my PowerShell script before building the ADFS Farm.

    Install-WindowsFeature Web-Server, Web-WebServer, Web-Mgmt-Console, Web-Scripting-Tools -IncludeManagementTools

    If you aren't running this prior to trying to install the ADFS Farm, give it a shot and reply with the status. I'm curious to hear if it helps.

    Friday, March 8, 2019 7:12 PM
  • Hello,

    First thank you for your answer.

    Installing IIS didn't change the result unfortunately...

    Can you please tell me which updates you installed, and whether the 2019-01 CU was installed during your tests?

    Thank you


    MVP Enterprise Mobility | Microsoft P-Seller | Azure Advisor


    Monday, March 11, 2019 1:00 PM
  • Maxime,

    There was no update for Windows Server 2016 that allowed me to build a 2016 ADFS Farm. Oddly enough, it was creating a new instance with Windows Server 2019 and creating a 2019 ADFS Farm that allowed me to then create my 2016 ADFS Farm. It's a good thing that Microsoft released Windows Server 2019.

    Monday, March 11, 2019 3:20 PM
  • After another call from Premier Services, we decided to close the case without a resolution. Since I cannot reproduce the issue, we cannot obtain further logs (event log and Wireshark). Unfortunately, it seems that the ADFS product team requires this information before helping Premier Services with a ticket. What would be nice is if the installation service provided better logging. If the logs written by the service don't enable Microsoft to resolve the issue, the verbosity and quality of the logs is an issue in and of itself.

    Monday, March 11, 2019 6:35 PM
  • Thanks for the follow-up.

    We are gonna open a ticket because we cannot use Windows Server 2019 in our organization yet.

    It would be awesome if you could share your ticket ID so we can start from something. I'm still able to reproduce the issue, so we would be able to troubleshoot more.

    FYI, a Wireshark trace didn't help much.

    Thanks for your input, and I will keep you posted if we find something relevant.


    MVP Enterprise Mobility | Microsoft P-Seller | Azure Advisor

    Tuesday, March 12, 2019 8:21 AM
  • I hope that you have better luck than I! Our case number is 119022619714810, with the title "Windows Svr 2016 Standard | having an issue trying to install adfs on server 2016".

    Tuesday, March 12, 2019 3:58 PM
  • I'm glad to hear that you found the resolution to your problem.  It certainly seemed like a permissions issue.

    In our deployment, the "Domain Admins" group is a member of "Builtin\Administrators". So ¯\_(ツ)_/¯

    Friday, March 15, 2019 3:26 PM