Whilst in production and for customers I always recommend installing Azure AD Connect on a dedicated machine, in my lab I'm a little constrained with resources, so I have installed it on the Domain Controller, which up to now has been fine.
Today I decided to upgrade to the latest version (18.104.22.168 as of writing), so I duly downloaded the setup and proceeded with the in-place upgrade, having successfully done so in the past.
This time it would error out and advise reading the logs, in which I found:
Error 25037.The groups entered do not all exist or cannot be found.
On a standard server AD Connect will create local security groups to manage access; however, since I was using a domain controller this wasn't possible, nor was I prompted to select custom groups.
So, as it is a lab, I tried uninstalling it and the supporting components before performing a clean install, and lo and behold it installed correctly.
I can only presume the setup process is slightly different during the upgrade and it can't cope with the domain controller's lack of local security groups.
Please remember, if you are doing this, to make a note (or take a backup) of any changes to OU filtering or any rule changes from the default before uninstalling.
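One way to take that backup before uninstalling, as an added example rather than anything from the original post: export the full ADSync server configuration, the non-default sync rules and the OU filtering lists to a dated folder. It assumes the ADSync PowerShell module that ships with AD Connect is available on the sync server, that C:\ADSyncBackup is writable, and that the connector object exposes its OU filter under `Partitions[].ConnectorPartitionScope`.

```powershell
# Added example: snapshot the customisations that an uninstall/reinstall of
# Azure AD Connect would discard. Run in an elevated PowerShell on the sync
# server before uninstalling. Assumptions: the ADSync module installed with
# AD Connect is available, and C:\ADSyncBackup is a writable folder.
Import-Module ADSync

$backupDir = Join-Path 'C:\ADSyncBackup' (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Full server configuration export (connectors, global settings, all rules).
#    Writes several sub-folders beneath the target path.
Get-ADSyncServerConfiguration -Path $backupDir

# 2. Only the non-default (custom) synchronisation rules, in a readable form,
#    so they can be compared against the fresh install afterwards.
Get-ADSyncRule |
    Where-Object { -not $_.IsStandardRule } |
    Select-Object Name, Direction, Precedence, Disabled, Connector, Identifier |
    ConvertTo-Json -Depth 4 |
    Set-Content -Path (Join-Path $backupDir 'custom-sync-rules.json')

# 3. OU filtering: the container inclusion/exclusion lists on each AD connector
#    partition (property path assumed from the ADSync connector object model).
$adConnectors = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' }
$ouFilter = foreach ($c in $adConnectors) {
    foreach ($p in $c.Partitions) {
        [pscustomobject]@{
            Connector = $c.Name
            Partition = $p.Name
            Included  = @($p.ConnectorPartitionScope.ContainerInclusionList)
            Excluded  = @($p.ConnectorPartitionScope.ContainerExclusionList)
        }
    }
}
$ouFilter | ConvertTo-Json -Depth 4 |
    Set-Content -Path (Join-Path $backupDir 'ou-filtering.json')

Write-Host "Configuration snapshot written to $backupDir"
```

After the clean install, diff the two JSON files against a fresh export to confirm every custom rule and OU filter has been re-applied.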