Error upgrading Azure AD Connect on a Domain Controller

Whilst in production and for customers I always recommend installing Azure AD Connect on a dedicated machine, in my lab I’m a little constrained with resources, so I have installed it on the Domain Controller, which up to now has been fine.

Today I decided to upgrade to the latest version (as of writing), so I duly downloaded the setup and proceeded with the in-place upgrade, having successfully done so in the past.

This time it would error out and advise reading the logs, in which I found:

Error 25037.The groups entered do not all exist or cannot be found.

On a standard server, Azure AD Connect will create local security groups to manage access; however, since I was using a domain controller this wasn’t possible, nor was I prompted to select custom groups.

So, as it is a lab, I tried uninstalling it and the supporting components before performing a clean install and, lo and behold, it installed correctly.

I can only presume the setup process is slightly different during the upgrade and it can’t cope with the domain controller’s lack of local security groups.

Please remember, if you are doing this, to make a note (or take a backup) of any changes to OU filtering or to the rules from the default prior to uninstalling.
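One way to take that note before uninstalling, as an added example that is not part of the original post: it saves the sync rules, the non-default rules and the OU filtering scope to files. It assumes the ADSync PowerShell module that ships with Azure AD Connect and the property names that module exposes (IsStandardRule, ConnectorPartitionScope and its container lists), which should be checked against the installed version; the backup folder is a hypothetical path.

```powershell
# Added example: record Azure AD Connect customisations before an uninstall.
# Run in an elevated PowerShell session on the Azure AD Connect server.
Import-Module ADSync -ErrorAction Stop

# Assumption: hypothetical backup location; pick one that survives the uninstall.
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupDir = Join-Path $env:SystemDrive "AADConnectBackup\$stamp"
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Full copy of every sync rule and connector, for later comparison.
$rules      = @(Get-ADSyncRule)
$connectors = @(Get-ADSyncConnector)
$rules      | Export-Clixml -Depth 5 -Path (Join-Path $backupDir 'SyncRules.xml')
$connectors | Export-Clixml -Depth 5 -Path (Join-Path $backupDir 'Connectors.xml')

# 2. Rules that are not part of the default set (custom or cloned rules).
#    Assumption: the rule objects expose an IsStandardRule flag.
$rules | Where-Object { -not $_.IsStandardRule } |
    Select-Object Name, Direction, Precedence, Disabled, Connector |
    Export-Csv -Path (Join-Path $backupDir 'CustomRules.csv') -NoTypeInformation

# 3. OU filtering: included and excluded containers per connector partition.
$ouReport = foreach ($connector in $connectors) {
    foreach ($partition in $connector.Partitions) {
        $scope = $partition.ConnectorPartitionScope
        if (-not $scope) { continue }   # partition carries no container scope
        foreach ($dn in $scope.ContainerInclusionList) {
            [pscustomobject]@{
                Connector = $connector.Name; Partition = $partition.Name
                Scope     = 'Include';       Container = $dn
            }
        }
        foreach ($dn in $scope.ContainerExclusionList) {
            [pscustomobject]@{
                Connector = $connector.Name; Partition = $partition.Name
                Scope     = 'Exclude';       Container = $dn
            }
        }
    }
}
$ouReport | Export-Csv -Path (Join-Path $backupDir 'OuFiltering.csv') -NoTypeInformation

Write-Host "Saved $($rules.Count) rules and $($connectors.Count) connectors to $backupDir"
```

After the clean install, running the same script again and comparing the CSV files shows which OU selections and rules still need to be reapplied.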

Skype for Business Prerequisites

Since Skype for Business Server is more evolutionary than revolutionary, the installation software prerequisites are the same and can be found at

  • Windows Server 2012 SP1 or higher – 2008 R2 is supported for in-place upgrades but shouldn’t be used for new deployments due to it reaching end of mainstream support.
  • Hotfix is required for Windows Server 2012 R2
  • Windows PowerShell – already included in Server 2012 and later
  • .NET Framework 4.5 (with HTTP Activation selected)
  • .NET Framework 3.5
  • Windows Identity Foundation
  • Windows Media Format Runtime
  • Active Directory RSAT
  • Silverlight
  • IIS

Most of these can be enabled by running:

Add-WindowsFeature RSAT-ADDS, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, Web-Dyn-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Mgmt-Tools, Web-Scripting-Tools, Web-Mgmt-Compat, Desktop-Experience, Telnet-Client