Xadean's Empirical Musing

September 01
Azure AD Connect Health Sync Agent failed to register

Description of Issue(s) Experienced:

We encountered the following error messages after upgrading Azure AD Connect on a Windows 2012 member server running Exchange Server 2013 in a hybrid configuration. This server performs the periodic directory synchronization of the on-premises Active Directory to Azure AD (Office 365). The AAD Health Sync Agent monitors that process and e-mails alerts to the global administrators if anything fails.

 

PS C:\> $azureUserName="globaladmin@TenantID.onmicrosoft.com"
PS C:\> $azurePassword="**********"
PS C:\> $azureSecurePassword = ConvertTo-SecureString $azurePassword -AsPlainText -Force
PS C:\> $azureCreds = New-Object System.Management.Automation.PSCredential $azureUserName, $azureSecurePassword
PS C:\> Register-AzureADConnectHealthSyncAgent -Credential $azureCreds
2018-05-31 13:53:54.349 ProductName: Microsoft Azure AD Connect Health agent for sync, FileVersion: 3.0.164.0, Current UTC Time: 2018-05-31 13:53:54Z
2018-05-31 13:53:54.349 enableRegiration: True
2018-05-31 13:53:54.349 AHealthServiceUri (ARM): https://management.azure.com/providers/Microsoft.ADHybridHealthService/
2018-05-31 13:53:54.364 AdHybridHealthServiceUri: https://s1.adhybridhealth.azure.com/
2018-05-31 13:53:54.364 AHealthServiceUri (ARM): https://management.azure.com/providers/Microsoft.ADHybridHealthService/
2018-05-31 13:53:54.364 AdHybridHealthServiceUri: https://s1.adhybridhealth.azure.com/
2018-05-31 13:53:54.786 AHealthServiceApiVersion: 2014-01-01
2018-05-31 13:53:56.112 Detecting AadSyncService roles...
2018-05-31 13:53:57.063 Detected the following role(s) for ContinuumInnovations.onmicrosoft.com:
2018-05-31 13:53:57.063     Microsoft Azure Active Directory Sync Services
2018-05-31 13:54:02.976 Aquiring Monitoring Service certificate using tenant.cert
Register-AzureADConnectHealthSyncAgent : Failed configuring Monitoring Service using command: C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\Monitor\Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe sourcePath="C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\tenant.cert" version="1.1.819.0"
At line:1 char:1
+ Register-AzureADConnectHealthSyncAgent -Credential $azureCreds
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Register-AzureADConnectHealthSyncAgent], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.Identity.AadConnect.Health.AadSync.PowerShell.ConfigurationModule.RegisterAzureAdConnectHealthSyncAgent


PS C:\temp> .\AADConnect-CommunicationsTest.ps1

Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run C:\temp\AADConnect-CommunicationsTest.ps1?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"): R
Running all tests.
[2018-07-20 09:54:37] [SUCCESS] :: Successfully logged on to Azure Active Directory as .
[2018-07-20 09:54:37] [SUCCESS] :: User is a member of Global Administrators.
[2018-07-20 09:54:37] [SUCCESS] :: Successfully resolved _ldap._tcp.CONTINUUMNET.COM.
[2018-07-20 09:54:37] [SUCCESS] :: Successfully resolved BOSDC2.CONTINUUMNET.COM.
[2018-07-20 09:54:37] [ERROR] :: Exception: Error attempting TCP connection to BOSDC2.CONTINUUMNET.COM:53.
[2018-07-20 09:54:37] [ERROR] :: Exception: Error attempting TCP connection to BOSDC2.CONTINUUMNET.COM:135.
[2018-07-20 09:54:37] [ERROR] :: Exception: Error attempting TCP connection to BOSDC2.CONTINUUMNET.COM:389.
[2018-07-20 09:54:38] [ERROR] :: Exception: Error attempting TCP connection to BOSDC2.CONTINUUMNET.COM:445.
[2018-07-20 09:54:38] [ERROR] :: Exception: Error attempting TCP connection to BOSDC2.CONTINUUMNET.COM:3268.
[2018-07-20 09:54:38] [INFO] :: Testing CRL endpoint tests (Invoke-WebRequest).
[2018-07-20 09:54:38] [SUCCESS] :: Successfully obtained CRL from http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl.
[2018-07-20 09:54:38] [SUCCESS] :: Successfully obtained CRL from http://mscrl.microsoft.com/pki/mscorp/crl/msitwww2.crl.
[2018-07-20 09:54:38] [SUCCESS] :: Successfully obtained CRL from http://ocsp.verisign.com.
[2018-07-20 09:54:38] [SUCCESS] :: Successfully obtained CRL from http://ocsp.entrust.net.
[2018-07-20 09:54:38] [INFO] :: Testing Required Resources (TCP:443).
[2018-07-20 09:54:38] [ERROR] :: Error resolving or connecting to adminwebservice.microsoftonline.com [13.106.56.10]:443
[2018-07-20 09:54:38] [ERROR] :: Error resolving or connecting to login.microsoftonline.com [23.100.72.34]:443
[2018-07-20 09:54:38] [ERROR] :: Error resolving or connecting to login.microsoftonline.com [23.100.72.33]:443
[2018-07-20 09:54:38] [ERROR] :: Error resolving or connecting to login.microsoftonline.com [65.52.1.18]:443
[2018-07-20 09:54:38] [ERROR] :: Error resolving or connecting to login.microsoftonline.com [65.52.193.138]:443
[2018-07-20 09:54:38] [ERROR] :: Error resolving or connecting to login.microsoftonline.com [65.52.1.16]:443
[2018-07-20 09:54:38] [ERROR] :: Error resolving or connecting to login.microsoftonline.com [65.52.1.17]:443
[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to provisioningapi.microsoftonline.com [65.52.193.139]:443
[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to provisioningapi.microsoftonline.com [23.100.72.36]:443
[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to provisioningapi.microsoftonline.com [65.52.1.19]:443
[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to provisioningapi.microsoftonline.com [23.101.165.170]:443
[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to provisioningapi.microsoftonline.com [23.100.72.35]:443
[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to login.windows.net [23.100.72.33]:443
[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to login.windows.net [65.52.1.18]:443
[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to login.windows.net [65.52.1.17]:443
[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to login.windows.net [65.52.193.137]:443
[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to login.windows.net [65.52.1.16]:443
[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to login.windows.net [65.52.193.138]:443
[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to login.windows.net [23.100.72.34]:443
[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to login.windows.net [65.52.193.136]:443
[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to secure.aadcdn.microsoftonline-p.com [104.88.91.203]:443
[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to management.core.windows.net [23.102.135.246]:443
[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to bba800-anchor.microsoftonline.com [157.55.130.72]:443
[2018-07-20 09:54:40] [INFO] :: Testing Optional Resources (TCP:443).
[2018-07-20 09:54:40] [WARN] :: Error resolving or connecting to management.azure.com [52.235.62.51]:443
[2018-07-20 09:54:40] [WARN] :: Error resolving or connecting to policykeyservice.dc.ad.msft.net [23.101.165.170]:443
[2018-07-20 09:54:40] [WARN] :: Error resolving or connecting to policykeyservice.dc.ad.msft.net [65.52.193.139]:443
[2018-07-20 09:54:40] [WARN] :: Error resolving or connecting to policykeyservice.dc.ad.msft.net [23.100.72.36]:443
[2018-07-20 09:54:40] [WARN] :: Error resolving or connecting to policykeyservice.dc.ad.msft.net [23.100.72.35]:443
[2018-07-20 09:54:40] [WARN] :: Error resolving or connecting to policykeyservice.dc.ad.msft.net [65.52.1.19]:443
[2018-07-20 09:54:40] [WARN] :: Error resolving or connecting to s1.adhybridhealth.azure.com [65.52.193.139]:443
[2018-07-20 09:54:40] [WARN] :: Error resolving or connecting to s1.adhybridhealth.azure.com [23.100.72.36]:443
[2018-07-20 09:54:40] [WARN] :: Error resolving or connecting to s1.adhybridhealth.azure.com [23.100.72.35]:443
[2018-07-20 09:54:40] [WARN] :: Error resolving or connecting to s1.adhybridhealth.azure.com [65.52.1.19]:443
[2018-07-20 09:54:40] [WARN] :: Error resolving or connecting to s1.adhybridhealth.azure.com [23.101.165.170]:443
[2018-07-20 09:54:40] [INFO] :: Testing Required Resources Endpoints (Invoke-Webrequest).
[2018-07-20 09:54:41] [SUCCESS] :: Successfully connected to https://adminwebservice.microsoftonline.com/provisioningservice.svc.
[2018-07-20 09:54:41] [SUCCESS] :: Successfully connected to https://login.microsoftonline.com.
[2018-07-20 09:54:48] [SUCCESS] :: Successfully connected to https://provisioningapi.microsoftonline.com/provisioningwebservice.svc.
[2018-07-20 09:54:48] [SUCCESS] :: Successfully connected to https://login.windows.net.
[2018-07-20 09:54:48] [SUCCESS] :: Successfully connected to https://secure.aadcdn.microsoftonline-p.com/ests/2.1.5975.9/content/cdnbundles/jquery.1.11.min.js.
[2018-07-20 09:54:48] [INFO] :: Testing Optional Resources Endpoints (Invoke-Webrequest).
[2018-07-20 09:54:49] [SUCCESS] :: Successfully connected to https://policykeyservice.dc.ad.msft.net/clientregistrationmanager.svc.
[2018-07-20 09:54:49] [INFO] :: Testing Seamless SSO Endpoints (TCP:443).
[2018-07-20 09:54:49] [ERROR] :: Error resolving or connecting to autologon.microsoftazuread-sso.com [65.52.193.138]:443
[2018-07-20 09:54:49] [ERROR] :: Error resolving or connecting to autologon.microsoftazuread-sso.com [65.52.1.16]:443
[2018-07-20 09:54:49] [ERROR] :: Error resolving or connecting to autologon.microsoftazuread-sso.com [65.52.1.17]:443
[2018-07-20 09:54:49] [ERROR] :: Error resolving or connecting to autologon.microsoftazuread-sso.com [23.100.72.34]:443
[2018-07-20 09:54:49] [ERROR] :: Error resolving or connecting to autologon.microsoftazuread-sso.com [23.100.72.33]:443
[2018-07-20 09:54:49] [ERROR] :: Error resolving or connecting to autologon.microsoftazuread-sso.com [65.52.1.18]:443
[2018-07-20 09:54:49] [ERROR] :: Error resolving or connecting to aadg.windows.net.nsatc.net [65.52.1.16]:443
[2018-07-20 09:54:49] [ERROR] :: Error resolving or connecting to aadg.windows.net.nsatc.net [65.52.1.17]:443
[2018-07-20 09:54:49] [ERROR] :: Error resolving or connecting to aadg.windows.net.nsatc.net [23.100.72.34]:443
[2018-07-20 09:54:49] [ERROR] :: Error resolving or connecting to aadg.windows.net.nsatc.net [23.100.72.33]:443
[2018-07-20 09:54:49] [ERROR] :: Error resolving or connecting to aadg.windows.net.nsatc.net [65.52.1.18]:443
[2018-07-20 09:54:50] [ERROR] :: Error resolving or connecting to aadg.windows.net.nsatc.net [65.52.193.138]:443
[2018-07-20 09:54:50] [ERROR] :: Error resolving or connecting to 0.register.msappproxy.net [52.173.21.84]:443
[2018-07-20 09:54:50] [ERROR] :: Error resolving or connecting to 0.registration.msappproxy.net [52.173.21.84]:443
[2018-07-20 09:54:50] [INFO] :: Testing Additional Resources Endpoints (Invoke-Webrequest).
[2018-07-20 09:54:50] [WARN] :: Error resolving or connecting to watchdog.servicebus.windows.net [70.37.104.240]:5671
[2018-07-20 09:54:51] [INFO] :: Checking TLS settings for Windows Server 2012.
[2018-07-20 09:54:51] [INFO] :: Done! Logfile is 2018-07-20_AADConnectConnectivity.txt.


Recent changes that could have contributed to this issue were as follows:

  1. Ran IISCrypto.exe to disable weak protocols (SSLv2 and SSLv3) and ciphers (RC2, RC4, DES and 3DES) and to enable strong protocols and ciphers (TLSv1.2, AES128 and AES256).
  2. Enabled and then disabled FIPS-compliant security, following these steps:
    1. Log on to the computer using an account that has administrative credentials.
    2. Click Start, click Run, type gpedit.msc, and then press ENTER.
    3. In the Local Group Policy Editor, under the Computer Configuration node, double-click Windows Settings, and then double-click Security Settings.
    4. Under the Security Settings node, double-click Local Policies, and then click Security Options.
    5. In the details pane, double-click "System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing".
    6. In the "System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing" dialog box, click Enabled, and then click OK to close the dialog box.
    7. Close the Local Group Policy Editor.
    8. If you prefer to do this manually, you can also simply set the registry value HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled to 1.
  3. Added these two (2) registry keys:


Eventually we were also unable to RDP to the Windows 2012 server, which turned out to be a related symptom.

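Because the changes above all touch the server's cryptographic configuration, it helps to record that configuration before and after such a change. The following is an added example, not code from the original post: it reads back the FIPS policy value named above, the SCHANNEL per-protocol switches that IISCrypto edits, and the .NET SchUseStrongCrypto value (the documented Windows registry locations; a missing key is reported as $null rather than guessed).

```powershell
# Added example (not part of the original post): report the FIPS policy, the
# SCHANNEL protocol switches and the .NET strong-crypto flag on this server.
# Run in an elevated PowerShell on the Azure AD Connect server.

function Get-FipsPolicyState {
    # Registry value named in the post; 1 = FIPS-compliant algorithms enforced.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy'
    $v = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{ Setting = 'FIPSAlgorithmPolicy\Enabled'; Value = $v; Enforced = ($v -eq 1) }
}

function Get-SchannelProtocolState {
    # One subkey per protocol, each with Client/Server subkeys holding the
    # Enabled and DisabledByDefault DWORDs that tools such as IISCrypto write.
    # A missing key means the OS default applies; it is reported as $null.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $path  = Join-Path (Join-Path $base $proto) $side
            $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            $enabled  = $null
            $disabled = $null
            if ($props) { $enabled = $props.Enabled; $disabled = $props.DisabledByDefault }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabled
            }
        }
    }
}

function Get-DotNetStrongCryptoState {
    # Azure AD Connect is a .NET application; when only TLS 1.2 is left enabled,
    # .NET Framework 4.x generally needs SchUseStrongCrypto = 1 to negotiate it.
    foreach ($hive in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                      'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $v = (Get-ItemProperty -Path $hive -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
        [pscustomobject]@{ Key = $hive; SchUseStrongCrypto = $v }
    }
}

Get-FipsPolicyState         | Format-List
Get-SchannelProtocolState   | Format-Table -AutoSize
Get-DotNetStrongCryptoState | Format-Table -AutoSize
```

Running it once before a hardening change and once after gives a diffable record of exactly which protocol or policy switch moved, which is what this troubleshooting session lacked.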

Resolution:

We resolved the issue as follows:

  1. Navigate to the "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" folder.
    1. Modify the security permissions on this folder (right-click the MachineKeys folder, click Properties, open the Security tab, click Advanced, click Permissions, add Full Control for the server's local Administrators group, and tick the "Replace permissions" check box). Note that you may need to take ownership of this folder before you can modify its permissions.
  2. Create a subfolder named "Archive".
  3. Move all the system files in this directory into the Archive subfolder (these files have long alphanumeric names such as "f686aace6942fb7f7ceb231212eef4a4_ac81b1e3-5312-44a2-b264-124a1cc52d0f"). Move rather than delete them: they are the private-key containers for the machine's certificates, so keep the Archive folder until everything is confirmed working.
  4. Launch an elevated Windows PowerShell and run the following command to register the health sync agent manually: Register-AzureADConnectHealthSyncAgent -AttributeFiltering $false -StagingMode $false

After these steps the AAD Health Sync Agent registered successfully and we could once again RDP into the Windows 2012 server.

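The same four steps as a script, added here as an example and not taken from the original post. It saves the folder's current ACL before touching it, grants the local Administrators group Full Control with inheritance, moves (never deletes) only files whose names match the key-container pattern shown above, and then runs the registration cmdlet from the post; the backup path under $env:TEMP and the name pattern are this example's assumptions.

```powershell
# Added example (not part of the original post): MachineKeys archive-and-
# re-register procedure with a recorded ACL and a move-only policy.
# Run in an elevated PowerShell on the Azure AD Connect server. If Get-Acl or
# Set-Acl fail with "access denied", take ownership of the folder first, as
# the post notes may be necessary.

$MachineKeys = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'
$Archive     = Join-Path $MachineKeys 'Archive'
$Stamp       = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Keep the current ACL (as SDDL) so the permission change can be reverted.
$aclBackup = Join-Path $env:TEMP "MachineKeys-acl-$Stamp.sddl"
(Get-Acl -Path $MachineKeys).Sddl | Set-Content -Path $aclBackup
Write-Host "ACL saved to $aclBackup"

# 2. Grant BUILTIN\Administrators Full Control, inherited by files and
#    subfolders (the Properties / Security / Advanced steps in the post).
$acl  = Get-Acl -Path $MachineKeys
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $MachineKeys -AclObject $acl

# 3. Move the key containers aside. Their names are <32 hex chars>_<GUID>;
#    anything else in the folder (including Archive itself) is left alone.
New-Item -ItemType Directory -Path $Archive -Force | Out-Null
$containers = @(Get-ChildItem -Path $MachineKeys -File -Force |
    Where-Object { $_.Name -match '^[0-9a-f]{32}_[0-9a-f-]{36}$' })
foreach ($f in $containers) {
    Move-Item -Path $f.FullName -Destination $Archive
}
Write-Host ("Archived {0} key container(s) to {1}" -f $containers.Count, $Archive)

# 4. Re-register the Health Sync Agent with the switches used in the post.
Register-AzureADConnectHealthSyncAgent -AttributeFiltering $false -StagingMode $false
```

The saved .sddl file can be applied back with Set-Acl once the agent is registered, so the widened permissions on MachineKeys do not have to stay in place.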

Tools / Resources Used:

PowerShell Commands

# The following command manually registers the Azure AD Connect Health Sync Agent.
Register-AzureADConnectHealthSyncAgent -AttributeFiltering $false -StagingMode $false

# The following command tests/validates the Azure AD Connect Health Sync Agent connectivity.
Test-AzureADConnectHealthConnectivity -Role Sync -ShowResult

PowerShell Scripts

AADConnect-CommunicationsTest.ps1


Reference Links:

What actually happens when you enforce FIPS 140-2 compliant encryption within Windows: http://technet.microsoft.com/en-us/library/cc750357.aspx

The official instructions to enable FIPS 140-2 compliance: http://support.microsoft.com/kb/811833

Article on resolving issues connecting to Terminal Services via RDP (Event ID 1057, the terminal server has failed to create a new self-signed certificate): https://blogs.technet.microsoft.com/the_9z_by_chris_davis/2014/02/20/event-id-1057-the-terminal-server-has-failed-to-create-a-new-self-signed-certificate/
