This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 21%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
I'm attempting to install and enrol the Intune Connector for AD on a member server in our domain. The server had the legacy connector installed and running successfully and I've uninstalled before downloading and installing the update connector.
Attempting to sign into the connector has resulted in a pause and then back to the Enrolment tab.
The ODJConnectorUI.log shows:
ODJ Connector UI Information: 0 : Executing IsMachineEnrolled method
*DateTime=2025-04-02T10:18:32.4560979Z*
ODJ Connector UI Error: 2 : ERROR: Failed to check if machine is already enrolled. Detailed message is: Object reference not set to an instance of an object.
*DateTime=2025-04-02T10:18:32.4580985Z*
ODJ Connector UI Information: 0 : User clicked on SignIn
*DateTime=2025-04-02T10:18:34.0604484Z*
ODJ Connector UI Information: 0 : Navigating to URL https://portal.manage.microsoft.com/Home/ClientLogon
*DateTime=2025-04-02T10:18:34.1444540Z*
ODJ Connector UI Information: 0 : Browser loaded page https://login.microsoftonline.com/common/oauth2/authorize?client_id=74bcdadc-2fdc-4bb3-8459-76d06952a0e9&redirect_uri=https%3A%2F%2Fportal.manage.microsoft.com%2Fsignin-oidc&response_type=code&prompt=select_account&scope=openid profile&response_mode=form_post&nonce=638791859143581307.OGY4NjUyMDMtMDY0YS00ZWE0LWFkNTItNWVlOTNkMmM1OGQyN2U1MGYxZjEtNDk0YS00OThlLThkYjQtYzdhOTgyMzg1ZmU0&display=host&state=CfDJ8Ji1hs71b9ZDlZfpMprk6xWlOKdzjKYJ0BYdxLP5A7zd79QRF83iSe3X1JH9yUSFjVSb4uWWhxdI7A0UeHoNvAYdicyHnbapL1FaTpZIxbbLwN8tTi3iIuhVhwsswF67a6D5mxIhY4tzFBvUPKg8qsJdZMj8G-cmuQ3FQ98hYNX8d6po4XeO7AVY-f5San6oGhxAVk0mXR-y0DTXpQ33Bx6G2mYGhsJy6KKvC8yiZi47r8osEgW1fWErTzamLr_oJdPIU9T-Hh6aAV16iWIF9MTKWiajj9uw_HMTE6I4RriyJfI2TwiaUSqmzCJ0mH0o9meHrawme1A7kPdbgh_Gc0hgbg7ZMTIWqzJHemVnPXqrKw7D9PaWxkf-iIST6Y4ivg&x-client-SKU=ID_NET472&x-client-ver=8.3.0.0
*DateTime=2025-04-02T10:18:34.9712594Z*
ODJ Connector UI Information: 0 : Browser loaded page https://portal.manage.microsoft.com/Home/ClientLogonSuccess
*DateTime=2025-04-02T10:18:49.9886841Z*
ODJ Connector UI Information: 0 : Getting the URL for EnrollmentService from https://manage.microsoft.com/RestUserAuthLocationService/RestUserAuthLocationService/ServiceAddresses
*DateTime=2025-04-02T10:18:50.2627010Z*
ODJ Connector UI Information: 0 : Received Url for EnrollmentService as https://fef.msub03.manage.microsoft.com/StatelessEnrollmentService from RestUserAuthLocationService.
*DateTime=2025-04-02T10:18:50.2627010Z*
ODJ Connector UI Information: 0 : Getting the URL for RAODJPlusFEGatewayService_FEF from https://manage.microsoft.com/RestUserAuthLocationService/RestUserAuthLocationService/ServiceAddresses
*DateTime=2025-04-02T10:18:50.2627010Z*
ODJ Connector UI Information: 0 : Received Url for RAODJPlusFEGatewayService_FEF as https://fef.msub03.manage.microsoft.com/TrafficGateway/TrafficRoutingService/RAODJPlus/StatelessODJService from RestUserAuthLocationService.
*DateTime=2025-04-02T10:18:50.2627010Z*
ODJ Connector UI Information: 0 : Searching for any pre-existing Managed Service Accounts installed on this machine.
*DateTime=2025-04-02T10:18:50.3177048Z*
ODJ Connector UI Information: 0 : MSA name : msaODJotY4G
*DateTime=2025-04-02T10:18:50.6357287Z*
ODJ Connector UI Error: 2 : ERROR: Enrollment failed. Detailed message is: Microsoft.Management.Services.ConnectorCommon.Exceptions.ConnectorConfigurationException: MSA account msaODJotY4G is not valid!
at Microsoft.Management.Services.ConnectorCommon.ManagedServiceAccountUtilities.ManagedServiceAccountUtilities.CreateManagedServiceAccount(String domainName, String precreatedMsaAccount)
at ODJConnectorUI.EnrollmentTab.CreateMsa(String domainName, StepsStarted& stepsStartedFlag)
at ODJConnectorUI.EnrollmentTab.webBrowser_LoadCompleted(Object sender, NavigationEventArgs e)
*DateTime=2025-04-02T10:18:50.8667425Z*
ODJ Connector UI Information: 0 : Storing telemetry: CreateMsaAccount, hasException: True
*DateTime=2025-04-02T10:18:50.8687426Z*
ODJ Connector UI Information: 0 : Sending telemetry: CreateMsaAccount, hasException: True
*DateTime=2025-04-02T10:18:50.8797424Z*
ODJ Connector UI Information: 0 : Sending telemetry to ODJService
*DateTime=2025-04-02T10:18:50.9047425Z*
ODJ Connector UI Information: 0 : RAODJPlus Service URL: https://fef.msub03.manage.microsoft.com/TrafficGateway/TrafficRoutingService/RAODJPlus/StatelessODJService/odjConnectorTelemetry/uploadTelemetry
*DateTime=2025-04-02T10:18:50.9047425Z*
ODJ Connector UI Information: 0 : Successfully sent request to RAODJPlusFEGatewayService_FEF
*DateTime=2025-04-02T10:18:51.5427600Z*
ODJ Connector UI Information: 0 : Response from ODJService: OK
*DateTime=2025-04-02T10:18:51.5427600Z*
ODJ Connector UI Error: 8 : Removing Managed Service Account ...
*DateTime=2025-04-02T10:18:51.5447596Z*
ODJ Connector UI Error: 8 : Successfully removed Managed Service Account
*DateTime=2025-04-02T10:18:51.5457591Z*
ODJ Connector UI Error: 8 : Returning to the home page
*DateTime=2025-04-02T10:18:51.5457591Z*
The Intune | ODJConnector | Operational log is reporting:
ODJRequestHandlingPipelineDownload_Failure: Failed to download ODJ requests.
InstanceId:D0039F3A-05ED-4B89-BD6E-98573D3D371A,
DiagnosticCode:Unknown_Error,
DiagnosticText:We are unable to complete your request because a server-side error occurred. Please try again. [Exception Message: "DiagnosticException: 0x0FFFFFFF. We are unable to complete your request because a server-side error occurred. Please try again."]
My on-prem account has create permissions to the Managed Service Accounts OU and the account is created there. The signed in Entra ID account has an Intune license and the Intune Administrator role
So, what am I missing?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Jeff Smith, Thanks for posting in Q&A. From the error message, it seems the enrollment is failed to check. Please go to Intune portal, Devices > Windows > Enrollment > click Intune Connector for Active Directory under Windows Autopilot. Check if the previous connector is still there.
According to the following information to avoid uninstalling not complete, please follow these steps to uninstall:
When comparing with the previous connector, updated Intune Connector for Active Directory uses a Managed Service Account (MSA) instead of a SYSTEM account. And the Domain account we install the new connector on the server needs with local administrator privileges and permission to create msDS-ManagedServiceAccount objects in the Managed Service Accounts container. I notice you already grant create msDS-ManagedServiceAccount objects permission. Please ensure it also has local administrator privileges on the server.
Meanwhile, make sure all the requirements are met.
After that, try to install the new connector again by following the steps in this link:
Please try the above suggestion and if there's any update, feel free to let us know.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thanks for your answer.
I think I've met the requirements and followed all the suggestions. Except for one thing: even though I followed the recommended advice on uninstalling the old connector, it is still in Intune. In fact, yesterday it's status changed to inactive but today it is showing as active though the last sync time is displayed as before I uninstalled it.
Would this be stopping the enrolment? And what would I do to resolve it?
Further update. After one of our on-prem infrastructure guys tweaked the permission on my on-prem admin account, I am now able to enrol the connector. However when I click on Configure Manager Service Account button I get the following error:
The log shows the creation of the msa and it being granted permissions to registry keys and access to the "ODJConnector" certificate store. However, following this the log reports:
ODJ Connector UI Information: 0 : Starting to revoke the permission of the Managed Service Account with the name "msaODJn1DhW" to create computer objects in all Organizational Units.
DateTime=2025-04-03T13:58:59.7391049Z
ODJ Connector UI Error: 0 : Failed to revoke the Managed Service Account with the name "msaODJn1DhW" permission to create computer objects in the Organizational Unit due to the following error: A constraint violation occurred.
.
DateTime=2025-04-03T13:59:00.0608708Z
Followed by all the previously granted permissions being removed and the account successfully deleted.
I have edited the following line to the ODJConnectorEnrollmentWizard.exe.config file to point the connector to our test OU:
<add key="OrganizationalUnitsUsedForOfflineDomainJoin" value="OU=InTune Testing,OU=IT Development and Test,DC=,DC=******" />
Would the spaces in the names of the OUs need special treatment?
@Jeff Smith, Thanks for the reply. I am glad the enrollment can be successful after tweaking the permission. For the MSA account creating error, it sems caused by the previous Managed Service Account "msaODJn1DhW". And now it is deleted.
For the spaces in the names of Organizational Units (OUs), based as I know it will not typically cause issues, but it's important to ensure that the formatting is correct. if you are confused of this, you can try a simple name to test.