Cloud Knowledge


Your Ultimate Guide to Configuring Azure AD Connect

Azure AD Connect Installation and Setup Prerequisites

Before downloading and installing Azure AD Connect, ensure your on-premises Active Directory (AD) and Azure environments meet the necessary requirements. This guide outlines the prerequisites and steps to confirm readiness.


General Installation Requirements

1. Server Domain and OS Requirements

  • The server must be joined to your on-premises AD domain and run Windows Server 2016 or newer.
  • To check the server version, press Win + R, type winver, and click OK.

2. .NET Framework Version

  • Azure AD Connect requires at least .NET Framework 4.6.2.
  • To verify, open PowerShell and run:
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse | Get-ItemProperty -Name Version, Release -EA 0 | Where { $_.PSChildName -Match '^(?!S)\p{L}'} | Select PSChildName, Version, Release

    Ensure the installed version meets or exceeds the minimum requirement.


3. PowerShell Execution Policy
  • Azure AD Connect requires PowerShell scripts to run, so the execution policy must be set to RemoteSigned.
  • To check, run:
    Get-ExecutionPolicy

    If it returns a different policy, use Group Policy to change it:

    • Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell.
    • Enable the Turn on Script Execution policy and select All local scripts and remote signed scripts.

4. Additional Server Requirements
  • Azure AD Connect cannot be installed on a Server Core or older versions of Windows Server Essentials.
  • Ensure the server has a full GUI and is not running Small Business Server.
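The four general requirements above folded into one pre-flight script, added here as an example (this is not code from the original post). It assumes an elevated PowerShell session on the candidate server; the Windows Server 2016 build number (14393), the .NET Framework 4.6.2 Release value (394802) and the ServerLevels registry key used to detect a Server Core install are assumptions taken from Microsoft's published values.

```powershell
# Added example: pre-flight check for the general Azure AD Connect server requirements.
# Thresholds (assumed from Microsoft's published values):
#   Windows Server 2016 = build 14393, .NET Framework 4.6.2 = Release 394802.

$results = [ordered]@{}

# 1. Domain membership and OS version
$cs = Get-CimInstance Win32_ComputerSystem
$os = Get-CimInstance Win32_OperatingSystem
$results['Domain joined']        = [bool]$cs.PartOfDomain
$results['Is a server SKU']      = ($os.ProductType -ne 1)              # 1 = workstation
$results['OS build >= 14393']    = ([int]$os.BuildNumber -ge 14393)     # Windows Server 2016 or newer

# 2. .NET Framework 4.6.2 or newer: Release DWORD of the v4 "Full" install
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results['.NET >= 4.6.2']        = ($null -ne $ndp -and [int]$ndp.Release -ge 394802)

# 3. Effective execution policy must allow local scripts (the post asks for RemoteSigned)
$policy = [string](Get-ExecutionPolicy)
$results['ExecutionPolicy']      = ($policy -in 'RemoteSigned', 'Unrestricted')

# 4. Full GUI install (no Server Core), and not Essentials / Small Business Server
$levels = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Server\ServerLevels' -ErrorAction SilentlyContinue
$results['Full GUI (not Core)']  = ($null -ne $levels -and $levels.'Server-Gui-Shell' -eq 1)
$results['Not Essentials/SBS']   = ($os.Caption -notmatch 'Essentials|Small Business')

# Print one line per check; anything marked FAIL must be fixed before running the installer
foreach ($r in $results.GetEnumerator()) {
    '{0,-22} {1}' -f $r.Key, $(if ($r.Value) { 'OK' } else { 'FAIL' })
}
```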

Network Connectivity Prerequisites

1. DNS Resolution

  • Verify that your internal DNS resolves all domain names registered in your Microsoft 365 Admin Center account.
  • Use the nslookup command to confirm domain name resolution for both on-premises AD and Azure AD.

2. Proxy Server Configuration
  • If your organization uses a proxy server, modify the machine.config file located at C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\.
  • Add the following code, replacing <PROXYADDRESS> and <PROXYPORT> with your proxy details:
    <system.net>
      <defaultProxy>
        <proxy
          usesystemdefault="true"
          proxyaddress="http://<PROXYADDRESS>:<PROXYPORT>"
          bypassonlocal="true"
        />
      </defaultProxy>
    </system.net>

  • For authenticated proxies, use a group Managed Service Account (gMSA) and update the configuration accordingly.
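The machine.config edit described above, scripted as an added example (not code from the original post). It assumes the default 64-bit .NET 4 machine.config path given above, backs the file up before touching it, and writes exactly the three proxy attributes from the snippet; the function name and the proxy address placeholder are hypothetical.

```powershell
# Added example: insert or update <system.net><defaultProxy><proxy/> in machine.config.
# Function name is hypothetical; $ProxyAddress is a placeholder you must replace.
function Set-AadcMachineConfigProxy {
    param(
        [Parameter(Mandatory)][string]$ProxyAddress,   # e.g. 'http://<PROXYADDRESS>:<PROXYPORT>'
        [string]$ConfigPath = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config'
    )

    # machine.config is shared by every 64-bit .NET 4.x process on the host: keep a timestamped backup
    Copy-Item -Path $ConfigPath -Destination "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"

    # Load with whitespace preserved so the rest of the file keeps its layout
    $cfg = New-Object System.Xml.XmlDocument
    $cfg.PreserveWhitespace = $true
    $cfg.Load($ConfigPath)
    $root = $cfg.DocumentElement   # <configuration>, no namespace

    # Reuse existing elements if present, otherwise create the chain shown in the post
    $sysnet = $root.SelectSingleNode('system.net')
    if (-not $sysnet) { $sysnet = $root.AppendChild($cfg.CreateElement('system.net')) }
    $defProxy = $sysnet.SelectSingleNode('defaultProxy')
    if (-not $defProxy) { $defProxy = $sysnet.AppendChild($cfg.CreateElement('defaultProxy')) }
    $proxy = $defProxy.SelectSingleNode('proxy')
    if (-not $proxy) { $proxy = $defProxy.AppendChild($cfg.CreateElement('proxy')) }

    # The same three attributes as the snippet above
    $proxy.SetAttribute('usesystemdefault', 'true')
    $proxy.SetAttribute('proxyaddress', $ProxyAddress)
    $proxy.SetAttribute('bypassonlocal', 'true')

    $cfg.Save($ConfigPath)

    # Read the element back so the change can be confirmed before launching the wizard
    (Select-Xml -Path $ConfigPath -XPath '/configuration/system.net/defaultProxy/proxy').Node.OuterXml
}

# Usage (run elevated):
Set-AadcMachineConfigProxy -ProxyAddress 'http://<PROXYADDRESS>:<PROXYPORT>'
```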

On-Premises Active Directory Requirements

1. Schema Version and Forest Functional Level

  • The AD schema version must be Windows Server 2003 or higher. Use PowerShell to verify:
    (Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion).objectVersion
  • The forest functional level must also be Windows Server 2003 or higher. Check it with:
    (Get-ADForest).ForestMode

2. Writable Domain Controller

  • Azure AD Connect does not support read-only domain controllers (RODC). Ensure the selected domain controller is writable.

3. Enable Active Directory Recycle Bin (Optional)

  • Enabling the AD Recycle Bin simplifies object recovery but is irreversible. Consider the implications before enabling it via the Active Directory Administrative Center.
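The three on-premises AD requirements above checked in one pass, as an added example (not code from the original post). It assumes the ActiveDirectory RSAT module on a domain-joined host; the mapping from schema objectVersion numbers to Windows Server releases is an assumption from Microsoft's published values.

```powershell
# Added example: on-premises AD readiness checks for Azure AD Connect.
Import-Module ActiveDirectory

# objectVersion values published for each schema release (assumed); 30 = Windows Server 2003
$schemaNames = @{ 30='2003'; 31='2003 R2'; 44='2008'; 47='2008 R2'; 56='2012'; 69='2012 R2'; 87='2016'; 88='2019/2022' }

$rootDse   = Get-ADRootDSE
$schemaVer = [int](Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion).objectVersion
$forest    = Get-ADForest
$dc        = Get-ADDomainController -Identity $rootDse.dnsHostName     # the DC this session is bound to
$recycle   = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'

$schemaName = $schemaNames[$schemaVer]
if (-not $schemaName) { $schemaName = 'unknown' }

$checks = @(
    [pscustomobject]@{
        Check = 'Schema version (>= 2003)'
        Value = "$schemaVer (Windows Server $schemaName)"
        Pass  = ($schemaVer -ge 30)
    }
    [pscustomobject]@{
        Check = 'Forest functional level (>= 2003)'
        Value = [string]$forest.ForestMode
        Pass  = ([string]$forest.ForestMode -notin 'Windows2000Forest', 'Windows2003InterimForest')
    }
    [pscustomobject]@{
        Check = 'Writable DC (RODC not supported)'
        Value = $dc.HostName
        Pass  = (-not $dc.IsReadOnly)
    }
    [pscustomobject]@{
        Check = 'AD Recycle Bin (optional, irreversible)'
        Value = $(if ($recycle.EnabledScopes) { 'Enabled' } else { 'Not enabled' })
        Pass  = $true
    }
)

$checks | Format-Table -AutoSize
```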

Step-by-Step Installation and Setup

1. Download Azure AD Connect

  • Download the installation package from the Microsoft Azure AD Connect page.

2. Run the Installer

  • Double-click the downloaded file, accept the license terms, and choose either Express Settings or Customize for advanced options.
Install Azure AD Connect - Welcome page


If you want to import the configuration from another server so that both have the same settings, check my previous post on configuring the staging server:

How To Upgrade Azure AD Connect


3. Configure User Sign-In

  • Choose a sign-in method, such as Password Hash Synchronization, to allow on-premises AD credentials to authenticate with Azure AD.


Which permissions you require depends on the optional features you enable. If you have multiple domains, the permissions must be granted for all domains in the forest. If you don’t enable any of these features, the default Domain User permissions are sufficient.


4. Connect Directories

  • Add and configure your on-premises AD domain. Use an account with Enterprise Admin privileges to enable synchronization.



Note: the domain you sync to the cloud must be a verified domain. If you sync a domain that is not verified in Azure, the portal appends the onmicrosoft.com suffix after your domain name.


5. Select OU and Domain Filtering

  • Choose specific organizational units (OUs) or domains to sync, or sync all by default.


6. Configuring Unique Identification for On-Prem Users in Azure AD

  To configure how Azure AD uniquely identifies your on-premises Active Directory users, follow these steps:

  1. Identify Unique User Attributes:
    If your Active Directory users have unique identifiers, such as sAMAccountName, it is advisable to use the default option under the section titled “Select how users should be identified in your on-premises directories.” This ensures a consistent and reliable mapping of user identities.

  2. Azure AD Identification Defaults:
    Similarly, it is recommended to accept the default setting in the “Select how users should be identified with Azure AD” section. This setting ensures seamless synchronization and integration between your on-premises Active Directory and Azure AD.

  3. Proceed to the Next Step:
    Once you have reviewed and confirmed the settings for both sections, click Next to continue with the setup process.


7. Configuring Initial Sync in Azure AD Connect

  To set up how Azure AD Connect performs the initial synchronization of your users and devices, follow these steps:

  1. Choose Between Test Sync or Full Sync:

    • If you are piloting your deployment, create an AD Security Group that contains the users and devices you want to test.
    • On the Filter users and devices page, choose the Synchronize selected option. Enter the name of the AD group you created, select Resolve, and then click Next to proceed.
  2. Full Synchronization (Default):

    • If you are ready to sync all users and devices from the containers you selected on the domain and OU filtering page, choose the default option: Synchronize all users and devices.
    • Click Next to continue.

8. Configuring Additional Features and Finalizing Azure AD Connect Installation

  1. Select Additional Features:

    • On the Additional Features page, review the options available.
    • To learn more about any feature, click the help (?) icon next to it.
    • Check the features you want to enable based on your organization’s requirements.
  2. Review Your Configuration:

    • On the final page, review all your selections to ensure they align with your deployment strategy.
  3. Synchronization Settings:

    • By default, the Start the synchronization process when configuration completes checkbox is selected.
    • For production environments, it is strongly recommended to also check the Enable staging mode checkbox to test the configuration without immediately impacting your environment.
  4. Install the Configuration:

    • For this demonstration, I’ll accept the defaults (synchronization starts immediately without staging mode).
    • Click the Install button to complete the setup.

Once installed, Azure AD Connect will begin syncing users and devices based on the options you configured.


9. Verify Synchronization

  • Confirm that selected users and groups are successfully synchronized from on-premises AD to Azure AD.
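One way to do this verification from the Azure AD Connect server, as an added example (not code from the original post). It assumes the ADSync module that ships with Azure AD Connect, the ActiveDirectory RSAT module, and the Microsoft.Graph PowerShell module for the cloud-side check; 'AADC-Pilot' is a placeholder for the pilot security group from the filtering step.

```powershell
# Added example: confirm the scheduler state, run a delta sync, then compare the pilot
# group's members against the synced users visible in Azure AD.
Import-Module ADSync
Import-Module ActiveDirectory

# 1. Scheduler state: sync must be enabled; in staging mode nothing is exported to Azure AD yet
$sched = Get-ADSyncScheduler
'SyncCycleEnabled={0} StagingModeEnabled={1} NextRun(UTC)={2}' -f `
    $sched.SyncCycleEnabled, $sched.StagingModeEnabled, $sched.NextSyncCycleStartTimeInUTC

# 2. Start a delta cycle if no connector is running, then wait until all connectors are idle
if (-not (Get-ADSyncConnectorRunStatus)) { Start-ADSyncSyncCycle -PolicyType Delta | Out-Null }
while (Get-ADSyncConnectorRunStatus) { Start-Sleep -Seconds 15 }

# 3. Cloud side: tenant-level last sync time, then per-user presence of the pilot group's members
Connect-MgGraph -Scopes 'User.Read.All', 'Organization.Read.All' -NoWelcome
$tenantSync = (Get-MgOrganization -Property onPremisesLastSyncDateTime).OnPremisesLastSyncDateTime
"Tenant last sync (UTC): $tenantSync"

# Expected: user members of the pilot group (placeholder name), by sAMAccountName
$expected = @(Get-ADGroupMember -Identity 'AADC-Pilot' -Recursive |
              Where-Object objectClass -eq 'user' |
              Select-Object -ExpandProperty SamAccountName)

# Actual: users Azure AD reports as coming from on-premises sync
$synced = Get-MgUser -Filter 'onPremisesSyncEnabled eq true' -All `
              -Property 'userPrincipalName', 'onPremisesSamAccountName', 'onPremisesLastSyncDateTime'

$missing = @($expected | Where-Object { $_ -notin $synced.OnPremisesSamAccountName })
'Synced: {0} of {1} pilot users' -f ($expected.Count - $missing.Count), $expected.Count
if ($missing.Count -gt 0) { "Not yet in Azure AD: $($missing -join ', ')" }
```

A user that is missing after a completed cycle usually means it fell outside the OU filter or the pilot group, or is being held back by a synchronization rule; a non-empty list here is the cue to check the Synchronization Service Manager before widening the scope.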



Conclusion

Azure AD Connect is essential for synchronizing on-premises AD with Azure AD. While the setup involves careful planning and prerequisite checks, following this guide ensures a smooth installation and configuration process.
