Azure Active Directory Connect (a.k.a. AAD Connect) is a tool provided by Microsoft to connect your Windows Server Active Directory to Microsoft Azure AD. It incorporates all the features provided by the preceding synchronization tools (Azure AD Sync and DirSync) and provides many advanced features natively. Future releases of AAD Connect are expected to provide many FIM 2010 R2 (Forefront Identity Manager) and MIM 2016 (Microsoft Identity Manager) features, such as connecting to single or multiple on-premises LDAP directories, connecting to on-premises AD and on-premises LDAP directories together, connecting to custom systems (i.e. SQL, Oracle, MySQL etc.) and connecting to on-premises HR systems (i.e. SAP, Oracle eBusiness, PeopleSoft).
Here are the system prerequisites to install AAD Connect:
- At least Windows Server 2008 or later. (Note: If using Windows Server 2008 or 2008 R2 then apply the latest updates and hotfixes before starting the installation.)
- Windows Server Standard edition or above, Essential is not supported.
- Full GUI version of Windows Server, server core is not supported.
- Server must have .NET Framework 4.5.1 or later and Microsoft PowerShell 3.0 or later installed.
- At least Windows Server 2008 R2 SP1 or later if you plan to use the password synchronization feature.
- At least Windows Server 2012 or later if you plan to use the group managed service account feature.
- Server must not have PowerShell Transcription Group Policy enabled.
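The prerequisites above can be checked before the installer is copied onto the server. The following PowerShell function is an added example, not part of the original post or of the AAD Connect tool; it reads the OS version, edition, installation type, .NET and PowerShell versions, the PowerShell Transcription policy key and the domain-join state, and returns one pass/fail row per requirement without changing anything. Thresholds (version numbers, the .NET 4.5.1 `Release` value 378675) are taken from the list above and from Microsoft's published .NET version table; the registry paths are the standard Windows locations for those settings.

```powershell
# Added example (not from the original post): pre-flight check of the AAD Connect
# prerequisites. Run in an elevated PowerShell session on the candidate server.
function Test-AadConnectPrerequisites {
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string]$Name, [bool]$Passed, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
    }

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $ver = [version]$os.Version          # e.g. 10.0.14393 on Windows Server 2016

    # Windows Server 2008 = 6.0, 2008 R2 = 6.1, 2012 = 6.2, 2012 R2 = 6.3, 2016 = 10.0.
    # ProductType 1 is a client OS, 2 a domain controller, 3 a member server.
    Add-Result 'Windows Server 2008 or later' (($os.ProductType -ne 1) -and ($ver -ge [version]'6.0')) $os.Caption

    # Standard edition or above; Essentials is not supported (edition read from the OS caption).
    Add-Result 'Standard edition or above (not Essentials)' ($os.Caption -notmatch 'Essentials') $os.Caption

    # Full GUI install; Server Core is not supported.
    $installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
    Add-Result 'Full GUI (not Server Core)' ($installType -ne 'Server Core') "InstallationType=$installType"

    # .NET Framework 4.5.1 or later: the 4.x Release value 378675 is the 4.5.1 baseline.
    $release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
                -ErrorAction SilentlyContinue).Release
    Add-Result '.NET Framework 4.5.1 or later' ([int]$release -ge 378675) "Release=$release"

    # PowerShell 3.0 or later.
    Add-Result 'PowerShell 3.0 or later' ($PSVersionTable.PSVersion.Major -ge 3) $PSVersionTable.PSVersion.ToString()

    # Feature-specific minimums: password sync needs 2008 R2 SP1, gMSA needs 2012.
    $pwdSyncOk = if ($ver.Major -eq 6 -and $ver.Minor -eq 1) { $os.ServicePackMajorVersion -ge 1 }
                 else { $ver -ge [version]'6.2' }
    Add-Result 'Password sync: 2008 R2 SP1 or later' $pwdSyncOk "SP$($os.ServicePackMajorVersion)"
    Add-Result 'gMSA: Windows Server 2012 or later' ($ver -ge [version]'6.2') $ver.ToString()

    # PowerShell Transcription policy must not be enabled on the server.
    $tr = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' `
          -ErrorAction SilentlyContinue
    $transcriptionOn = ($null -ne $tr) -and ($tr.EnableTranscripting -eq 1)
    Add-Result 'PowerShell Transcription policy not enabled' (-not $transcriptionOn) "EnableTranscripting=$($tr.EnableTranscripting)"

    # Not a hard requirement, but express settings are only offered on a domain-joined server.
    Add-Result 'Domain joined (needed for express settings)' $cs.PartOfDomain $cs.Domain

    return $results
}

Test-AadConnectPrerequisites | Format-Table -AutoSize
```

Any row with `Passed` equal to `False` should be resolved before running the installer; the Transcription check in particular reads the policy key the installer refuses to proceed under, so it tells you whether a Group Policy change is needed before you begin.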
Now let's have a look at how to install and configure AAD Connect. I am using Windows Server 2016 for the AAD Connect server and will use a local SQL Server 2012 Express edition. SQL Server 2012 Express is the default DB option and is recommended for small to medium AD environments with up to 100K AD objects. Otherwise, you can use your own SQL Server instance via the "customize" option at installation time.
First, go to your Azure AD tenant and create an account with the global administrator directory role. This global administrator account will be used to configure AAD Connect.
Once the user is created, log in to https://portal.azure.com to set the new password.
Now, open https://portal.azure.com on the AAD Connect server and log in with the global administrator account.
Now click on Azure Active Directory in the left panel.
Now, click on Azure AD Connect.
Now, click on "Download Azure AD Connect". (Note: you can also download it directly from the web.)
Now, run the executable file to install the Azure AD Connect tool.
Once installation is completed, a new wizard will open. Accept the terms and conditions and click Continue.
Now, you have two options: either go with express settings or click Customize. If your AAD Connect server is not domain joined, you will not have the choice to go with express settings.
Installation using express settings is very simple. You just need to make sure your AAD Connect server is domain joined and then follow the steps.
In this blog post let me show you how to install AAD Connect with the Customize option. There are four optional, self-explanatory configuration choices, but I'm not going to select any of them for customization. However, I'll explain these options in the next step.
If you select the first two options for customization, you need to provide an installation path for the "Specify a custom installation location" option and the SQL server name and instance name for the "Use an existing SQL Server" option. You also need to make sure the required ports are open to connect to the SQL Server.
The "Use an existing service account" customization option requires either Managed Service Account credentials or, under the Domain Account option, the credentials of a service account in the domain, to connect to the remote SQL Server. Make sure the user who is running the installation has the SA role in SQL so that a login for the service account can be created. By default, AAD Connect creates four sync groups on the local server, but if you would like to use your own groups then specify them here and make sure those groups are local to the server, not domain groups.
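The three conditions in the two paragraphs above (SQL port open, installing user holds the SA role, custom sync groups are local) can be verified from the AAD Connect server before the wizard is started. The function below is an added example, not the post's or Microsoft's own code; the SQL server name, instance name and port are placeholders to replace with your own, and the four group names are the defaults AAD Connect creates when no custom groups are specified. The SA check opens a connection with the current user's Windows credentials and asks SQL Server directly, so run it as the account that will run the installer.

```powershell
# Added example (not from the original post): checks for the "Use an existing SQL Server"
# and "Use an existing service account" customization options.
function Test-AadConnectCustomOptions {
    param(
        [string]$SqlServer    = 'sql01.corp.example',   # placeholder: your SQL Server host
        [string]$SqlInstance  = '',                     # placeholder: named instance, or '' for the default
        [int]$SqlPort         = 1433,                   # default port; named instances often use another
        [string[]]$SyncGroups = @('ADSyncAdmins', 'ADSyncOperators', 'ADSyncBrowse', 'ADSyncPasswordSet')
    )
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string]$Name, [bool]$Passed, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
    }

    # 1. The SQL port must be reachable from this server (firewall / listener check).
    $tcp = Test-NetConnection -ComputerName $SqlServer -Port $SqlPort -WarningAction SilentlyContinue
    Add-Result "TCP $SqlServer`:$SqlPort reachable" $tcp.TcpTestSucceeded "RemoteAddress=$($tcp.RemoteAddress)"

    # 2. The installing user needs the sysadmin (SA) role so the wizard can create the service account login.
    #    Connect with integrated security as the current user and ask SQL Server for role membership.
    $dataSource = if ($SqlInstance) { "$SqlServer\$SqlInstance" } else { "$SqlServer,$SqlPort" }
    try {
        $conn = New-Object System.Data.SqlClient.SqlConnection(
            "Data Source=$dataSource;Integrated Security=True;Connect Timeout=10")
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT ISNULL(IS_SRVROLEMEMBER('sysadmin'), 0), SUSER_SNAME()"
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()
        $isSa = ([int]$reader.GetValue(0)) -eq 1
        $login = $reader.GetString(1)
        $conn.Close()
        Add-Result 'Installing user is sysadmin on SQL Server' $isSa "Login=$login"
    } catch {
        Add-Result 'Installing user is sysadmin on SQL Server' $false "Connection failed: $($_.Exception.Message)"
    }

    # 3. Custom sync groups must exist as LOCAL groups on this server, not domain groups.
    #    ADSI WinNT provider is used so the check also works on Windows Server 2008/2012.
    foreach ($g in $SyncGroups) {
        $exists = [ADSI]::Exists("WinNT://$env:COMPUTERNAME/$g,group")
        Add-Result "Local group '$g' exists" $exists "WinNT://$env:COMPUTERNAME/$g"
    }

    return $results
}

Test-AadConnectCustomOptions -SqlServer 'sql01.corp.example' -SqlPort 1433 | Format-Table -AutoSize
```

On a fresh server the group rows are expected to fail until either the installer creates the default groups or you create your own; the point of the check is to confirm that any names you intend to enter in the wizard resolve to local groups rather than to domain groups of the same name.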
In my installation, I am not performing any optional configuration. Click on Install.
Once the installation starts, it will take a couple of minutes.
In the User sign-in window, select the sign-on method and click Next.
Enter the credentials of the Azure AD global administrator. This step will verify your credentials.
Now, you need to connect your Windows Server Active Directory forest. This step is quite simple if your AAD Connect server is domain joined. Enter your forest FQDN and click Add Directory.
Now, you have two options: either create a new AD account using Enterprise Admin credentials or use an existing account. In my case, I am creating a new AD account.
You may find the following error while creating a new account.
[Workaround: Go to your Active Directory and you will find a newly created user named MSOL_****** in the Users container. Reset the password and copy the user name. While doing so, please make sure you are assigning the required permissions (read and write) to this user.]
For Password Sync: Replicate Directory Changes and Replicate Directory Changes All
For Password Writeback: Reset password
Enter the MSOL_****** credentials under "Use existing AD account".
Now, you can see that the forest has been added under Configured Directories. Click Next.
In the Azure AD sign-in configuration you will find your Active Directory UPN suffix, and in the Azure AD Domain section you can see three different states (Verified, Not Verified and Not Added).
If you want to change the Azure AD Domain status, go to the Azure portal and add a custom domain. While adding the custom domain you can verify your domain as well. In my case, I didn't verify it.
Refresh, and you can now see that the status has changed from "Not Added" to "Not Verified". Select "Continue without any verified domains" and click Next.
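Because the rights listed above are granted on the domain itself, it is worth confirming that the MSOL_ account actually holds them after the reset, and at the same time seeing who else holds the two replication rights, since those are the same permissions a domain controller uses to read every attribute, password hashes included. The script below is an added example, not the post's or Microsoft's own code; it needs the ActiveDirectory RSAT module, reads the ACL of the domain naming context, and reports, for each of the three rights, whether the sync account has it and which other principals do. The account name is a placeholder to replace with the real MSOL_****** name from the Users container; the three GUIDs are the well-known schema identifiers of those extended rights.

```powershell
# Added example (not from the original post): audit the MSOL_ sync account's rights on the domain
# and list all holders of the replication rights. Read-only; requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Well-known control-access-right GUIDs from the AD schema.
$Rights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
}

function Get-SyncAccountRightsReport {
    param([string]$AccountName = 'MSOL_xxxxxxxxxxxx')   # placeholder: copy the real MSOL_ name

    $domain = Get-ADDomain
    $acl    = Get-Acl -Path "AD:\$($domain.DistinguishedName)"

    # rightName -> list of principals (sAMAccountName form DOMAIN\name) that are allowed it
    $holders = @{}
    foreach ($name in $Rights.Values) { $holders[$name] = New-Object System.Collections.Generic.List[string] }

    $extRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value

        # An empty ObjectType with GenericAll or ExtendedRight covers every extended right.
        $coversAll = ($ace.ObjectType -eq [guid]::Empty) -and
                     ($ace.ActiveDirectoryRights.HasFlag($genericAll) -or $ace.ActiveDirectoryRights.HasFlag($extRight))
        if ($coversAll) {
            foreach ($name in $Rights.Values) { $holders[$name].Add($who) }
        }
        elseif ($ace.ActiveDirectoryRights.HasFlag($extRight)) {
            $key = $ace.ObjectType.ToString()
            if ($Rights.ContainsKey($key)) { $holders[$Rights[$key]].Add($who) }
        }
    }

    # One row per right: does the sync account hold it, and who else does.
    foreach ($name in $Rights.Values) {
        $unique = $holders[$name] | Sort-Object -Unique
        [pscustomobject]@{
            Right             = $name
            SyncAccountHasIt  = [bool]($unique | Where-Object { $_ -like "*\$AccountName" })
            Holders           = ($unique -join '; ')
        }
    }
}

Get-SyncAccountRightsReport -AccountName 'MSOL_xxxxxxxxxxxx' | Format-List
```

Expect the Domain Controllers, Enterprise Domain Controllers and Administrators groups alongside the MSOL_ account on the two replication rights; any other principal in that list should be explained before the deployment is signed off. The Reset Password ACE is usually set on the domain root with inheritance to user objects, which this report picks up, but if your organisation delegates it on individual OUs instead, run `Get-Acl` against that OU's distinguished name.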
Select required option and click on Next.
Select “Let Azure manage the source anchor for me” and click on Next.
Select required option and click on Next.
Select required features and click on Next.
Click on Install.
Configuration will take a couple of minutes.
Once configuration completes, you will get this wizard. Click Exit.
Now your Windows Server Active Directory has been synced with Azure AD. If you want to do any customization after the initial setup, you can open Azure AD Connect and make the necessary changes.