Overview

Azure AD Connect (formerly known as Azure AD Sync or DirSync) is a tool that synchronizes on-premises Active Directory with Azure Active Directory (Azure AD).

Requirements

  • Microsoft Azure / Entra ID tenant and account.
  • A verified domain.
  • Azure AD Connect must be installed on a domain-joined server running Windows Server 2016 or later.

Supported versions are Windows Server 2016, Windows Server 2019 and Windows Server 2022; run winver to check the current version.

  • An Azure AD account that holds the Global Administrator role.
  • An on-premises AD account that is a member of the Enterprise Admins group.
  • It is highly recommended to enable the Active Directory Recycle Bin.
  • The Active Directory schema version and forest functional level must be Windows Server 2003 or later.

Unsupported Scenarios:

  • The domain controller used by Microsoft Entra ID must be writable. Using a read-only domain controller (RODC) isn’t supported, and Microsoft Entra Connect doesn’t follow any write redirects.
  • Using on-premises forests or domains with “dotted” NetBIOS names (a name that contains a period “.”) isn’t supported.

Preparation

  • Use IdFix to identify errors such as duplicates and formatting problems in your directory before you synchronize to Microsoft Entra ID and Microsoft 365.
  • Azure AD Connect requires .NET Framework 4.6.2 or later. Run the following to display the versions of the .NET Framework installed on your server:

    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse |
        Get-ItemProperty -Name Version, Release -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^(?!S)\p{L}' } |
        Select-Object PSChildName, Version, Release
  • Check the AD schema version and the forest and domain functional levels. Both the schema version and the forest functional level must be Windows Server 2003 or above:

    Get-ADForest | Format-Table ForestMode
    Get-ADDomain | Format-Table DomainMode

  • Enable the Active Directory Recycle Bin (optional, but highly recommended).
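The checks in this section and the unsupported scenarios above can be run as one preflight script before installation. The following is an added example, not part of Azure AD Connect or Microsoft's documentation; it assumes the ActiveDirectory PowerShell module (RSAT-AD-PowerShell) is installed and that it runs on the prospective Azure AD Connect server as a domain user. The Release value 394802 for .NET 4.6.2, the Server 2016 build number 14393 and the Server 2003 schema objectVersion of 30 are Microsoft's published values.

```powershell
# Preflight check for the Azure AD Connect prerequisites listed on this page.
# Added example (not product code); assumes the ActiveDirectory module and a domain-joined host.
#Requires -Modules ActiveDirectory

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# 1. Windows Server 2016 or later (10.0.14393 is the Server 2016 RTM build).
$os = Get-CimInstance Win32_OperatingSystem
Add-Check 'Windows Server 2016 or later' ([version]$os.Version -ge [version]'10.0.14393') "$($os.Caption) $($os.Version)"

# 2. The server must be domain joined.
$cs = Get-CimInstance Win32_ComputerSystem
Add-Check 'Domain joined' ([bool]$cs.PartOfDomain) "$($cs.Domain)"

# 3. .NET Framework 4.6.2 or later: Release 394802 is the lowest value that identifies 4.6.2
#    under the same registry path the Get-ChildItem command above enumerates.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -Name Release -ErrorAction SilentlyContinue
$release = if ($ndp) { [int]$ndp.Release } else { 0 }
Add-Check '.NET Framework 4.6.2 or later' ($release -ge 394802) "Release=$release"

# 4. Forest and domain functional level at Windows Server 2003 or above.
#    Only the Windows 2000 and 2003 Interim modes fall below that bar.
$forest = Get-ADForest
$domain = Get-ADDomain
$tooOldForest = @('Windows2000Forest', 'Windows2003InterimForest')
$tooOldDomain = @('Windows2000Domain', 'Windows2003InterimDomain')
Add-Check 'Forest functional level >= 2003' ("$($forest.ForestMode)" -notin $tooOldForest) "$($forest.ForestMode)"
Add-Check 'Domain functional level >= 2003' ("$($domain.DomainMode)" -notin $tooOldDomain) "$($domain.DomainMode)"

# 5. Schema version: objectVersion on the schema naming context (30 = Windows Server 2003).
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$schemaVersion = [int](Get-ADObject $schemaNC -Properties objectVersion).objectVersion
Add-Check 'Schema version >= 30 (Server 2003)' ($schemaVersion -ge 30) "objectVersion=$schemaVersion"

# 6. AD Recycle Bin optional feature enabled (recommended, not required).
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
$rbScopes = @($rb.EnabledScopes).Count
Add-Check 'AD Recycle Bin enabled (recommended)' ($rbScopes -gt 0) "EnabledScopes=$rbScopes"

# 7. Unsupported scenarios: a writable DC must be discoverable, and the NetBIOS name must not be dotted.
try {
    $dc = Get-ADDomainController -Discover -Writable
    Add-Check 'Writable domain controller discoverable' $true "$($dc.HostName)"
} catch {
    Add-Check 'Writable domain controller discoverable' $false $_.Exception.Message
}
Add-Check 'NetBIOS name is not dotted' ($domain.NetBIOSName -notlike '*.*') "$($domain.NetBIOSName)"

$results | Format-Table -AutoSize
$failedRequired = $results | Where-Object { -not $_.Passed -and $_.Check -notlike '*(recommended)*' }
if ($failedRequired) {
    Write-Warning 'One or more required prerequisites failed; fix them before installing Azure AD Connect.'
}
```

Run it in an elevated PowerShell session on the server that will host Azure AD Connect. A failed recommended check (the Recycle Bin) does not block installation; any other failed row corresponds to a requirement or unsupported scenario listed above and should be resolved first.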

Installation

Express VS Custom Install

You have the option to select either Express or Custom Install. Refer to the following to help you decide the install type:

Express

  • You have a single Active Directory forest.
  • You have less than 100,000 objects in your on-prem Active Directory.
  • Express enables password hash synchronization from on-premises AD to Azure AD for single sign-on.

Custom

  • You have more than one Active Directory forest.
  • You plan to use federation or pass-through authentication.
  • You have more than 100,000 objects.
  • You want to use group-based filtering.
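The forest and object-count criteria above can be measured rather than estimated. The following added example (not part of Azure AD Connect) counts the users, groups and contacts in the current domain and checks for forest trusts; it assumes the ActiveDirectory module and a domain-joined account. The 100,000-object threshold is the figure from the list above; the choice of federation, pass-through authentication or group-based filtering is a design decision the script cannot infer, so it only reports on the measurable criteria.

```powershell
# Measures the Express/Custom criteria that can be read from the directory.
# Added example (not product code); assumes the ActiveDirectory module and a domain-joined account.
#Requires -Modules ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# Objects a sync engine would consider: real user accounts (objectCategory=person excludes
# computer objects, which also carry objectClass=user), groups and contacts in this domain.
$ldapFilter = '(|(&(objectCategory=person)(objectClass=user))(objectClass=group)(objectClass=contact))'
$objectCount = (Get-ADObject -LDAPFilter $ldapFilter -SearchBase $domain.DistinguishedName |
    Measure-Object).Count

# A forest trust means a second forest is in scope; multiple domains in one forest are still one forest.
$forestTrusts = @(Get-ADTrust -Filter 'ForestTransitive -eq $true')
$domainsInForest = @($forest.Domains).Count

$expressCandidate = ($forestTrusts.Count -eq 0) -and ($objectCount -lt 100000)

[pscustomobject]@{
    Domain            = $domain.DNSRoot
    DomainsInForest   = $domainsInForest
    ForestTrusts      = $forestTrusts.Count
    SyncableObjects   = $objectCount
    MeetsExpressLimit = $objectCount -lt 100000
    SingleForest      = $forestTrusts.Count -eq 0
    # Express is only a candidate here; federation, pass-through authentication or
    # group-based filtering still require the Custom path regardless of these numbers.
    Suggestion        = if ($expressCandidate) { 'Express (unless federation/PTA/group filtering is planned)' } else { 'Custom' }
}
```

In a multi-domain forest, run the object count once per domain (or against the forest root with a global catalog search) and add the totals before comparing them with the 100,000 threshold.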