
How to Install and Setup Azure AD Connect (Step by Step)

Before you install Azure AD Connect, you must check that your environments meet certain requirements. So, the first section of this guide provides the prerequisites and requirements for a successful installation.

It also provides steps to check that your on-prem AD server or Azure AD tenant meets each stated requirement or prerequisite.

Once you verify that your on-premises and Azure AD environments meet the outlined requirements, proceed to the second section, which is a detailed guide to installing and setting up Azure AD Connect.

Azure AD Connect Installation and Setup Prerequisites

Before you download and install Azure AD Connect, there are a host of requirements your on-premises AD and Azure environments must meet.

The subsections below list each requirement and give guidance on how to determine whether your environment satisfies it.

General Installation Requirements

The Azure AD Connect installation has some general and some specific requirements. They are listed below:

1. The Azure AD Connect Server Must be Joined to Your On-prem AD Domain

The server must be running Windows Server 2016 or newer. To check the Windows Server version, right-click the Windows Start menu and select Run. Then, enter winver and click OK.

The second screenshot shows the result of winver – my server is Windows Server 2019! 

When I published this article in March 2023, installing Azure AD Connect on Windows Server 2022 was not yet supported. So, if winver returned Windows Server 2022, check whether Microsoft has started supporting it, and if not, pick a different server for the AD Connect installation.

2. The Server Must Run a Minimum .NET Framework Version of 4.6.2.

To check the .NET Framework version of your server, search for and open Windows PowerShell. Then, enter the command below into PowerShell and press Enter on your keyboard. 

    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse | Get-ItemProperty -Name Version, Release -EA 0 | Where { $_.PSChildName -Match '^(?!S)\p{L}'} | Select PSChildName, Version, Release

The command displays the versions of the .NET Framework installed on your server. If yours – like mine – is 4.6.2 or higher, proceed to the next requirement check.

3. The Azure AD Connect Server Must Meet a Specific PowerShell Execution Policy Prerequisite

When you install Azure AD Connect, the installation wizard runs signed PowerShell scripts as part of the installation. So, the PowerShell Execution Policy must be configured to allow those scripts to run; otherwise, the installation fails. 

To check the current ExecutionPolicy on the server you plan to install Azure AD Connect on, run the Get-ExecutionPolicy command in a PowerShell console.

    Get-ExecutionPolicy

If the command returns “RemoteSigned,” then you’re good to go. Otherwise, use group policy to set ExecutionPolicy to “RemoteSigned” by navigating to the location below. 

Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows PowerShell

 

Then, double-click the “Turn on Script Execution” policy to open its settings. When the policy opens for editing, select the “Enabled” option.

Finally, from the “Execution Policy” dropdown list, choose “All local scripts and remote signed scripts.”

When you’re done click OK. 

4. Other Essential AD Connect Installation Requirements

You cannot install AD Connect on Server Core, as this is not supported.

So, your proposed AD Connect server must be running a full GUI. Also, you cannot install AD Connect on Small Business Server or on versions of Windows Server Essentials before 2019 (Windows Server Essentials 2019 is supported).
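The checks in this section can be run together. The script below is an added example, not part of the original article; it runs in an elevated PowerShell console on the intended Azure AD Connect server and reads only standard WMI classes and registry keys.

```powershell
# Added example, not from the original article: runs the general server checks
# from this section in one pass. Run it in an elevated PowerShell console on the
# server you intend to install Azure AD Connect on.
$checks = @()

# 1. Domain-joined, Windows Server 2016 (build 10.0.14393) or newer, and a full GUI
#    install rather than Server Core (InstallationType reads 'Server Core' on Core).
#    The article notes Server 2022 support was pending at publication; confirm
#    current Microsoft guidance if this check passes on a 2022 server.
$cs = Get-CimInstance Win32_ComputerSystem
$os = Get-CimInstance Win32_OperatingSystem
$installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
$checks += [pscustomobject]@{ Check = 'Domain joined'; Passed = $cs.PartOfDomain; Detail = $cs.Domain }
$checks += [pscustomobject]@{ Check  = 'Windows Server 2016 or newer'
                              Passed = ($os.ProductType -ne 1) -and ([version]$os.Version -ge [version]'10.0.14393')
                              Detail = $os.Caption }
$checks += [pscustomobject]@{ Check = 'Full GUI install (not Server Core)'; Passed = ($installType -eq 'Server'); Detail = $installType }

# 2. .NET Framework 4.6.2 or newer. The Release DWORD under NDP\v4\Full is
#    394802 for 4.6.2, and every later version carries a larger number.
$release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
$checks += [pscustomobject]@{ Check = '.NET Framework 4.6.2 or newer'; Passed = ($release -ge 394802); Detail = "Release = $release" }

# 3. Execution policy. The wizard runs signed scripts, so the guide expects RemoteSigned.
$policy = Get-ExecutionPolicy
$checks += [pscustomobject]@{ Check = 'Execution policy is RemoteSigned'; Passed = ($policy -eq 'RemoteSigned'); Detail = "$policy" }

$checks | Format-Table -AutoSize
if ($checks.Passed -contains $false) {
    Write-Warning 'At least one prerequisite failed. Fix it before running AzureADConnect.msi.'
}
```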

Network Connectivity Prerequisites

This is the most important requirement. Without connectivity between your on-prem Active Directory domain-joined server and Azure AD, you cannot successfully install and set up Azure AD Connect.

So, based on this, check the following connectivity prerequisites:

1. DNS Name Resolution Requirement Check

First of all, check that your internal DNS resolves all relevant domain names in your Microsoft 365 admin center account. To see a list of domains in your Microsoft 365 admin center, visit this link – https://admin.microsoft.com/AdminPortal/Home#/Domains.

Then, sign in with your Office 365 or Azure account. 

The page displays all domain names you previously registered in your account, along with the status of each domain.

Ensure that the Azure AD domain for your AD Connect installation and syncing has a green tick with the word “Healthy” in the Status column.

My screenshot below shows my Office 365 domain, Itechguides.com. As you can see, the Status column shows the domain as “Healthy”. If your default Office 365 domain name shows errors, fix it before you proceed.

My on-prem AD domain name is corp.itechguides.com.

If you haven’t yet added the domain name of your on-premises AD to your Azure AD domain name list, and you wish to sync users, you must add that exact domain name now.

I mention this again in the installation and setup section of this guide.

To confirm that your local DNS server resolves these domain names, log in to the server you intend to install Azure AD Connect on, open the command prompt, enter the nslookup command and press Enter.

    nslookup

When the nslookup prompt opens, enter the domain names one at a time and press Enter. The nslookup prompt should display the fully qualified domain name (FQDN) of the domain and its IP address – see my screenshots below.

If you successfully resolve the names on the server you plan to install Azure AD Connect on, proceed to the second requirement check below.

2. Proxy Server Prerequisite Check

If your organization connects to the internet via a proxy server, you must make the modifications described in this section. Firstly, open C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config in Notepad.

Then, enter the code below before the </configuration> of the machine.config file. Change <PROXYADDRESS>:<PROXYPORT> to the actual Proxy address and port that you use to connect to the internet. 

<system.net>
    <defaultProxy>
        <proxy
        usesystemdefault="true"
        proxyaddress="http://<PROXYADDRESS>:<PROXYPORT>"
        bypassonlocal="true"
        />
    </defaultProxy>
</system.net>

Another important proxy server requirement is authentication. If your proxy server requires authentication, create a group Managed Service Account (gMSA) that you use for the AD Sync. 

If you use a proxy to connect to the internet, create a gMSA now. Then, modify the code you added to machine.config file earlier to look like this. 

Perform these tasks now, as you will require them for the installation section of this guide. 

<system.net>
    <defaultProxy enabled="true" useDefaultCredentials="true">
        <proxy
        usesystemdefault="true"
        proxyaddress="http://<PROXYADDRESS>:<PROXYPORT>"
        bypassonlocal="true"
        />
    </defaultProxy>
</system.net>
```
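The DNS check above and the machine.config edit in this section can both be verified from PowerShell. The script below is an added example, not part of the original article. It assumes the two domain names from this guide (itechguides.com and corp.itechguides.com) as stand-ins for your own, and the machine.config path quoted above; it only reads the file, and the parse check matters because a typo (or curly quotes pasted from a web page) leaves machine.config unreadable for every .NET application on the server.

```powershell
# Added example, not from the original article. Resolves each domain this
# section says must resolve, then parses machine.config to confirm any proxy
# settings you added are well-formed XML with the placeholder replaced.
$domains = @('itechguides.com', 'corp.itechguides.com')   # the guide's demo names; use your own
foreach ($d in $domains) {
    try {
        $a = Resolve-DnsName -Name $d -Type A -ErrorAction Stop | Where-Object { $_.IPAddress }
        Write-Host ("{0,-30} -> {1}" -f $d, ($a.IPAddress -join ', '))
    } catch {
        Write-Warning "$d did not resolve: $($_.Exception.Message)"
    }
}

# machine.config must still parse after you edit it; the cast throws on bad XML.
$cfg = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config'
try {
    $xml = [xml](Get-Content -Path $cfg -Raw)
} catch {
    Write-Warning "machine.config is not valid XML: $($_.Exception.Message)"
    return
}

$proxy = $xml.configuration.'system.net'.defaultProxy
if (-not $proxy) {
    Write-Host 'No <defaultProxy> element found: direct internet access is assumed.'
} else {
    [pscustomobject]@{
        Enabled               = $proxy.enabled
        UseDefaultCredentials = $proxy.useDefaultCredentials
        ProxyAddress          = $proxy.proxy.proxyaddress
        BypassOnLocal         = $proxy.proxy.bypassonlocal
    } | Format-List
    if ($proxy.proxy.proxyaddress -match '<PROXYADDRESS>') {
        Write-Warning 'proxyaddress still contains the placeholder; set your real proxy host and port.'
    }
}
```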


On-Premise Active Directory Requirements

Make sure that your on-prem AD domain meets the following prerequisites:

1. AD Schema Version and Forest Functional Level Must Be Windows Server 2003 or Above

To display the AD schema version, run the following command in Windows PowerShell on the server you plan to install AD Connect on.

    (Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion).objectVersion

The command returns a number between 13 (for Windows 2000 Server) and 88 (for Windows Server 2019 and Windows Server 2022). The screenshot below shows that mine is 88, confirming that my DC is running on Windows Server 2019. 

So, for your AD schema to meet this requirement, the command must return a minimum of 30 (Windows Server 2003). For a list of the schema version numbers for all of Microsoft’s Windows Server operating systems, visit Finding the current Schema Version.

Before you move on to the next checks, confirm that the forest functional level of your on-premises AD forest is at least Windows Server 2003. To get this information, run the command below in PowerShell.

    (Get-ADForest).ForestMode

You can also get this information from Active Directory Domains and Trusts.

2. The Domain Controller for Azure AD Must Be Writable

Azure AD does not support read-only domain controllers.

So, as part of your prerequisite checks, verify that the DC you plan to use for Azure AD sync is writable. 

3. Enable Active Directory Recycle Bin (Optional)

This is an optional but recommended requirement. Enabling Active Directory Recycle Bin makes it easy for you to recover deleted objects. 

Enabling AD Recycle Bin is irreversible. So, before performing this optional task, ensure you have opened the previous link and read the content. Then, consider the implication for your environment before you proceed. 

To enable Active Directory Recycle Bin, open the Active Directory Administrative Center. Then, right-click your root domain name and select Enable Recycle Bin.
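The three on-premises checks in this section can be run from one script. The example below is added here and is not part of the original article; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and runs against the forest of the current domain. It only reports; the Recycle Bin is not enabled by the script.

```powershell
# Added example, not from the original article: reports the on-premises AD
# prerequisites from this section. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# 1. Schema version (30 = Windows Server 2003 schema, the minimum) and forest functional level.
$schemaVersion = (Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion).objectVersion
$forest = Get-ADForest
# ForestMode is an enum whose numeric order follows the Windows Server releases.
$forestOk = [int]$forest.ForestMode -ge [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
"Schema objectVersion   : $schemaVersion (minimum 30) -> $(if ($schemaVersion -ge 30) { 'OK' } else { 'TOO OLD' })"
"Forest functional level: $($forest.ForestMode) -> $(if ($forestOk) { 'OK' } else { 'TOO OLD' })"

# 2. Writable domain controllers only: Azure AD Connect cannot sync through an RODC,
#    so list every DC in the domain with its IsReadOnly flag and pick a writable one.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsReadOnly, IsGlobalCatalog, OperatingSystem |
    Sort-Object IsReadOnly |
    Format-Table -AutoSize

# 3. Recycle Bin: optional but recommended. Report whether it is already enabled;
#    enabling it is irreversible, so that step stays a deliberate, separate action.
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($rb.EnabledScopes) {
    "Recycle Bin            : enabled for $($rb.EnabledScopes -join ', ')"
} else {
    "Recycle Bin            : not enabled (see the note above before enabling it)"
}
```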

Step by Step Installation and Setup of Azure AD Connect

Before you proceed with the steps in this section, if you’re installing and setting up Azure AD Connect in a production environment, ensure that you’ve followed the prerequisite guidelines outlined in the last section. 

When you’re ready to proceed, follow the steps below to install and set up Azure AD Connect.

1. Download the Azure AD Connect MSI Installation File

On the domain-joined Windows server you plan to install AD Connect on, click the Microsoft Azure Active Directory Connect download link.

Then, click the Download link to download the MSI package file. 

2. Double click the AzureADConnect.msi File

The Azure AD Connect installation begins when you double click the MSI file. On the welcome page, agree to the license terms, and click Continue. 

3. The Installation Wizard Selects "Express Settings"

Read the actions that the installation wizard performs with the Express Settings and if you’re happy with it, click “Use express settings.”

Otherwise, to customize the installation, click “Customize.” 

4. Customize the "Install required components" Page

If you selected the “Customize” option, the next screen displays the options to customize the install requirements. The titles of the available customization options are self-explanatory.

To customize an option, check the checkbox next to it. When you finish your customizations, click Install.

5. Select Options in the "User sign-in" Page

On this page, select how you want your on-premises AD users to sign in to Azure AD. To read more about each option, please read Azure AD Connect user sign-in options.

For this guide, I select the first option – Password Hash Synchronization. Selecting this option allows your users to use their on-premises AD username and password to sign in to Azure AD.

6. Sign in to Azure AD

The “Connect to Azure AD” page then loads. Enter your Office 365 username in UPN format (UserName@DomainName.com), then enter your password and click Next. On the next page of the installation wizard, you connect to your on-premises AD domain.

7. Select the On-Prem AD Domain(s) You Want to Sync

On the “Connect your directories” page, click “Add Directory.” Then, on the “AD forest account” page, allow Azure AD Connect to create an account for you by selecting “Create new AD account.” This is Microsoft’s recommended option. 

Next, enter a user from the on-premises Active Directory who is a member of the Enterprise Admins group, type the user’s password, and then click OK. Please refer to my second screenshot below for a visual reference.

8. Confirm Your Selection, then Proceed with the Installation

After successfully adding your on-prem AD user, the Azure AD installation wizard returns you to the “Connect your directories” page. The page should display the on-premises AD domain name you want to sync to Azure AD.

If you’re happy with the added domain name, proceed with the installation and configuration of Azure AD Connect by clicking Next. 

9. Configure Azure AD Sign-in Options for On-Prem Users

Then, on the “Azure AD sign-in configuration” screen, select how you want your on-premises Active Directory users to sign in to Azure AD. The wizard selects the userPrincipalName (UPN) option by default.

As seen in my first screenshot below, for on-prem AD users to sign in to Azure AD with the same account, the on-prem AD domain name MUST be added and configured on the Office 365 domain page.

I have just added my on prem AD domain name into my Office 365 registered domain list, then I clicked the “Refresh” icon. 

On my second screenshot below, because the wizard can now see the same domain name on Azure AD as the on premises AD domain name, the Azure AD Domain column of the “Azure AD sign-in configuration” page is now showing Verified. 

When you get this screen to look like the last screenshot, click Next to proceed.  

10. Configure "Domain and OU filtering"

Next is to determine the OUs and containers that you want to sync to Azure AD. 

Azure AD Connect selects “Sync all domains and OUs” by default. However, you can select the “Sync selected domains and OUs” to sync specific containers. 

In my setup, I am syncing only one OU – the “Writers” OU. The second screenshot below demonstrates this step.

11. Configure How Azure AD Will Uniquely ID On-Prem Users

Set up how Azure AD uniquely identifies your on-prem AD users. If your Active Directory users have unique identifiers such as sAMAccountName, select the default option in the “Select how users should be identified in your on-premises directories” section.

I strongly recommend that you accept the default in the “Select how users should be identified with Azure AD” section. When you’re done, click Next.

I am accepting the defaults in both sections. 

12. Set Up How Azure AD Connect Performs the Initial Sync

Decide if you need to perform a test sync or sync all users and devices. If you are piloting your deployment of Azure AD Connect, create an AD Security group and add the users and devices you want to test to the group. 

Then, on the “Filter users and devices” page, select the “Synchronize selected” option, enter the name of the AD group and select resolve. Finally, click Next to proceed. 

Alternatively, if you’re ready to sync all items in the containers you selected in step 10, accept the default option, “Synchronize all users and devices,” then click Next to continue. For this demo, I have selected this option.

13. Add Some Optional Features As Required

On this last page, check the additional features you wish to add. To read about each feature, click the help (?) icon. When you finish, click Next.

Then, on the final page, review your selections. 

The “Start the synchronization process when configuration completes” checkbox is checked by default. If you’re installing this in a production environment, I strongly recommend also checking the “Enable staging mode” checkbox. 

For my demo installation though, I’ll accept the defaults and click the “Install” button. 

14. Wait for Azure AD Connect to Install and Setup

Now sit back while you wait for Azure AD Connect to install and set up your selected options. If you followed this guide from the beginning, everything should go according to plan, and you should see the “Configuration complete” page – see the second screenshot below.

At this stage, you exit the installation wizard by clicking the “Exit” button on the bottom right of the “Configuration complete” page.  

15. Review Your Installation

Finally, confirm that users in the containers you selected in step 10 have successfully synced from your on-prem AD to your Azure AD. In my demo, I selected to sync users in the “Writers” OU to Azure AD.

To show you that the users in my “Writers” OU were successfully synced to my Azure AD Office 365 tenant, I have put images of both my on-prem AD and Azure AD in an image below.

This OU has two users. 
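The post-install review can also be done from PowerShell on the Azure AD Connect server. The script below is an added example and not part of the original article; it assumes the ADSync module that the installer places on the server, the ActiveDirectory module, and the guide’s demo OU distinguished name OU=Writers,DC=corp,DC=itechguides,DC=com (a constructed value; substitute your own OU). The staging-mode flag it prints is the one recommended for production installs in step 13.

```powershell
# Added example, not from the original article: reviews the installation from
# the Azure AD Connect server. Needs the ADSync and ActiveDirectory modules.
Import-Module ADSync
Import-Module ActiveDirectory

# Scheduler state: is the sync cycle enabled, how often does it run, and is the
# server in staging mode (recommended for production in step 13 of the guide)?
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, StagingModeEnabled, SyncCycleInProgress,
                  CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC |
    Format-List

# Connectors still running. An empty result means the initial cycle has finished.
Get-ADSyncConnectorRunStatus

# Users in the synced OU. With the default source anchor, Azure AD Connect writes
# the anchor back into mS-DS-ConsistencyGuid, so a populated value shows the
# object has been picked up by a sync cycle. Constructed OU path; use your own.
$ou = 'OU=Writers,DC=corp,DC=itechguides,DC=com'
Get-ADUser -SearchBase $ou -Filter * -Properties 'mS-DS-ConsistencyGuid' |
    Select-Object SamAccountName, UserPrincipalName,
        @{ Name = 'ConsistencyGuid'; Expression = {
            if ($_.'mS-DS-ConsistencyGuid') { [guid]::new([byte[]]$_.'mS-DS-ConsistencyGuid') } } } |
    Format-Table -AutoSize
```

A user whose UserPrincipalName suffix is not one of the verified domains from step 9 will still sync, but will sign in to Azure AD under a different name than expected, so check that column too.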

How to Install and Setup Azure AD Connect Conclusion

If you have an on-premises Active Directory and an Azure AD tenant, it makes sense to synchronize both. This is where Azure AD Connect comes in.

Although the installation of Azure AD Connect requires some planning and time, it is pretty smooth when you prepare your environments to meet the requirements. That’s what we have done in this article.

If you followed the steps in the article, I am confident you will have successfully planned, installed, and set up Azure AD Connect. Thanks for reading!


Victor Ashiedu

Victor is an IT pro based in Manchester, UK. With over 22 years of experience managing Windows Server, Active Directory, and PowerShell, and 7 years of expertise in Azure AD and Office 365, he's a seasoned expert in his field. When he's not working, he loves spending time with his family - a wife and a 5-year-old. Victor is passionate about helping businesses succeed in today's fast-changing tech landscape.

Comment (1)

  1. Iswariya G
    July 31, 2023

    Thank you so much. The article is very helpful.
