How To Install Azure Ad Connect On Domain Controller

One of the cardinal components of setting up Office 365 is installing Azure Advertising Connect. This tool is used to connect your on-premises Active Directory to Azure Advert.

Information technology works past synchronizing a copy of objects in the directory, such as users, groups, contacts and devices from Active Directory to Azure Ad every xxx minutes. When you use Azure Advertisement Connect, your local Active Directory remains the principal copy and simply selected attributes, such every bit those needed to back up Exchange Hybrid, are written back. A full list of synced attributes is bachelor here.

Azure AD Connect supports many topologies, including a single Agile Directory, multiple Active Directories and even multiple Part 365 tenants.

Before we brainstorm, it'southward worth outlining that there is a variety of configuration options available and these should be considered if you have more basic requirements. For example, if you cannot synchronise hashes of passwords to the cloud, then you may wish to consider options similar pass-through authentication. If you still run older clients or exercise non plan to use Hybrid Azure AD bring together to provide unmarried sign-on to PCs, then you might wish to configure Seamless Sign-On.

In this guide, we're not going to cover every choice for installation of Azure AD Connect, as at that place'due south a multifariousness of ways to configure it.

The key purpose of this guide is if you are installing and configuring Azure Advert Connect to support using a tool like Microsoft Teams, and plan to update your configuration to back up wider needs in the time to come. Nosotros'll show yous how to install information technology in a similar manner to the Express selection which uses the about common deployment settings.

Prerequisites for installing Azure AD Connect

Before yous begin, ensure you come across the pre-requisites for installation. As a minimum, you need Windows Server 2022 or later, on a domain-joined server (or domain controller) with .NET Framework 4.v.1 and PowerShell, with at least 4GB RAM and a 70GB HDD. The server volition demand access to the internet, in particular access to the Azure Advert Connect service. IP ranges are listed here.

It is always recommended to analyse your Active Directory for issues that volition prevent accounts synchronising to Azure AD. The best way to do this, is to utilise the IDFix tool. The process to run this is documented here. In particular, it is common to ensure that the User Primary Name matches user'southward e-mail addresses for easy sign-in and to see the requirement of matching one of your Office 365 tenant's custom domains.

And, if you lot oasis't already, follow our guide on adding a custom domain to match (at a minimum) your primary SMTP domains (the ones you'll use for sign-in) and if you will be migrating mailboxes to Exchange Online, all domains you use to receive email.

Learn more: What is Azure Ad Connect Cloud Provisioning and should you plan to use it?

In this guide we'll testify you lot how to user Alternate Login ID for rapid identity provisioning to Part 365 applications like Microsoft Teams. If you are planning to utilise Exchange Hybrid, all the same, then you should programme to move to matching confronting the User Primary Proper noun at a later on date. This tin exist achieved fairly simply, by staging the switch of User Main Names to friction match user's Primary SMTP address, and then when consummate updating Azure AD Connect to employ the User Principal Name instead.

Steps for installation

Once pre-requisites are in place nosotros'll begin. First, download a re-create of Azure Ad Connect. You'll find this at the Microsoft Download site.

Side by side, run the installation tool on the server yous'll install Azure Advertizement Connect on to, so when given the opportunity, we'll choose the Customize choice, unless you want to install with the Limited Settings, which include synchronizing all accounts:

Adjacent, nosotros'll choose sign-in options. As mentioned higher up, we've got a variety of options available, and you need to select the right ane for your organization.

However, most organizations should choose Countersign Hash Synchronization, then choose Next:

Side by side, enter your Part 365 Global Administrator credentials. These will be used to create a synchronization account inside the Office 365 tenant, and non stored by the server:

Nosotros'll then need to add together our local Active Directory. In this guide, we're assuming you are using a single Advert to synchronise to Office 365. Choose Add together Directory:

At this point, use enterprise administrator credentials to add an Active Directory connection. The magician volition, similar with Function 365, create a synchronization account with the pre-requisite permissions, then choose OK, so Side by side.

On the next page of the wizard, we'll see the sign-in configuration already chosen and select the on-bounds attribute to use as the Azure AD username.

If y'all plan to employ Commutation Hybrid immediately, then you should select the default, userPrincipalName equally described before in the commodity – and ensure you have run IDFix and aligned your primary SMTP address values to the UPN.

In the example beneath, you'll see a alarm that volition show if you lot have a UPN suffix in your surroundings that is not routable, or not registered in your Role 365 tenant.

We see the warning beneath because the UPN suffix lab01.local is not routable and therefore cannot exist verified in the tenant. Even so nosotros exercise have the lab01.allabout365.com domain (which is also our Primary SMTP address registered), therefore nosotros can select Proceed without matching all UPN suffixes to verified domains.

If you cannot match your User Principal Name value to your custom domains right now and don't plan to enable Substitution Hybrid immediately – for example, if yous are planning on but enabling Microsoft Teams, or other services like SharePoint or OneDrive, and then you can workaround this using Alternate Login ID.

This is when your scenario matches the case user below. You'll see on the left the email value is using the correct custom domain, however y'all haven't notwithstanding been able to update the User logon name on the right to match the custom domain value.

To employ Alternate Login ID as a temporary measure, utilise the User Principal Proper name drib-downwardly to select the mail attribute:

Adjacent, we'll select the Domain and OU filtering options. You lot may not wish to synchronize every object in your Active Directory to Azure Advertizement and Office 365.

For mail service routing and Exchange Hybrid in particular you will want to synchronize (at a minimum) every recipient including mailboxes, mail users, mail service contacts and distribution groups.

However, you may non wish to synchronize leavers' accounts, service accounts and congenital-in accounts and non-mail service enabled security groups. Therefore, it's useful to use the Domain and OU filtering to select the OUs that contain valid recipients.

In the example below, nosotros know that all recipients are inside the People OU, and we'll simply select the Sync selected domains and OUs radio box, and then select the checkbox for the OU, so choose Side by side:

After completing the configuration and selecting whatsoever optional features to enable, we are ready to configure and perform our initial sync.

After the sync completes, navigate to the Microsoft 365 admin center to validate the synchronization task is completing successfully. You should see inside Users and Groups copies of your Active Directory objects.

If things don't expect right, so navigate to the Azure Advertizing Connect Health portal. This will provide yous the pick to monitor Sync errors that the service is experiencing. A adept result should show no sync errors to the service. Yous'll resolve sync errors by following the recommendations from IDFix.

Source: https://practical365.com/how-to-quickly-install-and-configure-azure-ad-connect/

Posted by: browningthoureprot.blogspot.com

Share this post