How to install AAD Connect – Customized installation

In this article, I will show you how to install Azure AD Connect 1.1 using customized settings.

Prerequisites for Azure AD Connect

Before you install Azure AD Connect, make sure the following prerequisites are in place.

Azure AD

  • An Azure subscription or an Azure trial subscription. This is only required for accessing the Azure portal and not for using Azure AD Connect. If you are using PowerShell or Office 365 you do not need an Azure subscription to use Azure AD Connect. If you have an Office 365 license you can also use the Office 365 portal. With a paid Office 365 license you can also get into the Azure portal from the Office 365 portal.
  • Add and verify the domain you plan to use in Azure AD. For example if you plan to use contoso.com for your users then make sure this domain has been verified and you are not only using the contoso.onmicrosoft.com default domain.
  • An Azure AD directory will by default allow 50k objects. Once you verify your domain, the limit is increased to 300k objects. If you need more objects in Azure AD, you need to open a support case to have the limit increased. If you need more than 500k objects, you need a license such as Office 365, Azure AD Basic, Azure AD Premium, or Enterprise Mobility Suite.

On-premises servers and environment

  • The AD schema version and forest functional level must be Windows Server 2003 or later.
  • If you’re planning to use the feature password writeback the Domain Controllers must be on Windows Server 2008 (with latest SP) or later. If your DCs are on 2008 (pre-R2) then you must also apply hotfix KB2386717.
  • The domain controller used by Azure AD Connect must be writable. Using an RODC (read-only domain controller) is not supported, and Azure AD Connect will not follow any write redirects.
  • Azure AD Connect must be installed on Windows Server 2008 or later. This server may be a domain controller or a member server if using express settings. If you use custom settings, the server can also be stand-alone and does not have to be joined to a domain.
  • If you install Azure AD Connect on Windows Server 2008, make sure to apply the latest hotfixes from Windows Update. The installation will not be able to start with an unpatched server.
  • If you’re planning to use the feature password synchronization, the Azure AD Connect server must be on Windows Server 2008 R2 SP1 or later.

Accounts

  • An Azure AD Global Administrator account for the Azure AD directory you wish to integrate with. This must be a school or organization account and cannot be a Microsoft account.
  • An Enterprise Administrator account for your local Active Directory if you use express settings or upgrade from DirSync.
  • Accounts in Active Directory if you use the custom settings installation path. The custom path lets you supply a dedicated, less-privileged account instead of an Enterprise Administrator.

Connectivity

  • The Azure AD Connect server needs DNS resolution for both intranet and internet. The DNS server must be able to resolve names both to your on-premises Active Directory as well as the Azure AD endpoints.
  • If you have firewalls on your Intranet and you need to open ports between the Azure AD Connect servers and your domain controllers then see Azure AD Connect Ports for more information.
  • If your proxy limits which URLs can be accessed, then the URLs documented in Office 365 URLs and IP address ranges must be allowed in the proxy.
  • If you are using an outbound proxy for connecting to the Internet, the following setting must be added to the C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config file so that the installation wizard and Azure AD Connect sync can reach the Internet and Azure AD. Place it inside the <configuration> element, just before the closing </configuration> tag at the bottom of the file. In this snippet, <PROXYADDRESS> and <PROXYPORT> represent the actual proxy IP address or host name and the proxy port.

    <system.net>
        <defaultProxy>
            <proxy
            usesystemdefault="true"
            proxyaddress="http://<PROXYADDRESS>:<PROXYPORT>"
            bypassonlocal="true"
            />
        </defaultProxy>
    </system.net>

  • If your proxy server requires authentication, the service account must be located in the domain and you must use the customized settings installation path to specify a custom service account. You also need a different machine.config: with enabled="true" and useDefaultCredentials="true" on <defaultProxy>, the installation wizard and the sync engine answer the proxy's authentication challenge with the credentials of the identity they are running as. In all installation wizard pages except the Configure page, that is the signed-in user; on the Configure page at the end of the wizard, the context switches to the service account you created, which is why that account must be a domain account the proxy can authenticate. The machine.config section should look like this:

    <system.net>
        <defaultProxy enabled="true" useDefaultCredentials="true">
            <proxy
            usesystemdefault="true"
            proxyaddress="http://<PROXYADDRESS>:<PROXYPORT>"
            bypassonlocal="true"
            />
        </defaultProxy>
    </system.net>
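Editing machine.config by hand is easy to get wrong (a second <system.net> block, a stray edit outside <configuration>, no backup to roll back to). The script below is an added example, not part of the original article or of Azure AD Connect itself: it inserts the <defaultProxy> section from the prerequisites above idempotently, keeps a backup, and then checks from a fresh process which proxy .NET actually selects for Azure AD. The proxy host and port are placeholders you must replace; whether the proxy needs authentication is an assumption controlled by $ProxyAuth. Run it as Administrator on the Azure AD Connect server.

```powershell
# Added example (not from the original article): write the <system.net><defaultProxy>
# section into the 64-bit .NET 4 machine.config idempotently and verify the result.
# Assumptions (placeholders, replace for your environment):
$ProxyHost = 'proxy.contoso.local'   # assumed proxy host name or IP
$ProxyPort = 8080                    # assumed proxy port
$ProxyAuth = $true                   # $true = proxy requires authentication (second variant above)

$cfgPath = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\Config\machine.config'
if (-not (Test-Path $cfgPath)) { throw "machine.config not found at $cfgPath" }

# Keep a timestamped copy so the change can be rolled back if the wizard still fails.
Copy-Item -Path $cfgPath -Destination "$cfgPath.$(Get-Date -Format yyyyMMddHHmmss).bak"

[xml]$cfg = Get-Content -Path $cfgPath -Raw
$root = $cfg.DocumentElement
if ($root.LocalName -ne 'configuration') { throw "Unexpected root element <$($root.LocalName)> in machine.config" }

# <configuration> carries no XML namespace, so plain XPath works here.
# <system.net> may already exist (another product may have added it); reuse it rather than duplicate it.
$sysNet = $root.SelectSingleNode('system.net')
if ($null -eq $sysNet) {
    $sysNet = $cfg.CreateElement('system.net')
    [void]$root.AppendChild($sysNet)
}

# Replace any existing <defaultProxy> so the file never carries two conflicting copies.
$old = $sysNet.SelectSingleNode('defaultProxy')
if ($null -ne $old) { [void]$sysNet.RemoveChild($old) }

$defaultProxy = $cfg.CreateElement('defaultProxy')
if ($ProxyAuth) {
    # useDefaultCredentials="true": the identity the process runs as (the signed-in admin during
    # the wizard, the AAD Connect service account afterwards) answers the proxy's auth challenge.
    $defaultProxy.SetAttribute('enabled', 'true')
    $defaultProxy.SetAttribute('useDefaultCredentials', 'true')
}
$proxy = $cfg.CreateElement('proxy')
$proxy.SetAttribute('usesystemdefault', 'true')
$proxy.SetAttribute('proxyaddress', "http://${ProxyHost}:${ProxyPort}")
$proxy.SetAttribute('bypassonlocal', 'true')
[void]$defaultProxy.AppendChild($proxy)
[void]$sysNet.AppendChild($defaultProxy)
$cfg.Save($cfgPath)
"Updated $cfgPath"

# Verify from a NEW process (machine.config is read at process start):
#  - GetProxy() returns the proxy URI .NET will use for Azure AD, or the destination itself if bypassed;
#  - the request to the Azure AD OpenID metadata endpoint should return HTTP 200 through that proxy.
$checkScript = "[System.Net.WebRequest]::DefaultWebProxy.GetProxy([Uri]'https://login.microsoftonline.com/').AbsoluteUri; " +
               "(Invoke-WebRequest -Uri 'https://login.microsoftonline.com/common/.well-known/openid-configuration' -UseBasicParsing).StatusCode"
powershell.exe -NoProfile -NonInteractive -Command $checkScript
```

If the first line of the check prints https://login.microsoftonline.com/ instead of your proxy URL, the section was not picked up (wrong machine.config, or the 32-bit Framework folder was edited instead of Framework64); if it prints the proxy URL but the request fails with 407, the proxy wants authentication and you need the enabled/useDefaultCredentials variant together with a domain service account.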

Hardware requirements for Azure AD Connect

The table below shows the minimum requirements for the Azure AD Connect sync computer. For 100,000 or more objects, the full version of SQL Server is required instead of the bundled SQL Server Express LocalDB.

Number of objects in Active Directory   CPU       Memory   Hard drive size
Fewer than 10,000                       1.6 GHz   4 GB     70 GB
10,000–50,000                           1.6 GHz   4 GB     70 GB
50,000–100,000                          1.6 GHz   16 GB    100 GB
100,000–300,000                         1.6 GHz   32 GB    300 GB
300,000–600,000                         1.6 GHz   32 GB    450 GB
More than 600,000                       1.6 GHz   32 GB    500 GB

The minimum requirements for computers running AD FS or Web Application Proxy servers are the following:

  • CPU: Dual core 1.6 GHz or higher
  • MEMORY: 2GB or higher
  • Azure VM: A2 configuration or higher

Okay. Let’s begin the installation,

Getting started with Azure AD Connect using Customised settings

The Azure AD Connect custom settings path is used when you want more options during the installation: if you have multiple forests, want to use your own SQL Server, or want to configure optional features not covered by the express installation. Before you start, download Azure AD Connect.
Installing SQL for AAD Sync

  • Run the SQL Server setup and click New SQL Server stand-alone installation or add features to an existing installation.
  • Enter the SQL product key and click Next.
  • Click Next through the next three pages.
  • Select SQL Server Feature Installation and click Next.
  • You can create a new named instance or go with the default instance. I have selected the default instance.
  • Add the SQL Server administrators and click Next. The account that will later run the Azure AD Connect installer must be among them, because the installer needs the sysadmin role on the instance.
  • Select the installation and configuration file paths and click Install.
  • The installation completes successfully.
Installing AAD Connect:

  • Run the Azure AD Connect setup, select I agree to the license terms and privacy notice and click Continue.
  • Click Customize.
  • Make sure the account running the wizard holds the sysadmin role on the SQL instance you just installed, then select Use an existing SQL Server, enter the server and instance name, and click Install.
  • On the User sign-in page, select Do not configure and click Next, since this article covers only directory synchronization.
  • Enter the Global Administrator credentials for your Office 365 / Azure AD tenant and click Next.
  • If you get an error at this point, make sure you have added the proxy settings to the machine.config file as described in the prerequisites.
  • On the Connect your directories page, enter the Enterprise Administrator credentials for your on-premises forest and click Next. An Enterprise Admin is more privilege than synchronization needs: for a production deployment, create a dedicated account with only the read (and, for writeback features, write) permissions it requires, and check in Synchronization Service Manager which account the Active Directory connector ends up running as.
  • Keep userPrincipalName as the attribute that uniquely identifies your users and click Next; if another attribute is guaranteed unique in your forest, you can select it instead.
  • Select any other optional features you need and click Next.
  • On the Ready to configure page, connectivity to Azure AD and on-premises AD has been verified. Leave Start the synchronization process when configuration completes selected, or clear it and start the initial sync manually after the installation.
  • Click Next to begin the installation.
  • The configuration completes successfully.
  • Once the initial full sync has completed, you can verify the last synced time in the portal as well.
  • Verify in the portal that the Azure AD Connect synchronization service account (its name starts with Sync_) was created.
  • Once the initial full sync has completed, the on-premises accounts appear in Azure AD with the status Synced with Active Directory.
  • Open Synchronization Service Manager (miisclient.exe) from the Azure AD Sync installation folder to check the sync status and confirm that the runs complete without errors.
  • You can also see how many objects were synced to Azure AD. Since this is a test lab, the counts are small here.
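The portal and miisclient show the sync state one screen at a time. As an added example that is not part of the original article, the script below does the same verification from PowerShell on the Azure AD Connect server: it reads the scheduler, starts a delta cycle if none is running, waits for the connectors to go idle, and then checks on the tenant side when the last sync landed, how many users are "Synced with Active Directory", and that the Sync_ service account exists. It assumes the ADSync module that ships with Azure AD Connect and the MSOnline module (Install-Module MSOnline) are available, and that you can sign in as a Global Administrator when prompted.

```powershell
# Added example (not from the original article): verify and drive Azure AD Connect sync
# from PowerShell. Run on the Azure AD Connect server with the ADSync and MSOnline modules present.
Import-Module ADSync

# 1. Scheduler state. SyncCycleEnabled must be True for the automatic delta cycle to run;
#    SyncCycleInProgress tells you whether the initial sync started by the wizard is still running.
$sched = Get-ADSyncScheduler
$sched | Format-List SyncCycleEnabled, SchedulerSuspended, StagingModeEnabled, SyncCycleInProgress,
                     NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC

# 2. Start a delta cycle by hand if nothing is running (use -PolicyType Initial for a full resync).
if (-not $sched.SyncCycleInProgress) {
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    'Delta sync cycle started'
}

# 3. Wait until no connector run is in progress, then list the connectors.
#    One Active Directory Domain Services connector and one Windows Azure Active Directory
#    connector are expected after a single-forest install.
do {
    Start-Sleep -Seconds 10
    $running = Get-ADSyncConnectorRunStatus      # empty when all connectors are idle
} while ($running)
Get-ADSyncConnector | Select-Object Name, ConnectorTypeName

# 4. Tenant side: last sync time, number of synced users, and the Sync_ service account.
Connect-MsolService   # prompts for a Global Administrator of the tenant
Get-MsolCompanyInformation |
    Select-Object DisplayName, DirectorySynchronizationEnabled, LastDirSyncTime

$allUsers = Get-MsolUser -All
$synced   = $allUsers | Where-Object { $_.LastDirSyncTime }   # only synced users carry this value
'{0} of {1} user(s) are synced with on-premises Active Directory' -f $synced.Count, $allUsers.Count

# The wizard creates the Sync_<servername>_<id> account; exactly one is expected per Connect server.
$allUsers | Where-Object { $_.UserPrincipalName -like 'Sync_*' } |
    Select-Object UserPrincipalName, LastPasswordChangeTimestamp
```

A user that was created in the cloud has no LastDirSyncTime, so the Where-Object filter is a direct equivalent of the "Synced with Active Directory" status shown in the portal. If SyncCycleEnabled comes back False, the 30-minute scheduler is off and nothing will sync until you enable it with Set-ADSyncScheduler -SyncCycleEnabled $true.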

Author Bio

Radhakrishnan Govindan
