In this article, I will show you how to install Azure AD Connect 1.1 using Express Settings. Express Settings is the default option.
Prerequisites for Azure AD Connect
Before you install Azure AD Connect, have the following prerequisites ready.
- An Azure subscription or an Azure trial subscription. This is only required for accessing the Azure portal and not for using Azure AD Connect. If you are using PowerShell or Office 365 you do not need an Azure subscription to use Azure AD Connect. If you have an Office 365 license you can also use the Office 365 portal. With a paid Office 365 license you can also get into the Azure portal from the Office 365 portal.
- Add and verify the domain you plan to use in Azure AD. For example, if you plan to use contoso.com for your users, make sure this domain has been verified and that you are not only using the contoso.onmicrosoft.com default domain.
- An Azure AD directory will by default allow 50k objects. Once you verify your domain, the limit will be increased to 300k objects. If you need more objects in Azure AD, you need to open a support case to have the limit increased. If you need more than 500k objects, you will need a license such as Office 365, Azure AD Basic, Azure AD Premium, or Enterprise Mobility Suite.
On-premises servers and environment
- The AD schema version and forest functional level must be Windows Server 2003 or later.
- If you’re planning to use the password writeback feature, the domain controllers must be on Windows Server 2008 (with the latest SP) or later. If your DCs are on 2008 (pre-R2), you must also apply hotfix KB2386717.
- The domain controller used by Azure AD must be writable. It is not supported to use a RODC (read-only domain controller) and Azure AD Connect will not follow any write redirects.
- Azure AD Connect must be installed on Windows Server 2008 or later. This server may be a domain controller or a member server if using express settings. If you use custom settings, the server can also be stand-alone and does not have to be joined to a domain.
- If you install Azure AD Connect on Windows Server 2008, make sure to apply the latest hotfixes from Windows Update. The installation will not be able to start with an unpatched server.
- If you’re planning to use the password synchronization feature, the Azure AD Connect server must be on Windows Server 2008 R2 SP1 or later.
- An Azure AD Global Administrator account for the Azure AD directory you wish to integrate with. This must be a school or organization account and cannot be a Microsoft account.
- An Enterprise Administrator account for your local Active Directory if you use express settings or upgrade from DirSync.
- Accounts in Active Directory if you use the custom settings installation path.
- The Azure AD Connect server needs DNS resolution for both intranet and internet. The DNS server must be able to resolve names for both your on-premises Active Directory and the Azure AD endpoints.
- If you have firewalls on your intranet and you need to open ports between the Azure AD Connect servers and your domain controllers, see Azure AD Connect Ports for more information.
- If your proxy limits which URLs can be accessed, the URLs documented in Office 365 URLs and IP address ranges must be opened in the proxy.
- If you are using an outbound proxy for connecting to the Internet, the following setting must be added to the C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config file so that the installation wizard and Azure AD Connect sync can connect to the Internet and Azure AD. This text must be entered at the bottom of the file. In this code, <PROXYADDRESS> represents the actual proxy IP address or host name.
  <system.net>
    <defaultProxy>
      <proxy usesystemdefault="true" proxyaddress="http://<PROXYADDRESS>:<PROXYPORT>" bypassonlocal="true" />
    </defaultProxy>
  </system.net>
- If your proxy server requires authentication, the service account must be located in the domain and you must use the customized settings installation path to specify a custom service account. You also need a different machine.config; with this change in machine.config, the installation wizard and sync engine will respond to authentication requests from the proxy server. In all installation wizard pages, excluding the Configure page, the signed-in user’s credentials are used. On the Configure page at the end of the installation wizard, the context is switched to the service account which was created by you. The machine.config section should look like this.
  <system.net>
    <defaultProxy enabled="true" useDefaultCredentials="true">
      <proxy usesystemdefault="true" proxyaddress="http://<PROXYADDRESS>:<PROXYPORT>" bypassonlocal="true" />
    </defaultProxy>
  </system.net>
- Optional: A test user account to verify synchronization.
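To confirm that the machine.config change described in the proxy items above was applied and still parses, the following PowerShell check reads the defaultProxy section and compares it with the proxy you intended to configure. It is an added example, not part of the original article or of Azure AD Connect; the function name Get-AadcProxyConfig, its parameters and the proxy.example.internal address are assumptions made for the illustration.

```powershell
# Added example, not from the original article. Get-AadcProxyConfig and its
# parameters are hypothetical names chosen for this sketch.
function Get-AadcProxyConfig {
    param(
        [string]$Path = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config',
        [string]$ExpectedProxy   # optional: the proxy URL you intended to configure
    )
    $doc = New-Object System.Xml.XmlDocument
    try {
        $doc.Load($Path)
    } catch {
        # A leftover <PROXYADDRESS> placeholder makes the file malformed XML.
        throw "Cannot parse ${Path}: $($_.Exception.Message)"
    }
    # The section is only read when it sits inside the <configuration> root element.
    $dp      = $doc.SelectSingleNode('/configuration/system.net/defaultProxy')
    $proxy   = if ($null -ne $dp)    { $dp.SelectSingleNode('proxy') }         else { $null }
    $address = if ($null -ne $proxy) { $proxy.GetAttribute('proxyaddress') }   else { '' }

    New-Object PSObject -Property @{
        SectionPresent        = ($null -ne $dp)
        ProxyAddress          = $address
        # Set only in the authenticated-proxy variant of the section.
        UseDefaultCredentials = ($null -ne $dp) -and ($dp.GetAttribute('useDefaultCredentials') -eq 'true')
        # A mismatch means sync traffic would leave through a proxy you did not intend.
        MatchesExpected       = (-not $ExpectedProxy) -or ($address -eq $ExpectedProxy)
    }
}

# Constructed sample input: a minimal copy of the authenticated-proxy section.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'machine.config.sample'
@'
<configuration>
  <system.net>
    <defaultProxy enabled="true" useDefaultCredentials="true">
      <proxy usesystemdefault="true"
             proxyaddress="http://proxy.example.internal:8080"
             bypassonlocal="true" />
    </defaultProxy>
  </system.net>
</configuration>
'@ | Set-Content -LiteralPath $sample -Encoding UTF8

Get-AadcProxyConfig -Path $sample -ExpectedProxy 'http://proxy.example.internal:8080'
```

Run it without -Path on the Azure AD Connect server to inspect the real file; a parse error or MatchesExpected = False is worth resolving before starting the installation wizard.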
Hardware requirements for Azure AD Connect
The table below shows the minimum requirements for the Azure AD Connect sync computer.
|Number of objects in Active Directory|CPU|Memory|Hard drive size|
|---|---|---|---|
|Fewer than 10,000|1.6 GHz|4 GB|70 GB|
|10,000–50,000|1.6 GHz|4 GB|70 GB|
|50,000–100,000|1.6 GHz|16 GB|100 GB|
|For 100,000 or more objects the full version of SQL Server is required||||
|100,000–300,000|1.6 GHz|32 GB|300 GB|
|300,000–600,000|1.6 GHz|32 GB|450 GB|
|More than 600,000|1.6 GHz|32 GB|500 GB|
The minimum requirements for computers running AD FS or Web Application Servers are as follows:
- CPU: Dual core 1.6 GHz or higher
- Memory: 2 GB or higher
- Azure VM: A2 configuration or higher
Okay, let’s begin the installation.
Getting started with Azure AD Connect using express settings
Click on Use Express settings
Enter your Office 365 tenant credentials and click Next.
If you get an error as shown below, ensure you have added the proxy server settings to the machine.config file.
Enter your on-premises AD Enterprise Administrator credentials and click Next.
The connectivity check for Azure AD and the on-premises AD is now verified. You can select "Start the synchronization process when the configuration completes", or you can start it manually after the installation has completed.
Click Next to begin the installation.
The configuration completes successfully.
Once the initial full sync has completed, you can also verify the last synced time in the portal.
Verify in the portal that the service account for AAD Connect was created.
Once the initial full sync has completed, you can see that the on-premises accounts are available in AAD with the status Synced with Active Directory.
You can open the miisclient from the mentioned path to check the sync status.
You can verify that the sync is happening properly.
You can also see how many objects are synced to AAD. Since I am doing this in a test lab, fewer attributes are synced here.