In IT environments today, the outlay for equipment such as servers, switches and routers is hefty, and on top of that you need to employ people to run the environment. Microsoft introduced a way to “extend” your on-premises environment to the cloud, and many companies have climbed aboard the Microsoft 365 juggernaut to eventually get rid of on-premises servers such as Exchange, as everything now sits in the cloud. Cloud means you do not manage the hardware, but you can still build your applications, have your domain in the cloud and have your staff authenticate to it. Sounds simple enough? It is, really.

Extending your on-premises Active Directory to Azure Active Directory can be done in a couple of steps. Just remember, you do need to pay for Azure Active Directory; it is not free. If you opt for the Basic version of Azure Active Directory, it is $1 per user per month. If you opt for the Premium version of Azure Active Directory, you are going to pay more.

So how do I connect my on-premises Active Directory to Azure Active Directory? You need to run Azure ADSync/Azure AD Connect. I generally run this on a VM in the environment; it is your choice where you want to install it.
We are not going to run through the Windows setup of a machine, as you should be familiar with this, but we will look at the AADSync part of it: how you install it and what your options are to configure it. You can always go back later and make a change if you need to.
Just a word of advice: If you are running IDSYNC and you have your hybrid connection set up with two-way sync — meaning you can reset passwords in the cloud and it will sync down to the on-premises Active Directory or from the on-premises Active Directory to the cloud — they tend to fight with each other.
How do I get the setup files? It is simple: log in to the Azure Portal and click on Azure AD Connect, as highlighted below:
It will take you to the next page:
In the middle of this screen, you can see it says Azure AD Connect Sync is not installed, and it gives you a hyperlink to download it.
Once you have downloaded it, run the installer. It will start with the window below:
Below, you can see the progress of the installation. If you try to install this on Windows 10, for example, it will tell you that it’s not a Windows server.
After the installation is done, you will get a splash screen, as shown below, while it opens.
You are now presented with the Wizard for Azure Active Directory Connect.
You need to accept the license terms and then click Continue.
If you launch the product on a machine that is not joined to the domain, you get the error above. Click the Customize button to continue.
Above, you have some options. If nothing is selected, you can proceed with the installation. Click the Install button.
The installer will install Visual C++ 2013. Above is a progress window of the installation.
It will install other prerequisites. I could not capture all the windows as it is too quick. Above, you can see that Microsoft SQL Server command-line utilities are installing.
Finally, the Synchronization Service is installed. Don’t be alarmed if it just sits there; the installation will take a bit longer with a machine that has lower specs.
Once done, you now have the option to select your sign-on method. Hover over each blue question mark for more information. Once you have made your selection, click Next.
You will now need to log in with the account that you use to log in to the Microsoft 365 portal and the Azure AD portal. You can get to one from the other. Click Next to continue.
If you didn’t join the machine to the domain, this is what you will see. Close the configuration window as you can resume it after you have joined the machine to the domain.
Now that you have joined the domain and rebooted, you are back at this window, and you can see that the forest field is now populated. Take note that tlab.local is showing; this suffix will not resolve on the internet. Click Add Directory.
Enter your enterprise admin details for the current domain (in this case tlab.local) and then press OK.
Before you continue, you will need to add a UPN suffix to your domain and also update your accounts if you have a setup like this, where the domain suffix does not resolve on the internet. I am not going to cover that in this article, but you can find out how to do it from here.
As you can see above, the additional UPN suffixes I added are showing and are verified. Select the attribute you want to use as the username and then tick the box to enable the Next button. Click Next.
In the window above, you can sync all domains and organizational units or selected ones. In bigger organizations, you will most likely select a dedicated user container. Click Next.
I didn’t make any changes here, but you can select what is the business requirement for you and then click Next.
In the window above, you can again filter users and devices or sync all. Make your selection and then click Next.
In the window above, you can now select optional features. You can leave the selection as is, like I did, and then click Next.
On the final screen above, you can now run the install. If you want synchronization to start as soon as the configuration completes, leave the checkbox enabled. Click Install.
Progress window while the installer configures everything.
Configuration continuing above.
Configuration still on-going.
Now the installation/configuration is complete, and you will see it gives you a warning with a recommendation. You can now click Exit.
To view the sync status, click the Start button, expand Azure AD Connect and click on Synchronization Service.
The window above will open, and you can see that it has already done a full import, sync, and export. Take note that the more objects you have to sync, the longer it will take.
If you log in to the Azure AD portal, you will now see that Azure AD Connect sync is enabled. If you click on the button, you will get the screen below:
As you can see above, Sync Status is enabled, and you can view the last sync time.
I created a test group called Azure AAD Group – Test and then ran a manual sync from the synchronization service.
You can see below that the group synced across, and that the source is Windows Server AD.
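The same checks can be done from PowerShell instead of the Synchronization Service window and the portal. The following is an added example, not code from the original article: it confirms the scheduler state, runs the equivalent of a manual delta sync, and checks that the test group arrived in the tenant. It assumes it is run on the AAD Connect server (the ADSync module is installed with AAD Connect), that the Microsoft Graph PowerShell module is installed, and that the group name matches the one created above.

```powershell
# Added example (not from the original article). Assumptions: run on the AAD Connect
# server as an administrator; ADSync module present; Microsoft.Graph module installed;
# $groupName is the test group created in the article (change it to your own).
Import-Module ADSync

$groupName = 'Azure AAD Group – Test'

# 1. Confirm the scheduler is enabled and not already mid-cycle.
$sched = Get-ADSyncScheduler
if (-not $sched.SyncCycleEnabled) {
    throw 'Sync cycle is disabled; enable it with: Set-ADSyncScheduler -SyncCycleEnabled $true'
}
if ($sched.SyncCycleInProgress) {
    Write-Warning 'A sync cycle is already running; wait for it to finish before starting another.'
}
else {
    # 2. Same as a manual delta run from the Synchronization Service UI.
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
}

# 3. Wait until no connector run is in progress (poll every 10 s, up to 5 minutes).
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 10
    $running = Get-ADSyncConnectorRunStatus
} while ($running -and (Get-Date) -lt $deadline)

# 4. Tenant-level sync status: the same information as the portal's Sync Status page.
Connect-MgGraph -Scopes 'Organization.Read.All', 'Group.Read.All' -NoWelcome
Get-MgOrganization | Select-Object DisplayName, OnPremisesSyncEnabled, OnPremisesLastSyncDateTime

# 5. Confirm the test group exists in the cloud and is flagged as synced from on-premises AD.
$g = Get-MgGroup -Filter "displayName eq '$groupName'" `
        -Property DisplayName, OnPremisesSyncEnabled, OnPremisesSecurityIdentifier
if ($g -and $g.OnPremisesSyncEnabled) {
    "Group '$($g.DisplayName)' is directory-synced; on-prem SID $($g.OnPremisesSecurityIdentifier)"
}
else {
    Write-Warning "Group '$groupName' not found in the tenant or not marked as directory-synced yet."
}
```

Step 5 is the scripted version of checking that the source column shows Windows Server AD: a group with OnPremisesSyncEnabled set and an on-premises SID came from the connector, not from the cloud.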
It is quite a long setup, but that is how you set up AAD Connect.