We're going to see the steps on how to install and configure Azure Active Directory Connect tool on domain controller (Windows Server) to sync on premises active directory users with Azure Active Directory.

Installation Prerequisites

A domain-joined host server running Windows Server 2016 or greater with a minimum of 4-GB RAM and .NET 4.7.2+ runtime. One can visit this link for detailed configuration. Windows 10 or later machine domain joined to domain controller.

1. Before we start the Azure AD Connection with our on premise AD user should have an user on Azure with Global Administrator role. For Example we have a user here having 1 role assigned (Global).

   

   
   

2. Download .NET 4.7.2+ (or any latest) framework runtime: Download

3. Create a new EntraID tenant in order to Sync a new domain/OU and add the Global Admin user under this tenant.

4. Make Google Chrome as your default browser instead of Edge for better experience.

5. Create a user on your on Premise AD with following permissions, if you want to use existing AD user (at step 12: AD Forest Account) and select “Use existing AD account” option.

   

Steps for Installing Azure AD Connect

1. Sign in to the Azure portal using an account with global administrator permissions.

2. In our Azure active directory as we can see Azure AD Connect is not enabled.

   

   Open IMAGE 0.png

   

3. Click on go to Azure AD Connect link to download the latest version of Azure AD setup. One can copy the url and download directly into their domain controller.

   

   Open IMAGE 1.png

   

4. This is a msi package which we need to install on our domain controller, after downloading the Azure AD Connect run this setup to start the installation.

   

   Open IMAGE 2.png

   

5. If you get following error while start AD Connect, please review this Help Document.

6. 

   You can use the following PowerShell script to enforce TLS 1.2 on your Microsoft Entra Connect server.

   If (-Not (Test-Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'))
   {
       New-Item 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
   }
   New-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value '1' -PropertyType 'DWord' -Force | Out-Null
   New-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -PropertyType 'DWord' -Force | Out-Null
   
   If (-Not (Test-Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'))
   {
       New-Item 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
   }
   New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value '1' -PropertyType 'DWord' -Force | Out-Null
   New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -PropertyType 'DWord' -Force | Out-Null
   
   If (-Not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'))
   {
       New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
   }
   New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled' -Value '1' -PropertyType 'DWord' -Force | Out-Null
   New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault' -Value '0' -PropertyType 'DWord' -Force | Out-Null
   
   If (-Not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'))
   {
       New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
   }
   New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -Value '1' -PropertyType 'DWord' -Force | Out-Null
   New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value '0' -PropertyType 'DWord' -Force | Out-Null
   
   Write-Host 'TLS 1.2 has been enabled. You must restart the Windows Server for the changes to take affect.' -ForegroundColor Cyan

7. Agree to the license terms and click on Continue

8. Since we don't have a verified domain in our Azure active directory and we are using our local domain which is non-routable domain for Microsoft Azure active directory therefore we can see warning. So now click Customize for custom installation.

   Open IMAGE 3.png

   

    

9. Once you have completed your selection as per your requirement click Install. In our case we are leaving all details as it is, we are not going to select any options.

   

   Open IMAGE 4.png

   

10. Then we’ll get a variety of sign in options options available here and we need to select the right one for our organization, however most organization pick Password Hash Synchronization and click Next.

    

    Open IMAGE 5.png

    

11. Here, enter Azure global administrator's username and password and click next, then it will connect to Microsoft to verify the username and password.

    

    Open IMAGE 6.png

    

12. We will then need to add a local active directory in the Connect your directories screen under forest selector directory and then click on Add Directory to add a local active directory and click on Next. To find the domain name of local directory go to Server Manager > Local Server on domain controller.

    

    Open IMAGE 7.png

    

13. In a pop-up window we will be prompted to select either create a new account or use existing account. This account will be used for directory synchronization. We will use our local administrator's credential (ex: authdc\administrator) to add an active directory connection and click Ok and then click Next.

    Note: Create an user on your On-Premise AD with following permissions if you want to use existing AD user and select Use existing AD account.

    

    Open IMAGE 8.png

    

14. Select Continue without matching all UPN suffixes to verified domains checkbox and then click Next.

    

    Open IMAGE 9.png

    

15. On the Domain and OU filtering, we can leave everything as default to sync the entire active directory data and click Next.

    

    Open IMAGE 10.png

    

16. Leave the default settings for the basic setup and click Next.

    

    Open IMAGE 11.png

    

17. Click Next

    

18. On the Optional features tab select any additional feature, if required and click Next.

    

    Open IMAGE 12.png

    

19. Make sure you have selected checkbox for Start the synchronization process when configuration completes and then click Install.

    

    Open IMAGE 13.png

    

20. Azure AD Connect configuration completed and synchronization process has been
    started. Now click Exit.

    Open IMAGE 14.png

    

     

21. Now go to Azure portal. Under Azure Active Directory you will see Azure AD Connect as enabled.

    

    Open IMAGE 15.png

    

22. Click on users, here we can see the users from our on premises active directory under On-premise sync enabled column.

    

    Open IMAGE 16.png

    

23. Alternatively, go to windows server 2016, then click on start menu and click on Synchronization Service. Here we can find that it already started the synchronization.

    

    Open IMAGE 17.png