Azure AD Connect Installation Requirements/Best Practices
- If you plan to use your own domain (for example renjithmenon.com), it is recommended to register the domain in the tenant and get it verified.
- A non-verified domain supports up to 50k objects by default, but once the domain is verified the limit is raised to 300k objects. If you need more than 300k, you can open a support request to get it increased.
- If you need more than 500k objects then you need to have a license such as Office 365, Azure AD basic, Azure AD premium, or Enterprise Mobility and Security.
- It is recommended to run the IdFix tool against your on-premises AD prior to the Azure AD Connect installation. The account you choose for running IdFix should have write access to Active Directory.
- The AD schema version and forest functional level must be Windows Server 2003 or later. The domain controllers can be any version as long as the schema and forest level requirements are met.
- If you plan to use the password writeback feature, your domain controllers must be Windows Server 2008 with the latest service pack installed.
- Installing Azure AD Connect on a read-only domain controller (RODC) is not supported.
- On-premises forests/domains using single-label domains (SLDs) are not supported.
- On-premises forests/domains using "dotted" NetBIOS names (a name containing a period ".") are not supported.
- It is recommended to enable the Active Directory recycle bin.
- Azure AD Connect should be installed only on Windows Server Standard edition or above.
- The Azure AD Connect server must have a full GUI installed. No Server Core!
- Azure AD Connect must be installed on Windows Server 2008 or later. This server may be a domain controller or a member server when using express settings. If you use custom settings, then the server can also be stand-alone and does not have to be joined to a domain.
- If you plan to use the password synchronization feature, then the Azure AD Connect server must be on Windows Server 2008 R2 SP1 or later.
- If you plan to use a group managed service account, then the Azure AD Connect server must be on Windows Server 2012 or later.
- The Azure AD Connect server must have .NET Framework 4.5.1 or later and Microsoft PowerShell 3.0 or later installed. Moreover, it should be fully patched with the latest Windows updates.
- The Azure AD Connect server must not have the PowerShell Transcription Group Policy enabled.
- If Active Directory Federation Services is being deployed, the servers where AD FS or Web Application Proxy are installed must be Windows Server 2012 R2 or later. Windows Remote Management (WinRM) must be enabled on these servers for remote installation.
- If Active Directory Federation Services is being deployed, you need SSL certificates.
- If Active Directory Federation Services is being deployed, then you need to configure name resolution.
- If your global administrators have MFA enabled, then the URL https://secure.aadcdn.microsoftonline-p.com must be in the trusted sites list. You are prompted to add this site to the trusted sites list when you receive an MFA challenge and it has not been added before. You can use Internet Explorer to add it to your trusted sites.
- If you will manage more than 100,000 objects, it is recommended to use a separate SQL Server instance rather than the SQL Server Express edition installed by the wizard.
- An Azure AD Global Administrator account for the Azure AD tenant you wish to integrate with. This account must be a school or organization account and cannot be a Microsoft account.
- If you use express settings or upgrade from DirSync, then you must have an Enterprise Administrator account for your local Active Directory.
- The Azure AD Connect server needs DNS resolution for both intranet and internet. The DNS server must be able to resolve names both to your on-premises Active Directory and the Azure AD endpoints.
- If you have firewalls on your Intranet and you need to open ports between the Azure AD Connect servers and your domain controllers, then see Azure AD Connect Ports for more information.
- If your proxy or firewall limits which URLs can be accessed, then the URLs documented in Office 365 URLs and IP address ranges must be opened.
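As an added example (not from the original post and not a Microsoft tool), here is a PowerShell pre-flight script that checks several of the server-side requirements above on a candidate Azure AD Connect server. It assumes an elevated session on a domain-joined server with the RSAT ActiveDirectory module available; the thresholds (OS build, .NET 4.5.1 release number 378675, schema objectVersion 30 for Windows Server 2003) are the documented values, and the Server-Gui-Shell registry check only exists on Windows Server 2012 and later.

```powershell
# Pre-flight checks for a candidate Azure AD Connect server (example, not Microsoft's code).
# Assumptions: elevated PowerShell on the candidate server, domain-joined, RSAT ActiveDirectory module present.
Import-Module ActiveDirectory -ErrorAction Stop
$checks = [ordered]@{}

# OS build: 6.1 = Server 2008 R2 (password sync), 6.2 = Server 2012 (gMSA support)
$osVer = [version](Get-CimInstance Win32_OperatingSystem).Version
$checks['OS is Server 2008 R2 or later']        = $osVer -ge [version]'6.1'
$checks['OS is Server 2012 or later (gMSA)']    = $osVer -ge [version]'6.2'

# Full GUI required: Server-Gui-Shell = 1 under ServerLevels (key exists on 2012+ only)
$levels = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Server\ServerLevels' -ErrorAction SilentlyContinue
$checks['Full GUI installed (not Server Core)'] = ($levels.'Server-Gui-Shell' -eq 1)

# .NET Framework 4.5.1 or later: Release value 378675 or higher
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$checks['.NET Framework 4.5.1 or later']        = ($ndp.Release -ge 378675)
$checks['PowerShell 3.0 or later']              = $PSVersionTable.PSVersion.Major -ge 3

# PowerShell Transcription policy must not be enabled on this server
$tr = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' -ErrorAction SilentlyContinue
$checks['PowerShell Transcription policy off']  = ($tr.EnableTranscripting -ne 1)

# Naming: no single-label DNS domain, no dotted NetBIOS name
$domain = Get-ADDomain
$forest = Get-ADForest
$checks['DNS domain is not single-label']       = $domain.DNSRoot -match '\.'
$checks['NetBIOS name contains no period']      = $domain.NetBIOSName -notmatch '\.'

# Forest functional level >= Windows Server 2003 (ADForestMode enum value 2)
$checks['Forest level >= Windows Server 2003']  = [int]$forest.ForestMode -ge 2
# Schema objectVersion 30 corresponds to Windows Server 2003
$schema = Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
$checks['Schema version >= Server 2003 (30)']   = $schema.objectVersion -ge 30

# Must not be a read-only DC (lookup only succeeds if this box is a DC)
$dc = Get-ADDomainController -Identity $env:COMPUTERNAME -ErrorAction SilentlyContinue
$checks['Not a read-only domain controller']    = -not ($dc -and $dc.IsReadOnly)

# DNS must resolve both on-premises AD (DC SRV records) and an Azure AD endpoint
$srv   = Resolve-DnsName "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV -ErrorAction SilentlyContinue
$cloud = Resolve-DnsName 'login.microsoftonline.com' -ErrorAction SilentlyContinue
$checks['Resolves on-premises DC SRV records']  = [bool]$srv
$checks['Resolves login.microsoftonline.com']   = [bool]$cloud

# Print a PASS/FAIL line per requirement
$checks.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
}
```

A FAIL on the Server-Gui-Shell line on a 2008 R2 host only means the registry key is absent there, so confirm the GUI manually on that OS.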