Important AD Update: You Need to Install AAD Connect 1.6.2.4 ASAP
Are you currently on AAD Connect 1.6.2.0? If so, you need to act now!
Nathan O'Bryan MCSM
Active Directory Synchronization for Office 365 and Azure has been a vital, but fairly straight forward, part of Office 365 migrations for almost 5 years now. DirSync was updated to Azure Active Directory Sync, and AAD Sync was updated to Azure Active Directory Connect. In this blog post, I’m going to cover everything you need to know about deploying the newest version of AAD Connect.
Microsoft has put a fair amount of work into AAD Connect to ensure it meets the requirements of many varied organizations moving to the cloud. Part of this work has gone into making AAD Connect easy to deploy. While a default install of AAD Connect is indeed pretty simple, it’s important to understand that there are a lot of configuration options available for AAD Connect.
AAD Connect Deployment Options
If you are looking to deploy AAD Connect for a simple Office 365 deployment, the Express Settings options of AAD Connect will get you going quickly and easily. In the screenshot below you can see the default actions AAD Connect will take if you run the Express Settings. If these settings meet your requirements, then you’re just a couple of clicks away from finishing your setup.
One new feature with AAD Connect 1.1 is Auto Upgrade. If you choose an Express Setup, AAD Connect will be setup to check for, and install, the next version of AAD Connect automatically. While I think there is some value in the feature for some organizations, I would recommend caution in leaving it on.
If a new version of AAD Connect is pushed out that contains errors, the consequences could be significant. The Auto Upgrade feature is not, and cannot be, turned on if you choose a custom install.
If your requirements are more complex than that read on.
Reasons for a custom install
If you choose a Custom installation of AAD Connect, the next screen you’ll be presented with will look like this.
The four options listed are not the only reasons you may want to choose a Custom AAD Connect installation. Additional reasons include
- Setting up a multi-forest hybrid Exchange deployment
- Using AAD Connect to configure AD FS
- Filtering which users and groups are synchronized to Azure AD
- Deploying a “hot standby” AAD Connect server
I’m not going to have space in this blog post today to cover all the options, but I’ll run you though how I like to install AAD Connect, and give you the reasons for the decisions I make.
Before you get started
There are a few prerequisites we need to cover before we start installing AAD Connect. Here’s a list of the things we’ll need to setup.
- A tenant: We’ll need an Office 365, or Azure AD tenant setup.
- Verified Domain(s): Once you have your tenant, you’ll need to verify your domain(s). I use MCSMLab.com as my public domain, so that’s what I’ll be using as an example in this article.
- Know the number of AD objects (users and groups) you’ll be syncing: Azure AD will allow you to sync 50,000 objects by default. When you verify a domain, that limit is automatically upped to 300,000 objects.
- On-premises AD version: You on-premises Active Directory needs to be Windows Server 2003 or later. If you plan to use password writeback, your DCs need to be Server 2008 with the latest Service Pack.
- AD Connect must be installed on Server 2008 or later. It can be a domain controller if you use the express settings. If you plan to use password synchronization, the server needs to be Server 2008 R2 SP1 or later.
- AAD Connect needs a SQL database. By default, it will use a SQL Server 2012 Express LocalDB, which has a limit of 10 GB (about 100,000 objects). If you need more objects than that, you’ll have to use a separate SQL server.
- Hardware requirements for the AAD Connect server are listed in the table below:
|
Number of objects in Active Directory |
CPU |
Memory |
Hard drive size |
|
Fewer than 10,000 |
1.6 GHz |
4 GB |
70 GB |
|
10,000–50,000 |
1.6 GHz |
4 GB |
70 GB |
|
50,000–100,000 |
1.6 GHz |
16 GB |
100 GB |
|
For 100,000 or more objects the full version of SQL Server is required |
|
|
|
|
100,000–300,000 |
1.6 GHz |
32 GB |
300 GB |
|
300,000–600,000 |
1.6 GHz |
32 GB |
450 GB |
|
More than 600,000 |
1.6 GHz |
32 GB |
500 GB |
Installing AAD Connect
The Express install of AAD Connect is very easy. After you make sure you meet the prerequisites above, all you need is admin accounts both on-premises and in Office 365/Azure AD.
The custom install options give you a little more to think about. The first option you’ll need to decide on is the user sign-in method.
AAD Connect can configure AD FS for you, but personally I don’t really see the value. You need to stage the AD FS server and WAP server, install the SSL certificate, and ensure all the proper ports are open. AAD Connect really does not end up taking much work off your plate, so I prefer to just install and configure the AD FS server(s) myself.
If you want to use password synchronization, then by all means use this page to make that selection.
The next page in this wizard just asks for your Azure AD/Office 365 credentials.
The connected Directories page allows you to select the on-premises Active Directory forest(s) that you are going to synchronize. In the screenshot below, you can see I have added a single forest. You can add additional forests at this point if that is the configuration you’re going for.
On the Domain/OU filtering page, you can see I have selected only a single OU to synchronize. You can, of course, select as few or as many Domains and OU to synchronize as you’d like.
The identifying users page is used for multi-forest deployments where users have accounts in more than one forest. In the Exchange world, this would be the case if you have deployed a resource forest model. If that is the situation you’re in, I expect you’ll need more guidance than I can provide in this blog post.
The Filtering page allows you to filter what users and devices are synchronized by AD group. There are a number of other ways you can filter which users are synchronized.
The Optional Features page allows you to select a number of optional features as shown below.
Be cautioned that several of these features require Azure AD Premium licenses.
The last page lets you choose to start synchronization immediately, and to enable staging mode. Staging mode allows you to “pre stage” a second AAD Connect server in case your first server goes down. It’s a “poor man’s high avaibility” option.
When you hit install, your journey to the cloud will continue with the installation of your AAD Connect server.
