Aug 1, 2022
On-premises Active Directory – Planning Identity Synchronization

Before you install Azure AD Connect, you also need to make sure that the on-premises Active Directory meets the following requirements:

  • You must have at least one on-premises Active Directory environment with Windows Server 2003 or later forest functional level and schema. The NetBIOS name of the forest or domain cannot have a period in it.
  • The domain controller that Azure AD Connect uses must be writeable. Read-only domain controllers (RODCs) are not supported for use with Azure AD Connect. RODCs are permitted in the environment, but Azure AD Connect should be installed in an Active Directory site without RODCs.
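The two Active Directory requirements above can be verified before installation. The following script is an added example and not part of the original text; it uses the RSAT ActiveDirectory module from a domain-joined machine (assumed to be the server where Azure AD Connect will be installed, so that its site is the one checked for RODCs) and only reports, changing nothing.

```powershell
# Added example (not from the original text): report-only check of the on-premises
# Active Directory prerequisites for Azure AD Connect.
# Assumes the RSAT ActiveDirectory module and that this runs on the intended
# Azure AD Connect server, whose AD site is the one that must be free of RODCs.
Import-Module ActiveDirectory -ErrorAction Stop

$issues = @()
$forest = Get-ADForest

# Forest functional level must be Windows Server 2003 or later; these two
# ForestMode values are the only ones below that threshold.
if ($forest.ForestMode -in @('Windows2000Forest', 'Windows2003InterimForest')) {
    $issues += "Forest functional level '$($forest.ForestMode)' is below Windows Server 2003."
}

# Site of the local computer (the prospective Azure AD Connect server).
$site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName

    # NetBIOS names of the forest root and every domain must not contain a period.
    if ($domain.NetBIOSName -like '*.*') {
        $issues += "Domain '$domainName' has NetBIOS name '$($domain.NetBIOSName)' containing a period."
    }

    # Azure AD Connect must bind to a writable DC; RODCs cannot be its target.
    $writable = @(Get-ADDomainController -Server $domainName -Filter { IsReadOnly -eq $false })
    if ($writable.Count -eq 0) {
        $issues += "Domain '$domainName' exposes no writable domain controller."
    }

    # RODCs may exist elsewhere, but not in the site where Azure AD Connect is installed.
    $rodcsInSite = @(Get-ADDomainController -Server $domainName -Filter { IsReadOnly -eq $true -and Site -eq $site })
    if ($rodcsInSite.Count -gt 0) {
        $names = ($rodcsInSite | ForEach-Object { $_.HostName }) -join ', '
        $issues += "Site '$site' contains RODC(s) from '$domainName': $names."
    }
}

if ($issues.Count -eq 0) {
    Write-Host "Active Directory prerequisites for Azure AD Connect: OK (forest $($forest.Name), site $site)"
} else {
    Write-Host "Active Directory prerequisites for Azure AD Connect: $($issues.Count) issue(s) found"
    $issues | ForEach-Object { Write-Warning $_ }
}
```

Every domain in the forest is queried separately because `Get-ADDomainController -Filter` only returns controllers of the domain it is pointed at, so an RODC from a child domain in the same site would otherwise be missed.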

SQL Server

In addition to the core prerequisites to install and configure Azure AD Connect, you should be aware of limitations regarding the size of the database.

By default, Azure AD Connect installs SQL Server 2019 Express for use with the Azure AD Connect database. Express editions of SQL are limited to a 10 GB database, which is sufficient for managing synchronization for approximately 100,000 objects. If the sum of objects in all of your connected directories is larger than 100,000 objects, you will need to configure Azure AD Connect during installation to connect to a full version of SQL Server.

Exam tip

SQL database server sizing and performance requirements are outside the scope of the MS-100 exam.

As previously mentioned, Azure AD Connect deployments that are used to synchronize more than 100,000 objects will require their own SQL Server. The memory and disk space requirements in Table 3.3 are for Azure AD Connect only and do not reflect the additional SQL Server sizing requirements.

Azure AD Connect server software components

Azure AD Connect has requirements specific to the minimum operating system versions, as well as other software components:

  • Currently, you can deploy to Windows Server 2016 or Windows Server 2019 (but not Server 2022 yet). You cannot deploy to Small Business Server or Windows Server Essentials editions before 2019.
  • The PowerShell execution policy for the server should be set to RemoteSigned or Unrestricted.
    • You must not have PowerShell Transcription enabled through Group Policy if you plan on using Azure AD Connect to configure Active Directory Federation Services (AD FS).

Note

This is a change from the original product documentation. Previously, PowerShell Transcription would cause the installation to abort.

  • The server used for Azure AD Connect must have a full GUI installed. It doesn’t support deployment to any edition of Windows Server Core.
  • Ensure you have PowerShell 5.0 or later as well as .NET Framework 4.5.1 or later installed.
  • Azure AD Connect checks for the MachineAccessRestriction, MachineLaunchRestriction, and DefaultLaunchPermission values in the Distributed COM (DCOM) configuration. If those values are missing or corrupt, the installation will fail.

While it is not required, Microsoft recommends forcing the use of TLS 1.2 for .NET Framework components. This can be configured by setting the HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto registry value to DWORD:00000001.
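The server-side requirements in the list above and the TLS 1.2 recommendation can be audited in one pass. The script below is an added example, not from the original text: run it in an elevated PowerShell session on the prospective Azure AD Connect server. All checks are report-only except the optional `-EnableStrongCrypto` switch, which writes `SchUseStrongCrypto=1`. The page names only the 64-bit .NET Framework key; the script also checks the `Wow6432Node` counterpart, which Microsoft's TLS guidance sets for 32-bit .NET processes.

```powershell
# Added example (not from the original text): audits the local server against the
# Azure AD Connect software prerequisites and the recommended TLS 1.2 setting.
# Run elevated. Only -EnableStrongCrypto changes anything; everything else reports.
param([switch]$EnableStrongCrypto)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Operating system: Windows Server 2016 or 2019, full GUI (Server Core is unsupported).
$os  = Get-CimInstance Win32_OperatingSystem
$ntv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
if ($os.Caption -notmatch 'Windows Server (2016|2019)') {
    $findings.Add("Unsupported OS for Azure AD Connect: $($os.Caption)")
}
if ($ntv.InstallationType -eq 'Server Core') {
    $findings.Add("Server Core installation detected; Azure AD Connect requires the full GUI.")
}

# 2. PowerShell execution policy (effective) and version.
$policy = Get-ExecutionPolicy
if ($policy -notin @('RemoteSigned', 'Unrestricted')) {
    $findings.Add("Execution policy is '$policy'; set it to RemoteSigned or Unrestricted.")
}
if ($PSVersionTable.PSVersion -lt [version]'5.0') {
    $findings.Add("PowerShell $($PSVersionTable.PSVersion) is older than 5.0.")
}

# 3. PowerShell transcription enforced by Group Policy (a problem only if AD FS is configured via Azure AD Connect).
$transcription = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' -ErrorAction SilentlyContinue
if ($transcription -and $transcription.EnableTranscripting -eq 1) {
    $findings.Add("PowerShell transcription is enabled by policy; disable it before configuring AD FS with Azure AD Connect.")
}

# 4. .NET Framework 4.5.1 or later: the 'Release' DWORD is 378675 or higher for 4.5.1.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
if (-not $ndp -or $ndp.Release -lt 378675) {
    $findings.Add(".NET Framework 4.5.1 or later is not installed (Release=$($ndp.Release)).")
}

# 5. DCOM values the installer validates; a missing value makes the installation fail.
$ole = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole'
foreach ($name in 'MachineAccessRestriction', 'MachineLaunchRestriction', 'DefaultLaunchPermission') {
    if ($null -eq $ole.$name) {
        $findings.Add("DCOM value HKLM\SOFTWARE\Microsoft\Ole\$name is missing.")
    }
}

# 6. TLS 1.2 for .NET Framework: SchUseStrongCrypto = 1 (64-bit key from the text plus its Wow6432Node counterpart).
$cryptoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
foreach ($key in $cryptoKeys) {
    $current = (Get-ItemProperty $key -ErrorAction SilentlyContinue).SchUseStrongCrypto
    if ($current -ne 1) {
        if ($EnableStrongCrypto) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -Path $key -Name SchUseStrongCrypto -Value 1 -Type DWord
            $findings.Add("Set SchUseStrongCrypto=1 under $key (restart .NET services or reboot to apply).")
        } else {
            $findings.Add("SchUseStrongCrypto is not 1 under $key; TLS 1.2 is not forced for .NET Framework.")
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host "All Azure AD Connect server prerequisite checks passed."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

The DCOM check only tests for the presence of the three values; it does not validate the security descriptors they hold, so a value that exists but is corrupt still has to be diagnosed from the installer log.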
