I will go through the setup of AADConnect. Just in case you have not seen my article on IDFix, click on the name and it will take you there. That is a prerequisite before configuring. The application is lightweight and works seamlessly. Just be careful if you are running DPI SSL on your network: man-in-the-middle certificates do not always play nice, and when the certificate expires it will shut down the connection. Best to exclude it, as you trust the destination.
You need to ensure you have a minimum of .NET Framework 4.7.1 installed on the server. I have installed it on an AD server, so no issues there. Another requirement is an account to read the directory. Previously a domain admin account was required, but that is no longer the case. You can set up a service account called “AADSync@domain.co.za”. Once you are done, you can download the AADConnect tool. Run the AzureADConnect.msi file. When you kick it off, you will see this page:
You can leave the default (unticked) and click on “Install”.
Also, leave the default selected “Password Hash Synchronization” and click “Next”. “Password Hash Synchronization” means users can sign in to Microsoft cloud services, such as Microsoft 365, using the same password they use on their on-premises network.
At this point, you will be required to log in with a “Global Admin” account. I know that most of the time you are required to have MFA on an account. If your global admin account has multifactor authentication enabled, you provide the password again in the sign-in window, and you must complete the multifactor authentication challenge. The challenge could be a verification code or a phone call.
You can create an account under the “Service Accounts” OU in your Active Directory. Ensure the password is a minimum of 16 characters, and that the account is not a Domain or Enterprise Admin.
Next, you will be prompted for the sync settings. You will need to add the domain which you would like to sync. Select the domain and connect the directories.
If you are not sure about the parameters, or how syncing an OU can create problems or sync issues, at this point I would recommend selecting a single OU for now, even if there are no users in it. Then work your way through the OU you want to sync, checking that there are no duplicates: the same username, display name, email address, or UPN on more than one object. Then you can leave the “Mail identifier” settings at the default and proceed.
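The duplicate check described above can be scripted before you pick the OU in the wizard. The following is an added example, not code from the article; it assumes the RSAT ActiveDirectory module is installed and uses a hypothetical OU distinguished name that you replace with your own.

```powershell
# Added example (not from the original article): pre-sync duplicate check for one OU.
Import-Module ActiveDirectory

# Assumption: replace with the DN of the OU you intend to select in the AAD Connect wizard.
$OU = 'OU=Staff,DC=domain,DC=co,DC=za'

$users = Get-ADUser -SearchBase $OU -Filter * `
    -Properties displayName, mail, userPrincipalName, proxyAddresses

# Report values of one attribute that appear on more than one account (case-insensitive).
function Find-DuplicateValues {
    param(
        [Parameter(Mandatory)] $Users,
        [Parameter(Mandatory)] [string] $Attribute
    )
    $Users |
        Where-Object { $_.$Attribute } |
        Group-Object -Property { $_.$Attribute.ToString().ToLowerInvariant() } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Attribute = $Attribute
                Value     = $_.Name
                Accounts  = ($_.Group.SamAccountName -join ', ')
            }
        }
}

# The four single-valued attributes the article says must be unique before syncing.
$report = @(foreach ($attr in 'SamAccountName', 'displayName', 'mail', 'userPrincipalName') {
    Find-DuplicateValues -Users $users -Attribute $attr
})

# proxyAddresses is multi-valued: flatten the SMTP entries, then look for repeats across accounts.
$smtp = foreach ($u in $users) {
    foreach ($addr in $u.proxyAddresses) {
        if ($addr -like 'smtp:*') {
            [pscustomobject]@{ Address = $addr.Substring(5).ToLowerInvariant(); Sam = $u.SamAccountName }
        }
    }
}
$report += @($smtp | Group-Object Address | Where-Object Count -gt 1 | ForEach-Object {
    [pscustomobject]@{ Attribute = 'proxyAddresses'; Value = $_.Name; Accounts = ($_.Group.Sam -join ', ') }
})

if ($report.Count -gt 0) { $report | Format-Table -AutoSize } else { "No duplicates found in $OU" }
```

Run it against each OU you plan to add; anything it lists will show up as a sync error or a soft-matched object once the initial sync runs.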
For the device filtering options, leave it as default and move on.
Then at the “Optional Features”, I would recommend selecting “Password Hash Sync” and “Password writeback”.
It will take a few minutes to configure and sync. It will run an initial sync as well.
NOTE: Do not leave the configuration open, or else the sync will not work.
And that is it. I know that when going through articles, they give you tons of information and options. But sometimes the bare minimum is all we need to get it working.