AD Connect Setup

Preparation

Note before install!

In earlier versions of AD Connect you would normally assign both Enterprise Admin and Domain Admin rights to the account used to sync from the on-premises server to Office 365.

As of build 1.4.18.0 it is no longer supported to use an Enterprise Admin or a Domain Admin account as the AD DS Connector account. If you attempt to enter an account that is an enterprise admin or domain admin when specifying use existing account, you will receive the following error:

“Using an Enterprise or Domain administrator account for your AD forest account is not allowed. Let Azure AD Connect create the account for you or specify a synchronization account with the correct permissions.”
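
A pre-flight check for the restriction above, as an added example (not part of the original guide and not Microsoft's own code): it reports whether a candidate existing AD DS Connector account is a direct or nested member of Domain Admins or Enterprise Admins. It assumes the ActiveDirectory RSAT module is installed; the account name `svc-adsync` and the function name are hypothetical.

```powershell
#Requires -Modules ActiveDirectory

function Test-ConnectorAccountPrivilege {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user       = Get-ADUser -Identity $SamAccountName
    $domain     = Get-ADDomain
    $rootDomain = (Get-ADForest).RootDomain
    $rootSid    = (Get-ADDomain -Identity $rootDomain).DomainSID.Value

    # Resolve the groups by well-known RID instead of by name, so the check
    # also works on localized or renamed groups.
    # 512 = Domain Admins, 519 = Enterprise Admins (exists in the forest root only).
    $blocked = @(
        @{ Name = 'Domain Admins';     Sid = "$($domain.DomainSID.Value)-512"; Server = $domain.DNSRoot }
        @{ Name = 'Enterprise Admins'; Sid = "$rootSid-519";                   Server = $rootDomain }
    )

    foreach ($group in $blocked) {
        # -Recursive expands nested groups, so indirect membership is caught too.
        $members = Get-ADGroupMember -Identity $group.Sid -Server $group.Server -Recursive
        [pscustomobject]@{
            Account  = $user.SamAccountName
            Group    = $group.Name
            IsMember = [bool]($members | Where-Object { $_.SID.Value -eq $user.SID.Value })
        }
    }
}

# 'svc-adsync' is a hypothetical name for the existing account you plan to specify.
$result = Test-ConnectorAccountPrivilege -SamAccountName 'svc-adsync'
$result | Format-Table -AutoSize

if ($result.IsMember -contains $true) {
    Write-Warning 'Account is a Domain or Enterprise Admin and will be rejected as an existing AD DS Connector account.'
}
```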

Before setting up AD Connect, we must first create the correct UPN suffixes on the local server for all domains that are used in Office 365.


1. Open Active Directory Domains and Trusts and then right-click Active Directory Domains and Trusts.
Add all domains to be used in Office 365.

2. Change the UPN suffix on each user in Active Directory to the correct domain.

3. Create a new AD user with a descriptive name, e.g. adconnect, locally on the server.
The user should be a member of Enterprise Admins.

4. Create a new user in Office 365 with global administrator rights (a license is not necessary).
This user is later used to log in to Office 365 from AD Connect on the local server.

5. Download AD Connect from 
https://www.microsoft.com/en-us/download/details.aspx?id=47594

Install AD Connect

6. Select “I agree” as shown below.

7. Select “Customize”

8. Select “Install”

9. Select “Password Hash Synchronization” and then click “Next”

10. Here you need to log in with the adconnect user, which we previously created in Office 365.

11. Let Azure AD Connect create the account for you or specify a synchronization account with the correct permissions. Use the adconnect user which we previously created on-premises, and select “Create new AD account”.

After the username and credentials have been typed in, it should look like the image below.
Click “Next”

12. Domain mrestore.dk has been verified, click “Next”

13. Here you choose which OU to synchronize to Office 365.

14. Here we just use the default values.

15. Just default values.

16. Normally we would also activate “Password writeback”.
This means that if a user resets their password in Office 365, the password will automatically be synced back to Active Directory.
I have previously experienced that it is best practice to wait with activating this function until the customer has migrated to Office 365.

17. Now we are ready to install AD Connect, click “Install”

AD Connect is now installed, and ready for use.