How to Integrate Windows Server 2012 R2 with Azure Active Directory
Integrating an on-premises Windows Server 2012 R2 Active Directory environment with Azure Active Directory (Azure AD) enables hybrid identity scenarios: users authenticate once with their on-premises credentials and gain access to cloud services including Office 365, Azure portal resources, and third-party SaaS applications. The primary synchronization tool for this integration is Azure AD Connect, which replaces the older DirSync and AAD Sync tools. This guide covers deploying Azure AD Connect, configuring synchronization, enabling Password Hash Sync or Pass-through Authentication, and validating the hybrid identity state.
Prerequisites
– Windows Server 2012 R2 with all current updates applied
– An Active Directory domain with forest functional level Windows Server 2003 or higher
– An Azure AD tenant (via Office 365 subscription or standalone Azure subscription)
– A Global Administrator account in Azure AD
– An Enterprise Admin or Domain Admin account for on-premises AD
– Outbound HTTPS (port 443) access from the Azure AD Connect server to Microsoft endpoints
– .NET Framework 4.5.1 or higher (Azure AD Connect prerequisite)
– PowerShell 3.0 minimum on the sync server
Step 1: Prepare the On-Premises Environment
Before installing Azure AD Connect, verify your AD environment meets synchronization requirements:
Import-Module ActiveDirectory
# Check forest functional level (minimum Windows Server 2003)
(Get-ADForest).ForestMode
# Check domain functional level
(Get-ADDomain).DomainMode
# Verify UPNs — all users should have a routable UPN suffix
# Azure AD uses UPN for cloud identity
$nonRoutableUsers = Get-ADUser -Filter * -Properties UserPrincipalName |
Where-Object { $_.UserPrincipalName -notmatch "@yourdomain.com$" -and
$_.UserPrincipalName -notmatch "@yourdomain.onmicrosoft.com$" }
Write-Host "Users with non-routable UPNs: $($nonRoutableUsers.Count)"
# Add a routable UPN suffix to AD if needed
Set-ADForest -UPNSuffixes @{Add="yourdomain.com"}
# Update users to use the routable UPN
Get-ADUser -Filter {UserPrincipalName -like "*@corp.local"} |
ForEach-Object {
$newUPN = $_.SamAccountName + "@yourdomain.com"
Set-ADUser $_ -UserPrincipalName $newUPN
}
# Check for duplicate attributes (proxyAddresses, UPN)
# Run IdFix to detect and fix sync errors before installation
# Download IdFix from Microsoft: https://microsoft.github.io/idfix/
Step 2: Install Azure AD Connect
Deploy Azure AD Connect on a dedicated member server (not a Domain Controller for production environments):
# Install prerequisites on the sync server
Import-Module ServerManager
Install-WindowsFeature -Name NET-Framework-45-Features, NET-Framework-45-Core,
NET-Framework-45-ASPNET -IncludeAllSubFeature
# Verify .NET version
(Get-ItemProperty "HKLM:SOFTWAREMicrosoftNET Framework SetupNDPv4Full").Release
# 378389 = 4.5, 379893 = 4.5.2, 394802 = 4.6.2
# Download Azure AD Connect from Microsoft
# https://www.microsoft.com/en-us/download/details.aspx?id=47594
# File: AzureADConnect.msi
# Install silently
msiexec /i AzureADConnect.msi /qn ACCEPT_EULA=YES
# After install, launch the wizard
# C:Program FilesMicrosoft Azure Active Directory ConnectAzureADConnect.exe
Step 3: Configure Azure AD Connect with Express Settings
For single-forest environments, Express Settings handles most configuration automatically. For custom scenarios, use Custom Installation:
# Azure AD Connect configuration via PowerShell (post-install)
# The wizard-based setup handles initial config; PowerShell manages ongoing settings
# After wizard completion, verify the sync account was created in AD
Get-ADUser -Filter {SamAccountName -like "MSOL_*"} -Properties Description |
Select-Object Name, SamAccountName, Description
# The MSOL account is the on-premises AD connector account
# It requires specific permissions set by the wizard:
# - Replicate Directory Changes (for Password Hash Sync)
# - Read/Write permissions on objects for writeback features
Step 4: Configure Synchronization Scope with Organizational Unit Filtering
By default, Azure AD Connect synchronizes all users. In production, filter to specific OUs to exclude service accounts, admin accounts, and test objects from synchronization:
# Use the Synchronization Service Manager for OU filtering
# Or configure via PowerShell after initial setup
# View current connector configuration
Import-Module ADSync
Get-ADSyncConnector | Select-Object Name, ConnectorTypeName
# Get the AD connector
$adConnector = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq "AD" }
# Review current OU filter
$adConnector.Partitions | ForEach-Object {
$_.ContainerInclusionList
}
# Apply OU filtering via the wizard's "Customize synchronization options"
# Or directly via PowerShell:
$adConnector = Get-ADSyncConnector -Name "corp.local"
$adConnector.Partitions[0].ContainerInclusionList = @(
"OU=Users,DC=corp,DC=local",
"OU=Groups,DC=corp,DC=local",
"OU=Computers,DC=corp,DC=local"
)
Set-ADSyncConnector -Connector $adConnector
Step 5: Enable Password Hash Synchronization
Password Hash Sync (PHS) is the simplest authentication method and provides a backup authentication path even if on-premises connectivity fails:
# Verify PHS is enabled after wizard configuration
Import-Module ADSync
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector "corp.local"
# Enable PHS if not already configured
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector "corp.local" `
-TargetConnector "corp.onmicrosoft.com - AAD" `
-Enable $true
# Force an immediate password sync
Invoke-ADSyncRunProfile -ConnectorName "corp.local" -RunProfileName "Delta Import"
Invoke-ADSyncRunProfile -ConnectorName "corp.onmicrosoft.com - AAD" -RunProfileName "Delta Synchronization"
Invoke-ADSyncRunProfile -ConnectorName "corp.onmicrosoft.com - AAD" -RunProfileName "Export"
# Check sync status
Get-ADSyncScheduler
Step 6: Run Initial Synchronization and Verify
# Trigger initial full sync
Import-Module ADSync
# Run full import on both connectors
Start-ADSyncSyncCycle -PolicyType Initial
# Monitor sync progress
Get-ADSyncRunStepResult | Sort-Object StartDate -Descending |
Select-Object ConnectorName, RunProfileName, Result, StartDate, EndDate |
Format-Table -AutoSize
# Check for sync errors
$syncErrors = Get-ADSyncCSObject -ConnectorName "corp.local" |
Where-Object { $_.HasSyncError }
Write-Host "Objects with sync errors: $($syncErrors.Count)"
# Detailed error information
$syncErrors | ForEach-Object {
Write-Host "Error on: $($_.DN)"
Write-Host "Error: $($_.SyncError)"
}
Step 7: Verify Users in Azure AD via PowerShell
# Install Azure AD PowerShell module
Install-Module -Name AzureAD -Force
# Connect to Azure AD
$credential = Get-Credential # Global Admin credentials
Connect-AzureAD -Credential $credential
# Verify synced users
Get-AzureADUser -All $true | Where-Object { $_.DirSyncEnabled -eq $true } |
Select-Object DisplayName, UserPrincipalName, AccountEnabled |
Sort-Object DisplayName |
Format-Table -AutoSize
# Check for sync errors in Azure AD
Get-AzureADUser -All $true | Where-Object { $_.DirSyncEnabled -eq $true -and $_.AccountEnabled -eq $false } |
Select-Object DisplayName, UserPrincipalName
# Verify a specific user
Get-AzureADUser -SearchString "John Smith" | Format-List *
# Confirm last sync time
(Get-AzureADTenantDetail).CompanyLastDirSyncTime
Step 8: Configure Seamless Single Sign-On (Optional)
Azure AD Seamless SSO allows domain-joined machines to authenticate to Azure AD without re-entering credentials:
# Enable Seamless SSO in Azure AD Connect (requires wizard reconfiguration)
# Or via PowerShell:
Import-Module "C:Program FilesMicrosoft Azure Active Directory ConnectAzureADSSO.psd1"
# Connect to Azure AD
$azureAdCreds = Get-Credential # Global Admin
New-AzureADSSOAuthenticationContext -CloudCredentials $azureAdCreds
# Enable for all domains
Enable-AzureADSSOForest -OnPremCredentials (Get-Credential) -PreserveCustomPermissionsOnDesktopSsoAccount
# Verify SSO computer account was created in AD
Get-ADComputer -Identity "AZUREADSSOACC" -Properties Description
# Add Seamless SSO URL to browser Intranet Zone via GPO
# URL: https://autologon.microsoftazuread-sso.com
# Configure via: Computer Config > Windows Settings > Security Settings >
# Internet Explorer Maintenance > Security > Security Zones
Verification
# Comprehensive hybrid identity verification
Import-Module ADSync
Write-Host "=== Azure AD Connect Health ===" -ForegroundColor Cyan
# Scheduler status
$scheduler = Get-ADSyncScheduler
Write-Host "Sync Enabled: $($scheduler.SyncCycleEnabled)"
Write-Host "Next Run: $($scheduler.NextSyncCyclePolicyType)"
Write-Host "Interval: $($scheduler.CurrentlyEffectiveSyncCycleInterval)"
# Last sync results
Get-ADSyncRunStepResult | Sort-Object StartDate -Descending | Select-Object -First 5 |
Format-Table ConnectorName, RunProfileName, Result -AutoSize
# Object counts
$totalUsers = (Get-ADUser -Filter *).Count
$syncedUsers = (Get-AzureADUser -All $true | Where-Object {$_.DirSyncEnabled}).Count
Write-Host "On-prem users: $totalUsers | Synced to Azure AD: $syncedUsers"
Summary
Integrating Windows Server 2012 R2 Active Directory with Azure AD via Azure AD Connect creates a unified hybrid identity platform where a single set of credentials provides access to both on-premises and cloud resources. Key steps include preparing AD with routable UPN suffixes, deploying Azure AD Connect on a dedicated sync server, configuring OU-scoped synchronization, enabling Password Hash Sync for cloud authentication, and verifying synchronized objects in Azure AD. Once operational, the 30-minute sync cycle continuously propagates identity changes to the cloud, enabling seamless access to Microsoft 365 and other integrated SaaS applications.
