March 28, 2024
Migrate Exchange Services from On-premises to Office 365 PART 2- Deploy Azure AD Connect

Have you followed the steps in my previous post to add your domain to Office 365? If not, please check that post and do it first. If you have, it is time to deploy Azure AD Connect to sync your on-premises AD to Azure AD (Office 365).

You can download and install Azure AD Connect on your AD FS server, or on a member server if you will not use AD FS in your infrastructure. You can install Azure AD Connect with Express settings, but I recommend installing it with Customized settings, because you can then adjust the settings to match your requirements.

Deploying Azure AD Connect


If you need a tool to connect your on-premises directory with Azure AD and Office 365, Azure AD Connect is the supported way to do it. Azure AD Connect offers two installation types for a new installation: Express and Customized.

Prerequisites

  • It must be installed on Windows Server Standard or better.
  • Only a full GUI (Desktop Experience) installation is supported; Server Core is not.
  • Azure AD Connect must be installed on Windows Server 2008 or later. This server may be a domain controller or a member server when using Express settings. If you use Customized settings, the server can also be stand-alone and does not have to be joined to a domain.
  • If you plan to use password hash synchronization, the Azure AD Connect server must be on Windows Server 2008 R2 SP1 or later.
  • If you plan to use a group managed service account, the Azure AD Connect server must be on Windows Server 2012 or later.
  • Disable the PowerShell Transcription Group Policy for this server; the installer fails when transcription is enforced.
  • .NET Framework 4.5.1 or later and Microsoft PowerShell 3.0 or later must be installed.
  • If Active Directory Federation Services is being deployed, the servers where AD FS or Web Application Proxy are installed must be Windows Server 2012 R2 or later. Windows Remote Management must be enabled on these servers for remote installation.
  • You need SSL certificates if Active Directory Federation Services is being deployed.
  • An Azure AD Global Administrator account for the Azure AD tenant you wish to integrate with. This account must be a school or organization account and cannot be a Microsoft account.
  • Create an A record for the AD FS federation service name in both intranet and internet DNS.
  • Check https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-ports if you have firewalls on your intranet.
  • Treat the Azure AD Connect server as a Tier-0 asset, the same as a domain controller. The AD DS connector account it creates is granted Replicating Directory Changes and Replicating Directory Changes All on the domain when password hash synchronization is enabled (the same rights a DCSync attack needs), plus write access to user attributes for Exchange hybrid writeback, and the server stores the credentials for both directories. Restrict local administrators and RDP access to it accordingly.
Note

Please review the latest prerequisites before installing:

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites
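As an added example that is not part of the original post, the following PowerShell script checks the prerequisites listed above on the prospective Azure AD Connect server. The federation service name fs.contoso.com and the handful of Azure AD endpoints it probes are assumptions; replace them with your own federation service name and the full endpoint list from the ports document linked above.

```powershell
# Added example (not from the original post): pre-flight checks for the
# prerequisites above. Run in an elevated PowerShell session on the server
# you intend to install Azure AD Connect on.

$FederationServiceName = 'fs.contoso.com'   # assumption: replace with your AD FS name
$AzureAdEndpoints      = 'login.microsoftonline.com',        # assumption: sample of the
                         'adminwebservice.microsoftonline.com', # endpoints the installer and
                         'graph.windows.net'                    # sync engine talk to over 443

$results = [ordered]@{}

# OS version: 6.1.7601 is Windows Server 2008 R2 SP1, the floor for password hash sync
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$results['OS']                          = "$($os.Caption) build $($os.BuildNumber)"
$results['OSIsServer2008R2SP1OrLater']  = [version]$os.Version -ge [version]'6.1.7601'

# Full GUI install: ServerLevels records Server-Gui-Shell=1 on Desktop Experience, absent on Core
$levels = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Server\ServerLevels' -ErrorAction SilentlyContinue
$results['FullGuiInstall'] = ($levels.'Server-Gui-Shell' -eq 1)

# .NET Framework 4.5.1 or later: the Release DWORD is 378675 or higher
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results['DotNet451OrLater'] = ($ndp.Release -ge 378675)

# PowerShell 3.0 or later
$results['PowerShell3OrLater'] = ($PSVersionTable.PSVersion.Major -ge 3)

# PowerShell transcription policy must not be enforced for the installer to work
$tr = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' -ErrorAction SilentlyContinue
$results['TranscriptionPolicyDisabled'] = (-not $tr) -or ($tr.EnableTranscripting -ne 1)

# Domain membership: required for Express settings (Customized settings allow stand-alone)
$results['DomainJoined'] = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

# AD FS federation service name must resolve to an A record from the intranet
$dns = Resolve-DnsName -Name $FederationServiceName -Type A -ErrorAction SilentlyContinue
$results['AdfsARecordResolves'] = [bool]($dns | Where-Object { $_.Type -eq 'A' })

# Outbound HTTPS to Azure AD through any intranet firewall or proxy
foreach ($h in $AzureAdEndpoints) {
    $tcp = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    $results["Https443_$h"] = $tcp.TcpTestSucceeded
}

[pscustomobject]$results | Format-List

# Summarise anything that failed so the run can gate the installation
$failed = $results.GetEnumerator() | Where-Object { $_.Value -is [bool] -and -not $_.Value }
if ($failed) { Write-Warning "Failed prerequisite checks: $($failed.Key -join ', ')" }
else         { Write-Host 'All prerequisite checks passed.' }
```

The TCP probes only prove the port is reachable; a proxy that requires authentication still needs the service account configuration described under Customized settings below.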

Install Azure AD Connect with Express settings


If you have a single-forest AD and want users to sign in with the same password as on-premises by using password hash synchronization, then this is the recommended option. Azure AD Connect Express settings are meant for a single-forest topology with password hash synchronization for authentication.

Before you start installing Azure AD Connect, make sure to download Azure AD Connect and complete the pre-requisite steps in Azure AD Connect: Hardware and prerequisites.

1. Sign in as a local Administrator to the Azure AD Connect server.

2. Navigate to and double-click AzureADConnect.msi.

3. On the Security Warning page, click Run.

4. On the Welcome screen, select the box agreeing to the licensing terms and click Continue.

5. On the Express settings screen, click Use express settings.


6. On the Enter your Azure AD credentials page, enter the username and password of a global administrator for your Azure AD. Click Next.


7. On the Enter the Active Directory Domain Services enterprise administrator credentials page, enter the username and password of an Enterprise Admin account. You can enter the domain part in either NetBIOS or FQDN format. Click Next.

Note

The Azure AD sign-in configuration page only shows if you did not verify your domains as part of the prerequisites.

If you see this page, then review every domain marked Not Added and Not Verified. Make sure those domains you use have been verified in Azure AD. Click the Refresh symbol when you have verified your domains.


8. On the Ready to configure screen, click Install.

Note

If you have Exchange in your on-premises Active Directory, then you also have an option to enable Exchange Hybrid deployment. Enable this option if you plan to have Exchange mailboxes both in the cloud and on-premises at the same time.

9. When the installation completes, click Exit.

10. After the installation has completed, sign off and sign in again before you use Synchronization Service Manager or Synchronization Rule Editor.
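As an added example that is not part of the original post, this PowerShell session verifies the new installation once you have signed back in: it reads the scheduler, lists the connectors, runs the initial sync if nothing is running yet, and confirms from the tenant side that a sync was recorded. It assumes the ADSync module that ships with Azure AD Connect and, for the tenant check, the MSOnline module of that era (since superseded by Microsoft Graph PowerShell).

```powershell
# Added example (not from the original post): post-install verification on
# the Azure AD Connect server, in an elevated PowerShell session started after
# signing out and back in as step 10 requires.

Import-Module ADSync

# Scheduler: SyncCycleEnabled should be True; the default interval is 30 minutes
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, CurrentlyEffectiveSyncCycleInterval,
                  NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC, StagingModeEnabled

# Connectors: one for the on-premises forest, one for the Azure AD tenant
Get-ADSyncConnector | Select-Object Name, Identifier

# Which AD DS account the connector runs as. With password hash sync this
# account holds replication rights on the domain, so it must be protected like
# a domain admin (cmdlet exists in recent Azure AD Connect builds only).
Get-ADSyncADConnectorAccount -ErrorAction SilentlyContinue

# Get-ADSyncConnectorRunStatus returns nothing while the engine is idle.
# Start the first full sync only if one is not already in progress.
if (-not (Get-ADSyncConnectorRunStatus)) {
    Start-ADSyncSyncCycle -PolicyType Initial
}

# Block until the run finishes, polling every 30 seconds
do { Start-Sleep -Seconds 30 } while (Get-ADSyncConnectorRunStatus)
Write-Host 'Synchronization cycle finished.'

# Tenant-side confirmation (MSOnline module; prompts for the Global Administrator)
Connect-MsolService
Get-MsolCompanyInformation |
    Select-Object DirectorySynchronizationEnabled, LastDirSyncTime, PasswordSynchronizationEnabled
```

LastDirSyncTime should be within the last few minutes; if DirectorySynchronizationEnabled is False the tenant never accepted the connector account and the wizard's final step should be re-run.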


Install Azure AD Connect with Customized settings


If you have multiple forests, or you need to customize your sign-in option or the synchronization features, then this is the recommended option to use.

1. If your internal AD domain is not a routable domain (for example a .local suffix), you must choose Customize on the Express settings page so that you can configure user sign-in in the steps below.

2. On the Install required components page, check Use an existing service account, type the service account name and password, and click Install.

Note

By default Azure AD Connect uses a virtual service account for the synchronization services to run under. If you use a remote SQL server, or a proxy that requires authentication, you need to use a managed service account, or a domain service account whose password you know. In those cases, enter the account to use. Make sure the user running the installation is an SA in SQL so that a login for the service account can be created.

3. On the User sign-in page, select Pass-through authentication as the sign-on method, so that users sign in to Office 365 with the same password as on the on-premises network. Also select Enable single sign-on, then click Next.

4. On the Connect to Azure AD page, enter the global admin account and password, and click Next.

Note

Use a global admin account in the default onmicrosoft.com domain. An account in the domain you are about to federate will fail: once that domain is converted to federated, the account can no longer sign in to Azure AD to finish the configuration.

5. On the Connect your directories page, select your local domain and click Add Directory.

6. The AD forest account page pops up. Select Create new account, enter the service account name and password, click OK and then click Next.

7. On the Azure AD sign-in configuration page, make sure the UPN domains present in on-premises AD DS are verified in Azure AD, then click Next.

8. On the Domain and OU filtering page, click Sync selected domains and OUs, select the OUs you want to synchronize to Azure AD, and click Next.

9. Click Next on the Uniquely identifying your users page.

10. Click Next on the Filter users and devices page.

11. On the Optional features page, select the optional features you need and click Next. I am going to select Exchange hybrid deployment and Password hash synchronization for migrating Exchange services to Office 365.

12. On the Enable single sign-on page, click Enter credentials.

13. Enter a domain admin account, click OK and then click Next.

14. Select Start the synchronization process when configuration completes on the Ready to configure page, and click Install.

15. Click Next on the Configuration complete page and then click Exit.

16. For browsers on domain-joined clients to send Kerberos tickets to Azure AD (Seamless SSO), the following two URLs must be in the Local intranet zone on the clients. You publish them with a client GPO:

https://autologon.microsoftazuread-sso.com

https://aadg.windows.net.nsatc.net

17. Open Group Policy Management Editor, go to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page, and double-click Site to Zone Assignment List.

18. On the Site to Zone Assignment List page, click Enabled and then click Show…

19. Add the two URLs above, each with the value 1 (Local intranet zone), and click OK.

20. Link this GPO to your domain.
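As an added example that is not part of the original post, this PowerShell script checks that the Seamless SSO pieces from steps 12 to 20 are in place and then rolls the Kerberos decryption key of the AZUREADSSOACC computer account, which Microsoft recommends doing at least every 30 days because anyone holding that key can mint tickets that Azure AD accepts. It assumes the RSAT ActiveDirectory module on the Azure AD Connect server, the default installation path for the AzureADSSO module, and a Domain Admin plus Global Administrator to run it; the 30-day threshold is the documented recommendation, not a value from this post.

```powershell
# Added example (not from the original post): verify Seamless SSO prerequisites
# and roll the AZUREADSSOACC Kerberos decryption key when it is older than 30 days.

Import-Module ActiveDirectory

# The two URLs from step 16; they must sit in the Local intranet zone (value 1)
$ssoUrls = 'https://autologon.microsoftazuread-sso.com',
           'https://aadg.windows.net.nsatc.net'

# 1. The computer account Azure AD Connect created to represent Azure AD in Kerberos
$acc = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet
$ageDays = (New-TimeSpan -Start $acc.PasswordLastSet -End (Get-Date)).Days
Write-Host ("AZUREADSSOACC key last set {0} ({1} days ago)" -f $acc.PasswordLastSet, $ageDays)

# 2. The Site to Zone Assignment GPO as it applies to the current user.
#    Group Policy writes each entry as a value named after the URL under ZoneMapKey.
$zoneMap = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
foreach ($u in $ssoUrls) {
    $zone = (Get-ItemProperty -Path $zoneMap -Name $u -ErrorAction SilentlyContinue).$u
    if ($zone -eq 1) { Write-Host ("{0,-45} zone=1 (Local intranet) OK" -f $u) }
    else             { Write-Warning ("{0} is not in the Local intranet zone (value: {1})" -f $u, $zone) }
}

# 3. Roll the Kerberos decryption key if it is stale. The AzureADSSO module
#    ships with Azure AD Connect; Update-AzureADSSOForest resets the
#    AZUREADSSOACC password on-premises and pushes the new key to Azure AD.
if ($ageDays -gt 30) {
    Import-Module "$env:ProgramFiles\Microsoft Azure Active Directory Connect\AzureADSSO.psd1"
    New-AzureADSSOAuthenticationContext           # prompts for the Global Administrator
    Get-AzureADSSOStatus | ConvertFrom-Json        # shows the forests SSO is enabled for
    $onPrem = Get-Credential -Message 'Domain Administrator (DOMAIN\user)'
    Update-AzureADSSOForest -OnPremCredentials $onPrem
    Write-Host 'Kerberos decryption key rolled.'
} else {
    Write-Host 'Kerberos decryption key is within the 30-day rollover window.'
}
```

Run the GPO check from an ordinary user session on a client after gpupdate, since the policy lives under HKCU; on the server itself it only reflects the account you are logged on with. Schedule the key rollover rather than leaving it to chance, and keep the AZUREADSSOACC account excluded from any "disable stale computer accounts" automation.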


You need the following additional steps if you selected AD FS as the sign-in method.

21. On the AD FS farm page, click Use a certificate installed on the federation servers. (Optional, if Active Directory Federation Services is being deployed.)

22. The Select Federation Server page pops up. Enter the AD FS server name in the Search field.

23. Select the AD FS server and click OK.

24. Select the CERTIFICATE and select the SUBJECT NAME.

25. Enter the AD FS server name in SUBJECT NAME PREFIX and click Next.

26. On the AD FS servers page, enter the AD FS server name in the SERVER field and click Add.

27. Click Next after the server connectivity check completes.

28. On the Web Application Proxy servers page, enter the WAP server name in the SERVER field and click Add.

29. Click Next after the server connectivity check completes.

30. Enter the local domain administrator user name and password on the Domain Administrator credentials page, then click Next.

31. Enter the AD FS service account user name and password on the AD FS service account page.

32. On the Azure AD Domain page, select the federation domain name and click Next.

33. Select Start the synchronization process when configuration completes on the Ready to configure page, and click Install.

Note

If you get the error Unable to create the synchronization service account for Azure Active Directory, check your firewall settings and make sure no application control function is blocking the connection, then click Retry.

34. Click Next on the Configuration complete page.

35. On the Verify federation configuration page, select I have created DNS A records that allow clients to resolve……was configured and click Verify.

36. Click Exit after the intranet configuration is successfully verified.

Enable Password Change for ADFS


If you use AD FS, or DirSync with password sync, for identity, users are not allowed to change their password in the cloud. You will receive. But you can configure the change password functionality on the AD FS server to solve the issue.

The change password functionality is disabled in AD FS by default; follow the steps below to enable it.

  1. Logon to ADFS Server.
  2. Open AD FS Management and run as administrator.
  3. Expand Service and select Endpoint.
  4. Right-click /adfs/portal/updatepassword and click Enable.


5. A warning message pops up saying "This action requires a restart of the AD FS Windows Service"; click OK.


6. Right click /adfs/portal/updatepassword again and then click Enable on Proxy.


7. A warning message pops up saying "This action requires a restart of the AD FS Windows Service on the federation server and all federation server proxies"; click OK.


8. Restart Active Directory Federation Services.


9. Once enabled this functionality, users can access the change password page via https://adfsFQDN/adfs/portal/updatepassword/.
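As an added example that is not part of the original post, this PowerShell session performs the same change as steps 1 to 8 with the ADFS module on the primary federation server, and adds the extranet lockout that should accompany a password-change page reachable from the internet. The lockout threshold and observation window are illustrative values, not settings from this post.

```powershell
# Added example (not from the original post): enable the AD FS update-password
# endpoint on the farm and the proxies, turn on extranet lockout, and restart
# the service. Run elevated on the primary federation server.

Import-Module ADFS

$path = '/adfs/portal/updatepassword'

# Current state: Enabled is False and Proxy is False on a fresh farm
Get-AdfsEndpoint -AddressPath $path | Select-Object AddressPath, Enabled, Proxy

# Step 4 equivalent: enable the endpoint on the federation servers
Enable-AdfsEndpoint -TargetAddressPath $path

# Step 6 equivalent: publish it through the Web Application Proxy
Set-AdfsEndpoint -TargetAddressPath $path -Proxy $true

# A password-change form on the internet is a password-spraying target.
# Extranet lockout makes AD FS stop forwarding attempts for an account after
# the threshold is hit within the window, before AD's own lockout triggers.
# Keep the threshold BELOW the domain's account lockout threshold so attackers
# cannot lock users out of the internal network through the proxy.
Set-AdfsProperties -EnableExtranetLockout $true `
                   -ExtranetLockoutThreshold 10 `
                   -ExtranetObservationWindow (New-TimeSpan -Minutes 30)

# Steps 5/7/8: endpoint changes take effect only after the AD FS service
# restarts on the federation servers and on every Web Application Proxy.
Restart-Service -Name adfssrv

# Verify
Get-AdfsEndpoint -AddressPath $path | Select-Object AddressPath, Enabled, Proxy
Get-AdfsProperties | Select-Object EnableExtranetLockout, ExtranetLockoutThreshold, ExtranetObservationWindow
```

After the restart, browse to https://adfsFQDN/adfs/portal/updatepassword/ from both the intranet and the internet to confirm the proxy publishes it, and watch the AD FS Admin and Security event logs for the first lockout events so the threshold can be tuned before users notice it.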


Hope you enjoy this post.

Cary Sun

Twitter: @SifuSun


Author: Cary Sun

Cary Sun has a wealth of knowledge and expertise in data center and deployment solutions. As a Principal Consultant, he likely works closely with clients to help them design, implement, and manage their data center infrastructure and deployment strategies.
With his background in data center solutions, Cary Sun may have experience in server and storage virtualization, network design and optimization, backup and disaster recovery planning, and security and compliance management. He holds CISCO CERTIFIED INTERNETWORK EXPERT (CCIE No.4531) from 1999. Cary is also a Microsoft Most Valuable Professional (MVP), Microsoft Azure MVP, Veeam Vanguard and Cisco Champion. He is a published author with several titles, including blogs on Checkyourlogs.net, and the author of many books.
Cary is a very active blogger at checkyourlogs.net and is permanently available online for questions from the community. His passion for technology is contagious, improving everyone around him at what they do.

Blog site: https://www.checkyourlogs.net
Web site: https://carysun.com
Blog site: https://gooddealmart.com
Twitter: @SifuSun
in: https://www.linkedin.com/in/sifusun/
Amazon Author: https://Amazon.com/author/carysun