Prerequisites for Azure AD Connect

This article describes the prerequisites and the hardware requirements for Azure Active Directory (Azure AD) Connect.


Before you install Azure AD Connect

Before you install Azure AD Connect, there are a few things that you need.


Azure AD


Prepare your on-premises data


On-premises Active Directory


PowerShell execution policy


Azure AD Connect server


Installation prerequisites


Harden your Azure AD Connect server

We recommend that you harden your Azure AD Connect server to decrease the security attack surface for this critical component of your IT environment. Following these recommendations will help to mitigate some security risks to your organization.


SQL Server used by Azure AD Connect


Accounts


Connectivity

For more information, see MSDN about the default proxy element. For more information when you have problems with connectivity, see Troubleshoot connectivity problems.

Other

Optional: Use a test user account to verify synchronization.


Component prerequisites


PowerShell and .NET Framework

Azure AD Connect depends on Microsoft PowerShell 5.0 and .NET Framework 4.5.1. You need these versions, or later versions, installed on your server.


Enable TLS 1.2 for Azure AD Connect

Prior to version 1.1.614.0, Azure AD Connect by default uses TLS 1.0 for encrypting the communication between the sync engine server and Azure AD. You can configure .NET applications to use TLS 1.2 by default on the server. For more information about TLS 1.2, see Microsoft Security Advisory 2960358.

  1. Make sure you have the .NET 4.5.1 hotfix installed for your operating system. For more information, see Microsoft Security Advisory 2960358. You might have this hotfix or a later release installed on your server already.
  2. For all operating systems, set this registry key and restart the server:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
     "SchUseStrongCrypto"=dword:00000001
  3. If you also want to enable TLS 1.2 between the sync engine server and a remote SQL Server, make sure you have the required versions installed for TLS 1.2 support for Microsoft SQL Server.
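The following script is an added example, not part of the Azure AD Connect documentation: it reads the SchUseStrongCrypto value from the registry key in step 2, reports whether TLS 1.2 enforcement for .NET is already configured, and with -Apply sets the value. It also checks the Wow6432Node path for 32-bit .NET processes on a 64-bit server, which is an addition beyond what the article lists.

```powershell
# Added example (not from the Azure AD Connect documentation). Run in an
# elevated PowerShell session on the Azure AD Connect server. Relevant for
# sync engine versions before 1.1.614.0, which default to TLS 1.0.
[CmdletBinding()]
param([switch]$Apply)

$paths = @(
    # The key named in the article (64-bit .NET Framework on a 64-bit host)
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    # Addition: the same value for 32-bit .NET processes on a 64-bit host
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$name = 'SchUseStrongCrypto'

foreach ($path in $paths) {
    if (-not (Test-Path $path)) {
        Write-Warning "$path not found; that .NET Framework view is not present"
        continue
    }
    # Returns $null when the value has never been created
    $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -eq 1) {
        Write-Output "OK: $path\$name = 1"
        continue
    }
    Write-Output "NOT SET: $path\$name is '$current' (expected REG_DWORD 1)"
    if ($Apply) {
        # REG_DWORD 00000001, exactly as the article's registry line specifies
        New-ItemProperty -Path $path -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
        $verify = (Get-ItemProperty -Path $path -Name $name).$name
        Write-Output "Set $path\$name = $verify; restart the server for .NET to use it"
    }
}
```

Run it once without -Apply to audit the server, then with -Apply to configure it; the restart in step 2 is still required afterwards.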


DCOM prerequisites on the synchronization server

During the installation of the synchronization service, Azure AD Connect checks for the presence of the following registry key:

Under this registry key, Azure AD Connect will check to see if the following values are present and uncorrupted:


Prerequisites for federation installation and configuration

Windows Remote Management

When you use Azure AD Connect to deploy AD FS or the Web Application Proxy (WAP), check these requirements:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value <DMZServerFQDN> -Force -Concatenate


TLS/SSL certificate requirements


Name resolution for federation servers

Azure AD Connect supporting components

Azure AD Connect installs the following components on the server where Azure AD Connect is installed. This list is for a basic Express installation. If you choose to use a different SQL Server on the Install synchronization services page, SQL Express Local DB isn't installed locally.


Hardware requirements for Azure AD Connect

The following table shows the minimum requirements for the Azure AD Connect sync computer.

Number of objects in Active Directory | CPU     | Memory | Hard drive size
------------------------------------- | ------- | ------ | ---------------
Fewer than 10,000                     | 1.6 GHz | 6 GB   | 70 GB
10,000–50,000                         | 1.6 GHz | 6 GB   | 70 GB
50,000–100,000                        | 1.6 GHz | 16 GB  | 100 GB
For 100,000 or more objects, the full version of SQL Server is required. For performance reasons, installing locally is preferred. The following values are valid only for the Azure AD Connect installation. If SQL Server will be installed on the same server, additional memory, drive space, and CPU are required.
100,000–300,000                       | 1.6 GHz | 32 GB  | 300 GB
300,000–600,000                       | 1.6 GHz | 32 GB  | 450 GB
More than 600,000                     | 1.6 GHz | 32 GB  | 500 GB


The minimum requirements for computers running AD FS or Web Application Proxy servers are: