Compartir a través de

Step-By-Step: Addressing Forest Functional Level Issues Syncing Azure AD to Windows Server 2016 TP2

  • Artículo

Summer is usually a slow time for most IT administrators. I usually take advantage of the downtime to test out new technical preview software that Microsoft shares and put it through its paces. One said issue I encountered recently was while attempting to setup Azure AD Connect only my newly created Windows Server 2016 TP2 machine within my lab into Azure.

I recently built a new Domain Controller operating Windows Server 2016 Technical Preview 2 Build 10074 in my lab environment. Currently both the domain and forest functional level are both set to Windows Server Technical Preview as shown below :

AzureADConn - Domain Funtional Level

 

AzureADConn - Forest Funtional Level

 

I have also spun up a separate Azure AD Connect virtual machine which contains 2 network adapters; one connected to the Internal Lab Network, and the other assigned a static IP address and connected to the External Internet Network.
 

Step 1: Azure AD Connect Installation

The following Microsoft Virtual Academy video provided me the steps needed to download and install the latest version of Azure AD Connect (1.0.8641 as of this writing):
 
 

 

During the Express Installation, the installer did not accept that the forest functional level of “Windows Server Technical Preview” which is indeed higher than “Windows2003Forest”.

AzureADConn - Connect to ADDS

To remedy this problem, I needed to temporarily lower the Active Directory Forest/Domain Forest functionality level, attempt the installation of Azure AD Connect, and then attempt to raise the level back to the Windows Server Technical Preview level.
 

Step 2: Lowering the AD Forest/Domain Forest Functional Level

Following steps provided by Microsoft employee Aman Sahota, I ran PowerShell in Admin mode and used the following command to checked what level the forest was set to:

Get-ADForest

As you can see the Forest Mode shows as WindowsThresholdForest, even though the GUI displayed it as Windows Server Technical Preview.

AzureADConn - Current AD Forest Mode 
 

Next, the following PowerShell commands where run to lower both the Active Directory Forest/Domain Forest functionality level:

Set-ADForestMode –Identity “SC.LAB” –ForestMode Windows2012R2Forest
Set-ADDomainMode –Identity “SC.LAB” –DomainMode Windows2012R2Domain

AzureADConn - Change AD Forest Mode 
 
Once completed, I re-ran the Get-ADForest command to confirm the changes and restarted my Domain Controller and on the Azure AD Connect virtual machine.

AzureADConn - Modified AD Forest Mode

 

Step 3: Azure AD Connect Re-Installation

Now that the Active Directory forest and domain functional level has been lowered to Windows2012R2, let’s re-attempt the installation of Azure AD Connect.

During this attempt, the installation successfully got past the Connect to AD DS screen and reached the final Configure screen to perform the installation.
 

AzureADConn - Configure 
 

After clicking Install, a short time later the installation of Azure AD Connect successfully completed.
 

AzureADConn - Complete
 

Launching the Synchronization Service Manager on the Azure AD Connect server confirms that a full synchronization has successfully completed.
 

AzureADConn - Sync Service Manager
 

Logging into the Azure portal and checking the Directory Integration also confirms that the synchronization is operational.
 

AzureADConn - Directory Integration

 

Step 4: Raising the AD Forest/Domain Functional Level

With Azure AD Connect is up and running, let’s attempt returning the Active Directory forest and domain functional level back to Windows Server Technical Preview.

Basically, the same PowerShell commands run in step 2 are now modified to raise the level:

Set-ADForestMode –Identity “SC.LAB” –ForestMode WindowsThresholdForest
Set-ADDomainMode –Identity “SC.LAB” –DomainMode WindowsThresholdDomain
 

AzureADConn - Reset AD Forest Mode 
 
Both the domain controller and the Azure AD Connect server were restarted after this change completed.

After the reboot, a new user in AD was created and the Azure AD sync was initialized to verify that the Azure AD Connect is still functioning correctly.
 

AzureADConn - Re-Sync

 

AzureADConn - Default Directory

Please keep in mind that Windows Server 2016 is still in Technical Preview. It is expected that Azure AD Connect will recognize that a Windows Server 2016 forest/domain is greater than Windows Server 2003 once it becomes RTM.

I hope this helps you with your experience with the Windows Server 2016 Technical Preview 2 and Azure AD Connect.