Azure AD Connect Fails With Windows Server 2016 TP2 Forest Functional Level

I encountered this issue while attempting to set up Azure AD Connect from my lab into Azure.

Lab Environment

In my lab environment, I’ve built a new Domain Controller running on the Windows Server 2016 Technical Preview 2 Build 10074.

The domain and forest functional level are both set to “Windows Server Technical Preview”.

[Image: Windows Server 2016 TP2 – Domain Functional Level]

[Image: Windows Server 2016 TP2 – Forest Functional Level]

I’ve also built a separate Azure AD Connect virtual machine with two network adapters: one connected to the internal lab network, and the other connected to the external Internet network (with a static IP address).


Azure AD Connect Installation

While following this article on the Express Installation of Azure AD Connect, I downloaded and used the latest version of Azure AD Connect, specifically version 1.0.8641 as of this writing.

[Image: Azure AD Connect Version 1.0.8641]

Walking through the Express Installation, when I got to the Connect to AD DS screen and provided enterprise administrator credentials, the installer’s functional-level check rejected the forest: it did not recognize that the “Windows Server Technical Preview” forest functional level is higher than “Windows2003Forest”.

[Image: Azure AD Connect – Connect to AD DS]

So, what can we do at this point? Well, to move forward sometimes we have to take a step backwards.


Lower AD Forest/Domain Functional Level

I decided to try to temporarily lower the domain and forest functional level, attempt the installation of Azure AD Connect, and then try to raise the level back to the Windows Server Technical Preview level. Here are my results.

To lower the Active Directory functional level, I followed this TechNet article: http://blogs.technet.com/b/aman/archive/2012/12/29/step-by-step-guide-to-lower-active-directory-functional-level.aspx

Following that article, I first checked what level the forest was set to, using the Get-ADForest PowerShell cmdlet. Interestingly, the Forest Mode shows as “WindowsThresholdForest”, even though the GUI displays it as “Windows Server Technical Preview”.

[Image: PowerShell Get-ADForest – current AD forest mode]

Next, I ran the following PowerShell commands:

  • Set-ADForestMode -Identity "SC.LAB" -ForestMode Windows2012R2Forest
  • Set-ADDomainMode -Identity "SC.LAB" -DomainMode Windows2012R2Domain

[Image: PowerShell Set-ADForestMode – change AD forest mode]

After successfully running the referenced commands, I re-ran the Get-ADForest command to confirm that the changes had taken place. Just to be safe, I restarted my Domain Controller and the Azure AD Connect virtual machine as well.

[Image: Azure AD Connect – Lowered AD Forest Functional Level]


Azure AD Connect Re-Installation

Now that we have lowered our Active Directory forest and domain functional level to “Windows2012R2”, let’s re-attempt the installation of Azure AD Connect.

This time, I was able to successfully get past the Connect to AD DS screen and reach the final Configure screen to perform the installation.

[Image: Azure AD Connect – Ready To Configure]

Happily, the installation of Azure AD Connect completed successfully.

[Image: Azure AD Connect – Configuration Complete]

On my Azure AD Connect server, launching the Synchronization Service Manager shows that a full synchronization has completed successfully.

[Image: Azure AD Connect – Synchronization Service Manager]

Logging into the Azure portal and checking the Directory Integration, it also shows that the synchronization is working.

[Image: Azure Default Directory – Directory Integration]


Raise AD Forest/Domain Functional Level

Now that Azure AD Connect is up and running, let’s try returning the Active Directory forest and domain functional level back to the “Windows Server Technical Preview” as it was previously.

Basically, all I need to do is run the same PowerShell commands:

  • Set-ADForestMode -Identity "SC.LAB" -ForestMode WindowsThresholdForest
  • Set-ADDomainMode -Identity "SC.LAB" -DomainMode WindowsThresholdDomain

[Image: PowerShell Set-ADForestMode – reset AD forest mode]

I restarted both the domain controller and the Azure AD Connect server again after this change.
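An added example (not code from the original post) that scripts the lower-and-restore procedure from the two PowerShell sections above: it snapshots the current functional levels before touching them, lowers them to Windows Server 2012 R2 for the installer, and later restores and verifies the saved values. It assumes the ActiveDirectory module, Enterprise Admin rights, the post’s lab forest name SC.LAB, and a hypothetical snapshot path in $StatePath.

```powershell
# Added example, not code from the original post: snapshot the forest/domain
# functional levels, lower them to Windows Server 2012 R2 for the Azure AD
# Connect install, then restore the snapshot and verify that it applied.
# Assumptions: ActiveDirectory module, Enterprise Admin rights, the post's lab
# forest name "SC.LAB"; $StatePath is a hypothetical location for the snapshot.
Import-Module ActiveDirectory

$Forest    = "SC.LAB"
$StatePath = "C:\Temp\ADFunctionalLevel.json"

function Get-FunctionalLevels {
    # Current levels as the directory reports them (the GUI label differs:
    # "Windows Server Technical Preview" shows here as WindowsThresholdForest).
    [pscustomobject]@{
        ForestMode = (Get-ADForest -Identity $Forest).ForestMode.ToString()
        DomainMode = (Get-ADDomain -Identity $Forest).DomainMode.ToString()
    }
}

function Save-FunctionalLevels {
    # Persist the original levels so the restore step is not done from memory.
    Get-FunctionalLevels | ConvertTo-Json | Set-Content -Path $StatePath
    Get-Content -Path $StatePath
}

function Set-TemporaryLevels {
    # Lower the forest first: a forest level can never exceed the level of any
    # of its domains, so the forest has to go down before the domain can.
    Set-ADForestMode -Identity $Forest -ForestMode Windows2012R2Forest -Confirm:$false
    Set-ADDomainMode -Identity $Forest -DomainMode Windows2012R2Domain -Confirm:$false
    Get-FunctionalLevels
}

function Restore-FunctionalLevels {
    # Raise the domain first for the same reason: the forest cannot be raised
    # above its domains. Then confirm the directory reports the saved values.
    $saved = Get-Content -Path $StatePath -Raw | ConvertFrom-Json
    Set-ADDomainMode -Identity $Forest -DomainMode $saved.DomainMode -Confirm:$false
    Set-ADForestMode -Identity $Forest -ForestMode $saved.ForestMode -Confirm:$false
    $now = Get-FunctionalLevels
    if ($now.ForestMode -ne $saved.ForestMode -or $now.DomainMode -ne $saved.DomainMode) {
        throw "Restore incomplete: forest=$($now.ForestMode) domain=$($now.DomainMode)"
    }
    $now
}

# Usage: Save-FunctionalLevels; Set-TemporaryLevels; install Azure AD Connect;
# then Restore-FunctionalLevels once the installation has completed.
```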

To verify that Azure AD Connect was still functioning correctly after changing the AD forest and domain functional level, I created a new user in AD, initiated a sync, and confirmed that the user account appeared in Azure AD.

[Image: Azure AD Connect – Synchronization Service Manager – New Object Synced]

[Image: Azure AD – Default Directory – New User Synced]


Conclusion

Windows Server 2016 is still in Technical Preview, so it is reasonable to expect that once it reaches RTM, Azure AD Connect will be updated to recognize that a Windows Server 2016 forest/domain functional level is higher than Windows Server 2003.

But for now, to be able to install Azure AD Connect against a Windows Server 2016 Technical Preview forest, you have two options:

  1. Perform the first installation of Windows Server 2016 Technical Preview Active Directory Domain Services with the forest and domain functional level set to Windows Server 2012 R2; or
  2. If you have already installed AD DS at the “Windows Technical Preview” level, follow the steps described in this article to temporarily lower the functional level, complete the Azure AD Connect installation, and then return the functional level to “Windows Technical Preview”.

I hope this helps you with your experience with the Windows Server 2016 Technical Preview 2 and Azure AD Connect.
