Step-By-Step: Addressing Forest Functional Level Issues Syncing Azure AD to Windows Server 2016 TP2
Summer is usually a slow time for most IT administrators. I usually take advantage of the downtime to test out new technical preview software that Microsoft shares and put it through its paces. One such issue I encountered recently was while attempting to set up Azure AD Connect on my newly created Windows Server 2016 TP2 machine within my lab and sync it to Azure.
I recently built a new Domain Controller running Windows Server 2016 Technical Preview 2 Build 10074 in my lab environment. Currently both the domain and forest functional levels are set to Windows Server Technical Preview, as shown below:
I have also spun up a separate Azure AD Connect virtual machine which contains 2 network adapters; one connected to the Internal Lab Network, and the other assigned a static IP address and connected to the External Internet Network.
Step 1: Azure AD Connect Installation
The following Microsoft Virtual Academy video provided me the steps needed to download and install the latest version of Azure AD Connect (1.0.8641 as of this writing):
During the Express Installation, the installer did not accept the forest functional level of "Windows Server Technical Preview", even though it is indeed higher than "Windows2003Forest".
To remedy this problem, I needed to temporarily lower the Active Directory forest and domain functional levels, attempt the installation of Azure AD Connect, and then raise the levels back to Windows Server Technical Preview.
Step 2: Lowering the AD Forest/Domain Forest Functional Level
Following steps provided by Microsoft employee Aman Sahota, I ran PowerShell as Administrator and used the Get-ADForest cmdlet to check what level the forest was set to:
As you can see the Forest Mode shows as WindowsThresholdForest, even though the GUI displayed it as Windows Server Technical Preview.
Next, the following PowerShell commands were run to lower both the Active Directory forest and domain functional levels:
Set-ADForestMode -Identity "SC.LAB" -ForestMode Windows2012R2Forest
Set-ADDomainMode -Identity "SC.LAB" -DomainMode Windows2012R2Domain
Once completed, I re-ran the Get-ADForest command to confirm the changes and then restarted both my Domain Controller and the Azure AD Connect virtual machine.
Step 3: Azure AD Connect Re-Installation
Now that the Active Directory forest and domain functional levels have been lowered to Windows2012R2, let's re-attempt the installation of Azure AD Connect.
During this attempt, the installation successfully got past the Connect to AD DS screen and reached the final Configure screen to perform the installation.
After clicking Install, a short time later the installation of Azure AD Connect successfully completed.
Launching the Synchronization Service Manager on the Azure AD Connect server confirms that a full synchronization has successfully completed.
Logging into the Azure portal and checking the Directory Integration also confirms that the synchronization is operational.
Step 4: Raising the AD Forest/Domain Functional Level
With Azure AD Connect up and running, let's attempt returning the Active Directory forest and domain functional levels back to Windows Server Technical Preview.
Basically, the same PowerShell commands run in step 2 are now modified to raise the level:
Set-ADForestMode -Identity "SC.LAB" -ForestMode WindowsThresholdForest
Set-ADDomainMode -Identity "SC.LAB" -DomainMode WindowsThresholdDomain
Both the domain controller and the Azure AD Connect server were restarted after this change completed.
After the reboot, a new user was created in AD and an Azure AD sync was initiated to verify that Azure AD Connect is still functioning correctly.
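As an added example (not code from the original post), here is how the Step 2 lowering and the Step 4 restore above can be scripted with a before/after check, so the change is verified against Get-ADForest/Get-ADDomain rather than the GUI. The SC.LAB forest name and the ActiveDirectory module come from the post; the function names, the saved-state file path and the -Phase/-Apply switches are my own assumptions.

```powershell
# Added example, not from the original post: lower the SC.LAB functional levels for the
# Azure AD Connect install (Step 2) and restore them afterwards (Step 4), verifying each
# change instead of trusting the GUI. Assumes the ActiveDirectory module, Enterprise
# Admin rights, and that the lab forest is SC.LAB as in the post. Dry-run unless -Apply.
param(
    [ValidateSet('Lower', 'Restore')][string]$Phase = 'Lower',
    [switch]$Apply
)
Import-Module ActiveDirectory
$Domain    = 'SC.LAB'
$StateFile = Join-Path $env:TEMP 'sclab-functional-levels.xml'   # assumed location

function Get-FunctionalLevels {
    # Current forest and domain modes as plain strings (e.g. WindowsThresholdForest).
    [PSCustomObject]@{
        ForestMode = (Get-ADForest -Identity $Domain).ForestMode.ToString()
        DomainMode = (Get-ADDomain -Identity $Domain).DomainMode.ToString()
    }
}

function Set-FunctionalLevels([string]$ForestMode, [string]$DomainMode, [bool]$Commit) {
    $before = Get-FunctionalLevels
    Write-Host "Before: forest=$($before.ForestMode) domain=$($before.DomainMode)"
    # With -WhatIf both cmdlets only report what they would do and leave AD untouched.
    Set-ADForestMode -Identity $Domain -ForestMode $ForestMode -WhatIf:(-not $Commit) -Confirm:$false
    Set-ADDomainMode -Identity $Domain -DomainMode $DomainMode -WhatIf:(-not $Commit) -Confirm:$false
    if (-not $Commit) { return }
    # Re-read the levels and fail loudly if the change did not actually take effect.
    $after = Get-FunctionalLevels
    if ($after.ForestMode -ne $ForestMode -or $after.DomainMode -ne $DomainMode) {
        throw "Change did not take effect: forest=$($after.ForestMode) domain=$($after.DomainMode)"
    }
    Write-Host "After:  forest=$($after.ForestMode) domain=$($after.DomainMode)"
}

switch ($Phase) {
    'Lower' {
        # Record the original levels so Restore puts back exactly what was there.
        Get-FunctionalLevels | Export-Clixml -Path $StateFile
        Set-FunctionalLevels 'Windows2012R2Forest' 'Windows2012R2Domain' $Apply.IsPresent
    }
    'Restore' {
        if (-not (Test-Path $StateFile)) { throw "No saved state at $StateFile; run -Phase Lower first." }
        $saved = Import-Clixml -Path $StateFile
        Set-FunctionalLevels $saved.ForestMode $saved.DomainMode $Apply.IsPresent
    }
}
```

Run it once with `-Phase Lower -Apply` before installing Azure AD Connect and once with `-Phase Restore -Apply` afterwards; without `-Apply` it only shows the -WhatIf output.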
Please keep in mind that Windows Server 2016 is still in Technical Preview. It is expected that Azure AD Connect will recognize that a Windows Server 2016 forest/domain is greater than Windows Server 2003 once it becomes RTM.
I hope this helps you with your experience with the Windows Server 2016 Technical Preview 2 and Azure AD Connect.