Azure Active Directory Connect (AADC) Part 1 — Password Hash Synchronization (PHS)

Prerequisite Steps

** If you are using Azure VM for both Domain Controller and AADC agent, please check this site on how to create Azure VMs from scratch.

  • Create a Windows Server 2016/2019 (better to have at least 2 vCPU, 4GB of memory) and promote it to be Domain Controller. For more information on how to complete this, please check this site.
  • Create at least one Windows AD user with Domain Admins and Enterprise Admins role. If possible, create another Windows AD user with Domain Users role just to test out the synchronization later.
  • Add custom domain name you own to Windows AD Domains and Trusts and change user’s UPN accordingly. To know more about changing UPN suffix in Windows AD, please check this site for reference.
  • Note down the private IP address of the Domain Controller as we would need to use it for DNS resolution.
  • On Azure, head to the virtual network this Domain Controller is located in and find the setting for DNS. After you get to the page, select “Custom” and put down the private IP address you noted down in the previous step.
  • Once the DNS servers are set, all servers within the virtual network would need to be restarted. Otherwise, those would not get the latest network settings.
  • Create a Windows Server 2016/2019 (better to have at least 2 vCPU, 4GB of memory)
  • Join the domain you just created in the other Windows Server. For detailed steps, please check this site.
  • Download and install AADC.
  • Follow the steps after this section and this section of the article and at the end, you should be seeing at least one user with the role of AAD Global Administrator in your newly created AAD tenant.

Configure AADC to Synchronize Windows AD to AAD via PHS

  • Once you agree the terms on the first page of the AADC installation user interface, you could select “Use express settings”
  • Put down the AAD Global Administrator credential
  • Put down Windows AD Enterprise Administrator credential
  • Check “Continue with matching all UPN suffixes to verified domains” as our internal domain name is not verified on AAD and it should not be.
  • Start the synchronization process
  • Test using Windows AD user credential to log in AAD from an InPrivate browser
  • Once done, you should be seeing all Windows AD users in selected scope being synchronized to AAD. Also, you would see a Windows AD account “On-Premises Directory Synchronization Service Account” being created. This account is perform synchronization actions in both environments.
  • Check Azure AD Connect section, you should see “Password Hash Sync” showing “Enabled”



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Learning new things about Kubernetes every day. Hopefully, the learning notes could help people on the same journey!