Installation Paths

Connect Sync offers two installation paths: express and custom. Express handles the common single-forest scenario with minimal input. Custom gives you control over every aspect of the deployment. This page covers both paths, the decision points during setup, and how to verify the installation is working.

Express vs. Custom Install

| Aspect | Express | Custom |
|---|---|---|
| Topology | Single forest only | Single or multi-forest |
| Authentication | Password hash sync only | PHS, PTA, Federation, or none |
| Database | SQL Express LocalDB (auto) | SQL Express or full SQL Server |
| Service account | Virtual service account (auto) | Virtual, managed, or domain account |
| Filtering | All domains and OUs | Selectable domains and OUs |
| Optional features | None | Exchange hybrid, device writeback, group writeback, directory extensions |

Rule of thumb: If you have one AD forest, one Entra tenant, and want password hash sync, use express. For everything else, use custom.

Express Install

Express install is a guided experience that takes about 10 minutes:

  1. Accept license terms and continue.
  2. Select “Use express settings.”
  3. Enter Entra credentials - a Hybrid Identity Administrator account.
  4. Enter AD credentials - an Enterprise Admin account. The wizard uses this to create the AD DS connector account; it does not store the Enterprise Admin credentials.
  5. Review UPN domains - if any domains are unverified in Entra ID, you will see a warning. Users in unverified domains get a .onmicrosoft.com UPN in the cloud.
  6. Install - optionally disable “Start sync when configuration completes” if you want to configure filtering first.

After express install, the sync engine starts a full import/sync/export cycle immediately (unless you disabled it). Password hash sync is enabled by default.

Custom Install

Custom install is the express path with additional pages inserted. Key configuration pages:

Required Components

Choose whether to:

  • Use a custom SQL Server instance (required for >100,000 objects or remote SQL).
  • Use an existing service account (required when using remote SQL with proxy authentication).
  • Specify custom sync groups (Administrators, Operators, Browse, Password Reset).
  • Import settings from a previous Connect Sync installation.

User Sign-In

Select the authentication method:

  • Password hash sync - default, recommended for most deployments.
  • Pass-through authentication - installs PTA agents alongside sync.
  • Federation with AD FS - requires an existing or new AD FS farm.
  • Federation with PingFederate - requires an existing PingFederate deployment.
  • Do not configure - use when you have an existing third-party solution.
  • Enable Seamless SSO - available with PHS or PTA. Creates a computer account in AD for Kerberos-based SSO.

Connect Your Directories

Add AD forests. For each forest, provide credentials or let the wizard create a new AD DS connector account. The account needs:

  • Read access to directory objects and attributes in scope.
  • Write access if you enable password writeback, group writeback, or device writeback.

Gotcha: Since build 1.4.18.0, you cannot use an Enterprise Admin or Domain Admin account as the permanent connector account. The wizard blocks this. Create or specify a dedicated sync account.

Domain and OU Filtering

Select which domains and OUs to synchronize. This is your primary scope filter and the most common customization point. See Filtering and Scoping for details.

Uniquely Identifying Users

Configure how users from multiple forests are matched:

  • Users are represented once across all forests - each forest has unique users.
  • Mail attribute - join users across forests by matching the mail attribute (GALSync scenarios).
  • ObjectSID and msExchMasterAccountSID - account-resource forest topology matching.
  • SAMAccountName and MailNickName - join by sign-in name.

Also choose the source anchor: let Entra manage it (uses ms-DS-ConsistencyGuid, recommended) or pick a specific attribute. The source anchor is immutable after first sync, so choose carefully.

Optional Features

Enable additional capabilities:

  • Exchange hybrid deployment - writes Exchange attributes back to on-premises AD.
  • Password hash sync - available even when PTA or federation is the primary auth method (recommended as fallback).
  • Password writeback - writes cloud password changes back to AD.
  • Group writeback - writes Microsoft 365 groups to on-premises AD.
  • Device writeback - writes device objects to on-premises AD for Conditional Access.
  • Directory extension attribute sync - syncs custom AD attributes to Entra ID.

Staging Mode

Optionally enable staging mode during install. The server imports and syncs but does not export. Use this for disaster recovery preparation or configuration validation.

Post-Install Verification

After installation, verify that sync is working correctly:

1. Check the Synchronization Service Manager

Open the Synchronization Service Manager from the Start menu. Check the Operations tab:

  • You should see completed Import, Sync, and Export operations for each connector.
  • Look for errors or warnings in the Status column.
  • Click on any operation to see per-object details.

2. Verify Objects in Entra ID

In the Entra admin center, check that expected users appear under Users > All Users. Compare counts:

  • The number of synced users should roughly match the number of in-scope users in AD.
  • Look for the “Directory synced” column (or filter by “Sync type: On-premises sync”).

3. Check the Scheduler

In PowerShell on the sync server, run:

  Get-ADSyncScheduler

Verify:

  • SyncCycleEnabled is True.
  • NextSyncCycleStartTimeInUTC shows an upcoming time.
  • CurrentlyEffectiveSyncCycleInterval is 00:30:00 (default).

4. Verify Password Hash Sync (If Enabled)

Change a test user’s password in AD, wait for two sync cycles (about 60 minutes to be safe), then sign in to a cloud service with the new password.

5. Check Connect Health

If Microsoft Entra Connect Health is installed (included by default in recent versions), verify the sync server appears in the Entra portal under Hybrid management > Microsoft Entra Connect > Connect Sync.
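The following script automates checks 1 through 3 above plus the connector-account gotcha from "Connect Your Directories". It is an added example, not code from this page or from Microsoft; it assumes it runs on the sync server as a member of the ADSyncAdmins group, that the ActiveDirectory and (optionally) Microsoft.Graph modules are installed, that the AdSyncConfig module lives at the path shown, and that $InScopeOu is replaced with one OU you selected during filtering.

```powershell
# Added verification script (not from the page or the product). See the lead-in for assumptions.
Import-Module ADSync
Import-Module ActiveDirectory
# AdSyncConfig ships with Connect Sync; path assumed to be the default install location
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1'

$InScopeOu  = 'OU=Staff,DC=corp,DC=example'          # placeholder: one OU chosen in Domain/OU filtering
$privileged = 'Domain Admins', 'Enterprise Admins'    # groups the connector account must not belong to
$results    = [ordered]@{}

# Check 3: scheduler state (property names are those Get-ADSyncScheduler returns)
$s = Get-ADSyncScheduler
$results['Scheduler enabled']           = $s.SyncCycleEnabled -eq $true
$results['Next cycle is in the future'] = $s.NextSyncCycleStartTimeInUTC -gt (Get-Date).ToUniversalTime()
$results['Default 30-minute interval']  = $s.CurrentlyEffectiveSyncCycleInterval -eq [TimeSpan]'00:30:00'
$results['Not in staging mode']         = -not $s.StagingModeEnabled   # staging mode never exports

# Check 1 (scripted): an AD connector and an Entra connector exist and none is stuck mid-run
$connectors = @(Get-ADSyncConnector)
$results['At least two connectors']     = $connectors.Count -ge 2
$busy = Get-ADSyncConnectorRunStatus | Where-Object RunState -eq 'Busy'
$results['No connector busy right now'] = -not $busy

# Gotcha: the AD DS connector account must not be a Domain Admin or Enterprise Admin.
# Get-ADSyncADConnectorAccount returns DOMAIN\user; only direct group memberships are checked.
$acct   = Get-ADSyncADConnectorAccount | Select-Object -First 1
$sam    = ($acct.ADConnectorUserName -split '\\')[-1]
$groups = (Get-ADPrincipalGroupMembership -Identity $sam).Name
$results['Connector account is not DA/EA'] = -not ($groups | Where-Object { $_ -in $privileged })

# Check 2 (scripted): compare in-scope AD users with directory-synced users in Entra ID.
$onprem = @(Get-ADUser -Filter * -SearchBase $InScopeOu).Count
if (Get-Command Get-MgUser -ErrorAction SilentlyContinue) {
    Connect-MgGraph -Scopes 'User.Read.All'
    $cloud = @(Get-MgUser -All -Property Id, OnPremisesSyncEnabled |
               Where-Object OnPremisesSyncEnabled).Count
    # "roughly match": tolerate a 5% difference (the page gives no exact tolerance)
    $results["Synced users in Entra ($cloud) ~ in-scope AD users ($onprem)"] =
        [math]::Abs($cloud - $onprem) -le [math]::Ceiling($onprem * 0.05)
}

# Print PASS/FAIL per check. If everything passes but no objects are synced, the page's fix is:
#   Start-ADSyncSyncCycle -PolicyType Initial
$results.GetEnumerator() | ForEach-Object {
    '{0,-4} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
}
```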

Common Post-Install Issues

| Symptom | Likely cause | Fix |
|---|---|---|
| No objects synced | Scheduler disabled, or sync not started after install | Run Start-ADSyncSyncCycle -PolicyType Initial |
| “Stopped-server” in operations tab | Export failed due to Entra permission issue | Verify the Entra connector account has the Hybrid Identity Administrator role |
| Duplicate objects in Entra | Multiple sync engines pointing at the same tenant | Ensure only one active (non-staging) server per tenant |
| UPN mismatch warnings | On-premises UPN suffix not verified in Entra | Add and verify the domain in Entra, or accept alternate ID behavior |
| SQL Express database full | Over 100,000 objects with LocalDB | Migrate to full SQL Server |