Installing Azure AD Connect on Windows Server 2008, 2008 R2 and 2012


In most projects, we set up a brand new Windows Server 2012 R2-installation, purely for Azure AD Connect and its underlying Azure AD Connect.

For various reasons, however, you might want to install Azure AD Connect on Windows Server 2008, Windows Server 2008 R2 or Windows Server 2012.

Note:
Installing Azure AD Connect is not supported on Small Business Server, Windows Server Essentials or Windows Web Server.

Reasons may include:

  • Unavailability of licenses
  • Incompatible hardware or hardware virtualization platform
  • Incompatible software packages, services and/or drivers
  • Incompatible processes
  • Unavailability of knowledge

… but I’m sure you, or your customers, can find many other reasons to stick with Windows Server 2008, Windows Server 2008 R2 or Windows Server 2012.

This isn’t a problem.

Note:
I would recommend against installing Azure AD Connect on Windows Server 2008, since Azure AD Connect does not support password synchronization on this specific version of Windows Server.

 

Reboots for installing prerequisites

You’ll need to reboot the Windows Server 2008, Windows Server 2008 R2 and/or Windows Server 2012 installation(s) on which you install Azure AD Connect or one of its components (for installing .Net Framework 4.5.1), whereas installing Azure AD Connect on Windows Server 2012 R2 requires no reboots:

Number of reboots needed:

  • Windows Server 2008: 4
  • Windows Server 2008 R2: 1
  • Windows Server 2012: 1
  • Windows Server 2012 R2: 0

 

Note:
The above list does not include reboots for installing the latest Service Pack, when needed.

This makes installing Azure AD Connect side by side with other critical infrastructure components on Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012 far from ideal.

 

Active Directory requirements

Forest Functional Level

Regardless of the Windows Server version you use, any Active Directory domain in any Active Directory forest you synchronize objects to or from, must have at least the Windows Server 2003 Forest Functional Level (FFL).

 

Domain Controllers

If you want to enjoy the password write-back feature, all the Domain Controllers in these domains must be running Windows Server 2008, or up.

 

Domain membership

If you intend to use Azure AD Connect with the Express Settings, the Windows Server on which you want to install Azure AD Connect needs to be domain-joined.

When you customize the settings, the Windows Server on which you want to install Azure AD Connect does not need to be domain-joined. You will pick the Active Directory domain and/or forest during the setup and can add and delete additional Active Directory domains and/or forests when you run the Azure AD Connect Wizard subsequently.

 

Networking requirements

The Windows Server on which you plan to install Azure AD Connect needs to have a direct internet connection to Microsoft's Azure datacenters.

Note:
Do not place the Azure AD Connect implementation behind a proxy server that (deep) inspects the traffic, like a McAfee Web Gateway, or behind any other Deep Content Inspection-capable device. If you use a product like that, add an exception to its policy for Azure AD Connect's traffic.

Azure AD Connect uses TCP port 443 for its connection to Microsoft Azure. It also uses TCP port 80 for certificate revocation checking.

 

Best Practices for installing Azure AD Connect

Active Directory PowerShell Module

  • Windows Server 2008: N/A
  • Windows Server 2008 R2: add
  • Windows Server 2012: add
  • Windows Server 2012 R2: add

While this is not strictly a prerequisite for installing Azure AD Connect, I recommend you install the Active Directory Module for Windows PowerShell. Like any other Azure AD Connect implementation on Windows Server 2012 R2, you’ll need the Active Directory Module when you configure advanced settings, so make sure you have it installed and ready to go beforehand.

Windows Server 2008

The Active Directory PowerShell Module is not available for Windows Server 2008.

Note:
This means you can’t use the advanced configuration functions in Azure AD Connect's ADSyncPrep.psm1 PowerShell Module, since that requires the Active Directory PowerShell Module.

Windows Server 2008 R2

On Windows Server 2008 R2 use the following Windows PowerShell one-liner to install the module:

Add-WindowsFeature RSAT-ADDS-Tools

Windows Server 2012

On Windows Server 2012 and Windows Server 2012 R2 use the following Windows PowerShell one-liner to install the module:

Install-WindowsFeature RSAT-ADDS-Tools

 

Prerequisites for installing Azure AD Connect

Additional prerequisites for Windows Server 2008-only

  • Windows Server 2008: add
  • Windows Server 2008 R2: –
  • Windows Server 2012: –
  • Windows Server 2012 R2: –

For Windows Server 2008 we need to download and install these prerequisites for the Azure AD Connect prerequisites. Install these packages first in the following order before you continue and download and install the other packages:

  1. Download either the .Net Framework 3.5 with Service Pack 1 web installer (2,8 MB, but it requires an internet connection on the Windows Server you intend to use for Azure AD Connect, to download 30 MB) or the .Net Framework 3.5 with Service Pack 1 offline installer (232 MB). Install it.
  2. Download the Windows Management Framework Core Package (Windows PowerShell 2.0 and WinRM 2.0 KB968930) from the Microsoft Download Center. Install it, because you need it as a prerequisite to version 3.0 of the Windows Management Framework.
  3. Reboot afterwards.
  4. Download the Windows Graphics, Imaging, and XPS Library (KB971512) and install it.
  5. Reboot afterwards.

.Net Framework 4.5.1

  • Windows Server 2008: add
  • Windows Server 2008 R2: add
  • Windows Server 2012: add
  • Windows Server 2012 R2: –

Azure AD Connect uses .Net Framework 4. From version 1.0.494.0501, released in May 2015, Azure AD Connect requires .Net Framework 4.5.1 or up.

The .Net Framework 4.5.1 (Offline installer) is ideal for these types of deployments.
Although it is almost 70 MB in size, you can use it to deploy .Net Framework to Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012 without them needing an internet connection.

Install it on each Windows (Server) installation on which you intend to use Azure AD Connect and/or any of its components (like ADSyncPrep.psm1). Then reboot.

Note:
Strangely, on Windows Server 2008 you don’t have to reboot after the installation of .Net Framework 4.5.1…

Make sure you have Windows Update configured for these installations, since security updates are regularly issued for the .Net Framework and you don’t want to get stuck with an insecure version of the .Net Framework on your Azure AD Connect infrastructure.

 

Windows PowerShell 3.0

  • Windows Server 2008: add
  • Windows Server 2008 R2: add
  • Windows Server 2012: –
  • Windows Server 2012 R2: –

 

Azure AD Connect uses PowerShell 3.0 under the hood, so you will need to install the Windows Management Framework before you can successfully install Azure AD Connect.

Windows Server 2008

First, download and install the "Extended Protection for Authentication" patch (KB968389). Restart afterwards.

Then download the Windows Management Framework 3.0 here.
This is the latest version of the Windows Management Framework that is available for Windows Server 2008. The only file you need on the x64 version of Windows Server 2008 is Windows6.0-KB2506146-x64.msu (14,4 MB). Install it. Reboot afterwards.

Windows Server 2008 R2

You can download Windows Management Framework 4.0 here.
On Windows Server 2008 R2, the only file you need is Windows6.1-KB2819745-x64-MultiPkg.msu. (18,5 MB)

Windows Server 2012

You can download Windows Management Framework 4.0 here.

On Windows Server 2012, use Windows8-RT-KB2799888-x64.msu.

Install it on each Windows (Server) installation on which you intend to use Azure AD Connect and/or any of its components (like ADSyncPrep.psm1). Reboot afterwards.

 

Installing Azure AD Connect

After you’ve taken care of the proper information security measures (anti-malware, backup, etc.) it’s time to download and run the installer for Azure AD Connect.


This is as straightforward as can be on all supported versions of Windows Server, although you might end up with an aborted installation when you don’t comply with the prerequisites: Azure AD Connect does not offer links to the prerequisites and does not automatically install them, but simply quits.
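Because the installer quits without saying which prerequisite is missing, a preflight check helps. The script below is an added example, not part of the original post or of Microsoft's tooling; the endpoint name login.microsoftonline.com and the helper New-Result are assumptions of this example, and the .NET check relies on the documented Release value 378675 for .Net Framework 4.5.1.

```powershell
# Added example: preflight check for the prerequisites described in this post.
# Uses PowerShell 2.0-compatible syntax so it also runs before WMF 3.0/4.0 is installed.
param(
    # Assumption: sample Azure AD endpoint; the post only states that a direct
    # outbound TCP 443 connection to Microsoft Azure is required.
    [string]$AzureEndpoint = 'login.microsoftonline.com'
)

# Hypothetical helper: one result row per check.
function New-Result([string]$Check, [bool]$Ok, [bool]$Required, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Required = $Required; Detail = $Detail }
}

$results = @()

# .Net Framework 4.5.1 or up: the v4\Full 'Release' value is 378675 or higher.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$release = 0
if ($ndp -and $ndp.Release) { $release = [int]$ndp.Release }
$results += New-Result '.Net Framework >= 4.5.1' ($release -ge 378675) $true "Release=$release"

# Windows PowerShell 3.0 or up (Windows Management Framework).
$results += New-Result 'PowerShell >= 3.0' ($PSVersionTable.PSVersion.Major -ge 3) $true "PSVersion=$($PSVersionTable.PSVersion)"

# Active Directory module: recommended, needed by ADSyncPrep.psm1.
$adModule = Get-Module -ListAvailable -Name ActiveDirectory
$results += New-Result 'ActiveDirectory module' ([bool]$adModule) $false 'needed for ADSyncPrep.psm1'

# Domain membership: only required for the Express Settings.
$cs = Get-WmiObject Win32_ComputerSystem
$results += New-Result 'Domain-joined' ([bool]$cs.PartOfDomain) $false "Domain=$($cs.Domain)"

# Outbound TCP 443; Test-NetConnection does not exist on these older servers.
$tcp = New-Object System.Net.Sockets.TcpClient
try { $tcp.Connect($AzureEndpoint, 443); $reachable = $tcp.Connected }
catch { $reachable = $false }
finally { $tcp.Close() }
$results += New-Result "TCP 443 to $AzureEndpoint" $reachable $true 'direct connection expected'

$results | Select-Object Check, Ok, Required, Detail | Format-Table -AutoSize
# A non-zero exit code signals that a required prerequisite is missing.
if ($results | Where-Object { $_.Required -and -not $_.Ok }) { exit 1 }
```

Save it as a .ps1 file and run it on the server before starting the installer.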

 

Concluding

You can install Azure AD Connect on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 and/or on Windows Server 2012 R2.

Plan for the additional steps on the down-level Windows Server versions to avoid arguing with a project manager. It’s slightly more work, especially on Windows Server 2008.

However, installing Azure AD Connect on Windows Server 2008 might not be the brightest idea, because you will significantly limit the usefulness of Azure AD Connect and, thus, your Hybrid Identity implementation.

Further reading

Prerequisites for Azure Active Directory Connect (Azure AD Connect)
Integrating your on-premises identities with Azure Active Directory
Azure AD Connect: Version Release History
Installing Windows PowerShell

7 Responses to Installing Azure AD Connect on Windows Server 2008, 2008 R2 and 2012

  1.  

    However, I believe that Azure AD Connect with ADFS is not supported on Win Server 2008 R2.
    AD Connect Install keeps telling me that I need Win Server 2K12 R2 to support ADFS (Federation Services)

    • Hi Mike,

      If you want to use Azure AD Connect to configure and/or manage Active Directory Federation Services (AD FS), then the AD FS infrastructure needs to be at least Windows Server 2012 R2.

      If you want to use Azure AD Connect in a networking environment with Windows Server 2008 or Windows Server 2008 R2 only, you will need to use the 'Do not configure' option on the 'User sign in' page of the Azure AD Connect wizard. Then, you can manually implement the AD FS infrastructure, if needed. When done, use the Azure AD PowerShell Module to convert the Azure AD tenant's domain name(s) for federation.

       
  2.  

    Hi,

    I have Azure AD Connect running on Windows Server 2008 R2 and I have been planning to migrate to Windows Server 2012. How should I do this? I asked a friend and he said: "Just uninstall Azure AD Connect from Windows Server 2008 R2 and install Azure AD Connect on Windows Server 2012." Is this the best way to do this?

    • Hi Novel,

      I feel the best way to do this is by installing Azure AD Connect on a Windows Server 2012 installation as a Staging Mode server. This new Azure AD Connect installation won't make any changes to your Azure AD tenant or Active Directory environment, but will populate its Azure AD Connect database. Then, you can cross-check the contents of the database on both Azure AD Connect installations. After you're satisfied the new Azure AD Connect installation performs in the same way as your current Azure AD Connect installation, you can configure the Windows Server 2008 R2-based Azure AD Connect installation to Staging Mode, too, and quickly thereafter configure the Windows Server 2012 R2-based Azure AD Connect installation as no longer being in Staging Mode. It will become the actively synchronizing Azure AD Connect installation. After a week, or so, when everything continues to run smoothly, simply uninstall Azure AD Connect from Windows Server 2008 R2.

      I recommend this method, because it allows for cross-checks and roll-backs.

       
  3.  

    Thanks for this. Forgot how much I hate installing this on Windows Server 2008 R2. Such a pain.

  4.  

    What do I do if Microsoft removed the download and I can't find it anywhere?

    • Microsoft has opted to release Azure AD Connect using a static download location at downloads.microsoft.com.

      Microsoft provides 12 months of support for Azure features, including Azure AD Connect. Microsoft will have to announce any plans offering Azure AD Connect at least 12 months in advance per the general availability rules they have put in place themselves. Individual released versions of Azure AD Connect are supported for 24 months.

      If you need access to a previous version of Azure AD Connect, you can create a support ticket from the Azure Portal.

       
