AAD Connect or Azure Cloud Connect with Windows 2012 R2 hybrid domain?

Iron Contributor

Running a hybrid Microsoft domain, with Microsoft 365 being used mainly for Exchange Online (mail) and everything else in still on premise in a Windows 2012 R2 domain.

Currently, only Azure AD Connect is being used to sync users/passwords from the AD domain to Microsoft 365. Is that still the appropriate sync tool to use, until we move everything to the cloud?

And is there a way to have the sync be bi-directional, so that if I create a user in Microsoft 365, a user account would get created in the on-premise domain? Presently it appears that we have to create the user on-premise and then make modifications to its Microsoft 365 account.

1 Reply



Hi, Robert.


Just to call it out up front and get it out of the way, Windows Server 201 R2 is no longer supported. So, if you're looking to run either Cloud or Connect sync on the actual domain controller, you'd be doing so in an entirely unsupported capacity. This doesn't mean it won't work - not that I can test that, but even if it does and something goes wrong later, you'll get no help from Microsoft with it.


That said, what you can do is use a Windows 2016 (not recommended by Microsoft as it's about to exit extended maintenance) or later member server and install either there.


The fact that the domain and forest functional are - at best - at the 2012 R2 levels is not an issue - as far as I'm aware (though to be fair, I haven't seen current versions of Entry Connect on a Server 2012 R2-era host/domain/forest, either). It's more a question of upon which server version you're trying to install the software.



My preference is still to use Entry Connect rather than Cloud Sync, but check the matrix and decide what works best for you.


While it's in the matrix, one point I'll quickly call out is if you have domain-joined devices (clients and servers) that you're looking to convert into hybrid-joined devices and managed via InTune, that automatically puts you onto the Entra Connect path, as Cloud sync doesn't handle devices.


Neither sync tool can synchronise Azure-native user objects from Azure Active Directory back to on-premise Active Directory, meaning bidirectionality is not an option. This is not to be confused with attribute write-back which is supported (stating the obvious here, but only for user objects that originated from on-premise).


If the existing configuration is working and you have no profoundly compelling reason to mess with it, I'd leave it alone until you do.


That said, if you feel compelled to mess with it anyway, then I'd highly recommend setting up a new side-by-side configuration based on Entry Connect, installed on nothing less than a Windows Server 2019 host (as a member server, given you cannot afford to mess around with the existing 2012 R2 domain controller) and ensure it staging mode is enabled.


Staging mode simple means that the installation will not perform any updates of either Azure Active Directory or on-premise Active Directory, which gives you a safe environment in which to assess the viability of disabling staging mode later on - prefaced by setting the existing Connect installation into staging mode - should everything with the new installation look fine to proceed.



Conversely, if the new installation is a fiasco, because it's in staging mode you can simply uninstall Entra Connect and destroy the Windows Server 2019 virtual machine (I'm assuming you wouldn't be using a physical installation these days).