Active Directory Health Checks Before Migrating to Azure AD Connect

When organizations decide to integrate their on-prem Active Directory with Azure AD using Azure AD Connect, it’s usually more than just a technical upgrade. It’s a modernization step—one that affects authentication, identity management, device access, and long-term cloud strategy.

And while Azure AD Connect is powerful, it’s not forgiving.
If your Active Directory isn’t healthy, stable, and clean, then synchronization issues, authentication failures, and downstream security exposures will quickly show up.

That’s why an Active Directory health check isn’t just a prerequisite—it’s the most important step before migration.

In this article, we’ll walk through the essential checks every IT leader should have tested, validated, and fixed before deploying Azure AD Connect.


Why AD Health Matters So Much for Azure AD Connect

Azure AD Connect relies on your on-prem AD as the truth source.
Whatever’s inside AD—good or bad—gets replicated to Azure AD.

This includes:

  • Duplicate or malformed attributes
  • Stale or unused accounts
  • Orphaned or broken objects
  • Incorrect UPN formats
  • Inconsistent domain controller replication
  • DNS issues
  • Permission misconfigurations

If these issues exist today, they can cause:

  • Sync errors that are hard to track
  • Authentication disruptions
  • MFA and SSO inconsistencies
  • Azure AD security gaps
  • Failed Hybrid Join for devices
  • Delays in onboarding/offboarding

So before connecting anything to the cloud, AD must be clean, consistent, and predictable.

Let’s break down the must-do health checks.


1. Check Domain Controller Replication Health

Azure AD Connect expects clean replication across all domain controllers. If replication is broken or delayed, sync jobs will pull inconsistent data.

What to validate

  • Run repadmin /replsummary
  • Ensure no lingering objects
  • Confirm there are no large replication backlogs
  • Check for any domain controllers stuck in “error” or “unreachable” states

Common issues

  • FSMO role placement issues
  • Slow inter-site WAN links
  • Deprecated domain controllers still referenced
  • USN rollback scenarios

Fix replication issues before moving forward. Azure AD Connect will not “fix” AD for you.
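The checks above can be scripted so they run the same way on every DC before each sync-readiness review. The following PowerShell is an added example for this article, not tooling from Microsoft or from the author; it assumes the RSAT ActiveDirectory module and repadmin.exe are present and that the caller can read replication metadata. The two-hour backlog threshold is an assumption you should tune to your topology.

```powershell
# Added example: replication health report for every DC in the forest (report-only).
Import-Module ActiveDirectory

$MaxBacklogHours = 2   # assumption: flag partners that have not replicated in for this long
$forestName      = (Get-ADForest).Name

# 1. Replication failures each DC has recorded against its partners
$failures = Get-ADReplicationFailure -Target $forestName -Scope Forest
if ($failures) {
    Write-Warning "Replication failures recorded:"
    $failures | Select-Object Server, Partner, FirstFailureTime, FailureCount, LastError |
        Format-Table -AutoSize
}

# 2. Per-partner metadata: last success, consecutive failures, last result code
$stale = Get-ADReplicationPartnerMetadata -Target $forestName -Scope Forest -ErrorAction SilentlyContinue |
    Where-Object {
        $_.LastReplicationSuccess -lt (Get-Date).AddHours(-$MaxBacklogHours) -or
        $_.ConsecutiveReplicationFailures -gt 0
    }
if ($stale) {
    Write-Warning "Partners with a backlog or consecutive failures:"
    $stale | Select-Object Server, Partner, Partition, LastReplicationSuccess,
        ConsecutiveReplicationFailures, LastReplicationResult | Format-Table -AutoSize
}

# 3. repadmin /showrepl in CSV form is easier to machine-check than /replsummary:
#    any non-zero failure count or a last-failure status other than 0 needs attention
$showrepl = repadmin /showrepl * /csv | ConvertFrom-Csv
$bad = $showrepl | Where-Object {
    [int]$_.'Number of Failures' -gt 0 -or $_.'Last Failure Status' -ne '0'
}
if ($bad) {
    $bad | Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
        'Number of Failures', 'Last Failure Status' | Format-Table -AutoSize
} else {
    "repadmin /showrepl: no failing replication links"
}

# 4. Lingering objects: run the advisory-mode check against a known-good reference DC.
#    /advisory_mode only reports, it removes nothing. <DC>, <RefDC-GUID> and <NC> are
#    placeholders for your environment.
# repadmin /removelingeringobjects <DC> <RefDC-GUID> <NC> /advisory_mode
```

Run it from a member server in the forest root domain; anything listed by steps 1 to 3 should be resolved and the script re-run until it prints nothing but the "no failing replication links" line.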


2. Validate DNS Integrity and Configuration

Azure AD—and by extension Azure AD Connect—depends heavily on DNS.

Check for:

  • Healthy forward and reverse lookup zones
  • Correct SRV records for all domain controllers
  • No stale or duplicate DNS records
  • Proper site/subnet mappings
  • Consistent DNS forwarders

Incorrect DNS can cause:

  • Authentication delays
  • Replication failures
  • Domain join problems

Think of DNS as the foundation. If the foundation is weak, everything else shakes.
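To turn the checklist into something repeatable, here is an added PowerShell example (written for this article, not the author's or Microsoft's tooling) that verifies, for every DC in the current domain, the A, PTR and SRV locator records that Kerberos clients and the sync server depend on, and flags SRV targets that no longer correspond to a live DC. It assumes the ActiveDirectory and DnsClient modules and queries whichever DNS server the machine is configured to use.

```powershell
# Added example: DNS locator-record check for every domain controller (report-only).
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$dcs    = Get-ADDomainController -Filter *

# Domain-wide SRV records are resolved once; each DC must appear as a target
$srvLdap = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue
$srvKrb  = Resolve-DnsName -Name "_kerberos._tcp.$domain"       -Type SRV -ErrorAction SilentlyContinue

$results = foreach ($dc in $dcs) {
    $fqdn = $dc.HostName
    # Forward record: must exist, point at the DC's known address, and not be duplicated
    $a   = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue
    # Reverse record: stale PTRs are one of the most common leftovers after re-IP projects
    $ptr = Resolve-DnsName -Name $dc.IPv4Address -Type PTR -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC            = $fqdn
        Site          = $dc.Site
        ARecordOK     = ($a.IPAddress -contains $dc.IPv4Address)
        DuplicateA    = (@($a).Count -gt 1)
        PTRRecordOK   = ($ptr.NameHost -eq $fqdn)
        LdapSrvOK     = ($srvLdap.NameTarget -contains $fqdn)
        KerberosSrvOK = ($srvKrb.NameTarget -contains $fqdn)
    }
}
$results | Format-Table -AutoSize

# SRV targets that are not current DCs: typically decommissioned servers never cleaned up
$known = $dcs.HostName
$srvLdap.NameTarget | Sort-Object -Unique | Where-Object { $known -notcontains $_ } |
    ForEach-Object { Write-Warning "Stale SRV target still advertised: $_" }
```

A `$false` in any column is a DC that clients, replication partners or the Azure AD Connect server may fail to locate; a stale SRV target sends authentication traffic to a host that no longer exists.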


3. Ensure Clean and Valid UPNs (User Principal Names)

Azure AD Connect requires routable, globally unique UPNs.

If your on-prem AD uses a non-routable suffix such as user@localdomain.local, that UPN will not work in Azure AD.

Checklist

  • Verify the UPN suffix matches a verified domain in Microsoft 365/Azure AD
  • Ensure no duplicates across the forest
  • Ensure characters meet Azure AD naming rules
  • Update legacy or non-routable UPNs

Tip:
Avoid switching users to a new UPN on the same day you run initial sync.
Plan the change, communicate it, and stage the rollout.
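The following PowerShell is an added example for this article (not from the author or from Microsoft) that produces the report behind this checklist: for every enabled user it flags missing UPNs, non-routable `.local` suffixes, suffixes not on your verified-domain list, illegal characters, and forest-wide duplicates. `$VerifiedDomains` is a constructed placeholder you must replace with the domains verified in your tenant, and the character rule is a deliberately conservative approximation of Azure AD's naming rules, not the authoritative list.

```powershell
# Added example: UPN readiness report (report-only, changes nothing).
Import-Module ActiveDirectory

$VerifiedDomains = @('contoso.com', 'contoso.co.uk')   # placeholder list, not from the article

# Conservative rule for the part before '@': letters, digits, period, hyphen, underscore, apostrophe.
# Azure AD permits a few more punctuation characters; these are safe everywhere.
$userPartPattern = '^[A-Za-z0-9._''-]+$'

# Query the global catalog so users from every domain in the forest are included
$gc    = (Get-ADForest).GlobalCatalogs | Select-Object -First 1
$users = Get-ADUser -Server "${gc}:3268" -Filter { Enabled -eq $true } -Properties userPrincipalName

$report = foreach ($u in $users) {
    $upn      = $u.UserPrincipalName
    $problems = @()
    if ([string]::IsNullOrEmpty($upn)) {
        $problems += 'missing UPN'
    } else {
        $userPart, $suffix = $upn -split '@', 2
        if (-not $suffix)                              { $problems += 'no @suffix' }
        elseif ($suffix -match '\.local$')             { $problems += 'non-routable .local suffix' }
        elseif ($VerifiedDomains -notcontains $suffix) { $problems += "suffix '$suffix' not verified in tenant" }
        if ($userPart -notmatch $userPartPattern)      { $problems += 'illegal characters in user part' }
        if ($userPart -match '^\.|\.$|\.\.')           { $problems += 'leading, trailing or double period' }
    }
    if ($problems) {
        [pscustomobject]@{
            Domain         = ($u.DistinguishedName -replace '^.*?DC=', 'DC=')
            SamAccountName = $u.SamAccountName
            UPN            = $upn
            Problems       = ($problems -join '; ')
        }
    }
}

# UPNs must be unique across the whole forest, which the GC query lets us check in one pass
$dupes = $users | Where-Object UserPrincipalName |
    Group-Object { $_.UserPrincipalName.ToLowerInvariant() } | Where-Object Count -gt 1
foreach ($d in $dupes) {
    Write-Warning "Duplicate UPN $($d.Name): $($d.Group.SamAccountName -join ', ')"
}

$report | Sort-Object Problems, SamAccountName | Format-Table -AutoSize
```

Use the report to size the UPN change project: the suffix findings tell you which verified domain to add as an alternative UPN suffix, and the duplicate list tells you which accounts need a decision before the first sync.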


4. Clean Up Stale, Disabled, or Orphaned AD Objects

Every organization has ghosts in its Active Directory.

Stale users, old computer accounts, half-decommissioned servers, leftover groups—Azure AD Connect will sync all of these unless you configure filtering.

Perform a cleanup of:

  • Users inactive for 90–180 days
  • Computer accounts inactive for 30–90 days
  • Groups with no owners or empty membership
  • Orphaned SIDs inside group membership
  • Deprecated service accounts

Azure AD Connect sync filters can help, but it’s better to clean up before deployment.

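An inventory like the one below is the usual first step of that cleanup. It is an added PowerShell example written for this article, not the author's or Microsoft's tooling, and it only reports: nothing is disabled or deleted. It assumes the ActiveDirectory module; the 180-day and 90-day thresholds sit at the upper end of the ranges above and are the kind of value you should agree with application owners first.

```powershell
# Added example: stale and orphaned object inventory (report-only).
Import-Module ActiveDirectory

$UserStaleDays     = 180   # assumption, within the article's 90-180 day range
$ComputerStaleDays = 90    # assumption, within the article's 30-90 day range
$now = Get-Date

# lastLogonTimestamp replicates between DCs (unlike lastLogon) but can lag by up to 14 days,
# so treat results as candidates for review rather than proof of inactivity
function Get-LastActivity($obj) {
    if ($obj.lastLogonTimestamp) { [DateTime]::FromFileTime($obj.lastLogonTimestamp) } else { $obj.whenCreated }
}

$staleUsers = Get-ADUser -Filter { Enabled -eq $true } -Properties lastLogonTimestamp, whenCreated |
    Where-Object { (Get-LastActivity $_) -lt $now.AddDays(-$UserStaleDays) }

$staleComputers = Get-ADComputer -Filter { Enabled -eq $true } -Properties lastLogonTimestamp, whenCreated, OperatingSystem |
    Where-Object { (Get-LastActivity $_) -lt $now.AddDays(-$ComputerStaleDays) }

# Service accounts: enabled users with an SPN that have not authenticated in the user window
$staleServiceAccounts = $staleUsers | Where-Object {
    (Get-ADUser $_ -Properties servicePrincipalName).servicePrincipalName
}

# Groups with no members and no managedBy owner, ignoring the built-in container
$emptyGroups = Get-ADGroup -Filter * -Properties member, managedBy |
    Where-Object { -not $_.member -and -not $_.managedBy -and $_.DistinguishedName -notmatch ',CN=Builtin,' }

# Orphaned SIDs: foreign security principals in group membership whose SID no longer resolves
# (typical after a trusted forest was removed or the source object was deleted)
$fspContainer = "CN=ForeignSecurityPrincipals,$((Get-ADDomain).DistinguishedName)"
$orphanedMembers = Get-ADGroup -Filter * -Properties member | ForEach-Object {
    $g = $_
    $g.member | Where-Object { $_ -like "*,$fspContainer" } | ForEach-Object {
        $sid = ($_ -split ',')[0] -replace '^CN='
        try {
            $null = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount])
        } catch {
            [pscustomobject]@{ Group = $g.Name; OrphanedSID = $sid }
        }
    }
}

"Stale users            : $(@($staleUsers).Count)"
"Stale service accounts : $(@($staleServiceAccounts).Count)"
"Stale computers        : $(@($staleComputers).Count)"
"Empty, ownerless groups: $(@($emptyGroups).Count)"
"Orphaned SIDs          : $(@($orphanedMembers).Count)"
$orphanedMembers | Format-Table -AutoSize
```

Export the four collections to CSV for the owners to review; the usual sequence is to move confirmed-stale objects to a quarantine OU excluded from sync, disable them, and delete only after a waiting period.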


5. Fix Attribute Issues (The Hidden Sync Killers)

Azure AD Connect sync depends on certain AD attributes.
If attributes are malformed or duplicated, sync errors will appear immediately.

Check these attributes carefully:

  • mail
  • proxyAddresses
  • sAMAccountName
  • displayName
  • userPrincipalName
  • objectGUID (required for source anchor)
  • unicodePwd

Common problems

  • Duplicate proxyAddresses across users or groups
  • Missing or invalid email attributes
  • Non-unique sAMAccountNames in multi-domain forests
  • Attributes with illegal characters

This is one of the most common reasons why organizations face dozens of sync errors after first-time configuration.
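The duplicates and malformed values listed above can be found before the first sync with a single global-catalog query. The PowerShell below is an added example for this article (not the author's code and not a substitute for IDFix, whose character rules are more complete); it assumes the ActiveDirectory module and a reachable global catalog, and the mail-address pattern it uses is a deliberately conservative approximation.

```powershell
# Added example: forest-wide duplicate and malformed attribute check (report-only).
Import-Module ActiveDirectory

$gc    = (Get-ADForest).GlobalCatalogs | Select-Object -First 1
$props = 'mail', 'proxyAddresses', 'sAMAccountName', 'displayName', 'userPrincipalName'

# Port 3268 returns objects from every domain. objectClass=user also matches computers,
# which is intended: any object can carry a conflicting proxyAddresses value.
$objects = Get-ADObject -Server "${gc}:3268" -Properties $props `
    -LDAPFilter '(|(objectClass=user)(objectClass=group)(objectClass=contact))'

# ---- duplicates -------------------------------------------------------------
# Compare the address part only: "SMTP:Bob@contoso.com" and "smtp:bob@contoso.com" collide
$proxyIndex = @{}
foreach ($o in $objects) {
    foreach ($addr in @($o.proxyAddresses)) {
        $key = ($addr -replace '^[A-Za-z0-9]+:').ToLowerInvariant()
        if (-not $proxyIndex.ContainsKey($key)) { $proxyIndex[$key] = @() }
        $proxyIndex[$key] += $o.DistinguishedName
    }
}
foreach ($entry in ($proxyIndex.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 })) {
    Write-Warning "Duplicate proxyAddress $($entry.Key): $($entry.Value -join ' | ')"
}

$dupMail = $objects | Where-Object mail |
    Group-Object { $_.mail.ToLowerInvariant() } | Where-Object Count -gt 1
foreach ($d in $dupMail) { Write-Warning "Duplicate mail $($d.Name): $($d.Group.DistinguishedName -join ' | ')" }

# sAMAccountName is unique per domain only; the GC view exposes cross-domain collisions
$dupSam = $objects | Where-Object sAMAccountName |
    Group-Object { $_.sAMAccountName.ToLowerInvariant() } | Where-Object Count -gt 1
foreach ($d in $dupSam) { Write-Warning "sAMAccountName $($d.Name) exists in more than one domain: $($d.Group.DistinguishedName -join ' | ')" }

# ---- malformed values -------------------------------------------------------
$mailPattern = '^[A-Za-z0-9._%+''-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$'
foreach ($o in $objects) {
    if ($o.mail) {
        if ($o.mail -ne $o.mail.Trim())        { Write-Warning "Leading/trailing whitespace in mail on $($o.DistinguishedName)" }
        elseif ($o.mail -notmatch $mailPattern) { Write-Warning "Invalid mail on $($o.DistinguishedName): $($o.mail)" }
    }
    foreach ($addr in @($o.proxyAddresses)) {
        # -match is case-insensitive, so this covers both SMTP: and smtp: entries
        if ($addr -match '^smtp:' -and ($addr -replace '^smtp:') -notmatch $mailPattern) {
            Write-Warning "Invalid proxyAddress on $($o.DistinguishedName): $addr"
        }
    }
    if ($o.displayName -and $o.displayName.Length -gt 256) {
        Write-Warning "displayName longer than 256 characters on $($o.DistinguishedName)"
    }
}
```

Each warning names the full DN of both sides of a collision, which is what you need when two teams own the conflicting objects; fix the data in AD rather than in the sync rules, because the conflict will otherwise resurface on every full import.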


6. Validate Forest and Domain Functional Levels

Azure AD Connect has minimum requirements for forest and domain levels.

Make sure:

  • Domain functional level ≥ Windows Server 2003
  • Forest functional level ≥ Windows Server 2003

While most organizations today are well above that baseline, older AD environments or isolated domains may still lag.

Also confirm:

  • No Windows Server 2003/2008 domain controllers
  • SYSVOL replication is on DFS-R, not FRS
  • The forest schema version is Windows Server 2012 or later

Schema upgrades are required for Azure AD Connect’s modern features.
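The facts this section asks about can all be read from the directory in one pass. The script below is an added example written for this article (not from the author or Microsoft); it assumes the ActiveDirectory module and dfsrmig.exe on the machine it runs from. The schema version table maps the well-known `objectVersion` values of the schema naming context to the Windows Server release that introduced them.

```powershell
# Added example: functional level, DC OS, SYSVOL replication and schema version report.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
"Forest functional level : $($forest.ForestMode)"
"Domain functional level : $($domain.DomainMode)"

# Every DC with its OS: any 2003/2008 entry must go before the migration
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object HostName, Site, OperatingSystem, IsGlobalCatalog |
    Sort-Object OperatingSystem | Format-Table -AutoSize
$legacy = $dcs | Where-Object { $_.OperatingSystem -match '2003|2008' }
if ($legacy) { Write-Warning "Legacy domain controllers still present: $($legacy.HostName -join ', ')" }

# SYSVOL: dfsrmig reports the migration state as a sentence such as
# "Current DFSR global state: 'Eliminated'". Only 'Eliminated' means FRS is fully retired.
$dfsrState = (dfsrmig /getglobalstate 2>&1 | Out-String).Trim()
if ($dfsrState -match "'Eliminated'") { "SYSVOL replication      : DFS-R (FRS eliminated)" }
else { Write-Warning "SYSVOL is not fully on DFS-R:`n$dfsrState" }

# Schema version: objectVersion on the schema naming context
$schemaVersions = @{
    30 = '2003'; 31 = '2003 R2'; 44 = '2008'; 47 = '2008 R2'
    56 = '2012'; 69 = '2012 R2'; 87 = '2016'; 88 = '2019/2022'
}
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$ver      = [int](Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion
$release  = if ($schemaVersions.ContainsKey($ver)) { "Windows Server $($schemaVersions[$ver])" } else { 'unknown' }
"Schema objectVersion    : $ver ($release)"
if ($ver -lt 56) {
    Write-Warning "Schema is below Windows Server 2012; extend it (adprep /forestprep from current media) before deploying"
}
```

Run it once per forest; the DC list and the SYSVOL state are the two outputs that most often surprise teams who believe their environment is already current.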


7. Ensure Security and Permission Requirements Are Met

Azure AD Connect requires specific permissions to read and write to AD.

Validate:

  • The service account has Replicating Directory Changes permissions
  • No restrictive GPOs block access
  • No third-party security tools block LDAP or ADSI
  • Firewall rules allow DC communication

If AD Connect cannot access AD reliably, sync cycles will suffer.
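The permission half of this checklist can be verified from the ACL on the domain naming context. The PowerShell below is an added example for this article (not the author's or Microsoft's code) that checks whether the AD DS connector account holds the two replication extended rights directly or through one of its direct groups, and then probes each DC on the ports the sync server uses. It assumes the ActiveDirectory module; `CONTOSO\MSOL_svc` is a placeholder account name, and the two GUIDs are the schema-defined identifiers of the extended rights named in the comments.

```powershell
# Added example: verify replication rights and DC reachability for the connector account.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\MSOL_svc'   # placeholder, not from the article

# Extended-right GUIDs as defined in the AD schema
$rights = @{
    'Replicating Directory Changes'     = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes All' = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}

$domainDN = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDN"

# The right may be granted to the account itself or to a group it is a direct member of
# (nested membership is not expanded here; extend with Get-ADPrincipalGroupMembership if needed)
$account = Get-ADUser -Identity ($ServiceAccount -split '\\')[-1] -Properties memberOf
$sids    = @($account.SID.Value) + @($account.memberOf | ForEach-Object { (Get-ADGroup $_).SID.Value })

function Get-AceSid($ace) {
    try { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
}

foreach ($name in $rights.Keys) {
    $granted = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'ExtendedRight' -and
        $_.ObjectType -eq $rights[$name] -and
        ($sids -contains (Get-AceSid $_))
    }
    if ($granted) { "OK      : $name granted to $ServiceAccount on $domainDN" }
    else          { Write-Warning "MISSING : $name not granted to $ServiceAccount on $domainDN" }
}

# Kerberos, LDAP, LDAPS and global-catalog ports from this host to every DC
foreach ($dc in Get-ADDomainController -Filter *) {
    foreach ($port in 88, 389, 636, 3268, 3269) {
        $open = Test-NetConnection -ComputerName $dc.HostName -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
        if (-not $open) { Write-Warning "Port $port not reachable on $($dc.HostName)" }
    }
}
```

Run the port section from the server that will host Azure AD Connect, since that is the path firewalls and host-based security tools actually filter; a "MISSING" line for either right means Password Hash Sync will fail at its first export.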


8. Assess Password Policies and Authentication Workflows

Before enabling Hybrid Identity, ensure that authentication flows are stable.

Ask yourself:

  • Are password policies consistent across domains?
  • Are users using supported authentication methods?
  • Are there conflicting policies applied at OU-level?

If you are implementing Pass-through Authentication (PTA) or Password Hash Sync (PHS), verify that the domain controllers allow the required Kerberos encryption types.
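To answer those three questions with data rather than assumptions, the PowerShell below (an added example for this article, not the author's or Microsoft's code) lays the default password policy of every domain in the forest side by side, lists fine-grained policies that override it, and decodes the Kerberos encryption types each DC advertises in `msDS-SupportedEncryptionTypes`. It assumes the ActiveDirectory module; which encryption types your chosen sign-in method needs is a design decision the script only informs.

```powershell
# Added example: password policy consistency and DC Kerberos encryption-type report.
Import-Module ActiveDirectory

$domains = (Get-ADForest).Domains

# 1. Default domain password policies, one row per domain
$policies = foreach ($d in $domains) {
    $p = Get-ADDefaultDomainPasswordPolicy -Server $d
    [pscustomobject]@{
        Domain               = $d
        MinLength            = $p.MinPasswordLength
        History              = $p.PasswordHistoryCount
        MaxAgeDays           = $p.MaxPasswordAge.Days
        Complexity           = $p.ComplexityEnabled
        LockoutThreshold     = $p.LockoutThreshold
        ReversibleEncryption = $p.ReversibleEncryptionEnabled
    }
}
$policies | Format-Table -AutoSize
$distinct = $policies | Group-Object {
    "$($_.MinLength)|$($_.History)|$($_.MaxAgeDays)|$($_.Complexity)|$($_.LockoutThreshold)"
}
if (@($distinct).Count -gt 1) { Write-Warning "Default password policies differ between domains" }
if ($policies | Where-Object ReversibleEncryption) { Write-Warning "Reversible encryption is enabled in at least one domain" }

# 2. Fine-grained policies that override the default for specific users or groups
foreach ($d in $domains) {
    Get-ADFineGrainedPasswordPolicy -Filter * -Server $d |
        Select-Object @{ n = 'Domain'; e = { $d } }, Name, Precedence, MinPasswordLength, AppliesTo |
        Format-Table -AutoSize
}

# 3. msDS-SupportedEncryptionTypes on DC computer accounts (userAccountControl bit 8192 = DC)
$encFlags = [ordered]@{ 1 = 'DES-CBC-CRC'; 2 = 'DES-CBC-MD5'; 4 = 'RC4-HMAC'; 8 = 'AES128'; 16 = 'AES256' }
$dcEnc = foreach ($d in $domains) {
    Get-ADComputer -Server $d -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=8192)' `
        -Properties 'msDS-SupportedEncryptionTypes' | ForEach-Object {
        $v = $_.'msDS-SupportedEncryptionTypes'
        $names = if ($null -eq $v) { 'not set' } else {
            ($encFlags.Keys | Where-Object { $v -band $_ } | ForEach-Object { $encFlags[$_] }) -join ','
        }
        [pscustomobject]@{ Domain = $d; DC = $_.Name; EncryptionTypes = $names }
    }
}
$dcEnc | Format-Table -AutoSize
$dcEnc | Where-Object { $_.EncryptionTypes -match 'DES' } |
    ForEach-Object { Write-Warning "$($_.DC) still advertises DES" }
```

Differences between domains are not automatically wrong, but each one becomes a user-visible inconsistency once the same cloud tenant fronts every domain, so decide deliberately which policy wins.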


9. Review Group Policies, Especially Those Impacting Devices

Azure AD Connect often works alongside Hybrid Join or Intune enrollment.

Before enabling Hybrid Join:

  • Validate GPOs related to device authentication
  • Remove conflicting device enrollment policies
  • Confirm the AD Connect computer object is in a GPO-friendly OU

If GPOs block or conflict with Microsoft cloud identity settings, device sync will break.


10. Run the Microsoft IDFix Tool

IDFix is the single most important pre-migration tool for Azure AD Connect.

It detects issues such as:

  • Duplicate attributes
  • Invalid characters
  • Formatting errors
  • UPN issues
  • Proxy address conflicts

Run IDFix. Resolve everything. Then run it again.
This eliminates 80% of common sync errors before they ever occur.


11. Plan AD OU Structure for Sync Filtering

Not everything in AD needs to sync.

Sync filtering helps you:

  • Exclude servers
  • Exclude service accounts
  • Exclude test environments
  • Exclude inactive objects

A clean OU structure leads to a clean cloud directory.


12. Validate Time Synchronization (Kerberos Depends on It)

Time drift breaks authentication.

Ensure:

  • All domain controllers sync time with the PDC
  • PDC syncs with an external, reliable NTP source
  • Less than 5 minutes of drift (the Kerberos default tolerance) between any DC and the PDC

Azure AD Connect authentication flows rely heavily on Kerberos, so this part cannot be skipped.
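Both checks are a short script. The PowerShell below is an added example written for this article (not the author's or Microsoft's tooling): it confirms what the PDC emulator itself is synchronizing from, then parses `w32tm /monitor`, which reports every DC's offset relative to the PDC, and flags any DC outside the 5-minute Kerberos tolerance. It assumes w32tm.exe (built into Windows), the ActiveDirectory module, and that the caller can reach every DC on UDP 123.

```powershell
# Added example: time-source and clock-skew report for all DCs against the PDC emulator.
Import-Module ActiveDirectory

$MaxSkewSeconds = 300   # Kerberos default tolerance
$pdc = (Get-ADDomain).PDCEmulator

# The PDC should follow an external NTP source; "Local CMOS Clock" or "Free-running" means it is not
$pdcSource = (w32tm /query /source /computer:$pdc 2>&1 | Out-String).Trim()
"PDC emulator $pdc time source: $pdcSource"
if ($pdcSource -match 'Local CMOS Clock|Free-running') { Write-Warning "PDC emulator is not using an external NTP source" }

# w32tm /monitor prints, per DC, a header such as "dc02.contoso.com[10.0.0.2:123]:" followed by
# "    NTP: -0.0012345s offset from dc01.contoso.com"; unreachable DCs get an "NTP: error ..." line
$monitor = w32tm /monitor 2>&1
$current = $null
$results = foreach ($line in $monitor) {
    if ($line -match '^(\S+?)(?:\s+\*\*\* PDC \*\*\*)?\[') {
        $current = $Matches[1]
    }
    elseif ($current -and $line -match 'NTP:\s*([+-]\d+\.\d+)s offset from (\S+)') {
        $offset = [double]$Matches[1]
        [pscustomobject]@{
            DC            = $current
            OffsetSeconds = $offset
            ReferenceDC   = $Matches[2]
            Status        = if ([math]::Abs($offset) -gt $MaxSkewSeconds) { 'SKEW OVER LIMIT' } else { 'OK' }
        }
        $current = $null
    }
    elseif ($current -and $line -match 'NTP:\s*error') {
        [pscustomobject]@{ DC = $current; OffsetSeconds = $null; ReferenceDC = $null; Status = 'UNREACHABLE' }
        $current = $null
    }
}
$results | Sort-Object { [math]::Abs($_.OffsetSeconds) } -Descending | Format-Table -AutoSize

$bad = $results | Where-Object Status -ne 'OK'
if ($bad) { Write-Warning "DCs needing attention: $($bad.DC -join ', ')" }
```

Offsets of a few seconds already deserve a look at the DC's configured time source; the 5-minute figure is where Kerberos ticket requests start failing outright, not where you should be comfortable.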


Final Thoughts

Migrating to Azure AD Connect isn’t complicated—but it is unforgiving when AD hygiene isn’t maintained.

A solid pre-migration health check ensures:

  • Smooth sync cycles
  • Fewer errors
  • Predictable authentication
  • Cleaner identity structure
  • Better long-term cloud governance
  • Tightened security posture

A well-prepared Active Directory results in a seamless Azure AD integration—something every IT leader appreciates when enabling hybrid identity at scale.