AAD connect migrate / upgrade to AAD Connect 2.0 with Server 2022

More information of AAD connect can be found here: 
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect-v2

In this article I describe the migration of AAD connect 1.6.16.0 to AAD connect 2.x.

Windows Server 2012 and Windows Server 2012 R2 are no longer supported so I choose to migrate to a complete new server.

My as is situation is AAD connect 1.x on server 2012 and the new situation will be Server 2022 with AAD connect 2.x.
My system specs are 2 vCPUs, 8 GB Memory and 80 Gb hard disk.

The setup will be on a new Windows Server 2022 and afterwards the old AAD connect server will be decommissioned.

The steps to take : 

  • Export settings and prepare the new server which runs in staging mode 
  • Set the old server in staging mode
  • Turn off staging mode on the new server
  • Check synchronisation
  • Decomission old server

What’s new in Azure AD Connect V2.0

  • SQL Server 2019 LocalDB
  • MSAL authentication library
  • Visual C++ Redistributable 14 runtime
  • TLS 1.2
  • All binaries signed with SHA-2
  • PowerShell 5.0 or later


The service account

The service account used by our setup of Azure AD connect is a Virtual service account.

A virtual service account is a special type of account that does not have a password and is managed by Windows.

The VSA is intended to be used with scenarios where the sync engine and SQL are on the same server. If you use remote SQL, then it’s recommend to use a Group Managed Service Account instead.

More about service accounts : https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions


Check the version of your current AAD connect server.
Log on to the old AAD connect server

Start Azure Active Directory Synchronization Service. Click in the menu bar on Help > About.
The installed Azure AD Connect version must be 1.6.16.0.

Export Azure AD Connect configuration

Start Microsoft Azure Active Directory Connect from the programs menu. Click on Configure.

Click View or export current configuration. Click Next.

Click Export Settings. The exported  .json file to the  new Windows Server on which you will install Azure AD Connect.

Check Azure AD Connect user sign-in settings because the Azure AD export settings will not export the User sign-in settings
Go back to the Additional tasks. Click on Change user sign-in. Click Next.

Sign in to the new Azure AD connect Server 

Enable TLS 1.2

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-tls-enforcement

 New-Item 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -name 'SystemDefaultTlsVersions' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -name 'SchUseStrongCrypto' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -name 'SystemDefaultTlsVersions' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -name 'SchUseStrongCrypto' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.2 has been enabled.' 

restart the Server

Download and install Azure AD Connect  

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history

Release notes

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history#20280

https://www.microsoft.com/download/details.aspx?id=47594

Click continue

Click Customize

Check the checkbox Import synchronization settings. Browse to the exported Azure AD Connect .json file. Click Install.

Select the User sign-in settings as configured on the old Azure AD Connect server.

Check Password Hash Synchronization.
Click Next.

use a user account with the Hybrid Identity Administrator user role or Global Administrator role
In case of PIM it doesn’t matter.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#express-settings-installation

error that it can’t connect to Active Directory. Click on Change Credentials.

Change credentials

Create new AD account: Azure AD Connect will create an AD DS Connector account (MSOL_xxxxxxxxxx) in AD with all the necessary permissions.

Click OK

Green flag so Active Directory is successfully connected.

Click Next

Ensure that you check both checkboxes. Click Install.

Don’t forget to exclude the new service account from your MFA policy otherwise you will receive an error.

[ 10] [WARN ] GetServiceAccount: service account authorization failed for [email protected].  Waiting for account to be provisioned.  Details: AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access ‘00000002-0000-0000-c000-000000000000’.

If you receive this error you have to edit your MFA conditional access policy and exclude the aadconnect account from this conditional access policies.

Click Exit

Start Azure Active Directory Synchronization Service 
Verify the synchronisation status.

Als quickly check the installed version Azure AD Connect version 2.0.91.0 -> Help -> About.

Log On to the OLD AAD connect server to Enable staging mode.

start Microsoft Azure Active Directory Connect.
Click on Configure.

select Configure staging mode.

Click Next.

Enable staging mode. Click Next.

Select Start the synchronization process when configuration completes.

Click configure.

Staging mode is successfully enabled.

Click Exit.

Log On to the NEW server to disable staging mode.

start Microsoft Azure Active Directory Connect.

Click on Configure 

select Configure staging mode.
Click Next.

Log in with the Azure AD global administrator or hybrid identity administrator 

Uncheck the checkbox Enable staging mode. Click Next.

Select Start the synchronization process when configuration completes.
Click configure.

Staging mode is successfully disabled.
Click Exit

Check Azure AD Connect synchronization

Start Azure Active Directory Synchronization Service.
 

Verify that the synchronization status shows as success.

Check sync status in the  Microsoft 365 admin center.
Click on the sync status in the Azure AD Connect tile.

Directory sync status – Microsoft 365 admin center

You could also check Azure AD,

Log in to Azure AD,

Select Azure AD Connect -> Azure AD Conenct Health.

Then select Sync services and select your domain.

Direct links :

https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AzureADConnect

https://aad.portal.azure.com/#blade/Microsoft_Azure_ADHybridHealth/AadHealthMenuBlade/SyncServicesList

Uninstall Azure Azure AD Connect

The last steps that you want to take care of on the old Azure AD Connect server are:

  • Uninstall Azure AD Connect
  • Remove old AD DS Connector account
  • Remove old Azure AD Connector account

You can also shut down the old Azure AD Connect server for a couple of days just in case or disable the Azure AD Connect services. Then, after everything works as you expect, uninstall Azure AD Connect.

Handy PowerShell commands :

# Start Sync cycles
Start-ADSyncSyncCycle -PolicyType Delta
Start-ADSyncSyncCycle -PolicyType Initial

# This command value determines the actual installed Azure AD Connect version.
# Version can be found in Microsoft.Synchronize.ServerConfigurationVersion 2.1.15.0

(Get-ADSyncGlobalSettings).Parameters | select Name,Value

# AAD connect autoupgrade setting check 
Get-ADSyncAutoUpgrade

# set upgrade to enabled
Set-ADSyncAutoUpgrade -AutoUpgradeState Enabled

Documentation :

AAD connect version history
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history

Latest version
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history#20280

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history#21200

Azure AD Connect: Automatic upgrade & Troubleshooting
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-automatic-upgrade

https://aka.ms/aadconnectrss into your RSS reader

Leave a Reply

Your email address will not be published. Required fields are marked *