Jerry Seinfield asked:
Azure AD Connect upgrade best practices and things to avoid

Hello Experts,


As you may know, Microsoft is deprecating the Azure AD Connect 1.x versions on 8/31/22, as these versions contain legacy SQL Server 2012.


https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-upgrade-previous-version

https://azure.microsoft.com/en-us/updates/action-required-upgrade-to-the-latest-version-of-azure-ad-connect-before-31-august-2022/


Can someone please share best practices and the pros/cons of your experience running this upgrade? Things to avoid, a checklist, high-level steps, something that can be used to build a plan for this upgrade.

M A:

Make sure the ADConnect version is at least 2.1.1.0.
https://www.microsoft.com/en-us/download/details.aspx?id=47594
Create an OU in AD and exclude that OU from syncing.
Azure-ad-connect-8211-excluding-organizational-units-syncing?forum=winserverDS
Windows Server 2012 and Windows Server 2012 R2 are no longer supported for ADConnect.
Enable TLS 1.2 if not enabled as TLS1.1 is not supported.

Please find the article on how to upgrade to 2.x:
https://www.alitajran.com/upgrade-azure-ad-connect-to-v2/ 
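The prerequisites listed above (minimum version 2.1.1.0, no Windows Server 2012/2012 R2, TLS 1.2 enabled) can be checked before touching the server. The following is an added pre-upgrade check script, not code from the thread or from Microsoft; the Schannel and .NET registry locations are the documented TLS 1.2 settings, while the miiserver.exe path is assumed to be the default install location of the sync engine. Run it in an elevated PowerShell session on the Azure AD Connect server.

```powershell
# Added example (not from the thread): pre-upgrade prerequisite checks for Azure AD Connect.
$MinimumVersion = [version]'2.1.1.0'   # minimum version named in the thread

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: treated as "not configured"
}

function Test-Tls12Prerequisites {
    $findings = @()
    # Schannel: TLS 1.2 must be enabled and not disabled-by-default for both roles.
    foreach ($role in 'Client', 'Server') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\$role"
        $enabled  = Get-RegValue $key 'Enabled'
        $disabled = Get-RegValue $key 'DisabledByDefault'
        $findings += [pscustomobject]@{
            Check  = "Schannel TLS 1.2 $role"
            Ok     = ($enabled -eq 1) -and ($disabled -eq 0)
            Detail = "Enabled=$enabled DisabledByDefault=$disabled"
        }
    }
    # .NET Framework: use OS default protocols and strong crypto (64-bit and 32-bit hives).
    foreach ($hive in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                      'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        foreach ($name in 'SystemDefaultTlsVersions', 'SchUseStrongCrypto') {
            $v = Get-RegValue $hive $name
            $findings += [pscustomobject]@{ Check = "$name ($hive)"; Ok = ($v -eq 1); Detail = "Value=$v" }
        }
    }
    $findings
}

function Test-SupportedOS {
    # Windows Server 2012 R2 is version 6.3; Server 2016 and later report 10.0.
    $os = Get-CimInstance Win32_OperatingSystem
    $v  = [version]$os.Version
    [pscustomobject]@{ Check = 'Supported OS'; Ok = ($v.Major -ge 10); Detail = "$($os.Caption) ($v)" }
}

function Test-ADConnectVersion {
    # Assumed default install location of the sync engine binary.
    $exe = Join-Path $env:ProgramFiles 'Microsoft Azure AD Sync\Bin\miiserver.exe'
    if (-not (Test-Path $exe)) {
        return [pscustomobject]@{ Check = 'ADConnect version'; Ok = $false; Detail = "$exe not found" }
    }
    try   { $v = [version](Get-Item $exe).VersionInfo.FileVersion }
    catch { return [pscustomobject]@{ Check = 'ADConnect version'; Ok = $false; Detail = 'Unparseable file version' } }
    [pscustomobject]@{ Check = 'ADConnect version'; Ok = ($v -ge $MinimumVersion); Detail = "Installed=$v Minimum=$MinimumVersion" }
}

$results = @(Test-Tls12Prerequisites) + @(Test-SupportedOS) + @(Test-ADConnectVersion)
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) { Write-Warning 'Fix the failed checks before running the upgrade.' }
```

A failed Schannel or .NET row means the installer's outbound TLS connections may fail exactly as the thread warns; fix those values (and reboot) before starting the upgrade rather than discovering it half-way through.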
The upgrade was painless when I ran it. TLS 1.2 was already enabled on the server so the installation just completed without errors.

You could export your AD Connect settings before the upgrade as a backup. Then if you did run into problems with the upgrade, you could just uninstall AD Connect completely, do a clean installation and import the settings.
The best way to upgrade is to keep the existing server as it is, and install a new server in "staging mode".

- Export the settings from the existing server.
- Install the new ADConnect on a new server indicating that you are using the exported configuration.
- At the end of this installation, stay in "staging mode".
- Verify that all rules are well applied in the same way as on the source.
- Verify that the number of each kind of object in the Metaverse Search is nearly identical (number of users, groups and computers).
- If the numbers are correct, switch the old server to staging mode.
- Then switch the new server in production mode.

If you have alerts during export (for example, bad order/number of rules) or import, change the configuration on the source until all is OK.
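The two verification steps above (same rules on both servers, near-identical object counts) can be scripted so that the comparison is repeatable and recorded. The following is an added example, not code from the thread: it takes a JSON snapshot of the scheduler state, sync rules and per-connector object counts on each server, and a compare function that fails if the rules differ, if the counts differ by more than a tolerance, or if the staging flags are not what this step expects. It assumes the ADSync PowerShell module that ships with Azure AD Connect; Get-ADSyncConnectorStatistics is assumed to expose a TotalConnectors count.

```powershell
# Added example (not from the thread): snapshot and compare two Azure AD Connect servers.
Import-Module ADSync -ErrorAction Stop

function Export-ADConnectSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    $scheduler = Get-ADSyncScheduler
    $rules = Get-ADSyncSyncRule |
        Select-Object Name, Direction, Precedence, Disabled |
        Sort-Object Precedence
    $connectors = foreach ($c in Get-ADSyncConnector) {
        # Assumption: TotalConnectors is the number of objects in that connector space.
        $stats = Get-ADSyncConnectorStatistics -ConnectorName $c.Name
        [pscustomobject]@{ Name = $c.Name; Objects = [int]$stats.TotalConnectors }
    }
    $snapshot = [pscustomobject]@{
        Server     = $env:COMPUTERNAME
        TakenAt    = (Get-Date).ToString('o')
        Staging    = [bool]$scheduler.StagingModeEnabled
        SyncCycle  = [bool]$scheduler.SyncCycleEnabled
        Rules      = @($rules)
        Connectors = @($connectors)
    }
    $snapshot | ConvertTo-Json -Depth 5 | Set-Content -Path $Path -Encoding UTF8
    $snapshot
}

function Compare-ADConnectSnapshot {
    param(
        [Parameter(Mandatory)][string]$OldPath,   # snapshot from the current production server
        [Parameter(Mandatory)][string]$NewPath,   # snapshot from the new staging server
        [double]$TolerancePercent = 1.0           # "nearly identical" counts
    )
    $old = Get-Content $OldPath -Raw | ConvertFrom-Json
    $new = Get-Content $NewPath -Raw | ConvertFrom-Json
    $problems = @()

    # At this step the new server must still be staging and the old one still active.
    if (-not $new.Staging) { $problems += "New server $($new.Server) is NOT in staging mode." }
    if ($old.Staging)      { $problems += "Old server $($old.Server) is already in staging mode." }

    # Rules must match by name, direction, precedence and enabled/disabled state.
    $key = { "$($_.Name)|$($_.Direction)|$($_.Precedence)|$($_.Disabled)" }
    $oldRules = @($old.Rules | ForEach-Object $key)
    $newRules = @($new.Rules | ForEach-Object $key)
    if ($oldRules.Count -eq 0 -or $newRules.Count -eq 0) {
        $problems += 'One of the snapshots contains no sync rules.'
    } else {
        foreach ($d in Compare-Object $oldRules $newRules) {
            $where = if ($d.SideIndicator -eq '<=') { 'only on old' } else { 'only on new' }
            $problems += "Rule ${where}: $($d.InputObject)"
        }
    }

    # Object counts per connector must be within tolerance.
    foreach ($oc in $old.Connectors) {
        $nc = $new.Connectors | Where-Object Name -eq $oc.Name
        if (-not $nc) { $problems += "Connector missing on new server: $($oc.Name)"; continue }
        $delta = [math]::Abs($nc.Objects - $oc.Objects)
        $limit = [math]::Ceiling($oc.Objects * $TolerancePercent / 100)
        if ($delta -gt $limit) {
            $problems += "Connector $($oc.Name): old=$($oc.Objects) new=$($nc.Objects) (delta $delta exceeds $limit)"
        }
    }

    if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; return $false }
    Write-Host 'Snapshots match: safe to swap staging/production.'
    $true
}

# Usage: on each server, Export-ADConnectSnapshot -Path C:\Temp\<server>.json
# then, on either: Compare-ADConnectSnapshot -OldPath .\old.json -NewPath .\new.json
```

Keep both JSON files with the change record; if the swap has to be rolled back later, the old snapshot shows exactly what the production server looked like before the change.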
Jerry Seinfield (asker):
Thanks Deman,

How can you export configuration from current server and import onto new one?
Depending on the version of ADConnect, that you have, the export configuration (link) could be found in the "View configuration". (Using the ADConnect admin link that should be on the desktop).

If your version is too old, you can download the PowerShell script from Microsoft:
How to import and export Azure AD Connect configuration settings - Microsoft Entra | Microsoft Docs 
(Curious, I don't see the link anymore on this link).

Another solution to find the script is to find it on a new installation of ADConnect.
=> It can be installed without configuring it!
Deman brings up a point which I missed: you can keep the existing ADConnect running in staging mode.
Once your new instance has started working fine, you can switch the server to production.
I recommend stopping the services on the old server for a day or two. Then decommission it.
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-uninstall

By default, the settings are exported to C:\ProgramData\AADConnect.
how-to-connect-import-export-config#export-azure-ad-connect-settings
At least, don't remove ADConnect immediately.

It can allow you to rollback if things are very bad with the new server.
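The two posts above agree on the same safety margin: leave the old server installed, stop it for a few days, and only then uninstall. The following is an added example, not code from the thread, that idles the old server reversibly instead of uninstalling it: it refuses to run unless the server is already in staging mode (the switch itself is done in the Azure AD Connect wizard, not by this script), disables the sync cycle, stops the ADSync service and sets it to manual start so a reboot does not silently resume it. The restore function reverses those steps for a rollback. It assumes the ADSync module and the ADSync Windows service name.

```powershell
# Added example (not from the thread): reversible idling of the old Azure AD Connect server.
Import-Module ADSync -ErrorAction Stop

function Disable-OldADConnectServer {
    $s = Get-ADSyncScheduler
    if (-not $s.StagingModeEnabled) {
        # Refuse to stop an active server: that would break the swing migration ordering above.
        throw 'This server is not in staging mode. Switch it to staging in the wizard first.'
    }
    # Scheduler settings must be changed while the service is still running.
    Set-ADSyncScheduler -SyncCycleEnabled $false
    Stop-Service -Name ADSync -ErrorAction Stop
    Set-Service -Name ADSync -StartupType Manual   # will not auto-start after a reboot
    [pscustomobject]@{
        Server           = $env:COMPUTERNAME
        SyncCycleEnabled = $false
        ServiceStatus    = (Get-Service -Name ADSync).Status
        IdledAt          = (Get-Date).ToString('o')
    }
}

function Restore-OldADConnectServer {
    # Rollback path: bring the service back first, then re-enable the scheduler.
    Set-Service -Name ADSync -StartupType Automatic
    Start-Service -Name ADSync -ErrorAction Stop
    Set-ADSyncScheduler -SyncCycleEnabled $true
    $s = Get-ADSyncScheduler
    [pscustomobject]@{
        Server           = $env:COMPUTERNAME
        StagingMode      = $s.StagingModeEnabled   # still staging until changed in the wizard
        SyncCycleEnabled = $s.SyncCycleEnabled
        ServiceStatus    = (Get-Service -Name ADSync).Status
        RestoredAt       = (Get-Date).ToString('o')
    }
}

# Usage: Disable-OldADConnectServer | ConvertTo-Json   (keep the output with the change record)
#        Restore-OldADConnectServer                     (only if the new server has to be abandoned)
```

After the idle period the uninstall link posted above applies; until then the old server can be brought back within minutes, which is the whole point of not removing it immediately.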
Thank you all for the comments, but I still have a doubt here.

Since we are upgrading from Azure AD Connect 1.x to version 2.x, is it valid to add a second server running Azure AD Connect version 2.x in staging mode while the old server is running?
"Since we are upgrading from Azure AD Connect 1.x to version 2.x, is it valid to add a second server running Azure AD Connect version 2.x  in staging mode while old server is running?"

Yes, it's perfectly valid. It's called a "swing migration" and is a valid way of migrating to a new version of Azure AD Connect.

More information here:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-upgrade-previous-version
ASKER CERTIFIED SOLUTION: DEMAN-BARCELO (MVP) Thierry