State of California Azure AD Connect Upgrade & Support Documentation
Prepared for State of California (OTECH)
Prepared by Demetri Wilright, PFE
11/27/2017
Version 4 Draft
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,
without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering
subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, our
provision of this document does not give you any license to these patents, trademarks, copyrights, or other
intellectual property.
The descriptions of other companies’ products in this document, if any, are provided only as a convenience to
you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot
guarantee their accuracy, and the products may change over time. Also, the descriptions are intended as brief
highlights to aid understanding, rather than as thorough coverage. For authoritative descriptions of these products,
please consult their respective manufacturers.
© 2014 Microsoft Corporation. All rights reserved. Any use or distribution of these materials without express
authorization of Microsoft Corp. is strictly prohibited.
Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
State of California Azure AD Connect Upgrade & Support Documentation, [Type Subject Here], Version 4, Draft
Prepared by Demetri Wilright
"State-of-California-Azure-AD-Connect-Upgrade-Configuration-v4.docx", Template Version 4
Revision and Signoff Sheet
Change Record
Date Author Version Change Reference
11/3/17 Demetri Wilright 1 Initial draft for review/discussion
11/10/17 Demetri Wilright 4 Updated with new backup and restore steps
Reviewers
Name Version Approved Position Date
Table of Contents
Summary of California AAD Connect Upgrade
  Summary
Prepare Target Environment
  Organizational Unit
  Service Account
  Configure Connectivity
    Tools
    Network Port Requirements
      Verification
      Sample Firewall Configuration
    DNS Resolution
      Verification
Prepare 057D Environment
  Attribute Selection
    Available attributes
  Attribute Value
  Verification
Install New Azure AD Connect Server
  Disable the scheduled task and Backup Old Azure AD Configuration
  Restore Configuration to New AAD Connect Server
Configure the new AAD Connect Server
  Create Custom Sync Schedule
    Sample Scheduled Task Script
Configure the Synchronization Error Threshold
Verify and switch to the active AAD Connect server
  Verify the new AAD Connect Server
    CSAnalyzer Script
  Disable the scheduled task on the old AAD Connect Server
  Set the new AAD Connect Server to Active
    Execute the First Sync Cycle
Upgrade the old AAD Connect Server
  Upgrade old AAD Connect Server steps
Future Upgrades
  Future Upgrades Steps
Recovery
  Restore
    Restore Steps
Summary of California AAD Connect Upgrade
All agencies in the State of California have a custom deployment of Azure AD Connect, designed by Microsoft Consulting Services (MCS) to meet the customer's need for a statewide Global Address List (GAL). This was part of a larger project that migrated all state agencies from either the Office 365 Dedicated cloud or a shared Exchange on-premises email environment, where they also had a FIM/MIM-based GAL.
To achieve this with each agency having its own Office 365 tenant in the Government Community Cloud, MCS designed and deployed a highly customized Azure AD Connect configuration. That configuration is deployed by following the document State of California GAL Synchronization Configuration & Support Documentation. This document provides the configuration for the Azure AD Connect upgrade, starting with the section Prepare Target Environment. Below is a summary of the overall AAD Connect configuration.
Summary:
• 2 Azure AD Connect servers
  o One is placed in staging mode (old build) and one is the active connector (latest build)
• Local AD and Azure AD Connectors are added like any other AAD Connect installation
• There is one Connector, “NewGAL Sync”, added via the restore process documented later
  o The Connectors are just two different OUs in the same Active Directory forest (cashared.ca.gov)
  o The “LegacyGAL Sync” Connector should already be removed by the time this upgrade is implemented
    ▪ This assumes all Agency objects are present in “NewGAL Sync”
• There are custom sync rules to:
  o Flow AuthoritativeNull for the Users' TargetAddress attribute.
  o Set the value of a custom Metaverse attribute (created on pg. 34) called CustomMailNickName for Group objects and User objects.
  o Import all Contacts from NewGAL Sync, while filtering out the Agency's own Contact objects, which are not needed in its own tenant. Other Agencies' Group objects are also filtered out.
  o Import all Contacts from LegacyGAL Sync, while filtering out the Agency's own Contact objects, which are not needed in its own tenant.
  o Export the Agency's User objects to NewGAL Sync as Contact objects.
  o Export the Agency's Group objects to NewGAL Sync.
• There is also a sample of the PowerShell script that is run by a Windows Scheduled Task every 30 minutes. This task replaces the built-in sync scheduler in AAD Connect. This method is used because the Connectors must be synced in the order in which they appear in the sample script.
• The BEST and first troubleshooting step is to make sure the customer's AAD Connect configuration matches this document: that it was not deployed from an earlier version of the document where changes have since been made, and that the admin at the customer site did not “tweak” anything.
Prepare Target Environment
Organizational Unit
Each agency must have a unique OU configured in the target environment's (CA Shared) Active Directory. The current structure is:
OU=<department>,OU=SharedGAL,DC=cashared,DC=ca,DC=gov
Service Account
Each agency must have credentials with appropriate permissions to write their new objects to this OU.
Configure Connectivity
The GAL synchronization process requires DNS resolution for the cashared.ca.gov environment and network access to the domain controllers in cashared.ca.gov.
Tools
• PsPing - https://technet.microsoft.com/en-us/sysinternals/psping.aspx
• Telnet (run Install-WindowsFeature TelnetClient from an elevated PowerShell prompt)
Network Port Requirements
Configure access on TCP/UDP ports 53, 135, 389, 445, 636, and 3268 from both the AAD Connect server and the domain controller that AAD Connect uses as its primary DNS server to the servers in cashared.ca.gov.
Verification
AAD Connect Server
1. Open an elevated PowerShell prompt.
2. Run one of the following commands in the elevated prompt:
   telnet 100.124.2.132 389
   or
   psping 100.124.2.132:389
3. Repeat for ports 135, 445, 636, and 3268.
Domain Controller
1. Open an elevated PowerShell prompt.
2. Run one of the following commands in the elevated prompt:
telnet 100.124.2.132 53
or
psping 100.124.2.132:53
Note: Both TCP and UDP ports are required; telnet and psping can only test TCP.
Sample Firewall Configuration
The following firewall configuration sample is similar to what can be used on a Cisco ASA firewall. Replace the placeholders as follows:
<PAT IP ADDRESS> - the IP address that the Agency wants to use for PAT
<AADCONNECT-SERVER-IP> - IP address of the AAD Connect server
<AADCONNECT-DC-IP> - IP address of the DC that AAD Connect uses for primary DNS
<OTECH ROUTER OR FIREWALL ADDRESS> - IP address of the firewall/router on OTech's side

object network AGENCYPAT
 host <PAT IP ADDRESS>
! the two agency hosts that must reach CA Shared form a group, not a single object
object-group network AGENCY-AZURE
 network-object host <AADCONNECT-SERVER-IP>
 network-object host <AADCONNECT-DC-IP>
object network OTECH-ENDPOINT
 host <OTECH ROUTER OR FIREWALL ADDRESS>
! one network-object host entry per cashared.ca.gov server that must be reachable
object-group network CASHARED-GAL
 network-object host 100.124.2.132
access-list outside_nat0_outbound extended permit ip object-group AGENCY-AZURE object-group CASHARED-GAL
access-list outside_nat0_outbound_1 extended permit ip object-group CASHARED-GAL object-group AGENCY-AZURE
access-list outside_cryptomap extended permit ip object OTECH-ENDPOINT object-group CASHARED-GAL
nat (inside,Outside) source static AGENCYPAT OTECH-ENDPOINT destination static CASHARED-GAL CASHARED-GAL
nat (inside,Outside) source dynamic AGENCY-AZURE OTECH-ENDPOINT destination static CASHARED-GAL CASHARED-GAL
DNS Resolution
Configure the domain controller that AAD Connect uses as its primary DNS server with a conditional forwarder zone.
1. Log into the domain controller.
2. Launch an elevated PowerShell prompt.
3. Run the following commands in the elevated prompt:
$DnsServers = @('100.124.2.132','100.124.2.133','100.124.2.134')
Add-DnsServerConditionalForwarderZone -MasterServers $DnsServers -Name cashared.ca.gov
Verification
1. From the AAD Connect server, open a PowerShell prompt.
2. Run the following command in the prompt:
PS C:\> nslookup -q=srv _ldap._tcp.cashared.ca.gov
The expected result is similar to the following:
Server:  agencydc.ca.gov
Address:  10.1.1.1

_ldap._tcp.forestc.com  SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = mcashdc1.cashared.ca.gov
mcashdc1.cashared.ca.gov        internet address = 100.124.2.132
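The port checks above test one port at a time with telnet or psping and the DNS check is a separate nslookup. The script below is an added example, not part of this document, that runs the whole pre-flight from one prompt (run it on both the AAD Connect server and its primary-DNS domain controller); it assumes Test-NetConnection and Resolve-DnsName are available (Windows Server 2012 R2 or later) and takes the server list and port list from this document.

```powershell
# Added example (not from the original document): one-pass connectivity and DNS
# pre-flight for the GAL sync path. Server and port lists come from this document.
$CaSharedServers  = @('100.124.2.132', '100.124.2.133', '100.124.2.134')
$RequiredTcpPorts = @(53, 135, 389, 445, 636, 3268)

function Test-GalSyncConnectivity {
    param(
        [string[]]$Servers = $CaSharedServers,
        [int[]]$Ports      = $RequiredTcpPorts
    )
    $results = foreach ($server in $Servers) {
        foreach ($port in $Ports) {
            # Like telnet and psping, Test-NetConnection only exercises TCP; UDP 53
            # is proven separately by the SRV query in Test-GalSyncDns.
            $open = Test-NetConnection -ComputerName $server -Port $port `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{ Server = $server; Port = $port; TcpOpen = [bool]$open }
        }
    }
    return $results
}

function Test-GalSyncDns {
    param([string]$Zone = 'cashared.ca.gov')
    # AAD Connect locates a DC through this SRV record, so a successful answer
    # proves the conditional forwarder on the DC and DNS reachability at once.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.$Zone" -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    } catch {
        return [pscustomobject]@{ Zone = $Zone; Resolved = $false; Targets = @() }
    }
    [pscustomobject]@{
        Zone     = $Zone
        Resolved = ($srv.Count -gt 0)
        Targets  = @($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" })
    }
}

$portReport = Test-GalSyncConnectivity
$portReport | Format-Table -AutoSize
$blocked = $portReport | Where-Object { -not $_.TcpOpen }
if ($blocked) {
    $list = ($blocked | ForEach-Object { "$($_.Server):$($_.Port)" }) -join ', '
    Write-Warning "Blocked TCP paths (check the firewall rules in the next section): $list"
}
Test-GalSyncDns | Format-List
```

A blocked entry for a single server but not the others usually means the CASHARED-GAL object group on the agency firewall is missing that host.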
Prepare 057D Environment
An agency participating in the statewide GAL needs to filter out objects belonging to their own
domain(s) (since they will be contributing those objects to the SharedGAL container) as well as
objects from 057D for other agencies that are being synchronized into the SharedGAL container.
Prior to deploying GALSync, an attribute needs to be set in the on-premises Active Directory so
that MMSSPP sync can replicate the value to 057D, which will then get synchronized into the
LegacyGAL OU in the CA Shared environment.
Attribute Selection
Each agency will need to select and populate an attribute that will be used for filtering. The following attributes have been identified as available for use. Each agency must identify and use a single, consistent attribute across its own agency.
Note: extensionAttribute13 is not available because of an existing constant mapping inside the existing GALSync solution.
Available attributes
▪ extensionAttribute10
▪ extensionAttribute11
▪ extensionAttribute12
▪ extensionAttribute14
▪ extensionAttribute15
Attribute Value
Once an attribute has been identified, populate the attribute for all objects synchronized to
CES/057D via MMSSPP with the value
MigratedFromCES
Verification
To verify that the values have been synchronized, please check an in-scope object in CES either
via the CES Portal or PowerShell to the Exchange Dedicated endpoint
(https://mail.ces.ca.gov/PowerShell).
Note: Once all agencies have been migrated, this attribute will no longer need to be populated.
Install New Azure AD Connect Server
Disable the scheduled task and Backup Old Azure AD Configuration
1. Open the configuration wizard on your old Azure AD Connect (AAD) server.
2. On the old AAD Connect server, stop the scheduled task.
   a. This task was created in the State of California GAL Synchronization Configuration & Support Documentation, in the Create Custom Sync Schedule section.
3. Launch an elevated PowerShell session.
4. Run: Import-Module ADSync
5. Run: mkdir C:\Backup
6. Run: Get-ADSyncServerConfiguration -Path C:\Backup
7. Zip up the C:\Backup folder and keep a copy off the server (email it to yourself, save it to OneDrive, etc.).
   a. This only needs to be performed during the first upgrade.
8. Upon completion of the backup, re-enable the scheduled task on your old AAD Connect server.
Restore Configuration to New AAD Connect Server
1. Rebuild the AAD Connect server using Express Settings; use credentials for connectivity to the on-premises forest and AAD, but clear the “Synchronize Now” checkbox.
   a. For AAD Connect versions after 1.1.524.0, Express Settings changes the AD attribute used for SourceAnchor to ms-DS-ConsistencyGUID. Be sure the Agency account used by the AD Connector has permission to write the ms-DS-ConsistencyGUID attribute on all synced User objects.
      i. For more information on this change see the following document
2. Log into the Office 365 portal, locate the sync service account, and reset its password.
3. Copy/extract the AAD Connect backup ZIP file to C:\Backup.
4. From inside Synchronization Service Manager, delete the AD and AAD Connectors.
5. Launch an elevated PowerShell session.
6. Run: Import-Module ADSync
7. Run: Set-ADSyncServerConfiguration -Path C:\Backup
Configure the new AAD Connect Server
Follow the instructions in the State of California GAL Synchronization Configuration & Support Documentation from the Prepare AAD Connect Server section, and stop at the Create Custom Sync Schedule section.
Create Custom Sync Schedule
1. Disable the default AAD Connect synchronization schedule.
   a. Launch an elevated PowerShell prompt.
   b. Run Import-Module ADSync
   c. Run Set-ADSyncScheduler -SyncCycleEnabled $False
2. Create a new scheduled task to call each of the required run profiles for the AD, AAD, and New GALSync connectors. The scheduled task should be configured to execute every 30 minutes using an account that is a member of both the AADSync Admins group and the local Administrators group.
3. Replace the value after -ConnectorName with the connector name as it is displayed in the AAD Connect Synchronization Service Manager. It is cAsE sENsItIvE.
4. The values for -RunProfileName must exactly match one of the values specified in the run profile configuration for the connector. They are cAsE sENsItIvE.
5. Make sure the scheduled task is disabled on the new server; it is enabled later, in the Set the new AAD Connect Server to Active section.
Sample Scheduled Task Script
Note: This sample script has Legacy GALSync removed; do not use the script from the State of California GAL Synchronization Configuration & Support Documentation, Create Custom Sync Schedule section.
Import-Module ADSync
# Connector names below are placeholders; replace them with the names shown in
# Synchronization Service Manager (case sensitive). Keep the order: all imports,
# then all synchronizations, then all exports.
Invoke-ADSyncRunProfile -ConnectorName "activedirectory.com" -RunProfileName "Delta Import"
Invoke-ADSyncRunProfile -ConnectorName "tenant.onmicrosoft.com - AAD" -RunProfileName "Delta Import"
Invoke-ADSyncRunProfile -ConnectorName "New GALSync" -RunProfileName "Delta Import"
Invoke-ADSyncRunProfile -ConnectorName "activedirectory.com" -RunProfileName "Delta Synchronization"
Invoke-ADSyncRunProfile -ConnectorName "tenant.onmicrosoft.com - AAD" -RunProfileName "Delta Synchronization"
Invoke-ADSyncRunProfile -ConnectorName "New GALSync" -RunProfileName "Delta Synchronization"
Invoke-ADSyncRunProfile -ConnectorName "tenant.onmicrosoft.com - AAD" -RunProfileName "Export"
Invoke-ADSyncRunProfile -ConnectorName "activedirectory.com" -RunProfileName "Export"
Invoke-ADSyncRunProfile -ConnectorName "New GALSync" -RunProfileName "Export"
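The Create Custom Sync Schedule steps describe the scheduled task (every 30 minutes, a member of the AAD Connect admins group and local Administrators, left disabled on the new server) but give no commands for creating it. The following is an added example, not from this document, that registers such a task with the ScheduledTasks module; it assumes the sample script above has been saved as C:\Scripts\Invoke-GalSyncCycle.ps1 (a hypothetical path) and that the account entered at the credential prompt is the sync service account.

```powershell
# Added example (not from the original document): registers the 30-minute sync task
# and leaves it disabled, as step 5 of Create Custom Sync Schedule requires.
$TaskName   = 'AAD Connect GAL Sync Cycle'
$ScriptPath = 'C:\Scripts\Invoke-GalSyncCycle.ps1'   # hypothetical; adjust to your location

# The task runs elevated as the sync account, so anyone who can edit the script file
# runs code with those rights. Refuse to register if non-admins can write the folder.
$scriptDir = Split-Path -Path $ScriptPath -Parent
$acl = Get-Acl -Path $scriptDir
$writers = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.FileSystemRights -match 'Write|Modify|FullControl' -and
    $_.IdentityReference -notmatch 'Administrators|SYSTEM|TrustedInstaller|CREATOR OWNER'
}
if ($writers) {
    throw "Non-administrators can modify ${scriptDir}: $($writers.IdentityReference -join ', ')"
}

$cred = Get-Credential -Message 'Sync service account (AAD Connect admins group + local Administrators)'

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
            -Argument "-NoProfile -NonInteractive -File `"$ScriptPath`""

# -Once plus a repetition interval is the portable way to express "every 30 minutes";
# a long fixed RepetitionDuration avoids the TimeSpan.MaxValue quirk on older builds.
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Date `
             -RepetitionInterval (New-TimeSpan -Minutes 30) `
             -RepetitionDuration (New-TimeSpan -Days 3650)

# IgnoreNew stops a second cycle from starting while the previous one is still
# walking the connectors, which would break the import/sync/export ordering.
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
              -ExecutionTimeLimit (New-TimeSpan -Hours 2) -StartWhenAvailable

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Settings $settings -RunLevel Highest `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password | Out-Null

# Step 5: keep the task disabled until the new server is switched to active.
Disable-ScheduledTask -TaskName $TaskName | Out-Null
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
```

The Register-ScheduledTask call with -User and -Password creates the task to run whether the account is logged on or not, which is what an unattended sync cycle needs.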
Configure the Synchronization Error Threshold
Since objects with overlapping SMTP values exist in the LegacyGAL OU, it is possible that during the first few runs after an agency has been configured for GAL there will be a significant number of errors until all objects have been updated in MMSSPP, the OTech GALSync, and CAShared. To work around this, configure the following registry value:
Path:  HKLM\SYSTEM\CurrentControlSet\Services\ADSync\Parameters
Name:  ErrorLimit
Type:  REG_DWORD
Value: 100000 (decimal) or 186a0 (hexadecimal)
After setting this value, restart the Microsoft Azure AD Sync service.
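The registry value above is a temporary workaround for the first few runs. The following is an added example, not from this document, that applies it from an elevated PowerShell prompt on the AAD Connect server, records the previous value, and provides a matching function to remove the override once the initial runs have settled; it assumes the sync service's service name is ADSync (the name under which its Parameters key sits).

```powershell
# Added example (not from the original document): set and later clear the
# ErrorLimit override from the Configure the Synchronization Error Threshold section.
$ParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\ADSync\Parameters'

function Set-AdSyncErrorLimit {
    param([int]$Limit = 100000)   # decimal 100000 == hex 186a0, as in the document
    if (-not (Test-Path -Path $ParamsKey)) { New-Item -Path $ParamsKey -Force | Out-Null }
    $before = (Get-ItemProperty -Path $ParamsKey -Name ErrorLimit -ErrorAction SilentlyContinue).ErrorLimit
    # REG_DWORD; -Force overwrites an existing value instead of failing
    New-ItemProperty -Path $ParamsKey -Name ErrorLimit -PropertyType DWord -Value $Limit -Force | Out-Null
    # The service only reads the value at startup
    Restart-Service -Name ADSync -Force
    [pscustomobject]@{
        Previous = $before
        Current  = (Get-ItemProperty -Path $ParamsKey -Name ErrorLimit).ErrorLimit
    }
}

function Remove-AdSyncErrorLimit {
    # Removing the override returns the service to its built-in threshold, so a
    # sustained burst of export errors is surfaced again rather than absorbed.
    if (Get-ItemProperty -Path $ParamsKey -Name ErrorLimit -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $ParamsKey -Name ErrorLimit
        Restart-Service -Name ADSync -Force
        return $true
    }
    return $false
}

Set-AdSyncErrorLimit
```

Run Remove-AdSyncErrorLimit once the first cycles complete without the overlap errors described above, so the raised limit does not outlive the migration it was meant for.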
Verify and switch to the active AAD Connect server
Verify the new AAD Connect Server
The steps below compare what is imported and synchronized in the new AAD Connect database against what is currently in Azure AD. In processedusers1.csv you should not see a lot of changes.
1. Synchronize your old AAD Connect server.
2. Synchronize your new AAD Connect server:
   a. Select Connectors, and select the first Connector with the type Active Directory Domain Services. Click Run, select Full import, and OK. Do these steps for all Connectors of this type.
   b. Select the Connector with type Azure Active Directory (Microsoft). Click Run, select Full import, and OK.
   c. Make sure the Connectors tab is still selected. For each Connector with type Active Directory Domain Services, click Run, select Full Synchronization, and OK.
   d. Select the Connector with type Azure Active Directory (Microsoft). Click Run, select Full Synchronization, and OK.
3. Start a cmd prompt and go to %ProgramFiles%\Microsoft Azure AD Sync\bin
4. Run: csexport "Name of Connector" %temp%\export.xml /f:x
   a. The name of the Connector can be found in Synchronization Service. It has a name similar to "contoso.com - AAD" for Azure AD.
5. Copy the PowerShell script from the CSAnalyzer section to a file named csanalyzer.ps1.
6. Open a PowerShell window and browse to the folder where you created the PowerShell script.
7. Run: .\csanalyzer.ps1 -xmltoimport %temp%\export.xml
8. You now have files named processedusers(X).csv, where (X) is a sequential number (the Analyzer creates a new file for every thousand entries), that can be examined in Microsoft Excel. All changes staged to be exported to Azure AD are found in these files.
9. Make the necessary changes to the data or configuration and run these steps again (Import, Synchronize, and Verify) until the changes that are about to be exported are the expected ones.
CSAnalyzer Script
An easier-to-copy version of the script found at:
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-operations
Param(
    [Parameter(Mandatory=$true, HelpMessage="Must be a file generated using csexport 'Name of Connector' export.xml /f:x)")]
    [string]$xmltoimport="%temp%\exportedStage1a.xml",
    [Parameter(Mandatory=$false, HelpMessage="Maximum number of users per output file")][int]$batchsize=1000,
    [Parameter(Mandatory=$false, HelpMessage="Show console output")][bool]$showOutput=$false
)
#LINQ isn't loaded automatically, so force it
[Reflection.Assembly]::Load("System.Xml.Linq, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089") | Out-Null
[int]$count=1
[int]$outputfilecount=1
[array]$objOutputUsers=@()
#XML must be generated using "csexport "Name of Connector" export.xml /f:x"
write-host "Importing XML" -ForegroundColor Yellow
#XmlReader.Create won't properly resolve the file location,
#so expand and then resolve it
$resolvedXMLtoimport=Resolve-Path -Path ([Environment]::ExpandEnvironmentVariables($xmltoimport))
#use an XmlReader to deal with even large files
$result=$reader = [System.Xml.XmlReader]::Create($resolvedXMLtoimport)
$result=$reader.ReadToDescendant('cs-object')
do
{
    #create the object placeholder
    #adding them up here means we can enforce consistency
    $objOutputUser=New-Object psobject
    Add-Member -InputObject $objOutputUser -MemberType NoteProperty -Name ID -Value ""
    Add-Member -InputObject $objOutputUser -MemberType NoteProperty -Name Type -Value ""
    Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name DN -Value ""
    Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name operation -Value ""
    Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name UPN -Value ""
    Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name displayName -Value ""
    Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name sourceAnchor -Value ""
    Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name alias -Value ""
    Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name primarySMTP -Value ""
    Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name onPremisesSamAccountName -Value ""
    Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name mail -Value ""
    $user = [System.Xml.Linq.XElement]::ReadFrom($reader)
    if ($showOutput) {Write-Host Found an exported object... -ForegroundColor Green}
    #object id
    $outID=$user.Attribute('id').Value
    if ($showOutput) {Write-Host ID: $outID}
    $objOutputUser.ID=$outID
    #object type
    $outType=$user.Attribute('object-type').Value
    if ($showOutput) {Write-Host Type: $outType}
    $objOutputUser.Type=$outType
    #dn
    $outDN= $user.Element('unapplied-export').Element('delta').Attribute('dn').Value
    if ($showOutput) {Write-Host DN: $outDN}
    $objOutputUser.DN=$outDN
    #operation
    $outOperation= $user.Element('unapplied-export').Element('delta').Attribute('operation').Value
    if ($showOutput) {Write-Host Operation: $outOperation}
    $objOutputUser.operation=$outOperation
    #now that we have the basics, go get the details
    foreach ($attr in $user.Element('unapplied-export-hologram').Element('entry').Elements("attr"))
    {
        $attrvalue=$attr.Attribute('name').Value
        $internalvalue= $attr.Element('value').Value
        switch ($attrvalue)
        {
            "userPrincipalName"
            {
                if ($showOutput) {Write-Host UPN: $internalvalue}
                $objOutputUser.UPN=$internalvalue
            }
            "displayName"
            {
                if ($showOutput) {Write-Host displayName: $internalvalue}
                $objOutputUser.displayName=$internalvalue
            }
            "sourceAnchor"
            {
                if ($showOutput) {Write-Host sourceAnchor: $internalvalue}
                $objOutputUser.sourceAnchor=$internalvalue
            }
            "alias"
            {
                if ($showOutput) {Write-Host alias: $internalvalue}
                $objOutputUser.alias=$internalvalue
            }
            "proxyAddresses"
            {
                if ($showOutput) {Write-Host primarySMTP: ($internalvalue -replace "SMTP:","")}
                $objOutputUser.primarySMTP=$internalvalue -replace "SMTP:",""
            }
        }
    }
    $objOutputUsers += $objOutputUser
    Write-Progress -activity "Processing ${xmltoimport} in batches of ${batchsize}" -status "Batch ${outputfilecount}: " -percentComplete (($objOutputUsers.Count / $batchsize) * 100)
    #every so often, dump the processed users in case we blow up somewhere
    if ($count % $batchsize -eq 0)
    {
        Write-Host Hit the maximum users processed without completion... -ForegroundColor Yellow
        #export the collection of users as a CSV
        Write-Host Writing processedusers${outputfilecount}.csv -ForegroundColor Yellow
        $objOutputUsers | Export-Csv -path processedusers${outputfilecount}.csv -NoTypeInformation
        #increment the output file counter
        $outputfilecount+=1
        #reset the collection and the user counter
        $objOutputUsers = $null
        $count=0
    }
    $count+=1
    #need to bail out of the loop if no more users to process
    if ($reader.NodeType -eq [System.Xml.XmlNodeType]::EndElement)
    {
        break
    }
} while ($reader.Read)
#need to write out any users that didn't get picked up in a batch of 1000
#export the collection of users as a CSV
Write-Host Writing processedusers${outputfilecount}.csv -ForegroundColor Yellow
$objOutputUsers | Export-Csv -path processedusers${outputfilecount}.csv -NoTypeInformation
Disable the scheduled task on the old AAD Connect Server
9. On the old AAD Connect server, launch the Task Scheduler.
10. On the old AAD Connect server, stop the scheduled task.
a. This task was created in the Create Custom Sync Schedule section of the State of California GAL Synchronization Configuration & Support Documentation.
Set the new AAD Connect Server to Active
Execute the First Sync Cycle
1. From the Synchronization Manager, select the Connectors tab.
2. Right-click on the New GALSync connector, select Run, click Delta Import and then click OK.
a. You should have already run a Full Import in the Verify the New AAD Connect Server section above. If you have not completed that section, please return to it now.
3. Wait for this cycle to complete successfully.
4. Launch the Task Scheduler.
5. Execute the previously configured scheduled task.
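The cutover described in the two sections above (stop the task on the old server, run the first Delta Import on the new one, start the task there) can be scripted so that every hand-off is verified rather than assumed. The following is an added example and is not part of this document or of Microsoft's tooling; the old server name, the scheduled task name and the run profile name are placeholders, and it assumes WinRM access to the old server and the ADSync module on the new one.

```powershell
# Added example (not from the original document). Placeholders are marked as assumptions.
param(
    [string]$OldServer  = 'OLD-AADC',                # assumption: hostname of the currently active server
    [string]$TaskName   = 'GALSync Custom Schedule', # assumption: name of the task from the GAL Sync document
    [string]$Connector  = 'New GALSync',             # connector name as used in this document
    [string]$RunProfile = 'Delta Import'             # assumption: run profile name defined on the connector
)

Import-Module ADSync -ErrorAction Stop

# 1. Stop and disable the scheduled task on the old (active) server so it no longer exports.
#    Read the task state back instead of trusting that the cmdlets succeeded.
Invoke-Command -ComputerName $OldServer -ArgumentList $TaskName -ScriptBlock {
    param($name)
    Stop-ScheduledTask    -TaskName $name -ErrorAction SilentlyContinue
    Disable-ScheduledTask -TaskName $name | Out-Null
    $task = Get-ScheduledTask -TaskName $name
    if ($task.State -ne 'Disabled') { throw "Task '$name' on $env:COMPUTERNAME is still $($task.State)" }
    "Task '$name' disabled on $env:COMPUTERNAME"
}

# 2. Make sure the old server is not in the middle of a run before the new one starts.
$busy = Invoke-Command -ComputerName $OldServer -ScriptBlock {
    Import-Module ADSync
    Get-ADSyncConnectorRunStatus
}
if ($busy) { throw "A run is still in progress on ${OldServer}: $($busy | Out-String)" }

# 3. Run the first Delta Import on this (new) server and wait until nothing is running.
Invoke-ADSyncRunProfile -ConnectorName $Connector -RunProfileName $RunProfile
while (Get-ADSyncConnectorRunStatus) { Start-Sleep -Seconds 10 }

# 4. Enable and start the scheduled task locally; this server is now the active one.
Enable-ScheduledTask -TaskName $TaskName | Out-Null
Start-ScheduledTask  -TaskName $TaskName
$local = Get-ScheduledTask -TaskName $TaskName
"Task '$TaskName' on $env:COMPUTERNAME is $($local.State)"
```

Run it on the new AAD Connect server after the Full Import from the Verify section has completed. The ordering matters: the old task is disabled and confirmed idle before the new server exports anything, so at no point are two servers writing for the same connector.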
Upgrade the old AAD Connect Server
Notes:
• The new AAD Connect server should now be upgraded to the latest version and servicing requests prior to completing these steps.
• We always want to make sure that both AAD Connect servers are on the same version after validating that the newer version is working as expected.
Upgrade old AAD Connect Server steps
1. On the old AAD Connect server, uninstall Azure AD Connect.
2. Download the new Azure AD Connect msi.
3. On the old AAD Connect server, install the new AAD Connect msi and follow the steps from the Restore Configuration to New AAD Connect Server section through the Verify the New AAD Connect Server section.
a. It is vital that you stop at the Disable the scheduled task on the old AAD Connect Server section, and that you do not complete the Create Custom Sync Schedule section, as this should already be completed.
b. At this point you should have completed the Verify the New AAD Connect Server section and be stopped at the Disable the scheduled task on the old AAD Connect Server section.
4. At this point you should have 2 AAD Connect servers that are updated to the same version.
Future Upgrades
Notes:
• The AAD Connect server upgrade path should always be: upgrade the inactive AAD Connect server first, make the active AAD Connect server inactive, and enable the scheduled task on the upgraded AAD Connect server.
Future Upgrades Steps
1. On the inactive AAD Connect server, download the new Azure AD Connect msi.
2. On the inactive AAD Connect server, install the Azure AD Connect msi.
3. If this is the first time you have upgraded AAD Connect since the first upgrade, you must disable the following Synchronization Rules in the Synchronization Rules Editor:
a. In from AAD – Contact Join
b. Outbound to AAD – Contact Join
c. Outbound to AAD – Contact Identity
4. Verify the inactive AAD Connect server by following the steps in the Verify the New AAD Connect Server section.
5. After verification, disable the scheduled task on the active AAD Connect server.
6. Enable the scheduled task on the upgraded AAD Connect server.
7. Repeat steps 1-4 on the AAD Connect server that is still running the old AAD Connect version.
8. At this point, both of your AAD Connect servers should be upgraded to the latest version.
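The procedure above rests on three conditions that are easy to get wrong across two servers: both run the same version, exactly one of them has the scheduled task enabled, and the three contact rules are disabled. The following check is an added example and is not part of this document or of Microsoft's tooling; the server names and the task name are placeholders, the miiserver.exe path assumes the default ADSync install folder, and it assumes WinRM access to both servers. It compares rule names with the dash normalised to a hyphen, since the names printed above may have been auto-corrected from the hyphen the engine stores.

```powershell
# Added example (not from the original document). Placeholders are marked as assumptions.
param(
    [string[]]$Servers = @('AADC-01', 'AADC-02'),       # assumption: the two AAD Connect servers
    [string]$TaskName  = 'GALSync Custom Schedule',     # assumption: name of the custom sync task
    [string[]]$RulesThatMustBeDisabled = @(
        'In from AAD - Contact Join',
        'Outbound to AAD - Contact Join',
        'Outbound to AAD - Contact Identity'
    )
)

# Normalise en/em dashes to a hyphen so the names match however they were typed (assumption)
$wanted = $RulesThatMustBeDisabled | ForEach-Object { $_ -replace '[\u2013\u2014]', '-' }

$report = foreach ($server in $Servers) {
    Invoke-Command -ComputerName $server -ArgumentList $TaskName, $wanted -ScriptBlock {
        param($taskName, $wanted)
        Import-Module ADSync -ErrorAction Stop

        # product version of the sync engine binary (default install path assumed)
        $exe     = "$env:ProgramFiles\Microsoft Azure AD Sync\Bin\miiserver.exe"
        $version = (Get-Item $exe).VersionInfo.ProductVersion

        # state of the custom scheduled task; only the active server should have it enabled
        $task  = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
        $state = if ($task) { $task.State.ToString() } else { 'Missing' }

        # the contact rules must exist and must be disabled
        $rules   = @(Get-ADSyncRule | Where-Object { $wanted -contains ($_.Name -replace '[\u2013\u2014]', '-') })
        $names   = @($rules | ForEach-Object { $_.Name -replace '[\u2013\u2014]', '-' })
        $enabled = @($rules  | Where-Object { -not $_.Disabled } | ForEach-Object Name)
        $missing = @($wanted | Where-Object { $names -notcontains $_ })

        [pscustomobject]@{
            Server       = $env:COMPUTERNAME
            Version      = $version
            TaskState    = $state
            EnabledRules = $enabled -join '; '
            MissingRules = $missing -join '; '
        }
    }
}

$report | Format-Table -AutoSize

# Invariant 1: both servers run the same version
$versions = @($report.Version | Sort-Object -Unique)
if ($versions.Count -ne 1) { Write-Warning "Version mismatch: $($versions -join ' vs ')" }

# Invariant 2: exactly one server has the task enabled, i.e. only one server is exporting
$active = @($report | Where-Object { $_.TaskState -notin 'Disabled', 'Missing' })
if ($active.Count -ne 1) { Write-Warning "Expected one active server, found $($active.Count): $($active.Server -join ', ')" }

# Invariant 3: the contact rules are present and disabled on every server
foreach ($row in $report | Where-Object { $_.EnabledRules -or $_.MissingRules }) {
    Write-Warning "$($row.Server): still enabled [$($row.EnabledRules)]; missing [$($row.MissingRules)]"
}
```

Run it after step 8, and again after step 6 of any future upgrade: between steps 5 and 6 the second invariant is expected to report zero active servers, and a report of two is the condition to stop and fix before continuing.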
Recovery
Restore
Important Information:
• To use the restore steps, you must have the full version of SQL deployed for AAD Connect.
• These steps should only be performed if the AAD Connect configuration is unrecoverable but the SQL database is still working.
• You can find the latest version of the Restore Steps at the following link: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-existing-database
Restore Steps
1. Rebuild the AAD Connect server and, on the following screen, close AAD Connect.
2. Start a new command prompt or PowerShell session. Navigate to the folder \program files\Microsoft Azure AD Connect.
3. To start the Azure AD Connect wizard in “Use existing database” setup mode, run the command:
.\AzureADConnect.exe /useexistingdatabase
4. You should see the following screen:
5. On the Install required components screen, the Use an existing SQL Server option is enabled. Specify the name of the SQL server that is hosting the ADSync database. If the SQL engine instance used to host the ADSync database is not the default instance on the SQL server, you must specify the SQL engine instance name. Further, if SQL browsing is not enabled, you must also specify the SQL engine instance port number. For example:
6. On the Connect to Azure AD screen, you must provide the credentials of a global admin of your Azure AD directory. The recommendation is to use an account in the default onmicrosoft.com domain. This account is only used to create a service account in Azure AD and is not used after the wizard has completed.
7. On the Connect your directories screen, the existing AD forest configured for directory synchronization is listed with a red cross icon beside it. To synchronize changes from an on-premises AD forest, an AD DS account is required. The Azure AD Connect wizard is unable to retrieve the credentials of the AD DS account stored in the ADSync database because the credentials are encrypted and can only be decrypted by the previous Azure AD Connect server. Click Change Credentials to specify the AD DS account for the AD forest.
8. In the pop-up dialog, you can either (i) provide an Enterprise Admin credential and let Azure AD Connect create the AD DS account for you, or (ii) create the AD DS account yourself and provide its credential to Azure AD Connect. Once you have selected an option and provided the necessary credentials, click OK to close the pop-up dialog.
9. Once the credentials are provided, the red cross icon is replaced with a green tick icon. Click Next.
10. On the Ready to configure screen, click Install.
11. To verify the restored AAD Connect server, follow the Verify the New AAD Connect Server section.
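Step 5 of the restore is where most failed attempts stall: the wizard needs the SQL server, the instance name (when it is not the default instance) and the port (when SQL Browser is disabled), and a wrong combination only surfaces as an install error. The following pre-check is an added example and is not part of this document or of Microsoft's restore steps; it opens the ADSync database from the rebuilt server with exactly the host\instance,port string the wizard will be given, using the installing account's Windows credentials. The server, instance and port values are placeholders.

```powershell
# Added example (not from the original document). Placeholders are marked as assumptions.
param(
    [string]$SqlServer = 'SQL01',     # assumption: SQL host that holds the ADSync database
    [string]$Instance  = 'ADSYNC',    # assumption: named instance; pass '' for the default instance
    [int]$Port         = 1433,        # assumption: required when SQL Browser is not enabled
    [string]$Database  = 'ADSync'
)

# Build the data source the same way the wizard composes it: host[\instance][,port]
$dataSource = $SqlServer
if ($Instance) { $dataSource += "\$Instance" }
if ($Port)     { $dataSource += ",$Port" }

$builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
$builder['Data Source']         = $dataSource
$builder['Initial Catalog']     = $Database
$builder['Integrated Security'] = $true    # the account running the wizard must be able to read the DB
$builder['Encrypt']             = $true    # keep the connection encrypted; a cert error here is a finding
$builder['Connect Timeout']     = 10

$conn = New-Object System.Data.SqlClient.SqlConnection $builder.ConnectionString
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    # mms_management_agent holds one row per connector; its presence confirms this is an
    # ADSync database and the count shows the connector configuration survived
    $cmd.CommandText = 'SELECT COUNT(*) FROM dbo.mms_management_agent'
    $connectors = [int]$cmd.ExecuteScalar()

    [pscustomobject]@{
        DataSource    = $dataSource
        ServerVersion = $conn.ServerVersion
        Connectors    = $connectors
        Reachable     = $true
    }
}
catch {
    Write-Error "Cannot open $Database on ${dataSource}: $($_.Exception.Message)"
    [pscustomobject]@{ DataSource = $dataSource; ServerVersion = $null; Connectors = 0; Reachable = $false }
}
finally {
    $conn.Dispose()
}
```

A Reachable result with a Connectors count of zero means the database opened but does not hold the configuration you expect, which is the case the Important Information bullet rules out before starting; fix the target before running AzureADConnect.exe /useexistingdatabase rather than after.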