Upgrade and understanding Azure AD Connect


At the moment I want to upgrade an (old and corrupt) AAD Connect server, version 1.1.380.0, to 1.5.18.0. Because of the huge version difference, Microsoft suggests doing a swing upgrade: install a new server with AAD Connect in staging mode, compare the settings, and switch the servers when everything is OK.
First of all, the new Connect setup wants to configure our ADFS servers. Because this is an operational environment, I don't want to do this at this stage. So I chose to run the setup again on the new server, picked a different setup option (do not configure), and did not configure the ADFS server.
Besides some errors regarding the health agent installation, the new server was installed and a new synchronization account was created in Azure AD. After this step I compared the two setups (with the documenter) to see the differences between the servers. But there are too many new settings, and I do not know if I need them or how to configure them. So there is no way I want to use this server right away. I need more information first and need to understand the sync process.
I now have two servers: one operational and one in staging mode, with a major version difference.

  • Is there a way I can configure this new machine so that it only synchronizes one domain or one group of objects? This is to prevent changes to already synchronized objects, so it will not delete or corrupt the objects of the other server.
  • I want to end up with a situation where I can test this new server without making changes to any other objects. So, is there a way to set up a test environment?
  • How do you implement a new version? How do you test?
  • What happens to objects when you switch one server to active and the other to staging, and vice versa?

So I want to understand the process, so that I do not synchronize from a wrongly configured AAD Connect server and end up with an empty Azure AD.
Any information on how you would implement this new version would be nice.
Thanks!


1 Reply

@Robku A swing upgrade does require a lot of attention.
Make sure you match the object count on both servers before doing the switch from old to new.

By object count I mean: search the local (AD) connector space, the Azure AD connector space and the metaverse on both machines and match the object counts.
Also, once the new server is up and running, match the attribute list as well.
If you have custom rules configured, make sure every rule from your old setup is imported to the new server as well.
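The reply above describes a manual pre-switch checklist (object counts per connector space, custom rules present on both servers). The following is an added example, not code from the thread or from Microsoft: a PowerShell script to run on each Azure AD Connect server that writes a JSON snapshot of the relevant state, plus a function that diffs two snapshots. It assumes the ADSync module that ships with Azure AD Connect, that Get-ADSyncConnectorStatistics exists on both builds (it is absent on very old builds, where the connector space counts in the Synchronization Service Manager are the fallback), and the property names used on its output. The "custom rule" test (rules without an ImmutableTag) is a heuristic, labelled as such in the code. Two checks go beyond the reply because a practitioner would want them before a switch: the staging server must still report StagingModeEnabled, and the export deletion threshold must still be enabled on the new server, since that threshold (on by default, 500 deletes) is the only automatic guard against the "empty Azure AD" outcome the question worries about.

```powershell
# Added example, not code from the thread. Assumes the ADSync module on each
# server; Get-ADSyncConnectorStatistics and the property names read from its
# output are assumed to exist on both builds (hypothetical for very old ones).
Import-Module ADSync -ErrorAction Stop

function Get-AADCSnapshot {
    # Run on each server; writes a JSON snapshot that can be compared offline.
    param([Parameter(Mandatory)][string]$OutFile)

    $sched = Get-ADSyncScheduler
    $thr   = Get-ADSyncExportDeletionThreshold

    $connectors = foreach ($c in Get-ADSyncConnector) {
        $s = Get-ADSyncConnectorStatistics -ConnectorName $c.Name
        [pscustomobject]@{
            Name               = $c.Name
            Type               = $c.ConnectorTypeName
            TotalConnectors    = $s.TotalConnectors      # CS objects joined to the metaverse
            TotalDisconnectors = $s.TotalDisconnectors   # CS objects not joined
            PendingExports     = $s.ExportAdds + $s.ExportUpdates + $s.ExportDeletes
        }
    }

    # Heuristic (assumption): out-of-box rules carry an ImmutableTag; rules
    # created in the Synchronization Rules Editor do not.
    $rules = Get-ADSyncRule | ForEach-Object {
        [pscustomobject]@{
            Name       = $_.Name
            Direction  = $_.Direction
            Precedence = $_.Precedence
            Disabled   = $_.Disabled
            Custom     = [string]::IsNullOrEmpty($_.ImmutableTag)
        }
    }

    [pscustomobject]@{
        Host                     = $env:COMPUTERNAME
        StagingModeEnabled       = $sched.StagingModeEnabled
        SyncCycleEnabled         = $sched.SyncCycleEnabled
        DeletionThresholdEnabled = $thr.DeletionThresholdEnabled
        DeletionThreshold        = $thr.DeletionThreshold
        Connectors               = @($connectors)
        Rules                    = @($rules)
    } | ConvertTo-Json -Depth 5 | Set-Content -Path $OutFile -Encoding UTF8
}

function Compare-AADCSnapshot {
    # Returns a list of findings; an empty list means both servers pass the checks below.
    param(
        [Parameter(Mandatory)][string]$ActiveFile,   # snapshot from the current (active) server
        [Parameter(Mandatory)][string]$StagingFile   # snapshot from the new (staging) server
    )
    $old = Get-Content $ActiveFile  -Raw | ConvertFrom-Json
    $new = Get-Content $StagingFile -Raw | ConvertFrom-Json
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # Exactly one server may export; two active servers would fight over the tenant.
    if (-not $new.StagingModeEnabled) { $findings.Add("$($new.Host): staging mode is OFF, it would export to Azure AD") }
    if ($old.StagingModeEnabled)      { $findings.Add("$($old.Host): expected to be active but is in staging mode") }

    # The deletion threshold is the guard against a bad configuration emptying the tenant.
    if (-not $new.DeletionThresholdEnabled) { $findings.Add("$($new.Host): export deletion threshold is disabled") }

    # Object counts per connector space, matched by connector name.
    foreach ($oc in $old.Connectors) {
        $nc = $new.Connectors | Where-Object { $_.Name -eq $oc.Name }
        if (-not $nc) { $findings.Add("Connector '$($oc.Name)' missing on $($new.Host)"); continue }
        foreach ($p in 'TotalConnectors', 'TotalDisconnectors') {
            if ($oc.$p -ne $nc.$p) {
                $findings.Add("Connector '$($oc.Name)': $p $($oc.$p) (active) vs $($nc.$p) (staging)")
            }
        }
        # A staging server imports and syncs but never exports, so its pending
        # exports are exactly what it would push to the target on activation.
        if ($nc.PendingExports -gt 0) {
            $findings.Add("Connector '$($oc.Name)': $($nc.PendingExports) pending exports on staging; review them before switching")
        }
    }

    # Every enabled custom rule on the old server must exist, enabled, on the new one.
    foreach ($r in ($old.Rules | Where-Object { $_.Custom -and -not $_.Disabled })) {
        $m = $new.Rules | Where-Object { $_.Name -eq $r.Name -and $_.Direction -eq $r.Direction }
        if (-not $m)                             { $findings.Add("Custom rule '$($r.Name)' ($($r.Direction)) missing on $($new.Host)") }
        elseif ($m.Disabled)                     { $findings.Add("Custom rule '$($r.Name)' is disabled on $($new.Host)") }
        elseif ($m.Precedence -ne $r.Precedence) { $findings.Add("Custom rule '$($r.Name)': precedence $($r.Precedence) (active) vs $($m.Precedence) (staging)") }
    }
    return $findings
}

# Usage, on each server:   Get-AADCSnapshot -OutFile "C:\temp\aadc-$env:COMPUTERNAME.json"
# then, on either server:  Compare-AADCSnapshot -ActiveFile .\aadc-OLD.json -StagingFile .\aadc-NEW.json
```

The script only reads state; it never changes staging mode or runs an export. The pending-exports finding is the most useful one for the question's fear of an empty tenant: in staging mode the new server has already computed what it would send, and a large number of pending deletes on the Azure AD connector is the signal to stop and fix rules or filtering before Set-ADSyncScheduler -StagingModeEnabled $false is ever run. The metaverse count the reply mentions is not exposed by these cmdlets; check it in the Synchronization Service Manager (Metaverse Search) on both servers.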