Upgrade and understanding Azure AD Connect

Rob van den Broek 96 Reputation points
2020-04-15T07:21:52.84+00:00

At the moment I want to upgrade an (old and corrupt) AAD Connect server, version 1.1.380.0, to 1.5.18.0. Because of the huge version difference, Microsoft suggests doing a swing upgrade: install a new server with AAD Connect in staging mode, compare the settings and switch the servers when OK.
First of all, the new Connect setup wants to configure our ADFS servers. Because this is an operational environment, I don't want to do this at this stage. So I chose to run the setup again on the new server, chose a different setup option (do not configure) and did not configure the ADFS server.
Besides some error regarding the health agent installation, the new server was installed and a new synchronization account was created in Azure AD. After this step I compared the two setups (documenter) to see the differences between the servers. But there are too many new settings and I do not know if I need them and how to configure them. So there is no way I want to use this server right away. I need more information first and need to understand the sync process.
I now have 2 servers: 1 operational and one in staging mode, with a major version difference.

  • Is there a way I can configure this new machine so that it only synchronizes one domain or one group of objects? To prevent changes to already synchronized objects, so it will not delete or corrupt the objects of the other server.
  • I want to end up with a situation where I can test this new server without making changes to any other objects. So, is there a way to set up a test environment?
  • How do you implement a new version? How do you test?
  • What happens to objects when you switch the server to active and the other to staging, and vice versa?

So I want to understand the process so I would not synchronize a wrongly configured AAD Connect server and end up with an empty Azure AD.
Any information on how you would implement this new version would be nice.
Thanks!


9 answers

  1. AmanpreetSingh-MSFT 56,301 Reputation points
    2020-04-30T09:55:18.36+00:00

    @Rob van den Broek Thank you for sharing the information. Please try the steps below:

    1. Run the Test-AzureADConnectHealthConnectivity -Role Sync command to see if you are successfully able to connect to the required endpoints.
    2. Run the command below and see if you are getting HTTP 403 Forbidden or not, as per the snip below:
      [screenshot: 7812-capture.jpg]
    3. If you are using a proxy to connect to the internet, set the proxy using the Set-AzureAdConnectHealthProxySettings -HttpsProxyAddress address:port cmdlet.
    4. If you still face the same issue, update the C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config file with the parameters below:
      [screenshot: 7868-capture2.jpg]
    5. Since you are using ADFS, I would suggest you validate these TLS/SSL certificate requirements: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites#tlsssl-certificate-requirements.

    Also, I would suggest you post it as a separate question as well. That way it will have more visibility and others can help you if they have faced a similar issue. At this time, it appears as an answer to the main question and others may ignore it.

    -----------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.


  2. AmanpreetSingh-MSFT 56,301 Reputation points
    2020-04-15T09:29:29.143+00:00

    @Rob van den Broek , an AD Connect server in staging mode receives all inbound updates and doesn't export anything. It is always good to know what it is going to export once it is moved from staging to production. You can use the CSAnalyzer script to know what objects will be synced once the server is moved to production, without actually switching to production mode. You can find the script here: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-staging-server#appendix-csanalyzer

    Below are the steps that you need to perform:

    1. Start a cmd prompt and go to %ProgramFiles%\Microsoft Azure AD Sync\bin
    2. Run: csexport "Name of Connector" %temp%\export.xml /f:x. The name of the Connector can be found in the Synchronization Service. It has a name similar to "contoso.com – AAD" for Azure AD.
    3. Run: CSExportAnalyzer %temp%\export.xml > %temp%\export.csv. You now have a file in %temp% named export.csv that can be examined in Microsoft Excel. This file contains all changes that are about to be exported.
    4. Make necessary changes to the data or configuration and run these steps again (Import and Synchronize and Verify) until the changes that are about to be exported are expected.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept as answer" wherever the information provided helps you to help others in the community.
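    Step 3 above leaves you with a CSV to read through in Excel. As an added example (not part of the answer, and not Microsoft's CSAnalyzer script), the Python below reads the export.xml from step 2 directly and turns the original worry of this thread, a new server that would wipe the objects the old one synchronized, into a go/no-go check before the server leaves staging mode. It assumes the element names the CSAnalyzer script reads (cs-object, unapplied-export, delta with dn and operation attributes) and a cs-objects root; the sample XML is constructed.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the layout csexport writes with /f:x (pending exports).
# Element and attribute names are those the CSAnalyzer script reads
# (cs-object / unapplied-export / delta with dn and operation): an assumption.
SAMPLE_EXPORT_XML = """<?xml version="1.0" encoding="utf-8"?>
<cs-objects>
  <cs-object id="{0001}" object-type="user">
    <unapplied-export><delta dn="CN={U1}" operation="update"/></unapplied-export>
  </cs-object>
  <cs-object id="{0002}" object-type="user">
    <unapplied-export><delta dn="CN={U2}" operation="delete"/></unapplied-export>
  </cs-object>
  <cs-object id="{0003}" object-type="group">
    <unapplied-export><delta dn="CN={G1}" operation="delete"/></unapplied-export>
  </cs-object>
  <cs-object id="{0004}" object-type="user"/>
</cs-objects>
"""

def pending_exports(xml_text):
    """Count pending export operations per type and list the objects that
    would be deleted from Azure AD once this server leaves staging mode."""
    counts, deletions = Counter(), []
    for obj in ET.fromstring(xml_text).iter("cs-object"):
        delta = obj.find("unapplied-export/delta")
        if delta is None:  # nothing waiting to be exported for this object
            continue
        op = delta.get("operation", "unknown").lower()
        counts[op] += 1
        if op == "delete":
            deletions.append((obj.get("object-type", "?"), delta.get("dn", "?")))
    return counts, deletions

def assess(counts, delete_threshold=500):
    """Go/no-go heuristic: block the switch when pending deletes exceed the
    threshold (500 is the default of Azure AD Connect's own export deletion
    threshold) or outnumber all other pending changes combined."""
    deletes = counts.get("delete", 0)
    others = sum(n for op, n in counts.items() if op != "delete")
    return {"adds": counts.get("add", 0), "updates": counts.get("update", 0),
            "deletes": deletes, "blocked": deletes > delete_threshold or deletes > others}

if __name__ == "__main__":
    # Pass the path of the export.xml from step 2 to analyse a real export.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_EXPORT_XML
    counts, deletions = pending_exports(text)
    print(assess(counts), *[f"pending delete: {t} {dn}" for t, dn in deletions], sep="\n")
```

    A "blocked" verdict means step 4 applies: fix the scoping or configuration, re-run import and synchronize on the staging server, and export again until the pending changes are the ones you expect.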


  3. AmanpreetSingh-MSFT 56,301 Reputation points
    2020-04-22T20:01:04.037+00:00

    @Rob van den Broek , I can suggest 2 options here:

    1. Run a full sync on the staging server by using the Start-ADSyncSyncCycle -PolicyType Initial cmdlet. As I mentioned in my previous comment, the staging server doesn't export anything, but we should make sure that it has all the inbound (import) updates.
    2. Export the database on the old server and import it to the new server. Then install Azure AD Connect using an existing ADSync database. Refer to https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-existing-database for step-by-step instructions. Don't start synchronization at completion of the installation; configure the server in staging mode before starting sync.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept as answer" wherever the information provided helps you to help others in the community.


  4. Rob van den Broek 96 Reputation points
    2020-04-28T11:01:53.647+00:00

    Dear @AmanpreetSingh-MSFT ,

    I did have a closer look at the suggested link regarding the use of an existing database. But unfortunately I can't use this. I think we have to go back to my original post to see what I want to achieve.

    We have an old, corrupted (upgraded from another synchronization tool) version of Azure AD Connect, version 1.1.380.0. Every day the machine tries to do an upgrade. At this time the auto-upgrade is suspended. Updates fail and luckily the machine continues to synchronize. This is my inheritance and I need to see how I can fix this without creating any risk of users not being able to log in anymore with their already synchronized accounts. We are still going to use the new version of Azure AD Connect and validation will be via our ADFS servers. Because of the major difference compared to today's version we can't upgrade this machine (even if we succeed, I don't dare, because if this machine crashed we would run into an even bigger problem).

    What I found out already: in the logfile that is generated during the auto-upgrade process, I can read why it is not able to auto-upgrade. The line says: Azure AD Connect Upgrade Error: 906 : Encountered exception determining LocalDb database size. Details System.IO.FileNotFoundException: Could not find file 'C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf'. And yes, it is true. There is no database file at this location! So that's why I call this installation corrupt. And that's why this server needs to go.

    Let me rephrase my question from the initial message…

    How can I, without any risk, replace this Azure AD Connect server with a new one? I don't know if any extra changes are made during installation.

    Thanks!
    Rob


  5. Rob van den Broek 96 Reputation points
    2020-04-29T08:15:25.177+00:00

    @AmanpreetSingh-MSFT , here is all the information about registering the health agent.

    I installed Azure AD Connect v1.5.18.0 on a Win 2012 R2 machine. I chose NOT to configure the User Sign-in, because I don't want this installation to make changes to our ADFS servers. Our ADFS servers are operational; I can't make changes (if needed) to them now. I chose ObjectGUID as unique identifier because the old server is also using it. All other options: default installation. AAD Connect is installed and configured. A new sync account is created in Azure AD. One of the messages at the end of the installation was: Registration failed for your AAD Connect Health Agent for sync.

    I did try to register it: Register-AzureADConnectHealthSyncAgent -AttributeFiltering $false -StagingMode $true. But unfortunately every time it fails.

    In Azure Active Directory Connect Health I can see under sync services 2 connected servers. 1 is unhealthy. Message:

    The AAD Connect Health Service is not receiving the latest data from the server(s) listed above. This may be due to connectivity issues or data collection issues on the server itself.

    If I have a look at the log files during the register process I see a lot of information. I hope I pick the right lines from this log. First error, only when I use the register command:

    2020-04-22 12:41:13.367 AHealthServiceUri (ARM): https://management.azure.com/providers/Microsoft.ADHybridHealthService/
    2020-04-22 12:41:13.367 AdHybridHealthServiceUri: https://s1.adhybridhealth.azure.com/
    ERROR: 2020-04-22 12:41:13.367 [DiscoverAndOverrideEndpoints]:Null/Empty AdalAuthority
    System.InvalidOperationException: Null/Empty AdalAuthority
    2020-04-22 12:41:13.399 AHealthServiceUri (ARM): https://management.azure.com/providers/Microsoft.ADHybridHealthService/
    2020-04-22 12:41:13.399 AdHybridHealthServiceUri: https://s1.adhybridhealth.azure.com/

    During installation and registering this error did not exist:

    2020-04-22 09:09:52.447 AdHybridHealthServiceUri: https://s1.adhybridhealth.azure.com/
    2020-04-22 09:09:52.45 [OverrideEndpoints]:AdalAuthority: HTTPS://LOGIN.WINDOWS.NET/XXXXXXX.ONMICROSOFT.COM

    The problem starts here I guess.

    2020-04-22 09:09:54.97 Monitoring Agent Registration Attempt start
    2020-04-22 09:09:54.971 Tenant Certificate successfully written to location: C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\tenant.cert, byte[] length = 3621 bytes, written file length = 3621 bytes
    2020-04-22 09:09:54.971 Start Command: C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\Monitor\Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe sourcePath="C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\tenant.cert" version="1.5.22.0"
    2020-04-22 09:10:06.14 Monitoring Agent Registration Attempt process exited, ExitCode = 1
    2020-04-22 09:10:06.141 Monitoring Agent Registration Attempt end, ExitCode = 1, Result = Fail
    2020-04-22 09:10:06.148 Attempt Failed. Exception: System.InvalidOperationException: Failed configuring Monitoring Service using command: C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\Monitor\Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe sourcePath="C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\tenant.cert" version="1.5.22.0"
    at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.RegisterADHealthAgent.<>c__DisplayClass78_0. <StoreMonitoringServiceCertificateAndConfig>b__0()
    at Microsoft.Practices.EnterpriseLibrary.TransientFaultHandling.RetryPolicy.<>c__DisplayClass1.<ExecuteAction>b__0()
    at Microsoft.Practices.EnterpriseLibrary.TransientFaultHandling.RetryPolicy.ExecuteActionTResult

    This copying of the cert file and registering of the service repeats a couple of times without success. A bit further you can read:

    Agent.Main;Client activation failed:The remote server returned an error: (403) Forbidden.
    System.Net.WebException: The remote server returned an error: (403) Forbidden.

    And I'm running out of ideas how I must fix this.
    If you need more information, I can re-register again and send you the log.

    Thanks!
    Rob
