Moving AZ AD Connect from on-prem DC to DC in Azure

michal 191 Reputation points
2020-12-02T20:02:32.7+00:00

Hello,

I would like to get some advice on a task I am about to perform. First, a little background:

I've been migrating a few on-prem servers to Azure. This also includes an on-prem DC. I've already spun up a VM in Azure, joined it to the domain, promoted it to a DC and moved all FSMO roles to it. They are syncing fine and I've tested that end-users are authenticating and also getting GPOs from the DC in Azure from time to time. So until now, all seems to be working OK.

Now, I've just found out that AZ AD Connect is running on the on-prem DC. This DC is going to be shut down and I have to move it to the DC in Azure.

I'm wondering what the best way is to set up AZ AD Connect on the new DC in Azure in my scenario, before I shut the on-prem DC down. Can I just shut the on-prem DC down and install AD Connect on the DC in Azure? Is it that simple? Or should I follow some "migration" steps...

Microsoft Entra ID

Accepted answer
  1. VipulSparsh-MSFT 16,251 Reputation points Microsoft Employee
    2020-12-03T04:08:58.727+00:00

    @michal Thanks for reaching out.
    We recently did a public preview for importing and exporting the Azure AD Connect configuration settings for migration purposes.
    You can read more about it here to understand what you need to perform during a server-to-server migration:
    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-import-export-config

    Also note : Only changes made by Azure AD Connect are automatically exported. Any changes made by using PowerShell, the Synchronization Service Manager, or the Synchronization Rules Editor must be exported on demand as needed to maintain an up-to-date copy. Export on demand can also be used to place a copy of the settings in a secure location for disaster recovery purposes.

    You can then just import the settings on the new AAD Connect server while installing the connect tool:
    [screenshot omitted: Azure AD Connect installation wizard, import settings step]

    =====================================================================================================

    If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.


2 additional answers

  1. michal 191 Reputation points
    2020-12-03T13:46:13.61+00:00

    @VipulSparsh-MSFT : looks like there is an old version of AD Connect on the on-prem DC (version 1.1.647), which does not have the EXPORT feature yet. Any advice?

    I've found some guidance about how to perform a custom installation and set up the same configuration as on the old one, including enabling/disabling staging mode etc. Doesn't look complicated...

    Would you recommend installing the latest release of AZ AD Connect on the new server and configuring it the same way as the old one.... and then just ENABLING staging on the old one and disabling it on the new server once all is done? Or is it better to perform an "in-place" upgrade of AD Connect on the old server and then proceed with the migration you mentioned above...

    UPDATE:

    I've already tried to install the most recent version of AZ AD Connect and noticed 3 things when going through the tasks that I would like to ask about:

    1. Connect to Azure AD - should I use "admin@mathieu.company .omnimicrosoft.com" as username? or "admin@mathieu.company .com" -that I've tried- would be OK as well, as this one is also marked as Global Administrator in AZ AD
    2. Azure AD sign-in task - I've seen the "lan.company.com" UPN suffix that was marked as "Not Added" only. It is the name of the domain in AD. However, "lan.company.com" is not registered in AZ AD; there is "company.com". I do not get "company.com" in UPN Suffix as an option. Can this cause any issue? ....I've marked "continue without matching all UPN suffixes to verified domains" during the installation.
    3. Identifying users - the recommended option was "Let Azure manage the source anchor" so I selected it. However, once installation finished, I saw that the anchor was "objectGUID" with the explanation that the "ms-DS-ConsistencyGuid" attribute is already in use. I've tried to reinstall AD Connect again and manually selected "ms-DS-ConsistencyGuid" to match the configuration on the old server - would that be OK?

    Should I expect any issues when I move the new AD Connect to production (disable staging) with all the above? The environment is only a simple one-AD-forest environment... with no extra configuration...

    UPDATE 2

    Read your link once again and found info about how to get the config file from an AD Connect that does not support the EXPORT feature. So I'm following those instructions.... However, I ended up on "Azure Active Directory credentials" when importing the configuration. By default, it chose "Azure Global Administrator", which is "admin@mathieu.company .omnimicrosoft.com"... Unfortunately, I do not have the password for it as the guy who set it up before is not with us anymore. Would it work if I use another GLOBAL ADMIN? - e.g., "admin@mathieu.company .com" which I have the password for.... Or it may cause some mess...

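Before swapping staging mode between the old and the new server, it helps to confirm on both machines that the source anchor and staging state are what the post above expects (old server active, new server staging, same anchor attribute). The following is an added example, not code from the thread or from Microsoft; it uses the ADSync PowerShell module that ships with Azure AD Connect, and the global-settings parameter name is an assumption to verify against your own server.

```powershell
# Added example: report the settings that must agree between the old and new
# Azure AD Connect servers before cutover. Run it on each server and compare.
# Assumption: the ADSync module is installed with Azure AD Connect, and the
# source anchor is exposed under the parameter name used below.
Import-Module ADSync

# Scheduler state: exactly one server should have StagingModeEnabled = $false
$sched = Get-ADSyncScheduler

# Source anchor chosen at install time (objectGUID vs mS-DS-ConsistencyGuid);
# a mismatch between servers would re-map users on cutover, so it must match.
$anchor = (Get-ADSyncGlobalSettings).Parameters |
    Where-Object { $_.Name -eq 'Microsoft.SynchronizationOption.AnchorAttribute' } |
    Select-Object -ExpandProperty Value

[pscustomobject]@{
    Server             = $env:COMPUTERNAME
    StagingModeEnabled = $sched.StagingModeEnabled
    SyncCycleEnabled   = $sched.SyncCycleEnabled
    SourceAnchor       = $anchor
}
```

Run it on the on-prem DC and on the Azure DC and diff the two objects; if SourceAnchor differs, fix the installation on the new server before disabling staging there.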

  2. michal 191 Reputation points
    2020-12-09T12:02:43.15+00:00

    @VipulSparsh-MSFT : ... I've successfully migrated AD Connect... thanks to the link you've provided. Could find all required info there... THANKS!