Upgrade and understanding Azure AD Connect

RobvandenBroek-8832 asked:

At the moment I want to upgrade an (old and corrupt) AAD Connect server version 1.1.380.0 to 1.5.18.0. Because of the huge version difference, Microsoft suggests doing a swing upgrade: install a new server with AAD Connect in staging mode, compare the settings and switch the servers when OK.
First of all, the new Connect setup wants to configure our ADFS servers. Because this is an operational environment, I don’t want to do this at this stage. So I chose to run the setup again on the new server, chose a different setup option (do not configure) and did not configure the ADFS server.
Besides some errors regarding the health agent installation, the new server was installed and a new synchronization account was created in Azure AD. After this step I compared the two setups (documenter) to see the differences between the servers. But there are too many new settings and I do not know if I need them and how to configure them. So there is no way I want to use this server right away. I need more information first and need to understand the sync process.
I now have 2 servers: one operational and one in staging mode, with a major version difference.

  • Is there a way I can configure this new machine so that it only synchronizes one domain or one group of objects? To prevent changes to already synchronized objects, so it will not delete or corrupt the objects of the other server.

  • I want to end up in a situation where I can test this new server without making changes to any other objects. So, is there a way to set up a test environment?

  • How do you implement a new version? How do you test?

  • What happens to objects when you switch the server to active and the other to staging, and vice versa?

So I want to understand the process so I would not synchronize a wrongly configured AAD Connect server and end up with an empty Azure AD.
Any information on how you would implement this new version would be nice.
Thanks!

Tags: azure-active-directory, azure-ad-connect

amanpreetsingh-msft answered:

@RobvandenBroek-8832, an AD Connect server in Staging mode receives all inbound updates and doesn't export anything. It is always good to know, once it is moved from Staging to Production, what it is going to export. You can use the CSAnalyzer script to know what objects will be synced once the server is moved to production without actually switching to production mode. You can find the script here: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-staging-server#appendix-csanalyzer

Below are the steps that you need to perform:

  1. Start a cmd prompt and go to %ProgramFiles%\Microsoft Azure AD Sync\bin

  2. Run: csexport "Name of Connector" %temp%\export.xml /f:x The name of the Connector can be found in Synchronization Service. It has a name similar to "contoso.com – AAD" for Azure AD.

  3. Run: CSExportAnalyzer %temp%\export.xml > %temp%\export.csv You have a file in %temp% named export.csv that can be examined in Microsoft Excel. This file contains all changes that are about to be exported.

  4. Make necessary changes to the data or configuration and run these steps again (Import and Synchronize and Verify) until the changes that are about to be exported are expected.


Please "Accept as answer" wherever the information provided helps you to help others in the community.


Thanks amanpreetsingh-msft for your information. Maybe I can use it when I’m a bit further in the process.
At this moment the steps you suggested generate an empty XML file. It only contains the following information:

<?xml version="1.0"?>
<cs-objects/>

So probably I’m doing something wrong. Maybe you can tell me more about this.

Is there a way I can export the configuration from the old server to the new one? That would also be a good starting point. Keep in mind the major version difference. Any other way to move to a new server would be nice.

To anyone else. Any suggestion regarding moving to a new server would be nice!
Thanks!

amanpreetsingh-msft answered:

@RobvandenBroek-8832, I can suggest 2 options here:

  1. Run a full sync on the staging server by using the Start-ADSyncSyncCycle -PolicyType Initial cmdlet. As I mentioned in my previous comment, the staging server doesn't export anything, but we should make sure that it has all the inbound (import) updates.

  2. Export the database on the old server and import it to the new server. Then install Azure AD Connect using an existing ADSync database. Refer to https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-existing-database for step-by-step instructions. Don't start synchronization at completion of the installation, and configure the server in staging mode before starting sync.


Please "Accept as answer" wherever the information provided helps you to help others in the community.


@RobvandenBroek-8832 Have you had a chance to test this out?


Not yet, sorry... Too busy with other projects at the moment. But of course I will react to your suggestion.

But at the moment I’m not sure if I want to continue the way you are pointing at. At the moment the new server is having more problems. After installing Azure AD Connect, there also was an error regarding the ‘health agent’. All the suggestions I read about the registration of the health agent ended up in an error. So at the moment I’m not sure if I want to continue with this server or start using a new one (VMware). I’m a bit running out of solutions regarding the health agent.

But can I post the questions in this topic too?

I also want to look at the other link you suggested.

Thanks!

RobvandenBroek-8832 answered:

Dear @amanpreetsingh-msft,

I did have a closer look at the suggested link regarding the use of an existing database. But unfortunately I can’t use this. I think we have to go back to my original post to see what I want to achieve.

We have an old corrupted (upgrade from another synchronization tool) version of Azure AD Connect, version 1.1.380.0. Every day the machine tries to do an upgrade. At this time the auto-upgrade is suspended. Updates fail and luckily the machine continues to synchronize. This is my inheritance and I need to see how I can fix this without creating any risk of users not being able to log in anymore with their already synchronized accounts. We are still going to use the new version of Azure AD Connect and validation will be via our ADFS servers. Because of the major difference compared to today's version we can’t upgrade this machine (even if we succeed, I don’t dare, because if this machine crashed we would run into an even bigger problem).

What I found out already: in the log file that is generated during the auto-upgrade process, I can read why it is not able to auto-upgrade. The line says: Azure AD Connect Upgrade Error: 906 : Encountered exception determining LocalDb database size. Details System.IO.FileNotFoundException: Could not find file 'C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf'. And yes, it is true. There is no database file at this location! So that’s why I call this installation corrupt. And that’s why this server needs to go.

Let me rephrase my question from the initial msg…

How can I, without any risk, replace this Azure AD Connect server with a new one? I don’t know if any extra changes are made during installation.

Thanks!
Rob


@RobvandenBroek-8832 In that case, you would need to go with the first option and stick to the initial action plan that I shared.


Thanks @amanpreetsingh-msft for the quick reply.

The only thing with the new server that prevents me from doing this is that I’m unable to register the health service. What do you suggest? Start with a new server first? Or continue and fix the health part afterwards?


Yes, that's one option but it is always good to have a healthy server in first go. Could you please post a question for the health agent error?

RobvandenBroek-8832 answered:

@amanpreetsingh-msft, here is all the information about registering health agent.

I installed Azure AD Connect v1.5.18.0 on a Win 2012 R2 machine. I chose NOT to configure the User Sign-in, because I don’t want this installation to make changes to our ADFS servers. Our ADFS servers are operational; I can’t make changes (if needed) to them now. I chose ObjectGUID as the unique identifier because the old server is also using it. All other options were the default installation. AAD Connect is installed and configured. A new sync account is created in Azure AD. One of the messages at the end of the installation was: Registration failed for your AAD Connect Health Agent for sync.

Did try to register it: Register-AzureADConnectHealthSyncAgent -AttributeFiltering $false -StagingMode $true. But unfortunately every time it fails.

In Azure Active Directory Connect Health I can see under sync services 2 connected servers. 1 is unhealthy. Msg:

The AAD Connect Health Service is not receiving the latest data from the server(s) listed above. This may be due to connectivity issues or data collection issues on the server itself.

If I have a look at the log files during the register process I see a lot of information. I hope I pick the right lines from this log. The first error appears only when I use the register command.


2020-04-22 12:41:13.367 AHealthServiceUri (ARM): https://management.azure.com/providers/Microsoft.ADHybridHealthService/
2020-04-22 12:41:13.367 AdHybridHealthServiceUri: https://s1.adhybridhealth.azure.com/
ERROR: 2020-04-22 12:41:13.367 [DiscoverAndOverrideEndpoints]:Null/Empty AdalAuthority
System.InvalidOperationException: Null/Empty AdalAuthority
2020-04-22 12:41:13.399 AHealthServiceUri (ARM): https://management.azure.com/providers/Microsoft.ADHybridHealthService/
2020-04-22 12:41:13.399 AdHybridHealthServiceUri: https://s1.adhybridhealth.azure.com/

During installation and registering this error did not exist:

2020-04-22 09:09:52.447 AdHybridHealthServiceUri: https://s1.adhybridhealth.azure.com/
2020-04-22 09:09:52.45 [OverrideEndpoints]:AdalAuthority: HTTPS://LOGIN.WINDOWS.NET/XXXXXXX.ONMICROSOFT.COM

The problem starts here I guess.

2020-04-22 09:09:54.97 Monitoring Agent Registration Attempt start
2020-04-22 09:09:54.971 Tenant Certificate successfully written to location: C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\tenant.cert, byte[] length = 3621 bytes, written file length = 3621 bytes
2020-04-22 09:09:54.971 Start Command: C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\Monitor\Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe sourcePath="C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\tenant.cert" version="1.5.22.0"
2020-04-22 09:10:06.14 Monitoring Agent Registration Attempt process exited, ExitCode = 1
2020-04-22 09:10:06.141 Monitoring Agent Registration Attempt end, ExitCode = 1, Result = Fail
2020-04-22 09:10:06.148 Attempt Failed. Exception: System.InvalidOperationException: Failed configuring Monitoring Service using command: C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\Monitor\Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe sourcePath="C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\tenant.cert" version="1.5.22.0"
at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.RegisterADHealthAgent.<>c__DisplayClass78_0.<StoreMonitoringServiceCertificateAndConfig>b__0()
at Microsoft.Practices.EnterpriseLibrary.TransientFaultHandling.RetryPolicy.<>c__DisplayClass1.<ExecuteAction>b__0()
at Microsoft.Practices.EnterpriseLibrary.TransientFaultHandling.RetryPolicy.ExecuteAction[TResult](Func`1 func)

This copying of the cert file and registering of the service repeats a couple of times without success. A bit further you can read:

Agent.Main;Client activation failed:The remote server returned an error: (403) Forbidden.
System.Net.WebException: The remote server returned an error: (403) Forbidden.

And I’m running out of ideas on how I must fix this.
If you need more information, I can re-register again and send you the log.

Thanks!
Rob

amanpreetsingh-msft answered:

@RobvandenBroek-8832 Thank you for sharing the information. Please try the steps below:

  1. Run the Test-AzureADConnectHealthConnectivity -Role Sync command to see if you are successfully able to connect to the required endpoints.

  2. Run the command below and see whether you are getting HTTP 403 Forbidden or not, as per the screenshot:
    (screenshot: capture.jpg)

  3. If you are using a proxy to connect to the internet, set the proxy using the Set-AzureAdConnectHealthProxySettings -HttpsProxyAddress address:port cmdlet.

  4. If you still face the same issue, update the C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config file with the parameters below:
    (screenshot: capture2.jpg)

  5. Since you are using ADFS, I would suggest you validate these TLS/SSL certificate requirements: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites#tlsssl-certificate-requirements.

Also, I would suggest you post it as a separate question as well. That way it will have more visibility and others can help you if they have faced a similar issue. At this time, it appears as an answer to the main question and others may ignore it.



Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.


@amanpreetsingh-msft. I did make a separate post, but this is still waiting for approval.

(screenshots: test-azure.jpg, webrequest.jpg)

Steps 3 and 4
We are not using any proxy. This server can directly (firewall) connect to the internet. So I guess there is no need to test this.

Step 5
I did have a look with a colleague at the suggested URL and we do have the required certificates installed.

Thanks!

RobvandenBroek-8832 answered:

Dear @amanpreetsingh-msft,

Thanks for all the information so far. At this moment we are not clear on how to solve our problem. We did have a look at the other topic regarding the registration of the health service. We can't think of anything we did wrong so far. Maybe there are problems with our new server. What I want to do now is to start all over again with a new server (virtual in our case). I would like to take down the newly created Azure AD Connect server. But I’m a bit afraid it will create problems during these steps. So I want to do it in the right way.
We’re still using the other Azure AD Connect server. This still works fine for now. I want to get rid of the newly created one to start all over again. This server is still in staging mode. What I want to do is to run uninstall from the Azure AD Connect software on the server, then delete the synchronization account from Azure AD. Then there still is a non-working Azure Health Agent. Can I delete this from the Azure site, by just clicking delete? Or will this be deleted during the uninstall?
Keep in mind, this is a production environment and people still need to continue their work. Is there any risk in removing this Azure AD Connect server (still in staging mode) with its health agent? I’m a bit afraid that after the uninstallation of the Azure AD Connect server, Azure thinks we don’t have any sync server left.
After this deletion I will start the installation all over again, and will use all your suggestions in this topic.


Uninstalling AD Connect from the new server should remove it from Azure portal as well. As long as you are not removing production server, there shouldn't be any production impact. A separate entry for every AD Connect server is maintained in Azure. So removing the new server shouldn't impact the production server.

RobvandenBroek-8832 answered:

I would also like to add some information about the configuration of the Azure AD Connect server. Because I did not configure anything yet, I looked at the configuration. Federation configuration shows an SSL certificate with an old date... This certificate was already replaced on the ADFS server.
What will be updated when I press the Update Settings button? I don't want to change anything on the ADFS servers. These are still production servers.

(screenshot: federat-config.jpg)

I am not sure what will happen with Update settings here; maybe you will get an option to update the SSL certificate as per the steps here: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-ssl-update, but the options on the left side are not matching. Could be due to the version difference.

RobvandenBroek-8832 answered:

@amanpreetsingh-msft,

Thanks for all the information! I still have too many questions to continue without any risk. That’s why I decided to create a test environment to test all the things before I make any changes to production. I think this is the only way to keep the risk as low as possible. If I have some new questions, I will make a new topic.
I will use this topic to see how I can test. Thanks again!

RobvandenBroek-8832 answered:

@amanpreetsingh-msft,


I made a small test environment and did some Azure AD Connect installations to see how this will interfere with our production environment and to learn a lot about this sync service. I installed a second sync server in the test environment and switched to the other server without any problem.

After this I started with a new server in production and installed the latest version in staging mode. The health agent is registered correctly. The existing production ADFS servers are now updated (managed) by this new sync server. So this is a major improvement when I compare this with the first attempt.

After everything was up and running I used csexport with the /f:x option to create an export.xml and used the CSExportAnalyzer to create a csv file, just like you suggested. I ended up with 2 files with 1433 records all together. In this file I can find every user, contact, device and group of my organization. They all have ‘UPDATE’ as operation. No ADD and no DELETE. So I guess no records will be deleted, but every record will be updated.

How do I know if I want these changes (updates)? What I think is that, because we make a major jump in the version, a lot of things have changed and that’s why the records need to be updated. What I can find in the synchronization service are changes like below.

(screenshot: pending-export-example.jpg)

Do you understand what's happening here and can you explain it to me? Can I now switch to this new server and put the other server in staging mode? Or do I need to check that everything is OK before I make the switch?


Thanks!
Rob
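As an added example (not from the thread and not Microsoft's CSAnalyzer script), here is a PowerShell helper that summarises the export.csv produced by the csexport / CSExportAnalyzer steps from the accepted answer, counting ADD/UPDATE/DELETE operations and flagging pending deletes before a staging server is switched to active. The name of the column holding the operation is an assumption passed in as a parameter, because this thread does not quote CSExportAnalyzer's CSV headers, and the sample CSV is constructed.

```powershell
# Added example: review a staging server's pending exports before switching it
# out of staging mode. Generate the real input on the sync server first, as in
# the answer above (connector name is a placeholder for your own):
#   cd "%ProgramFiles%\Microsoft Azure AD Sync\bin"
#   csexport "contoso.com - AAD" %temp%\export.xml /f:x
#   CSExportAnalyzer %temp%\export.xml > %temp%\export.csv

function Get-PendingExportSummary {
    param(
        [Parameter(Mandatory)] [string] $CsvPath,
        # ASSUMPTION: header of the column that holds ADD / UPDATE / DELETE.
        # Check the first line of your export.csv and adjust if it differs.
        [string] $OperationColumn = 'Operation',
        # How many pending deletes you are willing to accept before switching.
        [int]    $MaxDeletes      = 0
    )

    $rows = @(Import-Csv -Path $CsvPath)
    if ($rows.Count -eq 0) {
        throw "No pending exports in $CsvPath (an empty <cs-objects/> usually means no full sync has run yet)"
    }
    $headers = $rows[0].PSObject.Properties.Name
    if ($headers -notcontains $OperationColumn) {
        throw "Column '$OperationColumn' not found; available columns: $($headers -join ', ')"
    }

    $counts = @{ ADD = 0; UPDATE = 0; DELETE = 0; OTHER = 0 }
    foreach ($row in $rows) {
        $op = ("$($row.$OperationColumn)").Trim().ToUpperInvariant()
        if ($counts.ContainsKey($op)) { $counts[$op]++ } else { $counts['OTHER']++ }
    }

    [pscustomobject]@{
        Total        = $rows.Count
        Add          = $counts['ADD']
        Update       = $counts['UPDATE']
        Delete       = $counts['DELETE']
        Other        = $counts['OTHER']
        # Deletes are the change that can empty a tenant; everything else can
        # still be previewed object by object in Synchronization Service Manager.
        SafeToSwitch = ($counts['DELETE'] -le $MaxDeletes)
    }
}

# Constructed sample standing in for %temp%\export.csv (not real tenant data).
$sample = @'
Operation,ObjectType,DN
UPDATE,user,CN=alice,OU=Users,DC=contoso,DC=com
UPDATE,group,CN=sales,OU=Groups,DC=contoso,DC=com
DELETE,user,CN=bob,OU=Users,DC=contoso,DC=com
'@
$csv = Join-Path $env:TEMP 'export-sample.csv'
Set-Content -Path $csv -Value $sample

$summary = Get-PendingExportSummary -CsvPath $csv -OperationColumn 'Operation'
$summary | Format-List
if (-not $summary.SafeToSwitch) {
    Write-Warning "Pending DELETE operations found; review them in Synchronization Service before leaving staging mode."
}
```

On the thread's own result (1433 rows, all UPDATE, no ADD or DELETE) the function reports SafeToSwitch as True, which matches the reviewer's advice to preview a few accounts and then switch.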

@RobvandenBroek-8832 You can pick a few accounts to see what is being updated on those accounts and follow the steps here to generate a preview one by one. In the preview, you can see the old value and new value which you can check to know what update is being sent. If the updates look good, you can make the switch.



@amanpreetsingh-msft,


Here is an example of a user. It looks like a field was added, if I interpreted this correctly. This must be a change added by Microsoft, I guess?

(screenshots: example1.jpg, example2.jpg)




You need to compare this rule "Out to AAD - User..... " with the old server. This change doesn't seem to be added by Microsoft.
