Upgrade and understanding Azure AD Connect

Rob van den Broek 96 Reputation points
2020-04-15T07:21:52.84+00:00

At the moment I want to upgrade an (old and corrupt) AAD Connect server, version 1.1.380.0, to 1.5.18.0. Because of the huge version difference, Microsoft suggests doing a swing upgrade: install a new server with AAD Connect in staging mode, compare the settings and switch the servers when OK.
First of all, the new Connect setup wants to configure our ADFS servers. Because this is an operational environment, I don't want to do this at this stage. So I chose to run the setup again on the new server, chose a different setup option (do not configure) and did not configure the ADFS server.
Besides some error regarding the health agent installation, the new server was installed and a new synchronization account was created in Azure AD. After this step I compared the two setups (documenter) to see the differences between the servers. But there are too many new settings and I do not know if I need them and how to configure them. So there is no way I want to use this server right away. I need more information first and need to understand the sync process.
I now have 2 servers: 1 operational and one in staging mode, with a major version difference.

  • Is there a way I can configure this new machine so that it only synchronizes one domain or one group of objects? This is to prevent changes to already synchronized objects, so it will not delete or corrupt the objects of the other server.
  • I want to end up with a situation where I can test this new server without making changes to any other objects. So, is there a way to set up a test environment?
  • How do you implement a new version? How do you test?
  • What happens to objects when you switch one server to active and the other to staging, and vice versa?

So I want to understand the process so that I do not synchronize a wrongly configured AAD Connect server and end up with an empty Azure AD.
Any information on how you would implement this new version would be nice.
Thanks!

Microsoft Entra ID

9 answers

  1. Rob van den Broek 96 Reputation points
    2020-05-06T10:52:33.227+00:00

    Dear @AmanpreetSingh-MSFT ,

    Thanks for all the information so far. At this moment we are not clear on how to solve our problem. We did have a look at the other topic regarding the registration of the health service. We can't think of anything we did wrong so far. Maybe there are problems with our new server. What I want to do now is to start all over again with a new server (virtual in our case). I would like to take down the newly created Azure AD Connect server. But I'm a bit afraid it will create problems during these steps. So I want to do it in the right way.
    We're still using the other Azure AD Connect server. This still works fine for now. I want to get rid of the newly created one to start all over again. This server is still in staging mode. What I want to do is run the uninstall from the Azure AD Connect software on the server and delete the synchronization account from Azure AD. Then there is still a non-working Azure AD Connect Health agent. Can I delete this from the Azure side, by just clicking delete? Or will this be deleted during the uninstall?
    Keep in mind, this is a production environment and people still need to continue their work. Is there any risk in removing this Azure AD Connect server (still in staging mode) with its health agent? I'm a bit afraid that after the uninstallation of the Azure AD Connect server, Azure will think we don't have any sync server left.
    After this deletion I will start the installation all over again, and will use all your suggestions from this topic.


  2. Rob van den Broek 96 Reputation points
    2020-05-06T14:16:41.407+00:00

    I would also like to add some information about the configuration of the Azure AD Connect server. Because I have not configured anything yet, I looked at the configuration. The federation configuration shows an SSL certificate with an old date... This certificate was already replaced on the ADFS server.
    What will be updated when I press the Update Settings button? I don't want to change anything on the ADFS servers. These are still production servers.

    [image: federation configuration screenshot, 7830-federat-config.jpg]


  3. Rob van den Broek 96 Reputation points
    2020-05-11T09:03:44.9+00:00

    @AmanpreetSingh-MSFT ,

    Thanks for all the information! I still have too many questions to continue without any risk. That's why I decided to create a test environment to test everything before I make any changes to production. I think this is the only way to keep the risk as low as possible. If I have new questions, I will make a new topic.
    I will use this topic to see how I can test. Thanks again!


  4. Rob van den Broek 96 Reputation points
    2020-06-22T07:56:50.987+00:00

    @amanpreetsingh-msft,

    I made a small test environment and did some Azure AD Connect installations to see how this would interfere with our production environment and to learn a lot about this sync service. I installed a second sync server in the test environment and switched to the other server without any problem.

    After this I started with a new server in production and installed the latest version in staging mode. The health agent is registered correctly. The existing production ADFS servers are now updated (managed) by this new sync server. So this is a major improvement compared with the first attempt.

    After everything was up and running I used csexport with the /f:x option to create an export.xml and used CSExportAnalyzer to create a csv file, just like you suggested. I ended up with 2 files with 1433 records all together. In these files I can find every user, contact, device and group of my organization. They all have 'UPDATE' as the operation. No ADD and no DELETE. So I guess no records will be deleted. But every record will be updated.

    How do I know if I want these changes (updates)? What I think is that, because we make a major jump in the version, a lot of things have changed and that's why the records need to be updated. What I can find in the Synchronization Service are changes like the ones below.

    [image: pending export example, 10446-pending-export-example.jpg]

    Do you understand what's happening here and can you explain it to me? Can I now switch to this new server and put the other server in staging mode? Or do I need to check that everything is OK before I make the switch?

    Thanks!
    Rob
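
The check the question and the last post are circling around (is this staging server safe to make active, and will it ever mass-delete anything?) can be scripted. The following PowerShell is an added example and not code from the thread or from Microsoft; it is run on the staging-mode server itself. It assumes the default install path under Program Files, that the Azure AD connector is the single connector of type Extensible2 whose name ends in "AAD" (the usual "tenant.onmicrosoft.com - AAD"), and that CSExportAnalyzer writes a header row containing an operation column, which the script locates at run time rather than hard-coding. Everything is read-only except the commented-out deletion-threshold line.

```powershell
# Added example (not from the original thread). Summarises the pending exports of a
# staging-mode Azure AD Connect server before it is switched to active, and shows the
# export deletion threshold that guards against a runaway delete.
# Assumptions: default install path, one Azure AD (Extensible2) connector whose name
# ends in "AAD", and an operation column in the CSExportAnalyzer output.
# Run in an elevated PowerShell on the staging server.

Import-Module ADSync

$bin  = 'C:\Program Files\Microsoft Azure AD Sync\Bin'   # default install path (assumed)
$work = Join-Path $env:TEMP 'aadc-staging-check'
New-Item -ItemType Directory -Force -Path $work | Out-Null

# 1. Refuse to run on a server that is not in staging mode: on an active server an
#    export would already be flowing to Azure AD.
$sched = Get-ADSyncScheduler
if (-not $sched.StagingModeEnabled) {
    throw 'This server is NOT in staging mode; refusing to continue.'
}
"Staging mode: $($sched.StagingModeEnabled); sync cycle enabled: $($sched.SyncCycleEnabled)"

# 2. Look up the Azure AD connector name (the csexport argument) instead of typing it.
$aadConnector = Get-ADSyncConnector |
    Where-Object { $_.ConnectorTypeName -eq 'Extensible2' -and $_.Name -like '*AAD' } |
    Select-Object -First 1
if (-not $aadConnector) { throw 'No Azure AD connector found (assumed name pattern *AAD).' }

# 3. Dump the pending exports (/f:x) and flatten them to CSV, as done in the thread.
$xml = Join-Path $work 'export.xml'
$csv = Join-Path $work 'export.csv'
& "$bin\csexport.exe" $aadConnector.Name $xml /f:x | Out-Null
& "$bin\CSExportAnalyzer.exe" $xml | Out-File -FilePath $csv -Encoding utf8

# 4. Count operations. The exact header text is an assumption, so pick the first
#    column whose name contains "operation".
$rows = Import-Csv $csv
if (-not $rows) { throw "No pending exports found in $csv" }
$opCol = $rows[0].PSObject.Properties.Name |
    Where-Object { $_ -match 'operation' } | Select-Object -First 1
if (-not $opCol) { throw "Could not find an operation column in $csv" }
$summary = $rows | Group-Object -Property $opCol | Select-Object Name, Count
$summary | Format-Table -AutoSize

# 5. Deletes are the change you cannot undo cheaply: list them, then show the
#    deletion threshold that would stop an export exceeding it.
$deletes = @($rows | Where-Object { $_.$opCol -match '^DELETE' })
"Pending deletes: $($deletes.Count)"
$deletes | Select-Object -First 20 | Format-Table -AutoSize
Get-ADSyncExportDeletionThreshold

# Only write in this script, left commented out: set an explicit limit so that a
# misconfigured server cannot export more than N deletes in one run.
# Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500
```

A result like the one in the post above (only UPDATE rows, zero DELETE rows) means switching this server to active will rewrite attributes but not remove objects; the UPDATE rows still deserve a sample review in the Synchronization Service Manager to see which attributes differ. The threshold check is the safety net for the scenario feared in the question: with the threshold enabled, an export that would delete more objects than the limit stops with an error instead of emptying the tenant.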