AAD connect Swing migration

Werner David 21 Reputation points
2021-11-17T15:54:10.093+00:00

Hi Everyone,
My current AAD Connect:

  • Version 1.2.67.0
  • Windows 2012 R2
  • External SQL 2012 db

It is not possible to upgrade this to the newest version as the server OS doesn't support it.
What I would like to do is the following:

  • Install a Windows Server 2019
  • Create a new SQL Server for the ADSync database. Assign required permissions. I think I need a new DB as I tried to use the existing DB but due to so many changes in AAD Connect, the database wasn't able to accommodate all of the new fields.
  • Create gMSA account for AD synchronization

  • Document current Azure AD Connect Production configuration
  • Export current AADConnect Production configuration (use MigrateSettings.ps1)
  • Copy exported AADConnect config to 'Staging' Server
  • Download newest version of AADConnect to 'Staging' Server (version 2.0.28.1)

'Staging' server installation

  • Select Custom Installation
  • Required Components:
    • Use an existing SQL Server (use newly created ADSync db)
    • Use an existing service account (use gMSA account)
    • Import synchronization settings (from export of 'Active' Server)
    • User sign-in (Do not configure - same as 'Active' Server)
  • Connect Directories
    • For AD forest account, I will use my existing AD account which is configured on the 'Active' server since it has the permissions required in AD
  • Rest of the settings
    • Here I will select the same settings as my current 'Active' server has.

My questions are:

I am confused as to which accounts require permissions in Active Directory for synchronization between AD and Azure. Is it the AD forest account or the synchronization account which starts the service?

If it is the synchronization account, then do I have to manually modify the security permissions on my AD, or is it done by the installation?

Does it make sense to Import synchronization settings from the 'Active' server to the new 'Staging' server when it has a new database? Or is it simply easier to export the synchronization rules and change the connector and import them into the new configuration?

I tried using the same Database (SQL 2012) but wasn't able to enable synchronization on the 'Staging' server due to errors in the database.

I am trying to find a way to install a new server with the latest AAD connect version and have it replace my 'Active' server. My major concern is if I can re-use accounts from my 'Active' server.

Any help or tips are welcome!


Accepted answer
    Siva-kumar-selvaraj 15,721 Reputation points
    2021-11-18T09:30:52.26+00:00

    Hello @Werner David ,

    Thanks for reaching out.

    The AD DS Connector account (AD forest account) is used for synchronization between AD and Azure rather than the synchronization service account, so you must ensure you have the correct permissions configured when using the custom installation wizard, depending on the features you enable, which can be found in the following guidance.

    [image: 150497-image.png]

    Alternatively, you may configure AD DS Connector account permissions using the PowerShell module named ADSyncConfig.psm1, which was introduced with version 1.1.880.0 (released in August 2018).

    The installation wizard grants all permissions required for the synchronization service account by default, so you may use any account that is an administrator of the local server to set up the Azure AD Connect wizard. If you're using a full SQL Server, the account must also have the SQL role of System Administrator (SA).

    To learn more, refer to Azure AD Connect: Accounts and permissions.

    If you're confident in your Azure AD Connect configuration settings, you may simply export and import the synchronization rules on the new server, or you can import and export the whole setup as described in this guidance.

    Hope this helps.

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

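The accepted answer points to the ADSyncConfig.psm1 module for granting the AD DS Connector account its Active Directory permissions. The following PowerShell is an added example, not code from this thread or from Microsoft's documentation: it grants only the permissions matching the features the question enables (basic read, msDS-ConsistencyGuid, password hash sync), scopes them to a synchronization OU, locks down the connector account object, and then verifies the result. The account name, domain and OU distinguished name are placeholders, the module path is the default Azure AD Connect install location, and the script assumes the ActiveDirectory RSAT module is available on the 'Staging' server for Get-ADUser and the AD: drive.

```powershell
# Added example (not from the original thread): least-privilege grants for the
# AD DS Connector account with the ADSyncConfig.psm1 module, run on the new
# 'Staging' Azure AD Connect server with an account allowed to modify ACLs.
# Every name below is a placeholder, not a value taken from the thread.

$moduleDir = "$env:ProgramFiles\Microsoft Azure Active Directory Connect\AdSyncConfig"
Import-Module (Join-Path $moduleDir 'AdSyncConfig.psm1')

# Placeholders: replace with your own connector account, domain and sync scope.
$connectorAccount = 'MSOL_staging_placeholder'                 # sAMAccountName of the AD DS Connector account
$connectorDomain  = 'corp.example.com'                         # FQDN of the domain being synchronized
$syncScopeOu      = 'OU=SyncScope,DC=corp,DC=example,DC=com'   # grant only on the OUs that are actually synced

# 1. Dry run: -WhatIf lists the ACEs that would be written without changing anything.
Set-ADSyncBasicReadPermissions -ADConnectorAccountName $connectorAccount `
    -ADConnectorAccountDomain $connectorDomain -ADobjectDN $syncScopeOu -WhatIf

# 2. Grant only what the wizard features selected in the thread require.
#    Basic read is always needed; msDS-ConsistencyGuid (source anchor) and
#    Password Hash Sync match the 'same settings as the Active server' choice.
Set-ADSyncBasicReadPermissions -ADConnectorAccountName $connectorAccount `
    -ADConnectorAccountDomain $connectorDomain -ADobjectDN $syncScopeOu
Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountName $connectorAccount `
    -ADConnectorAccountDomain $connectorDomain -ADobjectDN $syncScopeOu
# Password Hash Sync needs replication rights at the domain root, so no -ADobjectDN here.
Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountName $connectorAccount `
    -ADConnectorAccountDomain $connectorDomain

# Features the thread does not enable (password writeback, Exchange hybrid,
# group writeback) have their own Set-ADSync*Permissions cmdlets in the same
# module; grant them only when the corresponding wizard option is turned on.

# 3. Harden the connector account object itself: disable ACL inheritance and
#    remove permissions other than SELF and the configured administrators, so a
#    delegated OU administrator cannot reset this high-value account's password.
$connectorDn = (Get-ADUser -Identity $connectorAccount -Server $connectorDomain).DistinguishedName
Set-ADSyncRestrictedPermissions -ADConnectorAccountDN $connectorDn `
    -Credential (Get-Credential -Message 'Domain Admin credentials for ACL change')

# 4. Verify. First the module's own view of the scoped OU ACL, then a direct
#    check that the connector account holds ACEs there and that inheritance is
#    now protected on the account object (expected: True after step 3).
Show-ADSyncADObjectPermissions -ADobjectDN $syncScopeOu

$ouAcl = Get-Acl -Path "AD:\$syncScopeOu"
$ouAcl.Access |
    Where-Object { $_.IdentityReference -like "*\$connectorAccount" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize

(Get-Acl -Path "AD:\$connectorDn").AreAccessRulesProtected
```

Running the -WhatIf call first and keeping the grants scoped to the synced OU is what turns the wizard's default permission set into a reviewable, least-privilege one; the final Get-Acl checks give you something to record in the migration documentation the question's first step calls for.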
