Migrate Azure AD Connect to new server
How to migrate Azure AD Connect to a new server? You have Azure AD Connect V1 running, and you want to upgrade to Azure AD Connect V2. However, Azure AD Connect V2 requires Windows Server 2016 or higher. This article will show how to move Azure AD Connect to another server.
Table of contents
- Introduction
- Why move Azure AD Connect to new server?
- Azure AD Connect V2.0 major changes
- Old Azure AD Connect server
- New Azure AD Connect server
- Enable TLS 1.2 on Azure AD Connect server
- Download Azure AD Connect V2
- Install Azure AD Connect V2
- Import synchronization settings
- User sign-in settings
- Create hybrid identity administrator account
- Connect to Azure AD
- Connect directories
- Ready to configure
- Verify Azure AD Connect version
- Verify Azure AD Connect synchronization
- Enable staging mode on old server
- Disable staging mode on new server
- Check Azure AD Connect synchronization
- Uninstall Azure AD Connect
- Conclusion
Introduction
Are you new to Azure AD Connect? Learn more on how to install and configure Azure AD Connect. It’s good to make yourself familiar with Azure AD Connect before you migrate Azure AD Connect to another server.
The following Windows Server releases support Azure AD Connect V2:
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
Note: Azure AD Connect V2 requires Windows Server 2016 or higher. You must migrate Azure AD Connect to a new server if running an older Windows Server version.
Do you already have Azure AD Connect V1 installed on Windows Server 2016 or higher and want to upgrade? Or do you already have Azure AD Connect V2 running and want to upgrade to the latest version for new features and bug fixes? Read the articles:
Note: Upgrade Azure AD Connect to V2.0 before August 31, 2022. Otherwise, several components will go out of support.
In our example, Azure AD Connect V1 is running on Windows Server 2012 R2. Because an in-place upgrade to Azure AD Connect V2 is not possible (it requires Windows Server 2016 or higher), we must migrate Azure AD Connect to another server. It can be a new server or an existing server.
In our scenario, this is how the setup looks:
- DC01-2019: Windows Server 2019 (Domain Controller)
- AAD01-2012: Windows Server 2012 (Old Azure AD Connect server)
- AAD02-2019: Windows Server 2019 (New Azure AD Connect server)
Why move Azure AD Connect to new server?
There are different reasons why you need to migrate Azure AD Connect server to a new server:
- Azure AD Connect V2 supports Server 2016 and higher
- Azure AD Connect server fails to start
- Decommission old Windows Servers
Azure AD Connect V2.0 major changes
These are the new significant changes in Azure AD Connect V2.0:
- SQL Server 2019 LocalDB
- MSAL authentication library
- Visual C++ Redist 14
- TLS 1.2
- All binaries signed with SHA2
- Windows Server 2012 and Windows Server 2012 R2 are no longer supported
- PowerShell 5.0
Read the official Azure AD Connect V2.0 documentation.
Old Azure AD Connect server
Sign in to the old Azure AD Connect server. Go through the steps to check a couple of Azure AD Connect settings and write them down. Also, you need to export the Azure AD configuration.
In our example, it’s the server name AAD01-2012.
Check Azure AD Connect version
Start Azure Active Directory Synchronization Service from the programs menu. Click in the menu bar on Help > About. Azure AD Connect version 1.6.16.0 shows up.
Export Azure AD Connect configuration
Before you migrate Azure AD Connect to another server, you must create an Azure AD Connect export configuration.
Start Microsoft Azure Active Directory Connect from the programs menu. Click on Configure.
Click View or export current configuration. Click Next.
Click Export Settings.
Save the .json file in the C:\temp folder of the new Windows Server that you will install Azure AD Connect on.
In our example, the new Windows Server is AAD02-2019.
Check Azure AD Connect user sign-in settings
Go back to the Additional tasks. Click on Change user sign-in. Click Next.
Write down or take a screenshot of the User sign-in settings. You will need to provide these settings in the Azure AD Connect setup wizard on the new Windows Server.
Note: The Azure AD export configuration will not export the User sign-in settings. Write the settings down.
New Azure AD Connect server
Sign in to the Windows Server that you will install Azure AD Connect on. Go through the steps to import the Azure AD configuration settings and install Azure AD Connect.
In our example, it’s the server AAD02-2019.
Enable TLS 1.2 on Azure AD Connect server
Before we download and run the upgrade to Azure AD Connect V2.0, we must enable TLS 1.2 on the Azure AD Connect server. If we don’t do that and run the Azure AD Connect setup file, we can get the Incorrect version of TLS message.
Incorrect version of TLS
TLS 1.2 is not configured on this server.
This installation requires TLS 1.2, but it was not enabled on the server. Please refer to this document to learn more about the steps you need to take to enable TLS 1.2 on your server. After configuring TLS 1.2, please run the AADConnect Wizard to continue with installation and configuration.
Run PowerShell ISE as administrator on the new server. Download Enable-TLS1.2.ps1 PowerShell script and run it from PowerShell. Another way is to copy the below PowerShell script.
# .NET Framework 4.x, 32-bit hive (WOW6432Node): let .NET use the OS default TLS versions and strong crypto
New-Item 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value 1 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value 1 -PropertyType 'DWord' -Force | Out-Null
# .NET Framework 4.x, 64-bit hive: same two values
New-Item 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value 1 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value 1 -PropertyType 'DWord' -Force | Out-Null
# SCHANNEL: enable TLS 1.2 for incoming (Server) connections
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled' -Value 1 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWord' -Force | Out-Null
# SCHANNEL: enable TLS 1.2 for outgoing (Client) connections, which is what the setup wizard uses
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -Value 1 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.2 has been enabled.'
Paste the script in PowerShell ISE and run the script.
After running the script, you must restart the Windows Server for the changes to take effect.
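Before you start the installer, it is worth reading the registry values back after the reboot, rather than trusting that the script ran without error. The following check script is an added example and is not part of the original article; the function name Test-Tls12Configuration is my own, while the registry paths and value names are exactly the ones the script above writes.

```powershell
# Added example (not from the original article): confirm that every value the
# Enable-TLS1.2 script writes is present with the expected DWORD value.
# Function name is my own; the paths and names are those used in the script above.
function Test-Tls12Configuration {
    [CmdletBinding()]
    param()

    $net64  = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    $net32  = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    $server = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
    $client = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'

    # Expected values: DisabledByDefault must be 0, everything else 1.
    $expected = @(
        @{ Path = $net64;  Name = 'SystemDefaultTlsVersions'; Value = 1 },
        @{ Path = $net64;  Name = 'SchUseStrongCrypto';       Value = 1 },
        @{ Path = $net32;  Name = 'SystemDefaultTlsVersions'; Value = 1 },
        @{ Path = $net32;  Name = 'SchUseStrongCrypto';       Value = 1 },
        @{ Path = $server; Name = 'Enabled';                  Value = 1 },
        @{ Path = $server; Name = 'DisabledByDefault';        Value = 0 },
        @{ Path = $client; Name = 'Enabled';                  Value = 1 },
        @{ Path = $client; Name = 'DisabledByDefault';        Value = 0 }
    )

    $results = foreach ($e in $expected) {
        # A missing key or value throws with -ErrorAction Stop; report it as "not set".
        $actual = $null
        try {
            $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction Stop).($e.Name)
        } catch { }

        [pscustomobject]@{
            Key      = $e.Path
            Name     = $e.Name
            Expected = $e.Value
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Ok       = ($null -ne $actual -and [int]$actual -eq $e.Value)
        }
    }

    $results | Format-Table -AutoSize

    # Succeed only when every value matches.
    $failed = @($results | Where-Object { -not $_.Ok })
    return ($failed.Count -eq 0)
}

if (Test-Tls12Configuration) {
    Write-Host 'TLS 1.2 is enabled. You can run AzureADConnect.msi.'
} else {
    Write-Warning 'TLS 1.2 is not fully enabled. Run the Enable-TLS1.2 script and restart the server first.'
}
```

Run it in an elevated PowerShell session after the restart. A row showing "(not set)" means the script did not run or ran without administrator rights; a row with a wrong value usually means a GPO or hardening baseline rewrote it after the script ran.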
Download Azure AD Connect V2
Download the latest Azure AD Connect version by going to the Microsoft Download Center. At the moment, the newest version is Azure AD Connect 2.0.28.0.
Save the AzureADConnect.msi file in C:\install folder.
Install Azure AD Connect V2
Double-click the AzureADConnect.msi file, and let the setup extract the files. Agree to the license terms and click Continue.
Click on Customize for a custom install.
Import synchronization settings
Check the checkbox Import synchronization settings. Browse to the exported Azure AD Connect .json file. Click Install.
User sign-in settings
Select the same User sign-in settings configured on the old Azure AD Connect server. In the previous step, you took a screenshot of these settings or wrote them down.
In our example, it’s Password Hash Synchronization. Click Next.
Create hybrid identity administrator account
With Azure AD Connect V1, we enter our Azure AD global administrator account. In Azure AD Connect V2, we can use a user account with the Hybrid Identity Administrator user role. We no longer need the Global Administrator role for this.
We recommend using an account with the least privileges. So, we will create a service account for the Hybrid Identity Administrator and use that from now on.
Read the Microsoft documentation about the Azure AD built-in roles.
Sign in to the Azure AD portal. Navigate to Azure Active Directory > Roles and administrators. Search for the role Hybrid identity administrator. Assign the service account to the role.
In our example, it’s the user account svc-hia.
Connect to Azure AD
Enter your Azure AD global administrator credentials or the hybrid identity administrator credentials. Click on Next.
Connect directories
You can get an error that it can’t connect to Active Directory. Click on Change Credentials.
You can select one of these account options:
- Create new AD account: Azure AD Connect will create an AD DS Connector account (MSOL_xxxxxxxxxx) in AD with all the necessary permissions.
- Use existing AD account: Provide an existing account with the required permissions. Read more on how to create an AD DS Connector account.
Fill in the credentials. Click on OK.
In our example, we will select the option Create new AD account.
The Active Directory is successfully added. Click Next.
Ready to configure
Ensure that you check both checkboxes. Click Install.
Wait for the Azure AD Connect upgrade to finish.
Configuration complete. Azure AD Connect configuration succeeded, and the synchronization process has been initiated. Click Exit.
Verify Azure AD Connect version
Verify that Azure AD Connect V2 is successfully installed.
Start Azure Active Directory Synchronization Service from the programs menu. Click in the menu bar on Help > About. In our example, Azure AD Connect version 2.0.28.0 shows up.
Verify Azure AD Connect synchronization
Verify that the synchronization status shows the status success. It should not show any errors or permissions issues.
Read more: Force sync Azure AD Connect with PowerShell »
Enable staging mode on old server
On the old server, start Microsoft Azure Active Directory Connect. Click on Configure and select Configure staging mode. Click Next.
Fill in the Azure AD global administrator or hybrid identity administrator credentials. Click Next.
Check the checkbox Enable staging mode. Click Next.
Check the checkbox Start the synchronization process when configuration completes. Click configure.
Staging mode is successfully enabled on the old Azure AD Connect server. Click Exit.
Disable staging mode on new server
On the new server, start Microsoft Azure Active Directory Connect. Click on Configure and select Configure staging mode. Click Next.
Fill in the Azure AD global administrator or hybrid identity administrator credentials. Click Next.
Uncheck the checkbox Enable staging mode. Click Next.
Check the checkbox Start the synchronization process when configuration completes. Click configure.
Staging mode is successfully disabled on the new Azure AD Connect server. Click Exit.
Check Azure AD Connect synchronization
Start Azure Active Directory Synchronization Service. Verify that the synchronization status shows as success.
Sign in to the Microsoft 365 admin center. Click on the sync status in the Azure AD Connect tile.
The directory sync status shows the Directory sync client version and Directory sync service account.
Our example is the version Azure AD Connect 2.0.28.0 and sync service account Sync_AAD02-2019.
Read more: Find Azure AD Connect accounts »
If you don’t have the Azure AD Connect tile, you can navigate to Health > Directory sync status.
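The staging-mode switch in the two previous sections is the point where things can go wrong silently: if staging is disabled on both servers, both export changes to Azure AD; if it is enabled on both, nothing is exported at all. The following script is an added example and is not from the original article. It uses the ADSync module that Azure AD Connect installs (Get-ADSyncScheduler is the module's own cmdlet); the function name Test-AADConnectCutover is my own. Run it on each server with the staging state you expect there.

```powershell
# Added example (not from the original article): verify one server's side of the
# cutover with the ADSync module. Function name is my own; Get-ADSyncScheduler and its
# StagingModeEnabled, SyncCycleEnabled and SyncCycleInProgress properties are the module's.
Import-Module ADSync

function Test-AADConnectCutover {
    param(
        # $true on the old server (AAD01-2012 should now be in staging mode),
        # $false on the new server (AAD02-2019 should be the active one).
        [Parameter(Mandatory)][bool]$ExpectStagingMode
    )

    $scheduler = Get-ADSyncScheduler

    $checks = [ordered]@{
        'Staging mode matches expectation' = ($scheduler.StagingModeEnabled -eq $ExpectStagingMode)
        'Sync cycle scheduler is enabled'   = [bool]$scheduler.SyncCycleEnabled
        'No sync cycle currently running'  = (-not $scheduler.SyncCycleInProgress)
    }

    foreach ($check in $checks.GetEnumerator()) {
        $status = if ($check.Value) { 'OK  ' } else { 'FAIL' }
        Write-Host ('[{0}] {1}' -f $status, $check.Key)
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        StagingModeEnabled = $scheduler.StagingModeEnabled
        SyncCycleEnabled   = $scheduler.SyncCycleEnabled
        NextSyncCycleUtc   = $scheduler.NextSyncCycleStartTimeInUTC
        AllChecksPassed    = -not ($checks.Values -contains $false)
    }
}

# On the old server:  Test-AADConnectCutover -ExpectStagingMode $true
# On the new server:
Test-AADConnectCutover -ExpectStagingMode $false
```

Keep the order the article uses: enable staging on the old server first, then disable it on the new one, so there is never a window with two active exporters. If the check on the new server reports staging still enabled, do not run it on the old server with $false to compensate; rerun the Configure staging mode wizard on the new server instead.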
Uninstall Azure AD Connect
The last steps that you want to take care of on the old Azure AD Connect server are:
- Uninstall Azure AD Connect
- Remove old AD DS Connector account
- Remove old Azure AD Connector account
You can also shut down the old Azure AD Connect server for a couple of days just in case or disable the Azure AD Connect services. Then, after everything works as you expect, uninstall Azure AD Connect.
Read more: Uninstall Azure AD Connect »
That’s it!
Conclusion
You learned how to migrate Azure AD Connect to a new server. First, export the Azure AD Connect configuration settings and load the config when installing Azure AD Connect on the new server. Then, verify that you installed the latest Azure AD Connect version successfully and that the synchronization works without any errors. Finally, uninstall Azure AD Connect on the old server and clean up the old service accounts.
Did you enjoy this article? You may also like Configure Azure AD Password Protection for on-premises. Don’t forget to follow us and share this article.
Great How-To – Thanks. Just what I was looking for.
Thank you. Very useful.
Thank you for taking the time to provide this. Useful guide.
I've just migrated my AD Connect to another server. Sync appears to be working ok since the switch. If I encounter any problems can I simply disable new server and re-enable old one?
Cheers
You’re welcome.
Yes, that’s how it works. You enable staging on the new server and disable staging on the old server.
Hybrid Identity Administrator doesn’t work with pass-through authentication.
Thanks for your guidance. Do you have step-by-step notes on how to use the AADConnectConfigDocumenter tool (https://github.com/Microsoft/AADConnectConfigDocumenter) from Microsoft? From GitHub it's a bit difficult to understand.