skip to Main Content

Upgrade Azure AD Connect to V2.0

We have Azure AD Connect V1 running in the organization. We like to upgrade from Azure AD Connect V1 to Azure AD Connect V2. We recommend you follow the article Upgrade Azure AD Connect when upgrading to the latest version. This time, the update from Azure AD Connect V1.x to V2.x is slightly different, and hence we created a new article about it.

Introduction

Microsoft released Azure AD Connect V2.0 (2.0.3.0) on July 20, 2021. In the Azure AD Connect changelog, we can see that they released a couple of newer builds with bug fixes. At the moment of writing, Azure AD Connect is on version 2.0.25.1.

Note: Upgrade Azure AD Connect to V2.0 before January 2022. Otherwise, several components will go out of support.

Next year several of the components in your current Azure AD Connect server installations will go out of support. If you use unsupported products, it will be harder for the Microsoft support team to provide you with the support experience your organization requires. So we recommend all customers to upgrade to this newer version as soon as they can.

Before we upgrade Azure AD Connect to V2, let’s have a look at the changes.

Read more: Install and configure Azure AD Connect »

Azure AD Connect V2.0 major changes

These are the new significant changes in Azure AD Connect V2.0:

  • SQL Server 2019 LocalDB
  • MSAL authentication library
  • Visual C++ Redist 14
  • TLS 1.2
  • All binaries signed with SHA2
  • Windows Server 2012 and Windows Server 2012 R2 are no longer supported
  • PowerShell 5.0

Read the official Azure AD Connect V2.0 documentation.

Do you have Azure AD Connect V1 running on a Windows Server 2012/R2? Then export the settings and migrate Azure AD Connect to Windows Server 2016/2019/2022.

Enable TLS 1.2 on Azure AD Connect server

Before we download and run the upgrade to Azure AD Connect V2.0, we must enable TLS 1.2 on the Azure AD Connect server. If we don’t do that and run the Azure AD Connect setup file, we will get the Incorrect version of TLS message.

Incorrect version of TLS
TLS 1.2 is not configured on this server.

This installation requires TLS 1.2, but it was not enabled on the server. Please refer to this document to learn more about the steps you need to take to enable TLS 1.2 on your server. After configuring TLS 1.2, please run the AADConnect Wizard to continue with installation and configuration.

Upgrade Azure AD Connect to V2.0 incorrect version of TLS - TLS 1.2 is not configured on this server

Run PowerShell ISE as administrator on the server which has Azure AD Connect installed. Download Enable-TLS1.2.ps1 PowerShell script and run it from PowerShell. Another way is to copy the below PowerShell script.

New-Item 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -name 'SystemDefaultTlsVersions' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -name 'SchUseStrongCrypto' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -name 'SystemDefaultTlsVersions' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -name 'SchUseStrongCrypto' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.2 has been enabled.'

Paste the script in PowerShell ISE and run the script.

Enable TLS 1.2 PowerShell script

After you run the script, you must restart the Windows Server for the changes to take effect.

Download Azure AD Connect v2.0

Download the latest Azure AD Connect version by going to the Microsoft Download Center. At the moment, the latest version is Azure AD Connect 2.0.25.1.

Download Microsoft Azure Active Directory Connect

Place the AzureADConnect.msi file in C:\install.

AzureADConnect.msi

Upgrade Azure AD Connect to V2.0

Double-click the AzureADConnect.msi file, and let the setup extract the files.

Upgrade AAD Connect

The screen will show that an older version of Azure AD Connect is installed and will be upgraded.

  • During the Azure AD Connect upgrade, the synchronization will be stopped.
  • After Azure AD Connect upgrade, full sync will occur between AD and Azure AD.

If you have more than 50.000 AD objects, you might want to run the update after working hours or on the weekend, as it can take a couple of hours or more to finish syncing.

Click Upgrade.

Upgrade Azure AD Connect to V2.0 upgrade main screen

The setup is upgrading the synchronization engine.

Upgrade Azure AD Connect to V2.0 upgrading the synchronization engine

Connect to Azure AD

With Azure AD Connect V1, we do enter our Azure AD global administrator account. In Azure AD Connect V2, we can use a user account with the user role Hybrid Identity Administrator. We no longer need the Global Administrator role for this.

We recommend using an account with the least privileges. So, we will create a service account for the Hybrid Identity Administrator and use that from now on.

Read the Microsoft documentation about the Azure AD built-in roles.

Create hybrid identity administrator account

Sign in to the Azure AD portal. Navigate to Azure Active Directory > Roles and administrators. Search for the role Hybrid identity administrator. Assign the service account to the role.

In our example, it’s the user account svc-aadconnect.

Hybrid identity administrator assign Azure AD account

Enter your Azure AD global administrator credentials or the hybrid identity administrator credentials. Click on Next.

Upgrade Azure AD Connect to V2.0 enter global administrator credentials

Configure

Check the checkbox Start the synchronization process when configuration completes. Click Upgrade.

Upgrade Azure AD Connect to V2.0 upgrade

Wait for the Azure AD Connect upgrade to finish.

Upgrade Azure AD Connect to V2.0 installing Azure AD Connect Health agent for sync

Configuration is complete. The upgrade from Azure Active Directory Sync has finished successfully. Click Exit.

Upgrade Azure AD Connect to V2.0 complete

Verify Azure AD Connect version

Verify that Azure AD Connect V2 is successfully installed.

Start Azure Active Directory Synchronization Service from the programs menu. Click in the menu bar on Help > About. In our example, Azure AD Connect version 2.0.25.1 shows up.

Upgrade Azure AD Connect to V2.0 verify version

Another way is to check the Azure AD Connect version with PowerShell.

Run Windows PowerShell as administrator. First, import the ADsync module with Import-Module ADsync cmdlet. After that, run Get-ADSyncGlobalSettings cmdlet.

PS C:\> Import-Module ADSync
PS C:\> (Get-ADSyncGlobalSettingsParameter | Where-Object { $_.Name -eq 'Microsoft.Synchronize.ServerConfigurationVersion'}).Value
2.0.25.1

That’s it!

Keep reading: Move Azure AD Connect to new tenant »

Conclusion

We showed how to upgrade Azure AD Connect to V2.0. It’s essential to upgrade Azure AD Connect to the latest version and keep up with the latest changes and fixes. If you have more than 50.000 AD objects, it’s better to run the upgrade after working hours as it will take some time. Lastly, verify that the synchronization works without any errors and that you did install the latest Azure AD Connect version successfully.

Did you enjoy this article? You may also like Enable modern authentication in Office 365 admin center. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *