
Upgrade Azure AD Connect to V2.x

We have Azure AD Connect V1 running in the organization and want to upgrade it to Azure AD Connect V2. For routine updates, we recommend following the article Upgrade Azure AD Connect to the latest version. The update from Azure AD Connect V1.x to V2.x is slightly different (new prerequisites and a new set of components), so we created a separate article for it.

Introduction

Microsoft released Azure AD Connect V2.0 (2.0.3.0) on July 20, 2021. In the Azure AD Connect changelog, we can see that they released a couple of newer builds with bug fixes. At the moment of writing, Azure AD Connect is on version 2.0.25.1.

Note: Upgrade Azure AD Connect to V2.x before August 31, 2022. Otherwise, several components will go out of support.

Next year several of the components in your current Azure AD Connect server installation will go out of support. If you run unsupported products, it will be harder for the Microsoft support team to provide the support experience your organization requires. So we recommend that all customers upgrade to this newer version as soon as they can.

Before we upgrade Azure AD Connect to V2, let’s look at the changes.

Read more: Install and configure Azure AD Connect »

Azure AD Connect V2.0 major changes

These are the new significant changes in Azure AD Connect V2.0:

  • SQL Server 2019 LocalDB
  • MSAL authentication library
  • Visual C++ Redist 14
  • TLS 1.2
  • All binaries signed with SHA2
  • Windows Server 2012 and Windows Server 2012 R2 are no longer supported
  • PowerShell 5.0

Read the official Azure AD Connect V2.0 documentation.

Do you have Azure AD Connect V1 running on a Windows Server 2012/R2? Then export the settings and migrate Azure AD Connect to Windows Server 2016/2019/2022.

Read more: Migrate Azure AD Connect to new server »

Enable TLS 1.2 on Azure AD Connect server

Before we download and run the upgrade to Azure AD Connect V2.x, we must enable TLS 1.2 on the Azure AD Connect server. If we don’t do that and run the Azure AD Connect setup file, we will get the Incorrect version of TLS message.

Incorrect version of TLS
TLS 1.2 is not configured on this server.

This installation requires TLS 1.2, but it was not enabled on the server. Please refer to this document to learn more about the steps you need to take to enable TLS 1.2 on your server. After configuring TLS 1.2, please run the AADConnect Wizard to continue with installation and configuration.

Upgrade Azure AD Connect to V2.0 incorrect version of TLS - TLS 1.2 is not configured on this server

Run PowerShell ISE as administrator on the server that has Azure AD Connect installed. Download the Enable-TLS1.2.ps1 PowerShell script and run it from PowerShell, or copy the PowerShell script below. The script sets the .NET Framework and SCHANNEL registry values that the Azure AD Connect V2 setup checks.

# .NET Framework 4.x, 32-bit view: use the OS default TLS versions and strong crypto
If (-Not (Test-Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319')) {
    New-Item 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -PropertyType 'DWord' -Force | Out-Null

# .NET Framework 4.x, 64-bit view: same two values
If (-Not (Test-Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319')) {
    New-Item 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -PropertyType 'DWord' -Force | Out-Null

# SCHANNEL: enable TLS 1.2 for the server side (inbound connections)
If (-Not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server')) {
    New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault' -Value '0' -PropertyType 'DWord' -Force | Out-Null

# SCHANNEL: enable TLS 1.2 for the client side (outbound connections, e.g. to Azure AD)
If (-Not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client')) {
    New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value '0' -PropertyType 'DWord' -Force | Out-Null

# The .NET values are read at process start and SCHANNEL at boot, so a restart is required
Write-Host 'TLS 1.2 has been enabled. You must restart the Windows Server for the changes to take effect.' -ForegroundColor Cyan

Paste the script in PowerShell ISE and run the script.

Enable TLS 1.2 PowerShell script

After running the script, you must restart the Windows Server for the changes to take effect.
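Before you start the setup, it is worth checking that every value the enable script writes is actually in place, for example when the script was run by a colleague or through a GPO. The following check is an added example written for this article, not a script from the original post or from Microsoft. It reads back the same registry keys and values the enable script sets; the function name and the output format are this example's own choice.

```powershell
# Added example: verify the TLS 1.2 registry settings that the Azure AD Connect V2
# setup expects, before launching AzureADConnect.msi. Run in an elevated PowerShell.
function Test-Tls12Configuration {
    [CmdletBinding()]
    param ()

    $net32  = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    $net64  = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    $server = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
    $client = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'

    # Key, value name, and the value the enable script writes.
    $expected = @(
        @{ Path = $net32;  Name = 'SystemDefaultTlsVersions'; Value = 1 },
        @{ Path = $net32;  Name = 'SchUseStrongCrypto';       Value = 1 },
        @{ Path = $net64;  Name = 'SystemDefaultTlsVersions'; Value = 1 },
        @{ Path = $net64;  Name = 'SchUseStrongCrypto';       Value = 1 },
        @{ Path = $server; Name = 'Enabled';                  Value = 1 },
        @{ Path = $server; Name = 'DisabledByDefault';        Value = 0 },
        @{ Path = $client; Name = 'Enabled';                  Value = 1 },
        @{ Path = $client; Name = 'DisabledByDefault';        Value = 0 }
    )

    foreach ($e in $expected) {
        $actual = $null
        if (Test-Path $e.Path) {
            # Missing value name returns $null instead of throwing.
            $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        }
        $ok = ($null -ne $actual) -and ([int]$actual -eq $e.Value)
        $shown = if ($null -eq $actual) { '(missing)' } else { $actual }

        [PSCustomObject]@{
            Key      = $e.Path
            Name     = $e.Name
            Expected = $e.Value
            Actual   = $shown
            Ok       = $ok
        }
    }
}

$results = Test-Tls12Configuration
$results | Format-Table -AutoSize

if ($results.Ok -contains $false) {
    Write-Warning 'TLS 1.2 is not fully configured. Run the enable script, then restart the server before starting the Azure AD Connect setup.'
} else {
    Write-Host 'All TLS 1.2 registry values are set. Make sure the server was restarted after they were written.' -ForegroundColor Green
}
```

The check only reads the registry, so it cannot tell whether the server has been restarted since the values were written; if in doubt, restart before running AzureADConnect.msi.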

Download Azure AD Connect v2.x

Download the latest Azure AD Connect version by going to the Microsoft Download Center. At the moment, the newest version is Azure AD Connect 2.0.25.1.

Download Microsoft Azure Active Directory Connect

Place the AzureADConnect.msi file in C:\install.

AzureADConnect.msi

Upgrade Azure AD Connect to V2.x

Double-click the AzureADConnect.msi file, and let the setup extract the files.

Upgrade AAD Connect

The screen will show that an older version of Azure AD Connect is installed and will be upgraded.

  • During the Azure AD Connect upgrade, the synchronization will be stopped.
  • After Azure AD Connect upgrade, full sync will occur between AD and Azure AD.

Note: If you have more than 50,000 AD objects, you might want to run the upgrade after working hours or on the weekend, as the full sync afterwards can take a couple of hours or more to finish.

Click Upgrade.

Upgrade Azure AD Connect to V2.0 upgrade main screen

The setup is upgrading the synchronization engine.

Upgrade Azure AD Connect to V2.0 upgrading the synchronization engine

Connect to Azure AD

With Azure AD Connect V1, we enter our Azure AD Global Administrator account. In Azure AD Connect V2, we can use a user account with the Hybrid Identity Administrator role instead. We no longer need the Global Administrator role for this.

We recommend using an account with the least privileges. So, we will create a dedicated service account, assign it the Hybrid Identity Administrator role, and use that from now on. Note that the credentials you enter in the wizard are only used while it configures the connection to Azure AD; the ongoing synchronization runs under the On-Premises Directory Synchronization Service Account (Sync_<servername>_<id>) that Azure AD Connect creates and manages in Azure AD.

Read the Microsoft documentation about the Azure AD built-in roles.

Create hybrid identity administrator account

Sign in to the Azure AD portal. Navigate to Azure Active Directory > Roles and administrators. Search for the role Hybrid identity administrator. Assign the service account to the role.

In our example, it’s the user account svc-hia.

Hybrid identity administrator assign Azure AD account
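The same role assignment can be scripted, which is handy when you manage several tenants. The following is an added example written for this article, not a script from the original post; it uses the Microsoft Graph PowerShell SDK (the Microsoft.Graph module must be installed), and the service account UPN is a placeholder you replace with your own. Run it with an account that is allowed to manage directory role assignments.

```powershell
# Added example: assign the Hybrid Identity Administrator role to a dedicated
# service account with Microsoft Graph PowerShell instead of the portal.
$ServiceAccountUpn = 'svc-hia@contoso.onmicrosoft.com'   # placeholder, use your own account
$RoleName          = 'Hybrid Identity Administrator'

# Scopes: manage directory roles and look up the user object.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

$user = Get-MgUser -UserId $ServiceAccountUpn -ErrorAction Stop

# Built-in roles exist as templates; the role object itself only exists in the
# tenant once it has been activated, so activate it if this is the first assignment.
$template = Get-MgDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $RoleName }
if (-not $template) { throw "Role template '$RoleName' not found." }

$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$($template.Id)'"
if (-not $role) {
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}

# Make the assignment idempotent: skip if the account is already a member.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id
if ($members.Id -contains $user.Id) {
    Write-Host "$ServiceAccountUpn already holds the $RoleName role." -ForegroundColor Yellow
} else {
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
    }
    Write-Host "Assigned $RoleName to $ServiceAccountUpn." -ForegroundColor Green
}

# Verify: list who holds the role now. Members can be users, groups or service
# principals, so read the UPN from the directory object's extra properties.
Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id | ForEach-Object {
    [PSCustomObject]@{
        Id                = $_.Id
        UserPrincipalName = $_.AdditionalProperties['userPrincipalName']
        DisplayName       = $_.AdditionalProperties['displayName']
    }
} | Format-Table -AutoSize
```

The final listing is the check you want after any role change: it should show only the accounts that are supposed to configure hybrid identity, not a Global Administrator that was used "just for the upgrade".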

Enter your Azure AD global administrator credentials or the hybrid identity administrator credentials. Click on Next.

Upgrade Azure AD Connect to V2.0 enter global administrator credentials

Configure

Check the checkbox Start the synchronization process when configuration completes. Click Upgrade.

Upgrade Azure AD Connect to V2.0 upgrade

Wait for the Azure AD Connect upgrade to finish.

Upgrade Azure AD Connect to V2.0 installing Azure AD Connect Health agent for sync

Configuration is complete. The upgrade from Azure Active Directory Sync has finished successfully. Click Exit.

Upgrade Azure AD Connect to V2.0 complete

Verify Azure AD Connect version

Verify that Azure AD Connect V2 is successfully installed.

Start Azure Active Directory Synchronization Service from the programs menu. Click in the menu bar on Help > About. In our example, Azure AD Connect version 2.0.25.1 shows up.

Upgrade Azure AD Connect to V2.0 verify version

Another way is to check the Azure AD Connect version with PowerShell.

Run Windows PowerShell as administrator. First, import the ADSync module with the Import-Module ADSync cmdlet. After that, run the Get-ADSyncGlobalSettingsParameter cmdlet and read the Microsoft.Synchronize.ServerConfigurationVersion parameter.

PS C:\> Import-Module ADSync
PS C:\> (Get-ADSyncGlobalSettingsParameter | Where-Object { $_.Name -eq 'Microsoft.Synchronize.ServerConfigurationVersion'}).Value
2.0.25.1
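The version number alone does not tell you whether synchronization is running again after the upgrade. The following health check is an added example written for this article, not part of the original post; it uses the ADSync module on the Azure AD Connect server (run in an elevated PowerShell) and assumes the Get-ADSyncRunProfileResult cmdlet is available, which is the case on current builds. The function name and the expected version are this example's own.

```powershell
# Added example: post-upgrade health check. Reports the installed version,
# scheduler and staging mode state, and the last run of each connector.
function Test-AADConnectUpgrade {
    [CmdletBinding()]
    param (
        # The build we expect after the upgrade (the article's version at the time of writing).
        [string] $ExpectedVersion = '2.0.25.1'
    )

    Import-Module ADSync -ErrorAction Stop

    $version = (Get-ADSyncGlobalSettingsParameter |
        Where-Object { $_.Name -eq 'Microsoft.Synchronize.ServerConfigurationVersion' }).Value
    $scheduler = Get-ADSyncScheduler
    $issues = [System.Collections.Generic.List[string]]::new()

    if ([version]$version -lt [version]$ExpectedVersion) {
        $issues.Add("Installed version $version is older than expected $ExpectedVersion.")
    }
    if (-not $scheduler.SyncCycleEnabled) {
        # Seen after some upgrades: the scheduler stays off and nothing syncs.
        $issues.Add('Sync scheduler is disabled. Enable it with: Set-ADSyncScheduler -SyncCycleEnabled $true')
    }
    if ($scheduler.StagingModeEnabled) {
        $issues.Add('Server is in staging mode: it imports and syncs, but exports nothing to AD or Azure AD.')
    }

    # Last run per connector (AD and Azure AD). Anything other than 'success' needs a look
    # in the Synchronization Service Manager.
    $runs = foreach ($connector in Get-ADSyncConnector) {
        $last = Get-ADSyncRunProfileResult -ConnectorId $connector.Identifier -NumberRequested 1
        $lastStart  = $null
        $lastResult = '(no runs yet)'
        if ($last) {
            $lastStart  = $last.StartDate
            $lastResult = $last.Result
            if ($last.Result -ne 'success') {
                $issues.Add("Connector '$($connector.Name)' last run ended with '$($last.Result)'.")
            }
        }
        [PSCustomObject]@{ Connector = $connector.Name; LastRun = $lastStart; Result = $lastResult }
    }

    [PSCustomObject]@{
        Version               = $version
        SyncCycleEnabled      = $scheduler.SyncCycleEnabled
        StagingModeEnabled    = $scheduler.StagingModeEnabled
        SyncCycleInProgress   = $scheduler.SyncCycleInProgress
        NextSyncCycleStartUtc = $scheduler.NextSyncCycleStartTimeInUTC
        ConnectorRuns         = $runs
        Issues                = $issues.ToArray()
    }
}

$report = Test-AADConnectUpgrade
$report | Format-List Version, SyncCycleEnabled, StagingModeEnabled, SyncCycleInProgress, NextSyncCycleStartUtc
$report.ConnectorRuns | Format-Table -AutoSize

if ($report.Issues.Count -gt 0) {
    $report.Issues | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'Upgrade verified: version, scheduler and connector runs look healthy.' -ForegroundColor Green
}
```

Run it once right after the wizard exits and again after the first full sync has completed; the first run may still show SyncCycleInProgress set to True while the initial import and sync are running.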

That’s it!

Keep reading: Move Azure AD Connect to new tenant »

Conclusion

We showed how to upgrade Azure AD Connect to V2.x. It's essential to upgrade Azure AD Connect to the latest version and keep up with the latest changes and fixes. If you have more than 50,000 AD objects, it's better to run the upgrade after working hours, as the full sync afterwards will take some time. Lastly, verify that you installed the latest Azure AD Connect version successfully and that synchronization works without any errors.

Did you enjoy this article? You may also like Enable modern authentication in Microsoft 365. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 14 Comments

  1. One thing to add to your article, in my latest update for a customer the sync scheduler did not start after switching off stage mode. I had to enable it via PowerShell.

  2. Ali, I have a customer with 2016 Essentials server. The newer version 2 will not install on it.
    Is there anything that can be done to get it to install? Or does the 2016 OS need to be a minimum of Standard for AD Connect V2 to install?

    Thanks,
    Ray.

  3. Thanks for the article.
    I ended up updating the version, but I didn't change the user account at the time of the AD Connect update; it ended up being global admin.
    Can you tell me if you can change just the account, change it to Hybrid Identity Administrator, after AD Connect is already updated to the latest version (2.1.15.0)?
    I’ve checked on some forums and some report that it may impact how AD Connect works.

  4. Hi Ali,

    Thanks for the great article. I had a doubt: can we do an in-place upgrade from 1.6 ver to 2.1x ver, whichever latest version is available now, if the OS is Win Server 2016?

    1. That’s what this article is all about: An in-place upgrade from V1.x to V2.x on a supported Windows Server.

      Azure AD Connect V2 supports the below Windows Server operating system:

      – Windows Server 2016
      – Windows Server 2019
      – Windows Server 2022

      So you are good to go and follow the article.

  5. Thanks for the clear article Ali.
    We are going to use that to upgrade AADC for two customers.
    Greeting from Cor, SMC/DBS Gouda

  6. Hi Ali,
    Thanks a lot for the article. Very objective and helpful. I’ve lost at least 1 hour before on Microsoft documentation without any luck.

  7. Thanks for the Article. Can you please post the document for the 1st scenario i.e Azure AD Connect V1 running on a Windows Server 2012/R2 and exporting the settings and migrate Azure AD Connect to Windows Server 2016/2019/2022. Will be waiting for your update.
