Migrate Azure AD Connect To New Server

Azure AD Connect is the tool that connects an on-premises Active Directory with Azure Active Directory. It provides single sign-on capabilities and synchronises identity data between the two directories. In this article we'll run through the process of migrating Azure AD Connect from one server to another, step by step, using staging mode so that there is no gap in synchronisation. We'll also cover the prerequisites for the new AD Connect server, common issues you may encounter during the migration, and how to resolve them.

There are a few reasons you might want to migrate Azure AD Connect to a new server:

  • Your current AD Connect server is running Windows Server 2012 or Windows Server 2012 R2, which are no longer supported by Azure AD Connect v2
  • You want to take advantage of the new features in Azure AD Connect v2
  • Earlier versions of Azure AD Connect shipped with SQL Server 2012 LocalDB; Azure AD Connect v2 ships with SQL Server 2019 LocalDB, which brings the performance, stability and security fixes of the newer database engine.

This article outlines the step-by-step process to migrate Azure AD Connect to a new server using staging mode:

  • Prerequisites for the new AD Connect server.
  • Export the configuration from the old server.
  • Install Azure AD Connect on the new server in staging mode and import the configuration.
  • Migrate Azure AD Connect by performing a cutover to the new server.

Follow this Azure AD Connect Migration guide, and you’ll be up and running on your new server in no time!

Prerequisites for New AD Connect Server

This section will outline the prerequisites and pre-installation procedure for an Azure AD Connect installation and migration. These steps will ensure a smooth migration of Azure AD Connect to a new server.

TLS 1.2 is required for Azure AD Connect V2.0

Azure AD Connect V2.0 requires TLS 1.2. If TLS 1.2 is not enabled on your server (both the SCHANNEL protocol settings and the .NET Framework strong-crypto settings), enable it before you deploy Azure AD Connect V2.0.

PowerShell script to check TLS 1.2

You can use the following PowerShell script to check the current TLS 1.2 settings on your Azure AD Connect server.

#PowerShell script to check TLS 1.2
Function Get-ADSyncToolsTls12RegValue
{
    [CmdletBinding()]
    Param
    (
        # Registry Path
        [Parameter(Mandatory=$true,
                   Position=0)]
        [string]
        $RegPath,

        # Registry Name
        [Parameter(Mandatory=$true,
                   Position=1)]
        [string]
        $RegName
    )
    $regItem = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction Ignore
    $output = "" | select Path,Name,Value
    $output.Path = $RegPath
    $output.Name = $RegName

    If ($regItem -eq $null)
    {
        $output.Value = "Not Found"
    }
    Else
    {
        $output.Value = $regItem.$RegName
    }
    $output
}

$regSettings = @()
$regKey = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'SystemDefaultTlsVersions'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'SchUseStrongCrypto'

$regKey = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'SystemDefaultTlsVersions'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'SchUseStrongCrypto'

$regKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'Enabled'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'DisabledByDefault'

$regKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'Enabled'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'DisabledByDefault'

$regSettings

Example output showing a proper TLS 1.2 configuration: SystemDefaultTlsVersions and SchUseStrongCrypto are 1 under both .NETFramework keys, and Enabled is 1 with DisabledByDefault 0 under both SCHANNEL TLS 1.2 keys. Any value reported as "Not Found" is absent and must be created.

Output showing proper TLS1.2 configuration

PowerShell script to enable TLS 1.2

You can use the following PowerShell script to enable TLS 1.2 on your Azure AD Connect server. It writes the same eight registry values the check script reads; a restart is required afterwards.

#PowerShell script to enable TLS 1.2
If (-Not (Test-Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'))
{
    New-Item 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -PropertyType 'DWord' -Force | Out-Null

If (-Not (Test-Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'))
{
    New-Item 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -PropertyType 'DWord' -Force | Out-Null

If (-Not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'))
{
    New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault' -Value '0' -PropertyType 'DWord' -Force | Out-Null

If (-Not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'))
{
    New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value '0' -PropertyType 'DWord' -Force | Out-Null

Write-Host 'TLS 1.2 has been enabled. You must restart the Windows Server for the changes to take effect.' -ForegroundColor Cyan

PowerShell Version 5 is required.

Azure AD Connect V2 depends on Windows PowerShell 5.0 and requires PowerShell 5.0 or later on the server. Use the following to check the installed version:

#Check PowerShell Version installed
$PSVersionTable.PSVersion

.NET Framework 4.5.1 or later is required

Azure AD Connect requires .NET Framework 4.5.1 or later on the server. The PowerShell command below reads the Release value of the .NET 4.x setup key and returns True if 4.5.1 or later is installed and False otherwise.

#PowerShell Script to check if .NET Framework 4.5.1 or later is installed
#This code returns True if it's installed and False otherwise
(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full").Release -ge 378675

Root and subordinate certificate used by Azure

Ensure all root and subordinate certificate authorities used by Azure are installed on the server. If any are missing, download them from the CA and import them into the local machine's Trusted Root Certification Authorities store (roots) or Intermediate Certification Authorities store (subordinates). Without them, the TLS connections to Azure AD fail chain validation.

The following Microsoft article lists the root and subordinate Certificate Authorities (CAs) used by Azure:

https://learn.microsoft.com/en-us/azure/security/fundamentals/azure-ca-details

Supported Operating Systems

Microsoft Azure Active Directory Connect Version 2 must be installed on a domain-joined Windows Server 2016 or Windows Server 2019 with the Desktop Experience (full GUI); Server Core is not supported. At the time of writing, Windows Server 2022 is not yet supported.
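The prerequisites above are easier to sign off in one pass. The following script is an added example, not part of the original article or of Azure AD Connect itself; run it in an elevated PowerShell on the new server before launching the installer. It checks the OS, domain membership and Desktop Experience, the PowerShell and .NET versions, the eight TLS 1.2 registry values the enable script writes, the presence of the Azure root CAs in the Trusted Root store, and finally performs a TLS 1.2-only handshake to login.microsoftonline.com to prove the chain validates end to end. The root CA names are an assumption copied from the Azure CA details page at the time of writing; refresh that list from the page. The explorer.exe test for Server Core is a heuristic.

```powershell
# Added example (not from the original article): one pre-flight run over the
# prerequisites above. Run in an elevated PowerShell on the NEW server.
# Root CA list = assumption from the Azure CA details page at the time of writing.

function New-CheckResult {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-RegDword {
    # True only when the value exists and equals $Expected
    param([string]$Path, [string]$Name, [int]$Expected)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item -and [int]$item.$Name -eq $Expected)
}

function Test-Tls12Handshake {
    # Forces a TLS 1.2-only handshake; fails if TLS 1.2 is off or the server chain is untrusted
    param([string]$HostName = 'login.microsoftonline.com')
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
        $ok = $ssl.IsAuthenticated -and $ssl.IsEncrypted
        $ssl.Dispose(); $tcp.Dispose()
        return $ok
    } catch { return $false }
}

function Test-AADConnectPrereqs {
    [CmdletBinding()]
    param(
        [string[]]$RequiredRootCAs = @('DigiCert Global Root G2', 'DigiCert Global Root CA',
            'Baltimore CyberTrust Root', 'Microsoft RSA Root Certificate Authority 2017',
            'Microsoft ECC Root Certificate Authority 2017'),   # assumption, see lead-in
        [switch]$SkipNetworkCheck
    )
    $r = New-Object System.Collections.Generic.List[object]

    $os = Get-CimInstance Win32_OperatingSystem
    $r.Add((New-CheckResult 'Windows Server 2016 or 2019' ($os.Caption -match 'Windows Server (2016|2019)') $os.Caption))

    $cs = Get-CimInstance Win32_ComputerSystem
    $r.Add((New-CheckResult 'Domain-joined' ([bool]$cs.PartOfDomain) $cs.Domain))

    # Heuristic: Server Core ships without explorer.exe, Desktop Experience has it
    $gui = Test-Path (Join-Path $env:windir 'explorer.exe')
    $r.Add((New-CheckResult 'Desktop Experience (not Server Core)' $gui "explorer.exe present: $gui"))

    $ps = $PSVersionTable.PSVersion
    $r.Add((New-CheckResult 'PowerShell 5.0 or later' ($ps.Major -ge 5) $ps.ToString()))

    $rel = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
    $r.Add((New-CheckResult '.NET Framework 4.5.1 or later' ([int]$rel -ge 378675) "Release=$rel"))

    # Same eight values the enable script above writes
    $net = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    $sch = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server',
           'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    $bad = @()
    foreach ($k in $net) { foreach ($n in 'SystemDefaultTlsVersions', 'SchUseStrongCrypto') { if (-not (Test-RegDword $k $n 1)) { $bad += "$k\$n" } } }
    foreach ($k in $sch) {
        if (-not (Test-RegDword $k 'Enabled' 1))           { $bad += "$k\Enabled" }
        if (-not (Test-RegDword $k 'DisabledByDefault' 0)) { $bad += "$k\DisabledByDefault" }
    }
    $detail = if ($bad.Count) { "wrong or missing: $($bad -join '; ')" } else { 'all 8 values correct' }
    $r.Add((New-CheckResult 'TLS 1.2 registry settings' ($bad.Count -eq 0) $detail))

    # Roots live in LocalMachine\Root; subordinates would be checked the same way in LocalMachine\CA
    $roots = Get-ChildItem Cert:\LocalMachine\Root
    $missing = @($RequiredRootCAs | Where-Object { $cn = [regex]::Escape($_); -not ($roots | Where-Object { $_.Subject -match "(^|, )CN=$cn(,|$)" }) })
    $r.Add((New-CheckResult 'Azure root CAs in Trusted Root store' ($missing.Count -eq 0) $(if ($missing) { "missing: $($missing -join '; ')" } else { 'all present' })))

    if (-not $SkipNetworkCheck) {
        $ok = Test-Tls12Handshake
        $r.Add((New-CheckResult 'TLS 1.2 handshake to login.microsoftonline.com' $ok $(if ($ok) { 'chain validated' } else { 'failed: TLS 1.2 off, proxy in the path, or untrusted chain' })))
    }

    $r | Format-Table -AutoSize | Out-String | Write-Host
    return -not ($r.Pass -contains $false)
}

if (-not (Test-AADConnectPrereqs)) { Write-Warning 'Fix the failed checks before installing Azure AD Connect V2.' }
```

If the server reaches Azure AD through an explicit proxy, the direct handshake will fail even when the chain is fine; run with -SkipNetworkCheck in that case and rely on the registry and certificate checks. The Windows Server 2022 restriction is not tested here because it is a point-in-time support statement, not something the host can verify.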

Export AD Connect configuration from the old server

Exporting the existing Azure AD Connect configuration from the current server can be done by opening the Azure AD Connect console and selecting View or export the current configuration.

Azure-Ad-Connect-Export-Current-Config

On the Review your solution page, click Export Settings and choose where the exported settings file should be saved. Save it locally, then copy it to the new server over a secure channel; the file describes your sync configuration in full, so treat it as sensitive.

Azure AD Connect Export Current Config - review your solution

Install Azure AD Connect on the new server and import the configuration.

Download the latest version of AD Connect Installer

To download the latest version of the Azure AD Connect installer, go to the following Microsoft Download Center page

https://www.microsoft.com/en-us/download/details.aspx?id=47594

Install Azure AD Connect on the new server in staging mode

Copy the Azure AD Connect installer to the new server that will host the new AAD Connect instance and launch it to begin the installation. On the Express Settings page, select Customize rather than Use express settings, so that the exported configuration can be imported.

Azure AD Connect Express Settings

Select the option Import synchronization settings, browse to the location where the exported settings were saved and select the file

Azure AD Connect - Install required components

Select the appropriate user sign-in option

Azure AD Connect - User Sign-in

Connect to Azure AD using the Global Administrator’s login credentials

Azure AD Connect - Connect to Azure AD

Select the first option, "Create new AD account", and enter Enterprise Admin credentials. The wizard uses them only during installation to create the AD DS connector account and grant it the required permissions; they are not stored afterwards

Azure AD Connect - AD forest account

Check both boxes to start the synchronisation process when the configuration completes and to Enable staging mode. Select Install to begin the installation process

Azure AD Connect - Ready to configure

The Configuration complete page is displayed once the installation finishes successfully

Azure AD Connect - Configuration complete

Verify all settings have been imported successfully

Compare the old and new server configurations to verify that all settings have been imported successfully using the AADConnectConfigDocumenter script. It can compare the configurations of two different AAD Connect instances and highlight any differences. The script can be downloaded from the GitHub repository below

https://github.com/Microsoft/AADConnectConfigDocumenter

The GitHub repository has step-by-step instructions on how to use AADConnectConfigDocumenter script. This script will produce an HTML document highlighting any differences in configuration.
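The documenter report is the authoritative comparison; the script below is an added example, not part of the article or of the documenter, for a quick PowerShell cross-check of the sync rule set between the two servers. Export-SyncRuleSnapshot runs on each server (the ADSync module is installed with Azure AD Connect), both CSV files are copied to one machine, and Compare-SyncRuleSnapshot reports rules present or configured differently on one side only. Rules are matched on connector name, direction and rule name rather than on GUIDs, because rule and connector identifiers are not guaranteed to be the same on two installations. File paths are assumptions.

```powershell
# Added example (not from the original article): compare the sync rule sets of the old
# and new Azure AD Connect servers. Step 1 on each server, step 2 wherever both CSVs are.
Import-Module ADSync

function Export-SyncRuleSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    # Map connector GUIDs to names so the two servers can be compared by name
    $connectors = @{}
    Get-ADSyncConnector | ForEach-Object { $connectors[$_.Identifier.ToString()] = $_.Name }
    Get-ADSyncRule |
        Select-Object @{ n = 'ConnectorName'; e = { $connectors[$_.Connector.ToString()] } },
                      Name, Direction, Precedence, Disabled, SourceObjectType, TargetObjectType, LinkType |
        Sort-Object ConnectorName, Direction, Precedence |
        Export-Csv -Path $Path -NoTypeInformation
    return $Path
}

function Compare-SyncRuleSnapshot {
    # Returns the rows that differ; an empty result means the rule sets match
    param([Parameter(Mandatory)][string]$OldCsv, [Parameter(Mandatory)][string]$NewCsv)
    $old = @(Import-Csv -Path $OldCsv)
    $new = @(Import-Csv -Path $NewCsv)
    $props = 'ConnectorName', 'Direction', 'Name', 'Precedence', 'Disabled', 'SourceObjectType', 'TargetObjectType', 'LinkType'
    $diff = @(Compare-Object -ReferenceObject $old -DifferenceObject $new -Property $props)
    foreach ($d in $diff) {
        $where = if ($d.SideIndicator -eq '<=') { 'old server only' } else { 'new server only' }
        Write-Host ("{0,-16} {1,-45} {2,-8} prec={3,-4} disabled={4,-5} {5}" -f $where, $d.Name, $d.Direction, $d.Precedence, $d.Disabled, $d.ConnectorName)
    }
    return $diff
}

# Usage (paths are assumptions):
#   old server: Export-SyncRuleSnapshot -Path C:\Temp\rules-old.csv
#   new server: Export-SyncRuleSnapshot -Path C:\Temp\rules-new.csv
#   then:       $d = Compare-SyncRuleSnapshot -OldCsv C:\Temp\rules-old.csv -NewCsv C:\Temp\rules-new.csv
#               if ($d.Count -eq 0) { 'Sync rule sets match' }
```

A rule that appears in both lists with different Precedence or Disabled values shows up as two rows, one per side. Differences in Microsoft's default rules can be legitimate when the two servers run different builds; differences in your own custom rules, or a custom rule missing from the new server, are what must be resolved before cutover.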

Migrate Azure AD Connect by performing a cutover to the New Server

Cutover to the new server is performed by enabling staging mode on the old server and then disabling staging mode on the new server.

Place the Old Server in Staging Mode

To place the current production server (Old Server) in staging mode, launch the Microsoft Azure Active Directory Connect console on the old server and select “Configure Staging Mode.”

Azure AD Connect - Additional Tasks

Check the box to Enable staging mode. At this stage both servers are in staging mode and neither is exporting changes to Azure AD, so move on to the next step promptly to keep this window short.

Azure AD Connect - Configure Staging Mode

Disable Staging Mode on New Server

Launch the Microsoft Azure Active Directory Connect console on the new server, select “Configure Staging Mode”

Azure AD Connect - Additional Tasks

In the Configure staging mode page, untick the box "Enable staging mode". The cutover is now complete: the old server is in staging mode and the new server exports changes to Azure AD. Confirm with Get-ADSyncScheduler on each server that StagingModeEnabled is True on the old server and False on the new one, and keep the old server in staging mode for a while as a fallback before decommissioning it.

Azure AD Connect -  Configure Staging Mode
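Before unticking "Enable staging mode" on the new server it is worth seeing exactly what that server would export the moment it goes live, since an OU filter or rule that did not import correctly shows up as a burst of unexpected updates or deletes. The script below is an added example, not from the article; it uses the ADSync cmdlets plus csexport.exe and CSExportAnalyzer.exe, which ship in the Azure AD Connect Bin folder and are Microsoft's documented way to list pending exports on a staging server. Run it on the new server while it is still in staging mode. The connector name, the row threshold and the output folder are assumptions; the CSV layout is CSExportAnalyzer's own, so open the file and read it rather than trusting the count alone.

```powershell
# Added example (not from the original article): pre-cutover gate for the NEW server.
# Run while it is still in staging mode, just before disabling staging mode in the wizard.
Import-Module ADSync
$SyncBin = Join-Path $env:ProgramFiles 'Microsoft Azure AD Sync\Bin'

function Get-StagingSummary {
    # One-line view of the scheduler state; run on both servers and compare
    $s = Get-ADSyncScheduler
    [pscustomobject]@{
        Server              = $env:COMPUTERNAME
        StagingModeEnabled  = $s.StagingModeEnabled
        SyncCycleEnabled    = $s.SyncCycleEnabled
        SyncCycleInProgress = $s.SyncCycleInProgress
        NextCycleUtc        = $s.NextSyncCycleStartTimeInUTC
    }
}

function Wait-ADSyncIdle {
    # Get-ADSyncConnectorRunStatus returns nothing while the sync engine is idle
    param([int]$TimeoutSec = 1800)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-ADSyncConnectorRunStatus) -and ((Get-Date) -lt $deadline)) { Start-Sleep -Seconds 15 }
    return -not (Get-ADSyncConnectorRunStatus)
}

function Export-PendingExports {
    # csexport /f:x dumps the pending exports of one connector; CSExportAnalyzer flattens them to CSV
    param([Parameter(Mandatory)][string]$ConnectorName, [string]$OutDir = $env:TEMP)
    $xml = Join-Path $OutDir "pending-export-$($env:COMPUTERNAME).xml"
    $csv = Join-Path $OutDir "pending-export-$($env:COMPUTERNAME).csv"
    & (Join-Path $SyncBin 'csexport.exe') $ConnectorName $xml /f:x | Out-Null
    & (Join-Path $SyncBin 'CSExportAnalyzer.exe') $xml | Out-File -FilePath $csv -Encoding ascii
    return $csv
}

function Test-CutoverReady {
    param(
        [Parameter(Mandatory)][string]$AadConnectorName,  # e.g. 'contoso.onmicrosoft.com - AAD' (assumption)
        [int]$MaxPendingRows = 100,                        # assumption: tune to your normal change volume
        [string]$OutDir = $env:TEMP
    )
    $state = Get-StagingSummary
    if (-not $state.StagingModeEnabled) {
        throw "$($state.Server) is not in staging mode; check which server is currently active before continuing."
    }
    if (-not (Wait-ADSyncIdle)) { throw 'Sync engine is still busy; try again later.' }
    # A staging server imports and syncs but never exports, so this only refreshes the pending export list
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    if (-not (Wait-ADSyncIdle)) { throw 'Delta cycle did not finish within the timeout.' }

    $csv  = Export-PendingExports -ConnectorName $AadConnectorName -OutDir $OutDir
    $rows = @(Get-Content -Path $csv | Where-Object { $_.Trim() })
    Write-Host "Pending exports for '$AadConnectorName' written to $csv ($($rows.Count) rows). First rows:"
    $rows | Select-Object -First 10 | ForEach-Object { Write-Host "  $_" }

    $ready = $rows.Count -le $MaxPendingRows
    if (-not $ready) {
        Write-Warning "More than $MaxPendingRows pending rows. Review $csv for unexpected deletes before disabling staging mode."
    }
    return $ready
}

# Usage (connector name is an assumption):
# Get-StagingSummary
# if (Test-CutoverReady -AadConnectorName 'contoso.onmicrosoft.com - AAD') { 'OK to untick Enable staging mode in the wizard' }
```

Repeat Export-PendingExports for the on-premises AD connector as well if you use any writeback feature, since those exports flow the other way. A healthy staging server that has been importing for a while should show little more than the changes that occurred since its last cycle; a long list, or any deletes you cannot explain, means the configuration still differs from the old server and the cutover should wait.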

In conclusion, migrating Azure AD Connect with staging mode lets you build and verify the new server while the old one keeps synchronising, and then swap the roles in two quick wizard steps. Following the steps in this guide gives you a smooth transition with no gap in synchronisation and a tested fallback if anything goes wrong.

1 thought on “Migrate Azure AD Connect To New Server”

  1. Lucas Martinez

    Thank you for this insightful blog post! Have you encountered any unexpected challenges during Azure AD Connect migration process? Did you find any particular strategies or tips especially effective in ensuring a smooth transition?
    Your expertise could certainly help others navigate potential pitfalls. Thanks again for sharing your knowledge with the community!
