The Enabling Technologies Blog


John Miller

Azure Active Directory Connect 1.x to be Retired

Introduction 

The January 20, 2022 version of the Azure Active Directory Connect Release History page is displaying this caution: 

[Screenshot: the caution notice shown on the Azure Active Directory Connect Release History page]

If your Azure Active Directory Connect (AADC) Server is running a version of the product that begins with a “1”, you need to replace or upgrade it to a 2.x version. Microsoft has only been applying critical changes to the 1.x versions. They recommend switching to the 2.x version as soon as you can but certainly before August 31, 2022! 

For an introduction to Azure Active Directory Connect Server version 2.0, please take a look at the Introduction to Azure AD Connect V2.0 article from Microsoft. 

If you continue running a retired version of AADC, it might unexpectedly stop working! 


Upgrading an Azure Active Directory Connect (AADC) 

In the Azure Active Directory Connect documentation, Microsoft makes the point of how important it is to keep the software on the AADC Servers as current as possible: 

[Screenshot: Microsoft documentation note on keeping Azure Active Directory Connect current]


Most AADC upgrades are in-version such as an upgrade from 1.6.14.2 to 1.6.16.0. Microsoft is now requiring a major upgrade of AADC from version 1.x to version 2.x. Changes to the configuration of your AADC, such as enabling Pass-through authentication, should also be treated as upgrades. You should use the same precautions and methodology for configuration changes as you do software upgrades. 

As a reminder, you should be backing up your Azure Active Directory Connect Server regularly. 

There are three (3) common ways to upgrade an AADC Server: 

  • Automatic Upgrade 
  • In-place upgrade 
  • Swing Migration 

Automatic Upgrade 

Link: Azure AD Connect: Automatic upgrade 

Unfortunately, when upgrading from 1.x to 2.x, an automatic upgrade will not work. Automatic upgrades are only available for in-version upgrades. You cannot use an automatic upgrade to go from an AADC 1.x to a 2.x version. When you install AADC, automatic upgrading is turned on by default if your installation meets certain criteria such as having less than 100,000 objects in the metaverse. Once you fail to meet any of the criteria, automatic upgrades will turn off “automatically”. You can also disable them at your discretion.  

This type of upgrade automatically moves the AADC Server to new revisions as they are released. Historically, not all revisions of 1.x AADC supported automatic upgrades. The two (2) most recent 1.x releases do support it, while most of the ones before them do not. None of the 2.x versions since 2.0.3.0, released on July 20, 2021, support automatic upgrades. If the latest version is not available for automatic upgrade, you will need to download it and perform an In-place upgrade or Swing migration. 

Risk and Rollback:  

  • This type of upgrade can be risky.  
  • Unless you are regularly monitoring the AADC Server, this upgrade may happen without you knowing it! 
  • Your AADC Server will not apply an upgrade on the day it’s released. The upgrade will be downloaded and installed based on a built-in randomness mechanism. 
  • It is certainly possible that this could break your AADC one evening during the work week. 
  • The article lists troubleshooting steps if the upgrade doesn’t complete or breaks your AADC server. 
  • There is a strong likelihood that you will have to restore the AADC Server from a backup or rebuild it if something goes wrong!  
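Before choosing any of the three methods, you need to know what the existing server is doing today: which version it runs, whether automatic upgrade is enabled, what the scheduler state is, and you want a copy of its configuration to refer back to if a rollback is needed (the backup reminder above). The script below, an added example that is not from the original post or from Microsoft, collects those facts and optionally turns automatic upgrade off so the server only changes when you decide. It assumes the ADSync PowerShell module that Azure AD Connect installs, that the product's Add/Remove Programs entry is named "Microsoft Azure AD Connect", that the export folder `C:\AADC-Backup` is acceptable, and that `Get-ADSyncServerConfiguration` is present (older 1.x builds do not have it, and the script then skips the export).

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the existing Azure AD Connect (AADC) server.
function Get-AadcUpgradeInventory {
    [CmdletBinding()]
    param(
        # Folder that receives a JSON export of the sync configuration (assumed path).
        [string]$ConfigExportPath = "C:\AADC-Backup\config-$(Get-Date -Format yyyyMMdd-HHmm)",
        # Turn automatic upgrade off so the server only changes on your schedule.
        [switch]$DisableAutoUpgrade
    )

    Import-Module ADSync -ErrorAction Stop

    # 1. Installed version, read from the Add/Remove Programs registry entries.
    #    Assumption: the product's DisplayName starts with "Microsoft Azure AD Connect".
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $product = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Azure AD Connect*' } |
        Select-Object -First 1
    if (-not $product) { throw 'Azure AD Connect does not appear to be installed on this server.' }
    $version = [version]$product.DisplayVersion

    # 2. Automatic upgrade state: Enabled, Disabled or Suspended.
    $autoUpgrade = "$(Get-ADSyncAutoUpgrade)"
    if ($DisableAutoUpgrade -and $autoUpgrade -eq 'Enabled') {
        Set-ADSyncAutoUpgrade -AutoUpgradeState Disabled
        $autoUpgrade = "$(Get-ADSyncAutoUpgrade)"
    }

    # 3. Scheduler state: staging mode, sync cycle, and whether a cycle is running now.
    $scheduler = Get-ADSyncScheduler

    # 4. Configuration export for rollback reference (cmdlet exists on recent builds only).
    $exported = $false
    if (Get-Command Get-ADSyncServerConfiguration -ErrorAction SilentlyContinue) {
        New-Item -ItemType Directory -Path $ConfigExportPath -Force | Out-Null
        Get-ADSyncServerConfiguration -Path $ConfigExportPath
        $exported = $true
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Version             = $version
        IsRetiredOneDotX    = ($version.Major -lt 2)
        AutoUpgradeState    = $autoUpgrade
        StagingModeEnabled  = $scheduler.StagingModeEnabled
        SyncCycleEnabled    = $scheduler.SyncCycleEnabled
        SyncCycleInProgress = $scheduler.SyncCycleInProgress
        NextSyncCycleUtc    = $scheduler.NextSyncCycleStartTimeInUTC
        ConfigExported      = $exported
        ConfigExportPath    = $(if ($exported) { $ConfigExportPath } else { $null })
    }
}

# Usage: inventory first; add -DisableAutoUpgrade once you have decided on a
# controlled (in-place or swing) upgrade path.
$inventory = Get-AadcUpgradeInventory
$inventory | Format-List
if ($inventory.IsRetiredOneDotX) {
    Write-Warning "Version $($inventory.Version) is a 1.x build; plan a swing migration to 2.x before August 31, 2022."
}
```

Keep the exported configuration folder with your regular server backups; it documents the sync rules and connector settings that were in effect before the change, which is what you will want to compare against if the upgraded server behaves differently.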

In-place upgrade 

Link: In-Place Upgrade 

This type of upgrade is used for existing version 1.x and 2.x AADC Servers. When an upgrade is released and is not available for automatic upgrade, it can be downloaded from the Microsoft Download Center. If your AADC Server installation doesn’t meet the criteria mentioned previously, automatic upgrading will not be an option and you will have to download and install the upgrades manually. There are some important notes in the in-place upgrade article linked above that you should review before upgrading. 

Risk and Rollback:  

  • This type of upgrade is somewhat less risky than an automatic upgrade because you have control over when it happens. A lot of AADC administrators won’t install an upgrade that has been released within the last month, three (3) months, etc. They prefer to let other customers beta test it! 
  • You can, and probably should, perform the upgrade over a weekend. If something goes horribly wrong, you have the whole weekend to test and validate it and roll it back if you must. 
  • The article lists troubleshooting steps if the upgrade doesn’t complete or breaks your AADC Server. 
  • There is a strong likelihood that you will have to restore the AADC Server from a backup or rebuild it if something goes wrong! 
  • If you are using in-place upgrades you will need to keep an eye on the release history page or subscribe to it, if available, to get notified of new releases. 

Swing Migration 

Link: Swing Migration 
Link: Azure AD Connect: Staging server and disaster recovery 

This method is sometimes referred to as parallel migration. A Swing migration can be used for in-version as well as major version upgrades such as moving from AADC 1.x to 2.x. It is really the only method you should use for a major version upgrade! Not only can you use this method for minor and major version upgrades, but you can also use it when making configuration changes to the AADC Server. 

If you want to enable Pass-through authentication, for example, you could set up a staging server, make the change on it, switch the production and staging roles of the two (2) servers and test the change in production. If everything is fine, you can leave the second server as the production server and prepare the original, now staging server, for the next configuration change or software upgrade. If it doesn’t work, switch the roles back to the original production server without Pass-through authentication enabled. 

Staging servers actively import and synchronize Active Directory and Azure Active Directory information but do not perform any exports. You could say that the server reads and processes the information but does not write out the results. The server will not run password sync or password writeback, even if you selected these features during installation. A staging server can be promoted into being a production server. Once promoted, the server will start the export operation and will enable password sync and password writeback. The server will go fully online. 

This method is the only one that requires at least two (2) AADC Servers. In addition to your production server, you will need a staging server. When not being used to install an upgrade or test a configuration change, the second server can provide a disaster recovery capability for the AADC “service” itself. 
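Because a staging server imports and synchronizes but never exports, you can see exactly what it would write to Azure AD before you promote it. The script below, an added example that is not from the original post or from Microsoft, runs that check: it confirms the server is in staging mode with the sync cycle on and idle, then uses the `csexport.exe` and `CSExportAnalyzer.exe` tools that ship with Azure AD Connect to list the pending exports for the Azure AD connector. A large number of pending deletes or updates on a freshly built staging server is the signal to stop and investigate rather than switch roles. The connector name `contoso.onmicrosoft.com - AAD`, the output folder and the 500-object threshold are assumed values; the assumption that the analyzer's CSV has a header row is noted in the code. Switching roles itself is done in the Azure AD Connect wizard (Configure, then Configure staging mode), not by this script.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the STAGING server before promoting it to production, and again
# before switching roles back if the upgrade has to be backed out.
function Test-AadcStagingServer {
    [CmdletBinding()]
    param(
        # Name of the Azure AD connector as shown in Synchronization Service Manager.
        # Assumed example value; replace with your tenant's connector name.
        [string]$AadConnectorName = 'contoso.onmicrosoft.com - AAD',
        # Where the export XML and CSV summary are written (assumed path).
        [string]$OutputFolder = "$env:TEMP\aadc-staging-check",
        # A pending-export count above this makes the check fail (assumed threshold).
        [int]$MaxPendingExports = 500
    )

    Import-Module ADSync -ErrorAction Stop
    $scheduler = Get-ADSyncScheduler
    $problems  = New-Object System.Collections.Generic.List[string]

    # A staging server must be in staging mode with the sync cycle enabled, so it
    # imports and synchronizes but never exports.
    if (-not $scheduler.StagingModeEnabled) { $problems.Add('Server is NOT in staging mode.') }
    if (-not $scheduler.SyncCycleEnabled)   { $problems.Add('Sync cycle is disabled; staging data may be stale.') }
    if ($scheduler.SyncCycleInProgress)     { $problems.Add('A sync cycle is running; wait for it to finish.') }
    if (Get-ADSyncConnectorRunStatus)       { $problems.Add('A connector run is in progress.') }

    # Dump the pending exports for the Azure AD connector to XML, then summarize to CSV.
    $bin = Join-Path $env:ProgramFiles 'Microsoft Azure AD Sync\Bin'
    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
    $xml = Join-Path $OutputFolder 'export.xml'
    $csv = Join-Path $OutputFolder 'export.csv'
    & (Join-Path $bin 'csexport.exe') $AadConnectorName $xml /f:x | Out-Null
    & (Join-Path $bin 'CSExportAnalyzer.exe') $xml | Set-Content -Path $csv

    # Each non-empty line after the header is one object the server would export
    # (add, update or delete). Assumption: the first line of the CSV is the header.
    $lines   = @(Get-Content -Path $csv | Where-Object { $_.Trim() })
    $pending = [Math]::Max(0, $lines.Count - 1)
    if ($pending -gt $MaxPendingExports) {
        $problems.Add("$pending pending exports exceed the threshold of $MaxPendingExports; review $csv before switching.")
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        StagingModeEnabled = $scheduler.StagingModeEnabled
        SyncCycleEnabled   = $scheduler.SyncCycleEnabled
        PendingExports     = $pending
        ExportReport       = $csv
        ReadyToPromote     = ($problems.Count -eq 0)
        Problems           = $problems
    }
}

$result = Test-AadcStagingServer -AadConnectorName 'contoso.onmicrosoft.com - AAD'
$result | Format-List
if (-not $result.ReadyToPromote) {
    Write-Warning 'Staging server is not ready to be promoted; resolve the listed problems first.'
}
```

Run the check on the staging server once it has completed at least one full sync cycle after the upgrade or configuration change. Open the CSV when the count is unexpectedly high; the object-level detail there is what tells you whether the difference is the change you intended (for example, new attributes flowing after enabling a feature) or a sign that the new server sees a different scope of the directory than the old one.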

Hardware Requirements – AADC 2.x 

Link: Hardware Requirements for Azure AD Connect 

Right sizing your hardware depends on the number of objects in Active Directory: 

[Screenshot: Microsoft hardware sizing table by number of Active Directory objects]

For installations with fewer than 100,000 objects, the AADC installation program installs SQL Express 2019 on the local machine by default. You can specify that the server use an instance of SQL 2019 running on another server. 

If you have more than 100,000 objects, you will need to use a full version of SQL 2019. For performance reasons, co-locating the full version on the AADC Server is preferred. The hardware requirements for deployments with more than 100,000 objects are much higher.  

[Chart: hardware requirements for deployments with more than 100,000 objects]

Software Requirements – AADC 2.x 

Link: Installation Prerequisites 

  • Windows Server 2016 or higher. Standard edition or higher. 
  • Small Business Server or Windows Server essentials 2019 or higher. 
  • Requires the full Graphical User Interface (GUI). 
  • Refer to the rest of the requirements on the Installation Prerequisites web page. 
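The server that will host the 2.x installation (the new staging server in a swing migration) should be checked against the hardware and software requirements above before the installer is run. The script below, an added example that is not from the original post or from Microsoft, checks the operating system version and edition, confirms the full GUI (Desktop Experience) is present, and counts the user, group and contact objects in the directory so you know whether the 100,000-object SQL Express limit applies. The object count is an upper bound (it includes computers and any OUs you later filter out), and the build numbers used for Windows Server 2016 (10.0.14393) and 2019 (10.0.17763), and the edition names matched in the caption, are the script's own assumptions.

```powershell
# Added example, not from the original post. Run on the server that will host
# Azure AD Connect 2.x; the object count needs the ActiveDirectory RSAT module.
function Test-AadcV2Prerequisites {
    [CmdletBinding()]
    param(
        # Object count above which the post says SQL Express is no longer sufficient.
        [int]$SqlExpressObjectLimit = 100000,
        # Base of the directory subtree AADC will synchronize (defaults to the domain root).
        [string]$SearchBase,
        # Skip the directory query, e.g. when running before the server is domain-joined.
        [switch]$SkipObjectCount
    )

    $os        = Get-CimInstance -ClassName Win32_OperatingSystem
    $osVersion = [version]$os.Version
    $ntKey     = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # Windows Server 2016 is build 10.0.14393; ProductType 1 means a client OS.
    $isServer2016OrLater = ($os.ProductType -ne 1) -and ($osVersion -ge [version]'10.0.14393')

    # Standard or Datacenter edition; Essentials only from 2019 (build 10.0.17763).
    if ($os.Caption -match 'Essentials') {
        $editionOk = $osVersion -ge [version]'10.0.17763'
    } else {
        $editionOk = [bool]($os.Caption -match 'Standard|Datacenter')
    }

    # InstallationType is "Server" for Desktop Experience and "Server Core" for Core.
    $hasGui = ($ntKey.InstallationType -eq 'Server')

    $objectCount = $null
    if (-not $SkipObjectCount) {
        Import-Module ActiveDirectory -ErrorAction Stop
        if (-not $SearchBase) { $SearchBase = (Get-ADDomain).DistinguishedName }
        # Rough count of the classes AADC synchronizes. objectClass=user also matches
        # computer objects, and filtered OUs are not excluded, so treat it as an upper bound.
        $objectCount = (Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=group)(objectClass=contact))' `
                            -SearchBase $SearchBase -ResultPageSize 1000 | Measure-Object).Count
    }

    $checks = [ordered]@{
        WindowsServer2016OrLater = $isServer2016OrLater
        SupportedEdition         = $editionOk
        FullGuiInstalled         = $hasGui
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OperatingSystem  = $os.Caption
        Build            = $osVersion
        InstallationType = $ntKey.InstallationType
        DirectoryObjects = $objectCount
        SqlExpressOk     = $(if ($null -eq $objectCount) { $null } else { $objectCount -lt $SqlExpressObjectLimit })
        AllChecksPassed  = -not (@($checks.Values) -contains $false)
        FailedChecks     = @($checks.Keys | Where-Object { -not $checks[$_] })
    }
}

$prereqs = Test-AadcV2Prerequisites
$prereqs | Format-List
if (-not $prereqs.AllChecksPassed) {
    Write-Warning "Not ready for Azure AD Connect 2.x: $($prereqs.FailedChecks -join ', ')"
}
if ($prereqs.SqlExpressOk -eq $false) {
    Write-Warning 'More than 100,000 objects: plan for a full SQL Server 2019 instance.'
}
```

If `DirectoryObjects` lands near the threshold, count only the OUs you actually intend to synchronize by passing `-SearchBase`, and size for growth rather than for today's number; the sizing table Microsoft publishes is keyed to object count, so the decision between SQL Express and a full instance should be made before the installer runs, not after.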

Risk and Rollback:  

  • This type of upgrade is much less risky than the other options. 
  • You have control over when the upgrade is performed. 
  • You can still perform the upgrade over a weekend, but you don’t have to! 
  • You can install the upgrade on the staging server and let it synchronize with the production server during the week. 
  • This leaves you with only needing to switch the server roles to put the upgraded AADC Server into production!  
  • If there is a problem with the upgraded server come Monday morning, you just need to switch the roles back! 
  • You will probably not have to restore an AADC Server from a backup with this method! 
  • You will need to keep an eye on the release history page or subscribe to it, if available, to get notified of new releases. 

Upgrading to Azure Active Directory Connect 2.x 

By this point, most will likely agree that the safest way to upgrade or change the configuration of an AADC Server is by performing a Swing migration. For most companies, this will really be their only option when upgrading their AADC Servers from 1.x to 2.x. Theoretically, you could do an in-place upgrade of an AADC Server from 1.x to 2.x if your existing 1.x server is running Windows Server 2016 or Windows Server 2019. Is this a good idea even if you can? No, stick with the Swing migration! 

  • Swing migrations are by far the safest method for performing in-version upgrades and changing the configuration settings of Azure Active Directory Connect Servers. 
  • They are really the only way to perform a major upgrade of an AADC Server. 
  • They provide the safest and easiest roll back mechanism should you need to back out the upgrade. 
  • The new version can be installed and synchronized on a staging server during business hours. 
  • You can switch the roles of the production and staging servers whenever you want. 
  • Reverting, or “unswitching”, the servers is easy and can again be done at any time. 

Added Benefit of a Swing Migration 

If you’ve done a Swing migration, you have already made the decision to set up a second AADC Server. Once the migration is finished, you could continue using the new server as your production AADC Server, or you can keep both servers online. What’s the advantage of keeping both servers? 

  • The old production server would now be your staging server. It can be the staging server for your next upgrade or configuration change. 
  • If you keep it online, the second server now provides you with an AADC disaster recovery capability. 

Once you’ve completed your swing migration and are running on a “new” AADC production server, your “old” server will continue to function as a staging server. You now have a few options: 

  1. Leave the “new” server as the production server and deprecate the original server. Your production environment will consist of a single AADC production server running on the “new” server. 
  2. Perform the same upgrade or configuration setting change on the “old” server (which is now the staging server). When ready, make it the production server and deprecate the staging server. Your production environment will consist of the original hardware or virtual machine with the applied upgrade or setting change. 
  3. Keep the “new” server in the production environment. You now have a production and a staging server in a running state in your environment. The “old” server will be the staging server for the next upgrade or setting change. You now have an AADC deployment with a disaster recovery capability. If the production server fails, connect to the staging server and take it out of staging mode. This will put it into production mode. Repair the failed server and leave it as the staging server, or switch the roles of the servers back. 

Summary 

  • Version 1.x of the Azure Active Directory Connect Server will be retired on August 31, 2022. 
  • You will need to replace these with Azure Active Directory Connect Servers running the latest release of version 2.x. 
  • If you continue running a retired version of Azure Active Directory Connect Server, it might unexpectedly stop working!  
  • Your Azure Active Directory Connect Server is a critical component of your Active Directory and Azure Active Directory infrastructure. 
  • The swing migration is the safest method for performing any type of upgrade or configuration change to an Azure Active Directory Connect Server.  
  • If you use a swing migration, you can easily keep a staging server in your environment.  
  • A staging server will afford you a disaster recovery capability for your Azure Active Directory Connect Server installation. 
  • Enabling Technologies is available and ready to help with any questions that you might have on upgrading your Azure Active Directory Connect Server, Active Directory, Azure Active Directory, Identity Management, Microsoft 365, Security and Teams. Please contact us at contact@enablingtechcorp.com 
