0

How To Upgrade To Azure AD Connect 2.0

Microsoft recently announced its release of Azure AD Connect 2.0 and today we’re going to upgrade our lab from 1.4.18.0 to 2.0.10.0. If you’ve never installed Azure AD Connect, check out our video to install it from scratch. In our case, since we’re using a local database, we’re going to upgrade. Another option you could consider is doing a swing migration so you don’t have to touch your original setup.

Per Microsoft, several of the older components that Azure AD Connect uses have been scheduled for deprecation. To mitigate the issue, they bundled as many of these newer components into a single release so you only have to update once.

So What Are the Major Changes in Azure AD Connect 2.0

If you recall, the previous version of AAD Connect shipped with SQL Server 2012. Seeing as how SQL 2012 will be out of extended support in 2022, they’ve decided to bundle SQL Server 2019 when you install it.

 
Another major note to take in account is the new version of AAD Connect will now have Microsoft Authentication Library (MSAL), where as the previous version had Active Directory Authentication Library (ADAL) installed. MSAL uses Microsoft Graph Endpoints on the backend to make sync processes much faster.

 
Next up is Server 2012 and Server 2012 R2 are no longer supported for AD Connect and with that is a requirement to have PowerShell 5.0 installed on the machine. The good thing is that Server 2016 and Server 2019 have Powershell 5.0 installed by default.

 
Furthermore, if you have tried to install AAD Connect v2.0 and you’re not on Server 2019 you might have noticed that you’re immediately prompted with a warning of an incorrect TLS version. If you’re doing your homework before installing the new version, just know that TLS 1.0 and TLS 1.1 are protocols that are being deprecated by Microsoft because they are now deemed unsafe. This release of Azure AD Connect will only support TLS 1.2. If your server does not support TLS 1.2 you will need to enable this before you can deploy Azure AD Connect v2.0.

Incorrect version of TLS

 

Enable TLS 1.2 For Azure AD Connect v2.0

Straight out of their documentation, Microsoft has already posted the Powershell script to enable TLS 1.2. Here is the exact replica so you don’t have to go to another place. Make sure you Powershell as an Administrator because you will change the state of the machine.

New-Item 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -name 'SystemDefaultTlsVersions' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -name 'SchUseStrongCrypto' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -name 'SystemDefaultTlsVersions' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -name 'SchUseStrongCrypto' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null	
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.2 has been enabled.'

Once that is ran, go ahead and reboot the server to make sure you install AAD Connect on a fresh system.

Upgrade To Azure AD Connect 2.0 Step by Step

First things first, you’ll need to download the latest version on Microsoft’s website here.

  • After the initial MSI is ran and the setup is completed, you’ll be prompted with the welcome screen

Welcome to Azure AD Connect

 

  • Select Upgrade when you reach this prompt

Upgrade to Azure Active Directory Connect

 

  • Azure Active Directory Connect will now upgrade the Sync Engine

Upgrade to Azure Active Directory Connect Sync Engine

 

  • Once the Sync Engine is upgraded, you will be prompted to enter in credentials

Connect to Azure AD Hybrid Identity

 

  • AAD Connect no longer needs a Global Administrator to upgrade, you can now use a Hybrid Identity Administrator
  • Following the least privilege model, we’ll enter in a Hybrid Identity Administrator account that also needs to be activated with PIM
  • To continue the installation, enter a Global Administrator -or Hybrid Identity Administrator account (we’ll activate our hybrid identity role)

Hybrid Identity Administrator PIM Role

 

  • Once Azure has confirmed the credentials, select Upgrade to start the sync process.

Ready to Config AAD Connect

 

  • The setup will now run several update processes

Configuring AAD Connect Setup

 

  • If everything was successful, you should see Configuration Complete

Configuration Complete

 

  • Last but not least, open the Synchronization Service Manager -> Help -> About
  • You should be able to confirm the version is now above. 2.0

Upgrade To Azure AD Connect 2.0

 

  • You should also be able to confirm you’re using AD Connect v2 EndPoint API
PS C:\> Import-Module 'C:\Program Files\Microsoft Azure AD Sync\Extensions\AADConnector.psm1'
PS C:\>
PS C:\> Get-Command *ApiVersion* -Module AADConnector

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Get-ADSyncAADConnectorExportApiVersion             0.0        AADConnector
Function        Get-ADSyncAADConnectorImportApiVersion             0.0        AADConnector
Function        Set-ADSyncAADConnectorExportApiVersion             0.0        AADConnector
Function        Set-ADSyncAADConnectorImportApiVersion             0.0        AADConnector


PS C:\> Get-ADSyncAADConnectorExportApiVersion
2
PS C:\> Get-ADSyncAADConnectorImportApiVersion
2
PS C:\>

 

Confirm AAD Connect v2 EndPoints

Conclusion

Well hopefully this article was able to help you upgrade to Azure AD Connect 2.0. It’s actually not that bad of an install and it’s not too involved so hopefully you won’t run into any issues if/when you decide to upgrade it in your environment.

 

One thing I forgot to mention is that if you have specific rules on your AD Connect Server, those will need to confirmed so it doesn’t cause any impact.

5/5 - (23 votes)

Paul

Hi, my name is Paul and I am a Sysadmin who enjoys working on various technologies from Microsoft, VMWare, Cisco and many others. Join me as I document my trials and tribulations of the daily grind of System Administration.

Leave a Reply

Your email address will not be published.