Neil Hoffman - 15.12.2021

Azure AD Connect Swing Migration Part 1 – Modern Versions

A sorely missing function of Azure AD Connect is here! It has always been a difficult task to migrate this critical application to a new server. Making sure you captured every setting for the new server was hard, and there was always the nagging concern that a mistake could cause unknown havoc!

Well, fear not! As of version 1.5.42.0, Microsoft has added a new feature to address this. For full details see Import and export Azure AD Connect configuration settings.

Note: at the time of this writing, this function is still in Preview.

This blog is part 1 of 2 and will go through the process to Import from a server which is already running (or has been upgraded to) a version supporting this functionality. Part 2 will go through the process of migrating from a server running an older version of Azure AD Connect which does not have this functionality. It is recommended to compare the new and old servers before going live. This is accomplished by leaving the new server in Staging Mode, which should be the default setting when using this method, then removing Staging Mode once settings are validated.


HOW TO EXPORT

There are two ways the configuration gets exported: automatic and manual.

Automatic

Every time a change is made to the configuration, a time-stamped file is saved to %ProgramData%\AADConnect. The file name is in this format: Applied-SynchronizationPolicy-TimeStamp.JSON.

Only changes made by Azure AD Connect are automatically exported. Any changes made by using PowerShell, the Synchronization Service Manager, or the Synchronization Rules Editor will not cause a new file to be created. For this reason, it is recommended to do a fresh manual export when getting ready to migrate.

This is a nice feature which will show you a historical record of all changes made over time.

Manual

You can manually export by opening Azure AD Connect, clicking Configure, then View or export current configuration.

This will default to saving in the same location, %ProgramData%\AADConnect; however, you are free to change the location in the Save As dialog box. The file name is in this format: Exported-SynchronizationPolicy-TimeStamp.JSON.

Now copy this file over to the new Azure AD Connect server to prepare for importing.

HOW TO IMPORT

When you are setting up a new instance of Azure AD Connect, you will now be offered an option to import a configuration. On the Welcome screen, click Customize and then you can choose Import synchronization settings and browse to the file you copied in the prior step.

You will need to provide the following when clicking Install; all other changes can be made after installation from the Azure AD Connect wizard:

  • Azure Active Directory credentials: The account name for the Azure Global Administrator used to configure the original server is suggested by default. It must be changed if you want to synchronize information to a new tenant.
  • User sign-in: The sign-on options configured for your original server are selected by default and automatically prompt for credentials or other information needed during configuration. In rare cases, there might be a need to set up a server with different options to avoid changing the behavior of the active server. Otherwise, select Next to use the same settings.
  • On-premises directory credentials: For each on-premises directory included in your synchronization settings, you must provide credentials to create a synchronization account or supply a pre-created custom synchronization account. This procedure is identical to the clean install experience, with the exception that you can’t add or remove directories.
  • Configuration options: As with a clean install, you might choose to configure the initial settings for whether to start automatic synchronization or enable Staging mode. The main difference is that Staging mode is intentionally enabled by default to allow comparison of the configuration and synchronization results prior to actively exporting the results to Azure.

Validate

Now you should validate the new installation to confirm all settings have been imported successfully. You can do so by comparing two files, the original file that you exported from the old server and the new file created when you configured the new server, Exported-SynchronizationPolicy-*.JSON and Applied-SynchronizationPolicy-*.JSON respectively. You can use your favorite text comparison tool to make sure they are the same.
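As an added example (not code from the original post or from Microsoft), the following PowerShell script automates the comparison described above by flattening both JSON files to one line per setting and diffing them. It assumes both files sit in %ProgramData%\AADConnect on the new server; the function and variable names are my own.

```powershell
# Added example (not from the original post or from Microsoft): compares the policy
# exported from the old server with the policy applied on the new one.
# Assumes both files are in %ProgramData%\AADConnect on the new server.
$dir = Join-Path $env:ProgramData 'AADConnect'

function Get-LatestPolicy([string]$Prefix) {
    # Newest file matching e.g. Applied-SynchronizationPolicy-<TimeStamp>.JSON
    Get-ChildItem -Path $dir -Filter "$Prefix-SynchronizationPolicy-*.JSON" -File |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
}

function ConvertTo-FlatLines($Node, [string]$Path = '') {
    # Flatten nested JSON into "path = value" strings so every leaf setting
    # can be compared individually, regardless of nesting or array position.
    if ($null -ne $Node -and $Node -is [System.Array]) {
        for ($i = 0; $i -lt $Node.Count; $i++) {
            ConvertTo-FlatLines -Node $Node[$i] -Path "${Path}[$i]"
        }
    } elseif ($null -ne $Node -and $Node.GetType().Name -eq 'PSCustomObject') {
        foreach ($prop in $Node.PSObject.Properties) {
            ConvertTo-FlatLines -Node $prop.Value -Path "$Path/$($prop.Name)"
        }
    } else {
        "$Path = $Node"
    }
}

$exported = Get-LatestPolicy 'Exported'   # copied over from the old server
$applied  = Get-LatestPolicy 'Applied'    # written by the wizard on the new server
if (-not $exported -or -not $applied) {
    throw "Need both an Exported- and an Applied- SynchronizationPolicy file in $dir"
}

# Sorting first keeps Compare-Object exact even when arrays are ordered differently
$old = @(ConvertTo-FlatLines (Get-Content $exported.FullName -Raw | ConvertFrom-Json) | Sort-Object)
$new = @(ConvertTo-FlatLines (Get-Content $applied.FullName  -Raw | ConvertFrom-Json) | Sort-Object)

$diff = Compare-Object -ReferenceObject $old -DifferenceObject $new
if ($diff) {
    Write-Warning "$($applied.Name) differs from $($exported.Name):"
    # '<=' lines exist only in the old export, '=>' only in the new applied policy
    $diff | ForEach-Object { '{0} {1}' -f $_.SideIndicator, $_.InputObject }
} else {
    "No differences: $($applied.Name) matches $($exported.Name)."
}
```

Run it on the new server after copying the Exported- file into the folder, and review every reported line: a setting you deliberately changed during the install (such as keeping the new server in Staging Mode, if the file records it) is expected to show up, while anything else is a gap to close before the old server is decommissioned.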

Once confirmed, you can decommission the old server and remove Staging Mode on the new one.

In this blog, we learned how to perform a swing migration to a new Azure AD Connect server when the old server is running a current version. In part 2, we will review how to migrate from a server running an older version. Stay tuned and as always, please feel free to reach out to us for assistance!

You can read more of my blogs here and learn more about the importance of protecting Active Directory in this blog series.

