As you may be aware, Microsoft has recently rebranded Azure Active Directory to Microsoft Entra ID. This change may cause confusion in some cases, particularly with the Microsoft Entra Connect tool. Although the documentation<\/a> already refers to it as Microsoft Entra Connect, the download page<\/a> still refers to it as Azure AD Connect V2. Furthermore, the application itself is still labeled Azure AD Connect. For the sake of consistency, I will refer to it as Azure AD Connect or simply AD Connect throughout this post.<\/p>\n<\/p>\n AD Connect is a tool used for hybrid identity deployments and synchronization of your local Active Directory objects to the cloud. In smaller environments, the tool is typically installed on a domain controller, but it can also be installed on different servers. There can be only one active AD Connect server synchronizing the objects in your environment. When you need to upgrade or decommission the server running AD Connect, you need to migrate it. You can also use this process to upgrade AD Connect to a higher version. Microsoft calls this swing migration<\/a>.<\/p>\n<\/p>\n The current version of Azure AD Connect V2 requires at least Windows Server 2016. In this guide, I am installing it on a Windows Server 2022 domain controller.<\/p>\n<\/p>\n The first step is to export the configuration from the current server. Open AD Connect, click Configure,<\/em> and select View or export current configuration<\/em>.<\/p>\n<\/p>\n Export current configuration<\/a><\/p>\n Click the Export Settings<\/em> button to save the result file, ideally directly to the new server or a network share.<\/p>\n<\/p>\n Note:<\/em><\/strong> Make a note of the account name that is shown. You might need this information later during the cleanup phase.<\/p>\n<\/p>\n Next, check the current user sign-in settings (this is not part of the export). To do so, click Previous<\/em> and then select Change user sign-in<\/em>. Make a note or take a screenshot of the settings.<\/p>\n<\/p>\n Note that not everything is stored in the exported file, such as custom sync rules. These must be migrated manually. More information can be found here<\/a>.<\/p>\n<\/p>\n If you haven’t done so yet, now is the time to download<\/a> Azure AD Connect. Once done, run the MSI package to get started. First, you need to accept the license terms. Next, click Customize <\/em>on the Express Settings screen. Select the Import synchronization settings<\/em> checkbox and provide a path to the exported JSON file.<\/p>\n<\/p>\n Click Install <\/em>to get to the User Sign-in settings. Select the same settings that you noted from the current server. In my case, it was Password Hash Synchronization only, and click Next. <\/em>On the Connect to Azure AD<\/em> screen, enter your Azure account with at least the Hybrid Identity Administrator<\/strong> user role, and click Next.<\/em><\/p>\n<\/p>\n On the Connect your directories<\/em> screen, first select the forest to synchronize.<\/p>\n<\/p>\n As you can see, I have a red x next to the domain name. This is because I must specify an account that AD Connect should use to read Active Directory. Click Change Credentials. <\/em>There are two options: let AD Connect create a new account or use an existing account with the required permissions. In my case, I let the tool create an account for me. The account name is in the format MSOL_XXXXXXXX.<\/p>\n<\/p>\n Once you configure the AD account, the mark next to the domain name will turn green, and you can click Next<\/em> to review the configuration. There are two checkboxes on the Ready to configure<\/em> screen. The first starts the synchronization process once the wizard is completed. Pay close attention to the Enable staging mode\u2026<\/em> checkbox and make sure it’s checked. As already mentioned, only one AD Connect server can actively sync the changes at any time, so the server you are currently installing must go to staging mode. Staging mode prevents the server from syncing any local changes back to the cloud.<\/p>\n<\/p>\n Click Install<\/em> to complete the wizard. It will take several minutes to do so.<\/p>\n<\/p>\n The wizard also suggests checking the imported configuration against the exported configuration. You can do so using your favorite text editor, for example, Notepad++. Note that small differences in the JSON file are expected, such as the AD Connect version number, new server hostname, new username, etc.<\/p>\n<\/p>\n Note:<\/strong> If you had any custom synchronization rules defined, make sure to create them again on the new server.<\/em><\/p>\n<\/p>\n Once the tool itself is installed, you need to verify that the synchronization works properly. Remember the two checkboxes on the Ready to configure<\/em> screen? The first was to Start the synchronization process when the configuration completes<\/em>. If you have left it checked, the tool will immediately sync. To check the results, run the Synchronization service from the Start menu. Here, you can see that a full import and sync was done successfully.<\/p>\n<\/p>\n Initial synchronization results<\/p>\n<\/p>\n Note:<\/strong> If you want to see exactly which objects (users, groups, etc.) the server will synchronize, you can create an Excel export from the AD Connect tool. To do so, use the steps described in the <\/em>Verify section in this Microsoft document<\/a>.<\/em><\/p>\n<\/p>\n Once you have installed and verified that the synchronization is working as expected, it is time to perform the AD Connect server switch. To do so, you must enable Staging mode on the old server and disable it on the new server. First, run the AD Connect tool on the old server<\/strong> and select Configure staging mode<\/em>.<\/p>\n Configure staging mode<\/a> <\/p>\n Next, check<\/strong> the Enable staging mode<\/em> box and finish the wizard. Once completed, run AD Connect on the new server<\/strong> and again select Configure staging mode<\/em>. Here, you must uncheck <\/strong>the Enable staging mode box<\/em>.<\/p>\n Disable staging mode<\/a><\/p>\n On the Ready to configure<\/em> screen, be sure to check the Start the synchronization process when the configuration completes <\/em>and click Configure<\/em>.<\/p>\n<\/p>\nExport current configuration<\/h2>\n<\/p>\n
Install Azure AD Connect on a new server<\/h2>\n<\/p>\n
Verify synchronization results<\/h2>\n<\/p>\n
Changing the active server<\/h2>\n<\/p>\n