Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2014-09-23) Upgrading Azure AD Sync From The Beta Version To RTM

Posted by Jorge on 2014-09-23


In this blog post I will show you how to upgrade from the beta version of the Azure AD Sync Service to its RTM version. The method I’m showing here is most likely just one of the ways of accomplishing this: I uninstall the beta version and then install the RTM version. It is most likely also possible to perform an in-place software upgrade by installing the RTM version on top of the beta version. I do not like in-place upgrades, because you might end up keeping stuff from the previous version that you do not want!

Because the installation of the Azure AD Sync Service also creates the local service account, you must first determine which scenario applies to you and do some preparations.

If you are already using a domain-based service account, then it is very likely you already know the password of that service account. If you are using the default local service account, then you need to reset its password, because you most likely do not know it: it was set by the installation. To determine which account type you are using, open the Services MMC and check the account listed under "Log On As" for the "Microsoft Azure AD Sync" service. You are using a local service account if that listing starts with ".\AAD_".

If you are using a local service account, perform this step; otherwise skip it.

Before resetting the password of the local service account, stop the "Microsoft Azure AD Sync" service first.

Figure 1: Using The Services MMC To Stop The "Microsoft Azure AD Sync" Service

Start the Computer Management MMC and target the local service account that starts with ".\AAD_".

Figure 2: Resetting The Password Of The Current (Local) Azure AD Sync Service Service Account

Then, using the Services MMC, re-enter the new password for the local service account. After doing that, start the "Microsoft Azure AD Sync" service again.

Figure 3: Re-Entering Credentials For The "Microsoft Azure AD Sync (ADSync)" Service

The Azure AD Sync Service wizard will create a new local Azure AD Sync Service service account, and that account must be configured with the encryption keys securing the secret data in the database. To be able to do that, you must export the keyset first, if it is not already available.

Figure 4: Exporting The KeySet Using The Azure ADSync Encryption Key Management Wizard

Figure 5: Providing The Credentials Of The Current (Local) Azure AD Sync Service Service Account

The default folder is "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Azure AD Sync\". Make sure that an existing keyset file with the same filename is not already present there.

Figure 6: Providing The Path Of The Encryption File

Figure 7: Configuration Summary

Figure 8: Configuration Result

When you look in Programs And Features you will find the following software components, highlighted in yellow, that are part of the Azure AD Sync Service.

Figure 9: Software Components That Are Part Of The Azure AD Sync Service

You may ask yourself which one should be uninstalled first, and in which order. One thing is certain, from my experience: you will run into all kinds of errors during the uninstall and during the install of the new version. It is therefore very important to use the correct steps!

To uninstall everything in one go without errors, you should uninstall the component called "Microsoft Azure AD Connection Tool".

Figure 10: Uninstalling The Main Component Of The Azure AD Sync Service

Figure 11: The Uninstall Wizard Of The Main Component Of The Azure AD Sync Service

When the uninstall has finished, you can start the new installation by executing "MicrosoftAzureADConnectionTool.exe".

Figure 12: The Install Wizard Of The Main Component Of The Azure AD Sync Service

As soon as you see the screen above, CANCEL the installation by clicking the cross in the upper right corner. If you do not cancel the installation, it will be installed with all defaults, including SQL Express.

After cancelling the installation, open a command prompt window and navigate to the folder "C:\Program Files\Microsoft Azure AD Connection Tool". You will need to execute "DirectorySyncTool.exe". It supports the following options:

DirectorySyncTool.exe /sqlserver <FQDN SQL Server> /sqlserverinstance <Custom SQL Instance Name If Applicable> /serviceAccountDomain <NetBIOS Domain Name Of Service Account> /serviceAccountName <sAMAccountName Of Service Account> /serviceAccountPassword <Password Of Service Account>

In this case I’m accepting all defaults except that I want to use SQL Server instead of SQL Express. To do that I execute the following command:

DirectorySyncTool.exe /sqlserver R1FSMBSV0.ADCORP.LAB /sqlserverinstance <Custom SQL Instance Name If Applicable>

REMARK: the SQL instance name should only be specified if it concerns a custom (named) SQL instance. If you want to use the default SQL instance, do not specify the /sqlserverinstance parameter at all.

Figure 13: Installing The Azure AD Sync Service And Using A SQL Server With The Default Instance Name

Figure 14: The Install Wizard Of The Main Component Of The Azure AD Sync Service

Agreeing to the license terms and clicking "Install" will install everything, while at the same time detecting the database of the previous version. Because it uses the existing database, the remaining configuration options such as credentials, matching rules, etc. are skipped, as that information is already in the database.

The installation has created a new local service account. To restore the keyset, or in other words reactivate the previous database, you need to know the password of the service account in use.

Start the Computer Management MMC and target the local service account that starts with ".\AAD_".

Figure 15: Resetting The Password Of The Current (Local) Azure AD Sync Service Service Account

Then, using the Services MMC, re-enter the new password for the local service account. After doing that, start the "Microsoft Azure AD Sync" service again.

Figure 16: Re-Entering Credentials For The "Microsoft Azure AD Sync (ADSync)" Service
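The account check and password reset described above (the same steps as before the keyset export earlier in the post), as an added PowerShell example that is not part of the original post. It assumes the service name "ADSync" shown in Figure 3, Windows PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts module, and an elevated prompt.

```powershell
# Added example, not from the original post. Determines whether the
# "Microsoft Azure AD Sync" service runs as the default local AAD_ account or
# as a domain account; for the local case it stops the service, resets the
# account password, re-enters it on the service and starts the service again.
# Assumptions: service name 'ADSync' (Figure 3), Windows PowerShell 5.1 with
# the Microsoft.PowerShell.LocalAccounts module, run from an elevated prompt.

$ServiceName = 'ADSync'

# The "Log On As" value from the Services MMC is the StartName property of
# the Win32_Service instance.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' was not found." }
$logonAs = $svc.StartName
Write-Host "Service '$ServiceName' logs on as: $logonAs"

if ($logonAs -notlike '.\AAD_*') {
    Write-Host 'Domain service account in use: use its known password and skip the reset.'
    return
}

# Local AAD_ account: its installer-generated password is unknown, so reset it.
$accountName = $logonAs.Substring(2)              # strip the leading ".\"
$cred = Get-Credential -UserName $logonAs -Message "New password for $accountName"

# 1. Stop the service first (Figure 1).
Stop-Service -Name $ServiceName -Force

# 2. Reset the password of the local account (Figure 2).
Set-LocalUser -Name $accountName -Password $cred.Password

# 3. Re-enter the new credentials on the service (Figure 3). Win32_Service.Change
#    needs the clear-text password; it is taken from the credential only here.
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $logonAs
    StartPassword = $cred.GetNetworkCredential().Password
}
if ($result.ReturnValue -ne 0) {
    throw "Updating the service logon credentials failed with return code $($result.ReturnValue)."
}

# 4. Start the service again.
Start-Service -Name $ServiceName
Write-Host "Done. Keep this password at hand: the keyset export and miisactivate prompt for it."
```

The same script serves the first reset (before exporting the keyset) and the second one (after the RTM install); only the AAD_ account name differs between the two runs.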

When you start the "Microsoft Azure AD Sync" service without having restored the keyset, you will see the following errors.

Figure 17: Error Immediately Shown When Starting The Service Without Restoring The Keyset

Figure 18: Additional Info In The Application Event Log When Starting The Service Without Restoring The Keyset

The correct way to solve this is by reactivating the database. For that you need to use the MIISACTIVATE tool in the folder "C:\Program Files\Microsoft Azure AD Sync\Bin".

Figure 19: Parameters Supported By The MIIS (!) Warm Standby Activation Utility

Figure 20: Reactivating The Existing Database For The New Azure AD Sync Service Engine

Figure 21: Warning About Making Sure the Previous Azure AD Sync Service Engine Is Offline

Figure 22: Prompting For The Password Of The (Local) Azure AD Sync Service Service Account

Figure 23: Confirmation That Reactivation Was Successful

When you check, you will find that the "Microsoft Azure AD Sync (ADSync)" service is already running; reactivation starts it for you.

Just as the installation creates a new local Azure AD Sync Service service account, it also creates new Azure AD Sync Service security groups. To make sure you will be able to use the Azure AD Sync Service engine from a permissions perspective, you may need to log off and log on again!

Additional information:

And you’re done!

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————
