Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2018-12-30) Azure AD Connect v1.2.69.0 Has Been Released

Posted by Jorge on 2018-12-30


Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

  • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
  • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
  • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
  • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications.
  • Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

Download "Microsoft Azure Active Directory Connect"

IMPORTANT: I upgraded from Azure AD Connect v1.2.68.0, and the next time it synched after performing the steps below it triggered a full import and full sync for both the AD connector and the AAD connector. Since this may take some time, depending on the size of your AD/AAD environment in terms of the number of objects being synched, make sure that you have taken the necessary steps to support this, or hold off on upgrading until you have found a convenient moment to do so.

Azure AD Connect: Version Release History

1.2.69.0

Released: 12/11/2018

Released for download

Prerequisites for Azure AD Connect

More information about Azure AD Connect

Fixed issues

  • This hotfix build allows the user to select a target domain, within the specified forest, for the RegisteredDevices container when enabling device writeback. In the previous versions that contain the new Device Options functionality (1.1.819.0 – 1.2.68.0), the RegisteredDevices container location was limited to the forest root and did not allow child domains. This limitation only manifested itself on new deployments – in-place upgrades were unaffected.
  • If any build containing the updated Device Options functionality was deployed to a new server and device writeback was enabled, you will need to manually specify the location of the container if you do not want it in the forest root. To do this, you need to disable device writeback and re-enable it which will allow you to specify the container location on the “Writeback forest” page.

I (finally) ran the MSI and upgraded from the previous version without any issues (except for what I mentioned below!) and ran at least one scheduled sync cycle!

After the upgrade I noticed the following, which was weird! Device writeback was enabled and configured correctly. I have one single AD domain. No idea why this happened. This was not a new server, as the second bullet in the “fixed issues” section above mentions.

After the next sync I started seeing the errors below.

The upper 2 are devices synched from AAD to AD, the lower 2 are Windows 10 devices being synched from AD to AAD.

Figure 1: “Container-Not-In-Scope” Errors

After checking the device writeback config, it was empty!

Get-ADSyncGlobalSettingsParameter | ?{$_.name -like "Microsoft.DeviceWriteBack*"}

Figure 2: Device Writeback NOT Being Enabled And Configured After The Upgrade

Checking the Azure AD Connect Wizard it said it was enabled. Again, weird!

My solution for this was the following steps:

  • Disable the sync scheduler

Set-ADSyncScheduler -SyncCycleEnabled $false # <— By The Way, Should ALWAYS Be Executed Before An Upgrade Of AAD Connect To Make Sure The Sync DOES NOT Start

  • Using The Azure AD Connect Wizard: Disable Device Writeback
    • Start AAD Connect Wizard –> Click [Configure] –> Select [Configure Device Options] –> Click [Next] (2x) –> Enter AAD Global Credentials –> Select “Disable Device Writeback” –> Click [Next] –> Click [Configure] –> Click [Exit]

  • Using The Azure AD Connect Wizard: Reenable Device Writeback
    • Start AAD Connect Wizard –> Click [Configure] –> Select [Configure Device Options] –> Click [Next] (2x) –> Enter AAD Global Credentials –> Select “Configure Device Writeback” –> Click [Next] –> Select the AD Forest And AD Domain To Host The Synched Devices From AAD –> Enter AD Enterprise Admin Credentials Or Select The Option To Download The PowerShell Script –> Click [Next] –> Click [Configure] –> Click [Exit]

  • Check The Device Writeback Configuration
    • Get-ADSyncGlobalSettingsParameter | ?{$_.name -like "Microsoft.DeviceWriteBack*"}

Figure 3: Device Writeback Being Enabled And Configured

  • Reenable the sync scheduler

Set-ADSyncScheduler -SyncCycleEnabled $true # <—Should ALWAYS Be Executed AFTER A Successful And Verified Upgrade Of AAD Connect To Make Sure The Sync DOES Start The Next Schedule
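The steps above, wrapped into a pre-/post-upgrade check as an added example (not part of the original post and not Microsoft's code): before the upgrade it stops the scheduler and snapshots the Microsoft.DeviceWriteBack* global settings to JSON; after the upgrade it flags any parameter that went missing or changed (the situation in Figure 2) and only then re-enables the scheduler. It assumes the ADSync module is installed and that the objects returned by Get-ADSyncGlobalSettingsParameter expose Name and Value properties; the snapshot path is a constructed default.

```powershell
# Added example (not from the original post): snapshot device writeback settings
# before an Azure AD Connect upgrade and compare them afterwards. Assumes the ADSync
# module is present and that parameter objects expose Name and Value properties.
param(
    [Parameter(Mandatory)][ValidateSet('Before','After')][string]$Phase,
    [string]$SnapshotPath = "$env:ProgramData\AADConnectDeviceWritebackSnapshot.json"
)
Import-Module ADSync -ErrorAction Stop
function Get-DeviceWritebackSettings {
    # Same filter the post uses, collected into a name -> value hashtable
    $h = @{}
    Get-ADSyncGlobalSettingsParameter |
        Where-Object { $_.Name -like 'Microsoft.DeviceWriteBack*' } |
        ForEach-Object { $h[$_.Name] = [string]$_.Value }
    return $h
}
$scheduler = Get-ADSyncScheduler
switch ($Phase) {
  'Before' {
    # The sync cycle must not start while the MSI runs: stop the scheduler first.
    if ($scheduler.SyncCycleInProgress) {
        Write-Warning 'A sync cycle is running; wait for it to finish before upgrading.'
    }
    if ($scheduler.SyncCycleEnabled) {
        Set-ADSyncScheduler -SyncCycleEnabled $false
    }
    $settings = Get-DeviceWritebackSettings
    if ($settings.Count -eq 0) { Write-Warning 'No device writeback settings found.' }
    $settings | ConvertTo-Json | Set-Content -Path $SnapshotPath
    Write-Host "Saved $($settings.Count) device writeback parameter(s) to $SnapshotPath"
  }
  'After' {
    $before = Get-Content -Path $SnapshotPath -Raw | ConvertFrom-Json
    $after  = Get-DeviceWritebackSettings
    $drift  = @()
    foreach ($p in $before.PSObject.Properties) {
        if (-not $after.ContainsKey($p.Name)) { $drift += "MISSING: $($p.Name)" }
        elseif ($after[$p.Name] -ne $p.Value) { $drift += "CHANGED: $($p.Name) '$($p.Value)' -> '$($after[$p.Name])'" }
    }
    if ($drift.Count -gt 0) {
        Write-Warning ("Device writeback config differs from the pre-upgrade snapshot:`n" + ($drift -join "`n"))
        Write-Warning 'Leaving the scheduler disabled; re-run Configure Device Options, then re-enable it.'
    } else {
        Write-Host 'Device writeback config matches the snapshot; re-enabling the scheduler.'
        Set-ADSyncScheduler -SyncCycleEnabled $true
    }
  }
}
```

Run it as `.\Check-DeviceWriteback.ps1 -Phase Before` right before the MSI and `-Phase After` once the upgrade wizard has finished; in the case described in this post the After run would list every Microsoft.DeviceWriteBack* parameter as MISSING.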

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
