Upgrade from Azure Active Directory sync to AAD Connect can be made with “In-Place-Upgrade” or “Parallel” installation.
Instructions how to make in-place-upgrade can be found from here and guidance to Microsoft technical documentation from here.
Parallel upgrade is recommendation if you have more than 50000 objects which are synced to the cloud or you want to make operating system upgdare at same time. Here is instructions how to do parallel upgrade of DirSync.
Keep in mind that following changes are supported with DirSync and will be upgraded:
- Domain and OU filtering
- Alternate ID (UPN)
- Password sync and Exchange hybrid settings
- Your forest/domain and Azure AD settings
- Filtering based on user attributes
High level steps are:
- Export configuration from DirSync engine
- Install AAD Connect to staging mode and import DSync settings
- Check and confirm data which will be synced to AAD
- Uninstall DirSync
- Disable staging mode and start synchronization
Parallel Upgrade:
- Download AAD Connect tool from Microsoft download center
- Start AAD Connect.exe at DirSync server
- When “Welcome to Azure AD Connect” installation page opens close it down from “x” at right corner and run following command from installation location:
C:\Program Files\Microsoft Azure Active Directory Connect) execute the following command:
AzureADConnect.exe /ForceExport from command line
This will open new wizard where you can export DirSync configurations
After exporting the configuration move to new AAD Connect server and perform same steps than at DirSync machine
- Start AAD Connect.exe at AAD Connect server
- When “Welcome to Azure AD Connect” installation page opens close it down from “x” at right corner and run following command from installation location:
C:\Program Files\Microsoft Azure Active Directory Connect) execute the following command:
AzureADConnect.exe /Migrate from command line
Wizard opens again and you can import settings and define additional parameters like service account or SQL server. My recommendation is to use dedicated service account for AAD Connect and assign correct permissions to on-premises AD. Just remember to grant necessary permssions to that account.
Rest of the wizard is familiar, just go through and logon to Azure AD and on-premises AD.
After configuration is complete it’s good idea to verify data before activating sync. There are some catches comparing AAD Connect and AAD Sync.
- Users – adds three (3) attributes to user objects (DNSDomainName, NetbiosName and OnPremisesSamAccountName)
- Groups – adds displayName attribute to groups and sync those groups. AAD Connect creates displayName from samAccountName and sync group to AAD
- Devices – are added to metaverse but not synced to AAD by default
Information how to do verification to data is found from here. When installing AAD Connect to staging mode you can export all the data from connector space before synchronization.
In my case we had about quite big amount of objects to be updated to the AAD and imported to connector space.
Full import from on-prem AD Full import from AAD
Full sync to connector spaces
Total amount of exports.
If Exchange 2016 would be used at on-premises AAD Connect adds one extra attribute to users objects – msDS-ExternalDirectoryObjectID.
Summary:
When upgrading from DirSync to AAD Connect be aware that there are huge amount of updated object because of new sync rules.
Keep in mind support dates and deprecation schedule:
- April 13, 2016 — Windows Azure Active Directory Sync (“DirSync”) and Microsoft Azure Active Directory Sync (“Azure AD Sync”) are announced as deprecated.
- April 13, 2017 — Support ends. Customers will no longer be able to open a support case without upgrading to Azure AD Connect first.
Sam's Corner 