Azure AD Connect v2.0 – Why should I care?

Azure AD Connect v2.0 – Why should I care?

Azure AD Connect (AADC) was released many years ago and has seen many versions over those years. Microsoft fairly recently introduced a policy where older versions would be sunset after a period of time. Now with the deprecation of components that the current AADC versions use, it has released the v2.x branch of Azure AD Connect.

Now confusingly there is also the Azure AD Connect v2.0 endpoints. These two are not strictly related, but both should be considered as part of an upgrade. The v2.0 endpoints allow for larger groups to be migrated (up to 250k members instead of only 50k members) and import/export performance has been improved.

Why should I care?

The following components are nearing their end of life/end of support dates:

  • SQL Server 2012: July 2022 (replaced with SQL 2019 LocalDB)
  • ADAL authentication library: June 2022 (replaced with MSAL authentication library)
  • TLS 1.0 and TLS 1.1: January 2022 (updated to now use TLS 1.2)
  • SHA1 signing of binaries (updated to now be signed with SHA2)
  • Windows Server 2012 and 2012 R2 (now require at least Windows Server 2016)

The ultimate deadline is that all of the v1 versions of AADC will go out of support on 31 August 2022, but advice is to ensure you are using v2.0 of AADC before June 2022 when ADAL goes out of support, since after that time authentication may prevent you from ever upgrading AADC

(What is Azure AD Connect v2.0? | Microsoft Docs)

What do I need to do?

First thing to do is check your current version of AADC. If you’re at version 1.5.45 or later then you’re good to go, if you are older than that, while you can still upgrade ok, our advice is upgrade the current instance to 1.5.45. The main reason for this is that you can then export the configuration and use that export as input into the install of version 2.0

Second thing is to see if you are using a staging server. If you are a company with thousands of people then having a staging server is in our opinion essential for best recoverability, reduced maintenance windows, better upgrade/config change control

If your existing AADC servers (staging and exporting) are already on Windows Server 2016 or later then they could be upgraded in place. Again for us, the recommendation is make sure you have a staging server and do that one first before validating the metaverse and then switching roles before upgrading what was the exporting server

In a lot of cases the simplest will be to stand up a brand new Windows Server 2016 or later (ideally the latest version supported in your organisation). Before installing AADC taken an export from the existing exporting AADC and use that as input when you run through the install.

Now there are many decisions that go into installing AADC like

  1. do I use LocalDB (aka SQL Express) or full blown SQL
  2. do I keep SQL on the same server or on another server, etc.

If you are not sure then please speak to us and we can help out, or we can run the upgrade for you