It is currently supported to upgrade from any version of Azure AD Connect to the current version. In-place upgrades of DirSync or ADSync are not supported and a swing migration is required. If you want to upgrade from DirSync, see Upgrade from Azure AD sync tool (DirSync) or the Swing migration section.

In practice, customers on extremely old versions may encounter problems not directly related to Azure AD Connect. Servers that have been in production for several years typically have had several patches applied to them, and not all of these can be accounted for. Generally, customers who have not upgraded in 12-18 months should consider a swing upgrade instead, as this is the most conservative and least risky option.

If you want to upgrade from DirSync, see Upgrade from Azure AD sync tool (DirSync) instead.

There are a few different strategies that you can use to upgrade Azure AD Connect. This is the easiest method for customers with an express installation. If you have a single server, you can upgrade the installation in-place on the same server. With two servers, you can prepare one of the servers with the new release or configuration, and change the active server when you're ready.

For permissions information, see the permissions required for an upgrade.

After you've enabled your new Azure AD Connect server to start synchronizing changes to Azure AD, you must not roll back to using DirSync or Azure AD Sync. Downgrading from Azure AD Connect to legacy clients, including DirSync and Azure AD Sync, isn't supported and can lead to issues such as data loss in Azure AD.

In-place upgrade

An in-place upgrade works for moving from Azure AD Sync or Azure AD Connect. It doesn't work for moving from DirSync or for a solution with Forefront Identity Manager (FIM) + Azure AD Connector.

This method is preferred when you have a single server and fewer than about 100,000 objects. If there are any changes to the out-of-box sync rules, a full import and full synchronization occur after the upgrade. This method ensures that the new configuration is applied to all existing objects in the system. This run might take a few hours, depending on the number of objects that are in scope of the sync engine. The normal delta synchronization scheduler (which synchronizes every 30 minutes by default) is suspended, but password synchronization continues. You might consider doing the in-place upgrade during a weekend. If there are no changes to the out-of-box configuration with the new Azure AD Connect release, then a normal delta import/sync starts instead.

If you've made changes to the out-of-box synchronization rules, then these rules are set back to the default configuration on upgrade. To make sure that your configuration is kept between upgrades, make sure that you make changes as they're described in Best practices for changing the default configuration.

During an in-place upgrade, there may be changes introduced that require specific synchronization activities (including the Full Import step and the Full Synchronization step) to be executed after the upgrade completes. To defer such activities, refer to section How to defer full synchronization after upgrade.

If you are using Azure AD Connect with a non-standard connector (for example, Generic LDAP Connector and Generic SQL Connector), you must refresh the corresponding connector configuration in the Synchronization Service Manager after an in-place upgrade. For details on how to refresh the connector configuration, refer to article section Connector Version Release History - Troubleshooting. If you do not refresh the configuration, import and export run steps will not work correctly for the connector. You will receive the following error in the application event log with message "Assembly version in AAD Connector configuration ("X.X.XXX.X") is earlier than the actual version ("X.X.XXX.X") of "C:\Program Files\Microsoft Azure AD Sync\Extensions\.dll".

If you have a complex deployment or many objects, or if you need to upgrade the Windows Server operating system, it might be impractical to do an in-place upgrade on the live system. For some customers, this process might take multiple days, and during this time, no delta changes are processed. You can also use this method when you plan to make substantial changes to your configuration and you want to try them out before they're pushed to the cloud.

The recommended method for these scenarios is to use a swing migration. You need (at least) two servers: one active server and one staging server. The active server (shown with solid blue lines in the following picture) is responsible for the active production load. The staging server (shown with dashed purple lines) is prepared with the new release or configuration.