Upgrading AAD Connect Notes
With Windows 2012 R2 reaching end of support on October 23, 2023, it's (unfortunately) time to think about transitioning workloads off of old servers and onto newer ones. It's inevitable, and given how much I procrastinate, I can definitely empathize with customers trying to keep up with the pace of Azure and cloud computing.
With Azure Active Directory Connect (and other Azure AD tools like the AAD PowerShell module and AAD Proxy) enforcing TLS 1.2 to improve the security posture of each tenant and to remain in compliance with industry standards, I finally found some time to update my environment at home. Yes, I run AAD Connect at home AND have my own personal domain on Office 365 (if you've seen any demos where I talk about hybrid, you may have noticed that my home domain is shakeen.net).
The process for me was relatively easy. I have Pass-through Authentication enabled at home, which is probably what ADFS should've been, because the "infrastructure" buildout that authorized logins on-premises with ADFS was hefty. With Pass-through Authentication, that "infrastructure" layer is abstracted away in Azure. All you need are 2 agents on-premises for high availability. The authorization continues to happen on-premises (in fact, Microsoft recommends that the account you use for the AAD configuration/linkage be a cloud-only account that is not synchronized via AAD Connect, so that users can continue to authenticate in the event of a disaster).
So I uninstalled AAD Connect on-premises and my 2 AAD Pass-through agents after a final synchronization into Azure. I tried to install AAD Connect on-premises using the Pass-through Authentication configuration (that's what I've linked to) and was stopped by the TLS 1.2 requirement before the buildout even started. Whoops. There goes a fast configuration pattern.
I did manage to find a nifty PowerShell script after some searching online that enables TLS 1.2 on your Windows servers. Check that script out here. After I ran the script and added the right registry keys, I was good to go with the AAD Connect installation on my new server.
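For anyone who wants to verify the registry state before (or after) running a script like that, the following is an added example, not the script linked above and not Microsoft's code. It audits the Schannel TLS 1.2 Client/Server values and the .NET Framework strong-crypto values that the AAD Connect TLS 1.2 prerequisite check looks at, and only writes them when you pass `-Enable`. The key paths and value names are the documented ones; the function name is my own.

```powershell
# Added example: audit (and optionally set) the registry values behind TLS 1.2
# enforcement for AAD Connect. Run from an elevated prompt; reboot after changes.
function Test-Tls12Registry {
    [CmdletBinding()]
    param([switch]$Enable)   # without -Enable the function is read-only

    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
    $dotnet   = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319')

    # Desired state: TLS 1.2 enabled for both roles, .NET using the OS defaults and strong crypto.
    $expected = @()
    foreach ($role in 'Client', 'Server') {
        $expected += [pscustomobject]@{ Path = "$schannel\$role"; Name = 'Enabled';           Value = 1 }
        $expected += [pscustomobject]@{ Path = "$schannel\$role"; Name = 'DisabledByDefault'; Value = 0 }
    }
    foreach ($p in $dotnet) {
        $expected += [pscustomobject]@{ Path = $p; Name = 'SystemDefaultTlsVersions'; Value = 1 }
        $expected += [pscustomobject]@{ Path = $p; Name = 'SchUseStrongCrypto';       Value = 1 }
    }

    foreach ($e in $expected) {
        # A missing key or value reads as $null, which counts as non-compliant.
        $current = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        $ok = ($null -ne $current) -and ([int]$current -eq $e.Value)
        if (-not $ok -and $Enable) {
            if (-not (Test-Path $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
            New-ItemProperty -Path $e.Path -Name $e.Name -Value $e.Value -PropertyType DWord -Force | Out-Null
            $current = $e.Value
            $ok = $true
        }
        [pscustomobject]@{ Path = $e.Path; Name = $e.Name; Expected = $e.Value; Current = $current; Compliant = $ok }
    }
}

# Audit only; add -Enable to write any values that are missing or wrong.
Test-Tls12Registry | Format-Table -AutoSize
```

Any row showing `Compliant = False` is what trips the installer's TLS 1.2 check; a reboot is still needed after the values are written.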
I then installed AAD Connect on a Windows 2019 server, installed the Pass-through Authentication agents on 2 servers on-premises, and went to check Azure after a few minutes. Everything looked great, except I had 2 inactive servers:
I thought the uninstall command and the re-registration of the new servers would automatically clear out the "Inactive" servers. Turns out, that's not the case. After I located this blog post, I learned that I now have to wait until those "Inactive" servers simply roll off the configuration within my tenant.
I learned something today. Hopefully this helps you!