ENow Blog | Azure & Active Directory Center

Understanding Auto-Upgrade Options in Azure AD Connect

Written by Jeff Guillet MVP, MCSM | Jul 25, 2017 1:00:00 PM

For hybrid customers, Azure Active Directory Connect is one of the most important tools you need to keep Azure AD up-to-date. Besides directory synchronization, it provides means for authentication to Office 365 resources using password hash sync, pass-through authentication, or AD FS.

Auto-Upgrade in Azure AD Connect is a feature that’s been available since build 1.1.105. When enabled, AAD Connect periodically polls Microsoft delivery servers for new versions and automatically upgrades AAD Connect to the latest build.

When Auto-Upgrade was first rolled out as an option, not all AAD Connect installations were automatically upgraded at the same time. That way, Microsoft could pilot an update to a percentage of deployments and use telemetry to ensure the upgrades went smoothly before rolling it out to more clients.

At first, only those customers who used Express Settings with or without password writeback could use Auto-Upgrade. Over time, the setup/upgrade process has become more robust and more configurations, like staging mode, are capable of supporting Auto-Upgrade. In build 1.1.561 the scenarios supported to use Auto-Upgrade was expanded to include the following configurations:

  •  
  • The device writeback feature is enabled
  • The group writeback feature is enabled
  • The installation is a custom installation
  • There are more than 100,000 objects in the metaverse
  • More than one forest is being connected to Azure AD
  • The AD Connector account uses a specified service account
  • The server is set to be in staging mode
  • The user writeback feature is enabled

You can determine if an AAD Connect server is in Auto-Upgrade mode using the Azure AD Connect GUI or PowerShell. From the GUI, select View current configuration and look at Synchronization Settings:

Figure 1 - View current configuration

Or, from PowerShell you can run the Get-ADSyncAutoUpgrade cmdlet to get the current state. There are three possible states:

  •  
  • Enabled – Auto-Upgrade is enabled and will check for new updates, roughly every 6 hours
  • Disabled – Auto-Upgrade will never check for new updates
  • Suspended – Auto-Upgrade is unable to apply updates. This state should normally only be set by AAD Connect

The Enabled and Disabled states are obvious, but I want to spend a little more time explaining the Suspended state. As mentioned earlier, when Auto-Upgrade is set to Enabled AAD Connect checks periodically for updates. If the current configuration is not supported by Auto-Upgrade, AAD Connect will set to state to Suspended. You can think of a Suspended state to mean, “Not possible.” If an administrator should set the Auto-Upgrade state to Enabled on a server where Auto-Upgrade is not possible, AAD Connect will set it back to Suspended on the next polling cycle.

This behavior is expected and will carry forward for each manual upgrade. AAD Connect will continue to check for updates on the regular 6-hour schedule. Once the current configuration is supported, AAD Connect will update to the latest build.

So, using the Auto-Upgrade criteria above, we could have a customer running build 105 (the earliest build where Auto-Upgrade was available) whose Auto-Upgrade state is set to Suspended because they are using a specified service account. Build 1.1.561.0 is released which supports this configuration and AAD Connect Auto-Upgrades to that build for the very first time.

Enterprise customers usually want to test software before they apply updates. Those customers can set the Auto-Upgrade state to Disabled to prevent AAD Connect from automatically installing the latest build. This can be done using the following cmdlet:

Set-ADSyncAutoUpgrade -AutoUpgradeState disabled

If you later decide to re-enable Auto-Upgrade checks, set the AutoUpgradeState to “enabled”. If your configuration is still not supported, AAD Connect will set it back to “suspended” on the next periodic check. It will flip to enabled when your configuration is finally supported.

I encourage you to view your AAD Connect version and Auto-Upgrade configuration. You should consider upgrading to the latest builds to get all the new fixes and features that AAD Connect has to offer.

 

Monitor Your Hybrid - Office 365 Environment with ENow

ENow’s Office 365 Monitoring solution is like your own personal outage detector that pertains solely to you environment. ENow’s solution monitors all crucial components including your hybrid servers, the network, and Office 365 from a single pane of glass. Knowing immediately when a problem happens, where the fault lies, and why the issue has occurred, ensures that any outages are detected and solved as quickly as possible.Monitor Your Hybrid - Office 365 Environment with ENow.