Azure AD Connect Staging Mode

Azure AD Connect is the tool use to connect on-premises directory service with Azure AD. It allows users to use same on-premises ID and passwords to authenticate in to Azure AD, Office 365 or other Applications hosted in Azure. Azure AD connect can install on any server if its meets following,

• The AD forest functional level must be Windows Server 2003 or later. 

• If you plan to use the feature password writeback, then the Domain Controllers must be on Windows Server 2008 (with latest SP) or later. If your DCs are on 2008 (pre-R2), then you must also apply hotfix KB2386717.

• The domain controller used by Azure AD must be writable. It is not supported to use a RODC (read-only domain controller) and Azure AD Connect does not follow any write redirects.

• It is not supported to use on-premises forests/domains using SLDs (Single Label Domains).

• It is not supported to use on-premises forests/domains using "dotted" (name contains a period ".") NetBios names.

• Azure AD Connect cannot be installed on Small Business Server or Windows Server Essentials. The server must be using Windows Server standard or better.

• The Azure AD Connect server must have a full GUI installed. It is not supported to install on server core.

• Azure AD Connect must be installed on Windows Server 2008 or later. This server may be a domain controller or a member server when using express settings. If you use custom settings, then the server can also be stand-alone and does not have to be joined to a domain.

• If you install Azure AD Connect on Windows Server 2008 or Windows Server 2008 R2, then make sure to apply the latest hotfixes from Windows Update. The installation is not able to start with an unpatched server.

• If you plan to use the feature password synchronization, then the Azure AD Connect server must be on Windows Server 2008 R2 SP1 or later.

• If you plan to use a group managed service account, then the Azure AD Connect server must be on Windows Server 2012 or later.

• The Azure AD Connect server must have .NET Framework 4.5.1 or later and Microsoft PowerShell 3.0 or later installed.

• If Active Directory Federation Services is being deployed, the servers where AD FS or Web Application Proxy are installed must be Windows Server 2012 R2 or later. Windows remote management must be enabled on these servers for remote installation.

• If Active Directory Federation Services is being deployed, you need SSL Certificates.

• If Active Directory Federation Services is being deployed, then you need to configure name resolution.

• If your global administrators have MFA enabled, then the URL https://secure.aadcdn.microsoftonline-p.com must be in the trusted sites list. You are prompted to add this site to the trusted sites list when you are prompted for an MFA challenge and it has not added before. You can use Internet Explorer to add it to your trusted sites.

• Azure AD Connect requires a SQL Server database to store identity data. By default a SQL Server 2012 Express LocalDB (a light version of SQL Server Express) is installed. SQL Server Express has a 10GB size limit that enables you to manage approximately 100,000 objects. If you need to manage a higher volume of directory objects, you need to point the installation wizard to a different installation of SQL Server.

What is staging mode? 

 

In a given time, only one Azure AD connect instance can involve with sync process for a directory. But this gives few challenges. 

 

Disaster Recovery – If the server with Azure AD connect involves in a disaster it going to make impact on sync process. This can be worse if you using features such as password pass-through, single-sing-on, password writeback through AD connect.

Upgrades – If the system which running Azure AD connect needs upgrade or if Azure AD connect itself needs upgrade, will make impact for sync process. Again, the affordable downtime will be depending on the features and organization dependencies over Azure AD connect and its operations. 

Testing New Features – Microsoft keep adding new features to Azure AD connect. Before introduce those to production its always good to simulate and see how it will impact. But if its only one instance, it is not possible to do so. Even you have demo environment it may not simulate same impact as production in some occasions. 

 

Microsoft introduced the staging mode of Azure AD connect to overcome above challenges. With staging mode, it allows you to maintain another copy of Azure AD connect instance in another server. it can have same config as primary server. It will connect to Azure AD and receive changes and keep a latest copy to make sure the switch over is seamless as possible. However, it will not sync Azure AD connect configuration from primary server. it is engineer’s responsibility to update staging server AD connect configuration, if primary server AD connects config modified. 

 

Installation

 

Let’s see how we can configure Azure AD connect in staging mode.

 

1) Prepare a server according to guidelines given in prerequisites section to install Azure AD Connect. 

2) Review current configuration of Azure AD connect running on primary server. you can check this by Azure AD Connect | View current configuration 

 

 

3) Log in to server as Domain Administrator and download latest Azure Ad Connect from https://www.microsoft.com/en-us/download/details.aspx?id=47594

4) During the installation, please select customize option. 

 

 

5) Then proceed with the configuration according to settings used in primary server. 

6) At the last step of the configuration, select Enable staging mode: When selected, synchronization will not export any data to Ad or Azure AD and then click install. 

 

 

7) Once installation completed, in Synchronization Service (Azure AD Connect | Synchronization Service) we can confirm there is no sync jobs. 

 

 

Verify data

 

As I mentioned before, staging server allows to simulate export before it make as primary. This is important if you implement new configuration changes. 

 

In order to prepare a staged copy of export, 

 

1) Go to Start | Azure AD Connect | Synchronization Service | Connectors 

 

 

2) Select the Active Directory Domain Services connector and click on Run from the right-hand panel. 

 

 

3) Then in next window select Full Import and click OK.

 

 

4) Repeat same for Windows Azure Active Directory (Microsoft) 

5) Once both jobs completed, Select the Active Directory Domain Services connector and click on Run from the right-hand panel again. But this time select Delta Synchronization, and click OK.

 

 

6) Repeat same for Windows Azure Active Directory (Microsoft)

7) Once both jobs finished, go to Operation tab and verify if jobs were completed successfully. 

 

 

Now we have the staging copy, next step is to verify if the data is presented as expected. to do that we need to get help of a PowerShell script.  

This is available on https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-operations#appendix-csanalyzer 

 

Save this as .ps1 on C Drive. 

 

1) Open PowerShell and type cd "C:\Program Files\Microsoft Azure AD Sync\Bin" (if your install path is different use the relevant path)

2) Then run .\csexport "myrebeladmin.onmicrosoft.com – AAD" C:\export.xml /f:x in here myrebeladmin.onmicrosoft.com -AAD should replace with your Azure AD connector name. This will export config to C:\export.xml

3) Then type .\analyze.ps1 -xmltoimport C:\export.xml in here analyze.ps1 is the script we saved in beginning of this section. 

4) Then it will create CSV file called processedusers1.csv and it’s contain all changes which will sync to Azure AD. 

 

However, this step is always not required. It can make as primary server without import and verify process. 

 

How to make it as primary Server?

 

In order to make staging server as primary server,

 

1) Go to Start | Azure AD Connect | Azure AD Connect

2) Then click on Configure in next page. 

3) In next page select option Configure staging mode and click Next

 

 

 

4) In next page provide the Azure AD login credentials for directory sync account. 

5) In next window, untick Enable staging mode and click Next

 

 

6) In next window select start the synchronization process… and click Configure

 

 

This completes the process of promoting staging server in to primary. Hope this was useful and if you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.