What needs upgrading? Active Directory Federation Services (AD FS), the AD FS Proxy, Directory Synchronization, Exchange (Hybrid) and the PowerShell module.
Federation Services
- Active Directory Federation Services – version 2.0 was a separate download for Windows Server 2008 R2. With Windows Server 2008 R2 now in its extended support phase, it is worth considering an upgrade from 2.0 to version 3.0, which is included as a role in Windows Server 2012 R2. This has to be done as a swing migration: build a new 2012 R2 farm alongside the old one and move the federation service over, rather than upgrading the existing servers.
Upgrading ADFS 2.0 to 3.0 – Step-By-Step: Migrating AD FS 2.0 to AD FS 3.0 for Office365 Single Sign-On
This is not an in-place upgrade. A new Windows Server 2012 R2 server is required.
- Web Application Proxy – Alongside the AD FS server sits the AD FS Proxy, a server in the perimeter network that forwards external client connections to the backend AD FS server. As with AD FS itself, the proxy is now at version 3.0; the one notable change is its new name, Web Application Proxy (WAP). It is included as a role in Windows Server 2012 R2 and, like AD FS, must be moved by building new servers.
In order to move your AD FS Proxy configuration to the new Web Application Proxy (WAP), a brand new proxy farm has to be built, as a direct upgrade is not supported –
https://technet.microsoft.com/en-us/library/dn486800(v=ws.11).aspx
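Two checks that bracket a swing migration, as an added example (this is not code from the original post). Part 1 runs on the old AD FS 2.0 server before the new farm is built and snapshots what has to be reproduced; Part 2 runs from any machine with the MSOnline module once the Windows Server 2012 R2 farm is published through WAP, and confirms that the federation metadata the new farm serves still carries the issuer URI and token-signing certificate Azure AD has on file for the domain. If they differ, Office 365 sign-in fails until the federation settings are refreshed. The host name `sts.contoso.com`, the domain `contoso.com`, the output paths and the sample metadata are all placeholders constructed for the example.

```powershell
# Added example, not code from the original post. Host names, domain and paths are placeholders.

# --- Part 1: run on the OLD AD FS 2.0 server (Windows 2008 R2) before building the new farm ---
function Export-AdfsInventory {
    param([string]$OutFile = "$env:USERPROFILE\adfs20-inventory.xml")
    # AD FS 2.0 exposes its cmdlets as a snap-in rather than a module
    if (-not (Get-PSSnapin -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.Adfs.PowerShell
    }
    $inventory = @{
        Properties      = Get-ADFSProperties           # federation service name/identifier, token lifetimes
        Certificates    = Get-ADFSCertificate          # token-signing, token-decrypting, service-comms thumbprints
        RelyingParties  = Get-ADFSRelyingPartyTrust    # the Office 365 trust plus everything else using the farm
        ClaimsProviders = Get-ADFSClaimsProviderTrust
        AttributeStores = Get-ADFSAttributeStore
    }
    $inventory | Export-Clixml -Path $OutFile
    return $OutFile
}

# --- Part 2: run after the swing migration, once the 2012 R2 farm is published through WAP ---
# WAP farm build (live commands for the new 2012 R2 proxy server; nothing carries over from the 2.0 proxy):
#   Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
#   Install-WebApplicationProxy -FederationServiceName 'sts.contoso.com' `
#       -FederationServiceTrustCredential (Get-Credential) -CertificateThumbprint '<SSL cert thumbprint>'
function Compare-FederationSigningCert {
    param(
        [Parameter(Mandatory=$true)][string]$MetadataXml,             # FederationMetadata.xml as served through WAP
        [Parameter(Mandatory=$true)][string]$AzureSigningCertBase64,  # SigningCertificate from Get-MsolDomainFederationSettings
        [Parameter(Mandatory=$true)][string]$AzureIssuerUri           # IssuerUri from the same cmdlet
    )
    [xml]$md = $MetadataXml
    $issuer = $md.DocumentElement.GetAttribute('entityID')
    # The farm advertises its signing keys as <KeyDescriptor use="signing"> holding the DER cert in base64
    $published = @()
    foreach ($kd in $md.GetElementsByTagName('KeyDescriptor')) {
        if ($kd.GetAttribute('use') -eq 'signing') {
            foreach ($c in $kd.GetElementsByTagName('X509Certificate')) {
                $published += ($c.InnerText -replace '\s', '')
            }
        }
    }
    $expected = $AzureSigningCertBase64 -replace '\s', ''
    New-Object PSObject -Property @{
        IssuerUri          = $issuer
        IssuerMatches      = ($issuer -eq $AzureIssuerUri)
        SigningCertMatches = ($published -contains $expected)   # $false: SSO breaks until Update-MsolFederatedDomain is run
        PublishedCertCount = $published.Count
    }
}

# Constructed sample metadata (not from a real farm) so the comparison can be exercised offline
$sampleMetadata = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://sts.contoso.com/adfs/services/trust">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
                  xsi:type="fed:SecurityTokenServiceType"
                  protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>MIIC-CONSTRUCTED-SAMPLE-CERT==</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
  </RoleDescriptor>
</EntityDescriptor>
'@
Compare-FederationSigningCert -MetadataXml $sampleMetadata `
    -AzureSigningCertBase64 'MIIC-CONSTRUCTED-SAMPLE-CERT==' `
    -AzureIssuerUri 'http://sts.contoso.com/adfs/services/trust'

# Live use (placeholders): pull the metadata through the WAP-published name and Azure AD's view of the domain
#   $md  = (Invoke-WebRequest -Uri 'https://sts.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml' -UseBasicParsing).Content
#   Connect-MsolService
#   $fed = Get-MsolDomainFederationSettings -DomainName 'contoso.com'
#   Compare-FederationSigningCert -MetadataXml $md -AzureSigningCertBase64 $fed.SigningCertificate -AzureIssuerUri $fed.IssuerUri
```

Fetching the metadata through the public name rather than directly from a farm member is deliberate: it proves the WAP publishing rule is in place and that external clients reach the new farm, not a stale DNS entry pointing at the old proxy. The comparison is on the raw base64 rather than on thumbprints so it also works against the constructed sample above.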
Directory Synchronization – now this one is truly a fun one. The product Microsoft created to synchronize directory information (hence its original name) has changed and morphed over the years. This is one case where an upgrade is clearly worth it: the original product was missing features, and the tool has been improved with each release. The key thing to remember is that this tool also needs to be kept up to date, for supportability as well as for features and functions. Microsoft has officially set the deprecation date for both DirSync and Azure AD Sync to April 13, 2017.
The upgrade from either of these versions is usually painless. The one exception is a DirSync build too old for an upgrade to be performed; the Azure AD Connect installer reports this when it runs. Distinctive features of each version:
- DirSync – connects to a single AD forest; writeback of devices
- Azure AD Sync – connects to multiple on-premises AD forests; attribute writeback (for Exchange hybrid deployments); writeback of passwords (from self-service password reset (SSPR) and password change)
- Azure AD Connect – connects to multiple on-premises Exchange organizations; synchronizes customer-defined attributes (directory extensions); writeback of user and group objects
Keeping the directory sync tool up to date is very important. Depending on which version of the old directory synchronization product is installed, some upgrades can be performed directly on the same server.
If an upgrade is possible, follow this guide from Microsoft – https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-dirsync-upgrade-get-started
If a direct upgrade is possible, the installer indicates it during the upgrade:
and your settings should migrate to the new version. Before performing the upgrade, document any settings or customizations that were made during the original installation, so you can confirm afterwards that they carried over.
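Two helpers for the steps above, as an added example (not code from the original post). `Get-DirSyncProduct` reads the Uninstall registry keys to tell which generation of the sync tool is on the server and what version it reports; the display-name patterns it matches on are assumptions, since the exact product names changed between releases, so adjust them if your build registers differently. `Export-AdSyncPreUpgradeSnapshot` applies to Azure AD Connect only and writes out the settings the post says to document before upgrading: global settings, connectors (forests, OU filtering, service accounts), the scheduler, and any custom synchronization rules. The output directory is a placeholder.

```powershell
# Added example, not code from the original post. Display-name patterns and the output path are assumptions.
function Get-DirSyncProduct {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Azure Active Directory Sync|Azure AD Sync|Azure AD Connect' -and
                       $_.DisplayName -notmatch 'Health' } |      # skip the Connect Health agents
        ForEach-Object {
            $entry = $_
            $generation = switch -Regex ($entry.DisplayName) {
                'Azure AD Connect' { 'Azure AD Connect' }
                'Azure AD Sync'    { 'Azure AD Sync (deprecated 2017-04-13)' }
                default            { 'DirSync (deprecated 2017-04-13)' }
            }
            New-Object PSObject -Property @{
                Product    = $entry.DisplayName
                Version    = $entry.DisplayVersion
                Generation = $generation
            }
        }
}

function Export-AdSyncPreUpgradeSnapshot {
    param([string]$OutDir = "$env:USERPROFILE\aadconnect-preupgrade")
    Import-Module ADSync -ErrorAction Stop                   # present only with Azure AD Connect
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    Get-ADSyncGlobalSettings | Export-Clixml -Path (Join-Path $OutDir 'global-settings.xml')
    Get-ADSyncConnector      | Export-Clixml -Path (Join-Path $OutDir 'connectors.xml')
    # Get-ADSyncScheduler only exists in the 1.1.x builds that introduced the built-in scheduler
    if (Get-Command Get-ADSyncScheduler -ErrorAction SilentlyContinue) {
        Get-ADSyncScheduler | Export-Clixml -Path (Join-Path $OutDir 'scheduler.xml')
    }
    # Custom sync rules use precedence 0-99 by Microsoft's convention; the standard rules start at 100
    Get-ADSyncRule | Where-Object { $_.Precedence -lt 100 } |
        Export-Clixml -Path (Join-Path $OutDir 'custom-rules.xml')
    Get-ChildItem -Path $OutDir
}

Get-DirSyncProduct | Format-Table Generation, Product, Version -AutoSize
# On an Azure AD Connect server, before running the new installer:
#   Export-AdSyncPreUpgradeSnapshot
```

After the upgrade, run the same `Get-ADSync*` cmdlets again and compare against the saved `.xml` files with `Import-Clixml` and `Compare-Object`; a custom rule that did not survive shows up as a missing entry in `custom-rules.xml`, which is far easier to spot than a silently changed attribute flow.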
Exchange Server – Hybrid
Hybrid servers provide the connection between your on-premises Exchange organization and Exchange Online. The Hybrid server provides AutoDiscover information, SMTP connectivity, and user and remote mailbox management. Keeping it up to date is important, and more to the point Microsoft requires it: fall behind and you are out of support. The official support policy is that the Hybrid server must be within two releases of the latest cumulative update or update rollup (a.k.a. N-2). With Exchange 2010 SP3 UR16, Exchange 2013 CU15 and Exchange 2016 CU4 as the latest releases, the following versions are supported for your Hybrid server:
- Exchange 2010 SP3 – UR14, UR15, UR16
- Exchange 2013 – CU13, CU14, CU15
- Exchange 2016 – CU2, CU3, CU4
This is important because what I see in the field is that an organization's Exchange servers are typically 4 or more releases back, and sometimes as far back as RTM. The perception is that if it works, don't upgrade it, or at least don't upgrade it until necessary. I would highly recommend that those using a Hybrid server remember to keep it up to date. At the least stay within one version, and if the newest is needed or desired, wait some time (30 days?) in order for bugs that may crop up to be either discovered or stamped out.
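A check for the N-2 window described above, as an added example (not code from the original post). `Test-HybridServerSupport` takes the objects `Get-ExchangeServer` returns, parses the `AdminDisplayVersion` string into a build number, finds that build in a release table, and reports how many releases behind the latest entry each server is. The release table is an assumption the admin maintains from Microsoft's published Exchange build-number list; the builds entered here are what I believe the mid- and late-2016 releases reported, so verify them before relying on the output. The server objects at the bottom are constructed so the function can run without an Exchange connection.

```powershell
# Added example, not code from the original post. Release table and sample servers are constructed; verify builds.
$ReleaseTable = @{
    # key = major.minor as shown in AdminDisplayVersion; entries in release order, oldest first
    '14.3' = @( @{Name='2010 SP3 UR13'; Build='14.3.294.0'},
                @{Name='2010 SP3 UR14'; Build='14.3.301.0'},
                @{Name='2010 SP3 UR15'; Build='14.3.319.2'},
                @{Name='2010 SP3 UR16'; Build='14.3.336.0'} )
    '15.0' = @( @{Name='2013 CU12'; Build='15.0.1178.4'},
                @{Name='2013 CU13'; Build='15.0.1210.3'},
                @{Name='2013 CU14'; Build='15.0.1236.3'},
                @{Name='2013 CU15'; Build='15.0.1263.5'} )
    '15.1' = @( @{Name='2016 CU1'; Build='15.1.396.30'},
                @{Name='2016 CU2'; Build='15.1.466.34'},
                @{Name='2016 CU3'; Build='15.1.544.27'},
                @{Name='2016 CU4'; Build='15.1.669.32'} )
}

function Test-HybridServerSupport {
    param(
        [Parameter(Mandatory=$true)]$Servers,   # objects with Name and AdminDisplayVersion (Get-ExchangeServer output)
        [int]$ReleasesBack = 2                  # the N-2 policy; set to 1 to enforce the stricter advice above
    )
    foreach ($s in $Servers) {
        # AdminDisplayVersion renders as "Version 15.1 (Build 544.27)"
        $m     = [regex]::Match("$($s.AdminDisplayVersion)", 'Version (\d+\.\d+) \(Build (\d+\.\d+)\)')
        $line  = $m.Groups[1].Value
        $build = "$line.$($m.Groups[2].Value)"
        $known = $ReleaseTable[$line]
        $idx   = -1
        if ($known) {
            for ($i = 0; $i -lt $known.Count; $i++) { if ($known[$i].Build -eq $build) { $idx = $i } }
        }
        if ($idx -ge 0) {
            $release = $known[$idx].Name
            $behind  = ($known.Count - 1) - $idx
        } else {
            $release = 'not in table (older than the listed releases?)'
            $behind  = $null
        }
        New-Object PSObject -Property @{
            Server    = $s.Name
            Build     = $build
            Release   = $release
            Behind    = $behind
            Supported = ($idx -ge 0 -and $behind -le $ReleasesBack)
        }
    }
}

# Constructed sample standing in for: Get-ExchangeServer | Select-Object Name, AdminDisplayVersion
$sampleServers = @(
    (New-Object PSObject -Property @{ Name='HYB01';  AdminDisplayVersion='Version 15.1 (Build 544.27)' }),  # 2016 CU3
    (New-Object PSObject -Property @{ Name='EX2013'; AdminDisplayVersion='Version 15.0 (Build 1178.4)' }),  # 2013 CU12, one release too old
    (New-Object PSObject -Property @{ Name='LEGACY'; AdminDisplayVersion='Version 14.3 (Build 123.4)'  })   # 2010 SP3 RTM, not in table
)
Test-HybridServerSupport -Servers $sampleServers | Format-Table Server, Build, Release, Behind, Supported -AutoSize
# Live: Test-HybridServerSupport -Servers (Get-ExchangeServer) | Format-Table Server, Release, Behind, Supported -AutoSize
```

Builds that fall below the oldest entry in the table come back as unknown and unsupported rather than being guessed at; that is the right default, since a server reporting an RTM build has no business being the hybrid endpoint regardless of exactly how far behind it is.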
PowerShell Modules
PowerShell is a key component for managing your online tenant. In order to connect to your Office 365 tenant, a dedicated PowerShell module (MSOnline) is needed, and Microsoft has kept updating this module as well. When the module was first released, the version was listed as 1.0, as seen here:
This can be found by running a simple command in PowerShell:
Get-Module -Name MSOnline -ListAvailable
If an older version of the module is used, a warning message is displayed when connecting, as shown below:
In order to upgrade the module, it can be downloaded from Microsoft's 'Azure Active Directory Connection' page:
http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185
Installing the new module is a simple process:
Once the PowerShell module is upgraded, we can verify the upgrade went well:
The version has now changed from 1.0 to 1.1.166. Notice also that the nested modules have changed to reflect Azure in the Online Client Framework.
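A version check that also catches a common mistake after this upgrade, as an added example (not code from the original post). An MSI-installed 1.0 module and a newer copy installed from the PowerShell Gallery land in different module paths and can coexist, so `Get-Module -ListAvailable` may list both while `Connect-MsolService` keeps loading whichever one PowerShell finds first. `Get-MsolModuleStatus` lists every copy with its path and nested modules (the nested-module change the post points out is visible here), and, where PowerShellGet is present, compares the newest local version against what the gallery currently offers. `Update-MsolModule` is the gallery route; it is not invoked automatically.

```powershell
# Added example, not code from the original post. Needs PowerShellGet (WMF 5) for the gallery lookup;
# without it the Available column stays empty and the script still reports the local copies.
function Get-MsolModuleStatus {
    $copies = @(Get-Module -Name MSOnline -ListAvailable)
    $gallery = $null
    if (Get-Command Find-Module -ErrorAction SilentlyContinue) {
        $gallery = Find-Module -Name MSOnline -ErrorAction SilentlyContinue
    }
    $newestLocal = $copies | Sort-Object Version -Descending | Select-Object -First 1
    foreach ($c in $copies) {
        New-Object PSObject -Property @{
            Version       = $c.Version
            Path          = $c.ModuleBase                      # MSI and gallery installs live in different paths
            NestedModules = (($c.NestedModules | ForEach-Object { $_.Name }) -join ', ')
            Available     = if ($gallery) { $gallery.Version } else { $null }
            UpdateNeeded  = ($gallery -ne $null -and $gallery.Version -gt $c.Version)
            IsNewestLocal = ($c.ModuleBase -eq $newestLocal.ModuleBase)
        }
    }
    if ($copies.Count -eq 0) {
        Write-Warning 'MSOnline module not found; install it before connecting to the tenant.'
    }
    if ($copies.Count -gt 1) {
        Write-Warning "$($copies.Count) copies of MSOnline found; remove the older one so Connect-MsolService loads $($newestLocal.Version)."
    }
}

function Update-MsolModule {
    # Gallery install for the current user; use Update-Module if a gallery copy is already present
    if (Get-Module -Name MSOnline -ListAvailable | Where-Object { $_.RepositorySourceLocation }) {
        Update-Module -Name MSOnline
    } else {
        Install-Module -Name MSOnline -Scope CurrentUser
    }
}

Get-MsolModuleStatus | Format-Table Version, Available, UpdateNeeded, IsNewestLocal, Path -AutoSize
```

Run `Get-MsolModuleStatus` again after `Update-MsolModule` and confirm only one copy remains with `IsNewestLocal` true; if the old MSI copy is still listed, remove it through Programs and Features, since the gallery install does not replace it.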
**NOTE**
Azure PowerShell has been updated to 2.0. I am working on a future blog on this new PowerShell module. Look for that soon.