I’ve been working with Azure AD Connect (AADC) for a couple of years now. For those of you that haven’t had the pleasure yet, Azure AD Connect is a tremendous piece of software that you install on-prem and it syncs your on-prem Windows Active Directory to your Azure Active Directory or Office 365 tenant. It has come a long way since the old DirSync days. If you’re an IT Pro that has mainly worked with on-prem software like SharePoint and you’re curious where your career is going, this is it. You’re going to have to become an identity expert, or maybe start practicing those grocery bagging skills. Running AADC through its paces is a good way to start your journey into Azure, Hybrid, and Identity.
Azure AD Connect has greatly benefitted from Microsoft’s recent(-ish) move to agile software updates. For well over a year now Microsoft has been slipping out updates to AADC and made significant improvements to it, all the while not breaking anything. An amazing feat! You can see from their Version History page they keep very busy.
At the very beginning of the AADC installation Wizard you encounter a fork in the road; you can do an Express Install, or an Advanced Install. I tell most people, especially people that are new to AADC that Express is a great option. It’s very close to Next –> Next –> Finish and it does a good job getting everything wired up. Later, you can go back and rerun the installation in Advanced mode to tweak anything you need to. It’s very well done. One of the things that the Express installation does is set AADC to automatically upgrade itself when Microsoft publishes its next tasty upgrade. Like I mentioned above, the upgrades have added some great functionality with none of those nasty regressions that we’ve come to fear from upgrades. Unfortunately, until recently, if you chose to do an Advanced install right out of the chute, AADC was not set to automatically upgrade itself. And to make matters worse, that wasn’t necessarily brought to your attention during the install. If you weren’t paying attention, or didn’t know to look, you’d be stuck with that version of AADC forever. How sad!
To address that scenario, and just to give you some control over the upgrade process, I’m blogging the setting. This way you can see what your auto upgrade status is as well as change it if you’d like. Plus it gives you another opportunity to play in PowerShell. Who doesn’t love that?
First log into the machine where AADC is installed and open a PowerShell prompt. It does not need to Run as Administrator. There are two cmdlets that deal with AADC’s autoupgrade status; Get-ADSyncAutoUpgrade and Set-ADSyncAutoUpgrade. Here’s a screenshot to break up the monotonous wall of text:
As expected, we can run Get-ADSyncAutoUpgrade to set what our current status is:
We can see here that AADC is set to automatically upgrade itself with the newest juicy bits that come out. What if we didn’t want that? Maybe we have a migration freeze coming up and updates can be applied. It’s a sad state of affairs, but it happens. To do that we use:
Set-ADSyncAutoUpgrade -AutoUpgradeState Disabled
As a guy that’s used a lot of PowerShell, I find myself wishing this followed the $TRUE / $FALSE structure, but I can work with this. Since there are only three acceptable values (Enabled, Disabled, and Suspended), you can tab complete the cmdlet name, the parameter name, and the value “disabled.” That helps.
Now AADC will not upgrade itself. But does this impact the sync cycles? Not at all. If we run Get-ADSyncScheduler we see that syncs are still happy and scheduled to run as expected.
Once our maintenance freeze is over we can reenable the autoupgrades with
Set-ADSyncAutoUpgrade -AutoUpgradeState Enabled
That’s a much more satisfying feeling than disabling.
In most cases I am afraid of autoupgrading software, but so far AADC hasn’t burned me, so I’ll give it the benefit of the doubt.