Azure AD Connect 1.1.561.0 finalizes Automatic Upgrade scenario changes and the move to mS-DS-ConsistencyGuid


Yesterday, Microsoft released version 1.1.561.0 of Azure AD Connect, its free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments to Azure Active Directory.

This version is hot on the heels of version 1.1.557.0, because it features some fixes for organizations that recently made the switch to mS-DS-ObjectGuid as their Source Anchor attribute in Azure AD Connect. Also, it incorporates many of the Automatic Upgrade behavioral changes when using the Customize Settings mode of the Azure AD Connect Configuration wizard.


What’s New

Since version of Azure AD Connect, the Azure AD Connect team has steadily expanded the Automatic Upgrade feature to support organizations with the following configurations:

  • The installation is not a DirSync upgrade.
  • The installation is not an Express settings installation.
  • You have more than 100,000 objects in the metaverse.
  • You are connecting to more than one Active Directory forest.

Express setup only connects to one Active Directory forest.

  • You are not using a SQL Server Express LocalDB database.
  • The Active Directory Connector account is no longer the MSOL_ or AAD_ account that is created by default when you connect to Active Directory.
  • The server is set to be in Staging Mode.
  • You have enabled the Device Write-back feature.
  • You have enabled the Group Write-back feature.
  • You have enabled the User Write-back feature.



The Azure AD Connect team fixed an issue that caused the out-of-box synchronization rule “Out to AD – User ImmutableId” to be removed when the OU-based filtering configuration is updated. This synchronization rule is required for the msDS-ConsistencyGuid as Source Anchor feature. Fortunately, the logic in Azure Active Directory and Active Directory Federation Services (AD FS) allows for a fallback scenario where the objectGUID is used for hard matching when the mS-DS-ConsistencyGuid is empty.

The Azure AD Team fixed an issue that caused out-of-box synchronization rules to have a precedence value of less than 100. In general, precedence values 0 – 99 are reserved for custom synchronization rules.
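
To check an upgraded server for the two synchronization rule issues described above, the rules can be audited with the ADSync PowerShell module. This is an added example, not code from the original post or from Microsoft; it assumes that out-of-box rules can be recognized by an ImmutableTag beginning with "Microsoft." and that it is run in an elevated session on the Azure AD Connect server.

```powershell
# Added example: audit synchronization rules after an Azure AD Connect upgrade.
Import-Module ADSync

$rules = Get-ADSyncRule

# Assumption: out-of-box rules carry an ImmutableTag that starts with "Microsoft.";
# custom rules have an empty or different tag.
$outOfBox = $rules | Where-Object { $_.ImmutableTag -like 'Microsoft.*' }

# Check 1: out-of-box rules should not occupy precedence 0-99,
# the range reserved for custom synchronization rules.
$lowPrecedence = $outOfBox | Where-Object { $_.Precedence -lt 100 }

# Check 2: the rule that writes the Source Anchor back to AD must still exist.
# The wildcard tolerates either a hyphen or an en dash in the rule name.
# This rule is only expected when msDS-ConsistencyGuid is the Source Anchor.
$immutableIdRule = $rules | Where-Object { $_.Name -like 'Out to AD*User ImmutableId' }

if ($lowPrecedence) {
    Write-Warning 'Out-of-box rules found with a precedence below 100:'
    $lowPrecedence |
        Sort-Object Precedence |
        Format-Table Precedence, Direction, Name -AutoSize
} else {
    Write-Output 'No out-of-box rule uses a precedence below 100.'
}

if (-not $immutableIdRule) {
    Write-Warning 'Rule "Out to AD - User ImmutableId" is missing.'
} elseif ($immutableIdRule.Disabled) {
    Write-Warning 'Rule "Out to AD - User ImmutableId" exists but is disabled.'
} else {
    Write-Output ('Found rule "{0}" at precedence {1}.' -f
        $immutableIdRule.Name, $immutableIdRule.Precedence)
}
```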

The Azure AD Connect team fixed an issue where the Domain and OU Filtering screen in the Azure AD Connect wizard showed the Sync all domains and OUs option as selected, even though OU-based filtering was enabled.

The Azure AD Connect team fixed an issue that caused the Configure Directory Partitions screen in the Synchronization Service Manager to return an error if the Refresh button is clicked. The error message is:

An error was encountered while refreshing domains:

Unable to cast object of type ‘System.Collections.ArrayList’ to type ‘Microsoft.DirectoryServices.MetadirectoryServices.UI.PropertySheetBase.MaPropertyPages.PartitionObject.”

The error occurs when a new Active Directory domain has been added to an existing Active Directory forest and you are trying to update Azure AD Connect using the Refresh button.


Version information

This is version 1.1.561.0 of Azure AD Connect.
It was signed off on July 23, 2017.


Download information

You can download Azure AD Connect here.
The download weighs 79,6 MB.



Much of the above behavior was introduced in version 1.1.558.0, but internal testing led to several more fixes to make sure the choice for Azure AD Connect is the right choice for organizations on their Hybrid Identity journeys.

Azure AD Connect version 1.1.557.0 wasn’t released through the Automatic Upgrades feature, so I expect many organizations to go from 1.1.553.0 to version 1.1.561.0. Those with lifecycle management surrounding their Azure AD Connect installations should take note of release notes mentioning versions that are not offered through this feature.

7 Responses to Azure AD Connect 1.1.561.0 finalizes Automatic Upgrade scenario changes and the move to mS-DS-ConsistencyGuid


    During the auto upgrade we received error: UpgradeNotSupportedInvalidPersistedState The installation is not an Express settings or a DirSync upgrade

    Now sync has stopped and password sync is disabled (when it was previously enabled).


    Hi Sander,
    The Active Directory Connector account is not the MSOL_ account that is created.
    What is the new Active Directory Connector account?
    Or do we have to configure an account and configure the required permissions in AD?

    • Hi Paul,

      You are right.
      Previously, the cn, displayName, name and sAMAccountName attributes for Azure AD Connect's on-premises account would start with MSOL_, as I've described here.
      In more recent versions of Azure AD Connect, it starts with AAD_.

      The account is still found in the (default) Users container, though.

      In the 'Install required components' screen of the Azure AD Connect wizard, you have the option to create a new automatically-named account (default when using Express Settings) or use either an existing Domain (service) account or existing (group) Managed Service Account.


    Hey Sander – Is there a known issue with this update?
    After installing this update we had problems with the Group Memberships not being synced to Azure AD. After downgrading, it started working again ..

    • Hi Valérie,

      I'm sorry to hear your upgrade got botched.
      The experience you have with Azure AD Connect is not specific to this version, but has apparently been common for upgrades of Azure AD Connect since version 1.1.443.0.

      To fix a botched upgrade, check to see if the Azure AD Connect version information in Add/Remove Programs matches the value for Microsoft.Synchronize.ServerConfigurationVersion, available through the Get-ADSyncGlobalSettings PowerShell Cmdlet.

      Additionally, after an upgrade check to see if your settings are unchanged. I use the Get-ADSyncServerConfiguration PowerShell Cmdlet to compare before and after situations.
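
The two checks described in the reply above can be scripted as follows. This is an added example, not part of the original comment thread; the DisplayName value "Microsoft Azure AD Connect", the function names and the export folders are assumptions.

```powershell
# Added example: post-upgrade verification for Azure AD Connect.
Import-Module ADSync

# Version shown in Add/Remove Programs, read from the uninstall registry keys.
# Assumption: the product is registered as "Microsoft Azure AD Connect".
$installed = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
    Where-Object { $_.DisplayName -eq 'Microsoft Azure AD Connect' } |
    Select-Object -First 1 -ExpandProperty DisplayVersion

# Version the synchronization engine has recorded for its own configuration.
$configured = (Get-ADSyncGlobalSettings).Parameters |
    Where-Object { $_.Name -eq 'Microsoft.Synchronize.ServerConfigurationVersion' } |
    Select-Object -ExpandProperty Value

if ($installed -ne $configured) {
    Write-Warning "Version mismatch: installed '$installed', configuration '$configured'."
} else {
    Write-Output "Installed and configuration versions match: $installed"
}

# Export the configuration before the upgrade and again afterwards,
# each time into a new, empty folder (constructed example paths):
#   Get-ADSyncServerConfiguration -Path 'C:\Temp\AADC-before'
#   Get-ADSyncServerConfiguration -Path 'C:\Temp\AADC-after'

# Hypothetical helper: hash every exported file, keyed by its relative path.
function Get-ExportHashes {
    param([Parameter(Mandatory)][string]$Path)
    $root = (Resolve-Path $Path).Path
    Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            File = $_.FullName.Substring($root.Length).TrimStart('\')
            Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

# Hypothetical helper: list files that were added, removed or changed.
function Compare-SyncConfigExport {
    param([string]$Before, [string]$After)
    Compare-Object (Get-ExportHashes $Before) (Get-ExportHashes $After) -Property File, Hash |
        Sort-Object File, SideIndicator
}

# Compare-SyncConfigExport -Before 'C:\Temp\AADC-before' -After 'C:\Temp\AADC-after'
```

A file listed with both side indicators changed between the two exports; a file listed once was added or removed.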


    Hi Sander, do you know if there is any patching delay between an active AD Connect server and one that is set to Staging? What are the chances the auto update breaks both servers?

    • Hi Joshua,

      Theoretically, an (automatic) upgrade could cause Azure AD Connect to stop working or behave erratically, just like any other software and/or firmware update can.

      If the risk of having a long period of unavailability (to rebuild Azure AD Connect, or wait for a long period for a resolution from Microsoft) justifies taking countermeasures, I suggest implementing life cycle management for Azure AD Connect.

