
Upgrade or Move Entra ID Connect to New Servers by using Custom Install with Configuration Export/Import
Prerequisites:
Install the Windows Server Remote Management Tools on each Server that will run Entra ID Connect. Download and install the Entra ID Connect software on the Server (do not configure anything at this point; run the Entra ID Connect installer only far enough to get the PowerShell modules installed on the Server).
Make sure you have:
"MigrateSettings.ps1" script on the current Sync Server (this script exports the Entra ID Connect configuration settings from the current Entra ID Connect Server)
"ADACLScan.ps1" script (this script generates a permissions report for any account you select. It is very important to use it to compare the permissions of the accounts on the current Entra ID Connect Sync Server with those of the accounts you will configure for the new Entra ID Connect Server)
Do not reuse Service Accounts
Each Entra ID Connect Server (Sync or Staging Server) has its own unique Service Account
Software Installation:
Install all Windows Updates if any are missing
Add Windows Remote Administration Tools feature
Download and install the latest version of Azure AD Connect (only to the point where the Azure AD Connect PowerShell Modules are installed on the Server)
Install Entra ID PowerShell Module
Entra ID Connect Custom install requires a SQL Server Database to store identity data.
By default, a SQL Server 2019 Express LocalDB (a light version of SQL Server Express) is installed. SQL Server Express has a 10-GB Size Limit that enables you to Manage Approximately 100,000 Objects.
Provision Accounts needed for Custom Azure AD Connect Deployment
Entra ID Connect uses 3 Accounts in order to Synchronize information from On-Premises or Windows Server Active Directory to Entra ID.
These Accounts are:
AD DS Connector Account is used to Read/Write information to Windows Server Active Directory.
This account is created automatically in the "Users" container of the Forest Root Domain when you use the Entra ID Connect Express Setup. For an Entra ID Connect "Custom" install, the AD DS Connector Account must be provisioned manually in the "Users" container of the Forest Root Domain before the custom deployment starts, and the proper permissions must be configured for the account via PowerShell.
The user creating the AD DS Connector Account must have Enterprise Admin permissions while creating the account and configuring its permissions.
The following PowerShell commands are used to configure the correct permissions for the AD DS Connector account. Run only the cmdlets for the features you actually use (for example, skip the Exchange cmdlets if there is no Exchange hybrid), since each one grants the account additional rights:
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"
The commands below are an example of how to run them; substitute the distinguished name of the account you actually intend to configure permissions on:
Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountDN "CN=svc_ADDSC1,CN=Users,DC=xyz,DC=org"
Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountDN "CN=svc_ADDSC1,CN=Users,DC=xyz,DC=org"
Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountDN "CN=svc_ADDSC1,CN=Users,DC=xyz,DC=org"
Set-ADSyncUnifiedGroupWritebackPermissions -ADConnectorAccountDN "CN=svc_ADDSC1,CN=Users,DC=xyz,DC=org"
Set-ADSyncExchangeHybridPermissions -ADConnectorAccountDN "CN=svc_ADDSC1,CN=Users,DC=xyz,DC=org"
Set-ADSyncExchangeMailPublicFolderPermissions -ADConnectorAccountDN "CN=svc_ADDSC1,CN=Users,DC=xyz,DC=org"
Set-ADSyncRestrictedPermissions -ADConnectorAccountDN "CN=svc_ADDSC1,CN=Users,DC=xyz,DC=org" -Credential $(Get-Credential)
(When Get-Credential prompts, enter the Enterprise Admin credentials.)
As soon as the account permission configuration is complete, use the "ADACLScan.ps1" script to generate the account permission report and ensure all permissions configured on this account are as intended. It should all look like what you see below:
ACL REPORT - SVC_ADDSC1
CN=svc_ADDSC1,CN=Users,DC=xyz,DC=org
Report Created: 2022-08-12 09:59:36
Object | Trustee | Access | Inherited | Apply To | Permission
CN=svc_ADDSC1,CN=Users,DC=centura,DC=org | NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | Allow | False | This Object Only | Read Permissions,List Contents,Read All Properties,List
CN=svc_ADDSC1,CN=Users,DC=xyz,DC=org | NT AUTHORITY\SELF | Allow | False | This Object Only | Read Permissions,List Contents,Read All Properties,List
CN=svc_ADDSC1,CN=Users,DC=xyz,DC=org | NT AUTHORITY\Authenticated Users | Allow | False | This Object Only | Read Permissions,List Contents,Read All Properties,List
CN=svc_ADDSC1,CN=Users,DC=xyz,DC=org | NT AUTHORITY\SYSTEM | Allow | False | This Object Only | Full Control
CN=svc_ADDSC1,CN=Users,DC=xyz,DC=org | BUILTIN\Administrators | Allow | False | This Object Only | Full Control
CN=svc_ADDSC1,CN=Users,DC=xyz,DC=org | CENTURA\Domain Admins | Allow | False | This Object Only | Full Control
CN=svc_ADDSC1,CN=Users,DC=xyz,DC=org | CENTURAROOT\Enterprise Admins | Allow | False | This Object Only | Full Control
CN=svc_ADDSC1,CN=Users,DC=xyz,DC=org | NT AUTHORITY\SELF | Allow | False | This Object Only | Read All Properties;Write All Properties Web Information
CN=svc_ADDSC1,CN=Users,DC=xyz,DC=org | NT AUTHORITY\SELF | Allow | False | This Object Only | Read All Properties;Write All Properties Phone and Mail Options
CN=svc_ADDSC1,CN=Users,DC=xyz,DC=org | NT AUTHORITY\SELF | Allow | False | This Object Only | Read All Properties;Write All Properties Personal Information
CN=svc_ADDSC1,CN=Users,DC=xyz,DC=org | NT AUTHORITY\SELF | Allow | False | This Object Only | ExtendedRight Receive As
CN=svc_ADDSC1,CN=Users,DC=xyz,DC=org | NT AUTHORITY\SELF | Allow | False | This Object Only | ExtendedRight Send As
CN=svc_ADDSC1,CN=Users,DC=xyz,DC=org | NT AUTHORITY\SELF | Allow | False | This Object Only | ExtendedRight Change Password
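The report above shows the ACL on the account object itself. The permissions the Set-ADSync*Permissions cmdlets grant are ACEs placed on the domain root and other containers with the connector account as trustee, and those are what must match between the old and new accounts. The following script is an added example (not part of the original guide and not the ADACLScan.ps1 script) that enumerates those ACEs for an account and diffs two accounts; the account names svc_ADDSC1 and svc_ADDSC2 are placeholders.

```powershell
# Added example, not from the original guide or from ADACLScan.ps1. Lists every ACE whose
# trustee is the given AD DS Connector account on the domain root, its top-level OUs/containers
# and AdminSDHolder (where the Set-ADSync*Permissions cmdlets place them), with attribute and
# extended-right GUIDs resolved to names, so the old and new accounts can be diffed.
Import-Module ActiveDirectory

function Get-AdGuidNameMap {
    # Map schema attribute GUIDs and extended-right/property-set GUIDs to readable names.
    $root = Get-ADRootDSE
    $map  = @{}
    Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid, displayName |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.displayName }
    Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties schemaIDGUID, lDAPDisplayName |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    return $map
}

function Resolve-AceGuid([guid] $Guid, [hashtable] $Names) {
    if ($Guid -eq [guid]::Empty) { return '(all)' }   # ACE covers the whole object, not one attribute
    if ($Names.ContainsKey($Guid)) { return $Names[$Guid] } else { return $Guid.ToString() }
}

function Get-ConnectorAccountAces {
    param([Parameter(Mandatory)][string] $SamAccountName,   # e.g. svc_ADDSC1 (placeholder)
          [Parameter(Mandatory)][hashtable] $GuidNames)
    $domain  = Get-ADDomain
    $trustee = "$($domain.NetBIOSName)\$SamAccountName"
    $targets = @($domain.DistinguishedName, "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)") +
        @(Get-ADObject -SearchBase $domain.DistinguishedName -SearchScope OneLevel -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))' |
            Select-Object -ExpandProperty DistinguishedName)
    foreach ($dn in $targets) {
        foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
            if ($ace.IdentityReference.Value -ne $trustee) { continue }
            [pscustomobject]@{
                Object      = $dn
                Type        = $ace.AccessControlType
                Rights      = $ace.ActiveDirectoryRights.ToString()
                OnAttribute = Resolve-AceGuid $ace.ObjectType $GuidNames
                AppliesTo   = Resolve-AceGuid $ace.InheritedObjectType $GuidNames
            }
        }
    }
}
# Usage: diff the current Sync Server's account against the one for the new server
# (svc_ADDSC2 is a placeholder); every ACE that appears on only one side needs explaining.
$guids = Get-AdGuidNameMap
$old = Get-ConnectorAccountAces -SamAccountName 'svc_ADDSC1' -GuidNames $guids
$new = Get-ConnectorAccountAces -SamAccountName 'svc_ADDSC2' -GuidNames $guids
Compare-Object @($old) @($new) -Property Object, Type, Rights, OnAttribute, AppliesTo | Format-Table -AutoSize
```

If permissions were scoped to nested OUs with the cmdlets' -ADobjectDN parameter, add those DNs to $targets; an empty Compare-Object result means both accounts hold the same rights.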
ADSync Service Account (should be a standalone Managed Service Account, not a gMSA): the service account is used to run the Synchronization Service and to read/write data in the SQL Server database
PowerShell
Step 1. Create New ADSync Account
New-ADServiceAccount -Name "ADSyncAADC1" -RestrictToSingleComputer
Step 2. Add the newly created MSA to the Server that will use the account
Add-ADComputerServiceAccount -Identity CWLRC1AADCAP01 -ServiceAccount "ADSyncAADC1"
Step 3. Install the newly created MSA Account on the Server that will use the Account
Install-ADServiceAccount -Identity "ADSyncAADC1"
Step 4. Test the newly installed MSA Account from the Server the Account is installed on
Test-ADServiceAccount "ADSyncAADC1"
Entra ID Connector Account is used for ongoing synchronization with Entra ID and writes information to Entra ID. The account is created automatically by the Entra ID Connect process during the deployment, regardless of the deployment type ("Express" or "Custom"). The Entra ID Connector Account has no user-retrievable password.
In addition to the above three accounts used to install Entra ID Connect, you will also need the following permissions assigned to the Account used to run the Entra ID Connect deployment.
The account must be a member of the local Administrators group on the Server, a member of the AD DS Enterprise Admins group, and assigned the Entra ID Global Administrator role.
You can view Global Administrator Accounts in the Entra ID Portal. See: List Microsoft Entra role assignments - Microsoft Entra ID | Microsoft Learn
SQL SA Account (Optional): used to create the ADSync database when using the full version of SQL Server. The SQL Server may be local or remote to the Entra ID Connect Server(s). This account may be the same account as the Enterprise Administrator. Provisioning the database can now be performed out of band by the SQL Administrator, and then the Entra ID Connect Administrator installs with Database Owner rights.
For information on this see: Install Microsoft Entra Connect using SQL delegated administrator permissions - Microsoft Entra ID | Microsoft Learn
Custom Installation and Configuration of Azure AD Connect
Once all the Entra ID Connect service accounts are created and configured with the proper permissions, and you have an admin account that is a member of the Enterprise Admins group, Azure Global Admin, and the Server's local Administrators group, we can begin the Azure AD Connect install.
Copy the "MigrateSettings.ps1" script to the current Entra ID Connect Sync Server and run it. The script exports all configuration settings from the Azure AD Connect Sync Server. Copy the exported configuration file to the new Entra ID Connect Server.
Now start the "Custom" installation.
Select "Use an existing SQL Server". In the "Server Name" box enter the name of the SQL Server, or the Listener Name in the case of a SQL AlwaysOn Availability Group cluster.
In "Instance Name" enter the instance name and port number, if applicable, and in "Database Name" enter the name of the database designated for Entra ID Connect.
Select "Use an existing Service Account", choose "Managed Service Account", and in the "Service Account Name" box enter the name of the account.
Select "Import Synchronization Settings" and browse to the location on the local computer where the export from the Sync Server was copied.
Under "User Sign-in" select the desired sign-in method.
On the "Connect Directories" page, "Directory Type" is Active Directory and "Forest" is the name of the Forest.
For the AD Forest Account, select "Use Existing AD Account" and enter the AD DS Connector Account created earlier, in the format Forest Root Domain\Account Name.
Example: XYZ.ORG\svc_ADDSC1
Finally, on the "Configure" page leave the default selection in place. The default selection is:
[X] Start the Synchronization process when configuration completes
[X] Enable Staging Mode: when selected, Synchronization will not export any data to Entra ID
"Configuration Completed" is the final message once the installation process is completed.
Click on “Exit”
After the process is completed, you can start the Synchronization Service to monitor the different phases of the Synchronization process and see if there are any errors.
Running the Synchronization Service requires the AD account you are using to be a member of the "ADSyncAdmins" local security group.
Most Common Error Messages:
“Permission-Issue”
“AttributeValueMustBeUnique”
“DN-Attributes-Failure”
“Sync-Generic-Failure”
"Exported-Change-Not-Reimported"
Permission-Issue
The "permission-issue" error is usually the easiest to resolve. In most cases the objects with a "permission-issue" error are AD accounts that are members of the Domain Admins group; all privileged accounts are protected and their permission inheritance is disabled by default. Even if you enable permission inheritance, the change will be reversed, in the best case after sixty minutes or less.
If you have a high-privileged AD account with a "permission-issue" error, enable permission inheritance, wait a few minutes, and run an export. The issue will be resolved.
DN-Attributes-Failure
The "dn-attributes-failure" error usually occurs when duplicate attribute values exist for two or more users/groups/contacts in the on-premises domain, but those values cannot be assigned to multiple objects in Azure AD. For example, you can have the same SMTP/proxy address configured for two users in the local AD, but when you sync those users to Azure AD you will encounter a "dn-attributes-failure" error, because the value of these attributes must be unique for every user in Azure AD.
AttributeValueMustBeUnique
The "AttributeValueMustBeUnique" error occurs because attributes associated with an object have values that may already be associated with another object in your local directory service. A typical export error reads:
“Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses SMTP:tera.russell@bcservice.com;]. Correct or remove the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.
Tracking Id: ca3a89c6-f768-43fb-8059-291c72ea0a5a
ExtraErrorDetails:
[{"Key":"ObjectId","Value":["b6013903-d13c-4d57-adba-3a0c29314e83"]},{"Key":"ObjectIdInConflict","Value":["45210d1d-ebff-44bf-98bb-2eb8a6660f20"]},{"Key":"AttributeConflictName","Value":["ProxyAddresses"]},{"Key":"AttributeConflictValues","Value":["SMTP:tera.russell@bcservice.com"]}]”
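Both the "dn-attributes-failure" and "AttributeValueMustBeUnique" errors above come from values that are not unique on-premises, so it pays to find them before the new server's first export. The following script is an added example (not part of the original guide or of the Microsoft IdFix tool referenced by the KB) that indexes proxyAddresses, mail and userPrincipalName across users, contacts and groups and reports every value held by more than one object.

```powershell
# Added example, not part of the original guide. Finds proxyAddresses, mail and
# userPrincipalName values held by more than one on-premises user, contact or group,
# which is what surfaces on export as dn-attributes-failure / AttributeValueMustBeUnique.
Import-Module ActiveDirectory

function Find-DuplicateSyncAttributes {
    param([string] $SearchBase = (Get-ADDomain).DistinguishedName)
    # Users and contacts have objectCategory=person; groups have objectCategory=group.
    $objects = Get-ADObject -SearchBase $SearchBase -LDAPFilter '(|(objectCategory=person)(objectCategory=group))' `
        -Properties proxyAddresses, mail, userPrincipalName
    $index = @{}   # "<attribute>=<value>" -> list of DNs carrying that value
    foreach ($o in $objects) {
        $values = [System.Collections.Generic.List[string]]::new()
        # Compare case-insensitively: "SMTP:a@b" on one object and "smtp:a@b" on another still conflict.
        foreach ($p in @($o.proxyAddresses)) { if ($p) { $values.Add("proxyAddresses=$($p.ToLowerInvariant())") } }
        if ($o.mail)              { $values.Add("mail=$($o.mail.ToLowerInvariant())") }
        if ($o.userPrincipalName) { $values.Add("userPrincipalName=$($o.userPrincipalName.ToLowerInvariant())") }
        foreach ($v in $values) {
            if (-not $index.ContainsKey($v)) { $index[$v] = [System.Collections.Generic.List[string]]::new() }
            $index[$v].Add($o.DistinguishedName)
        }
    }
    foreach ($entry in $index.GetEnumerator()) {
        if ($entry.Value.Count -lt 2) { continue }   # unique value, nothing to report
        $sep = $entry.Key.IndexOf('=')
        [pscustomobject]@{
            Attribute = $entry.Key.Substring(0, $sep)
            Value     = $entry.Key.Substring($sep + 1)
            Objects   = $entry.Value.ToArray()
        }
    }
}

# Usage: run on the current Sync Server (or any domain-joined host with RSAT) before cut-over.
Find-DuplicateSyncAttributes | Sort-Object Attribute, Value | Format-List
```

Each reported row names the attribute, the conflicting value and the DNs that carry it, which is the information needed to correct or remove the duplicate in the local directory before the object is exported.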
Sync-Generic-Failure
The "sync-generic-failure" error is often a combination of object attributes with missing values and conflicting sync rules.
Exported-Change-Not-Reimported
The "exported-change-not-reimported" message is an import warning (not an error, and not related to a synchronization run), and it is only indirectly related to staged exports.