AADSync to AD Connect migration

My notes from doing a migration from AADSync to AD Connect (AD Sync). In the process I installed AD Connect onto a new server. AD Connect uses AD Sync as its new sync service (which is the third release of the product). We went from DirSync > AADSync > ADSync.

Notable changes: forcing a sync of the directory is now done from Scheduled Tasks. Password sync runs in real time, within under 2 minutes, with an option to speed this up.

There is the immutableID thing, which you don’t really need to worry about either, as we are syncing from the same source. Remember, the immutableID attribute is used as the source anchor, which is how the sync service matches on-prem directory objects with Azure AD objects. The on-prem objectGUID of each object is encoded as base64, and that value is stamped as the immutableID attribute of the corresponding Azure AD object.
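Before switching the old server off it is worth confirming that the source anchors really do line up. The PowerShell below is an added example, not code from the original post: it base64-encodes the on-prem objectGUID the same way the sync service does and compares it with the ImmutableId on the matching Azure AD user. It assumes the ActiveDirectory and MSOnline modules are installed, that Connect-MsolService has already been run, and the function names and UPNs are my own placeholders.

```powershell
# Added example (not from the original post). Verifies that the on-prem objectGUID,
# base64-encoded, equals the ImmutableId stamped on the Azure AD user, so the new
# AD Connect server will re-match existing objects instead of creating duplicates.
# Assumes: ActiveDirectory + MSOnline modules, Connect-MsolService already run.
Import-Module ActiveDirectory

function ConvertTo-ImmutableId {
    # objectGUID -> base64 string, as the sync service stamps it in Azure AD
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    # base64 ImmutableId -> objectGUID, for reading an Azure AD value back
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [System.Convert]::FromBase64String($ImmutableId)
    New-Object -TypeName System.Guid -ArgumentList (,$bytes)
}

function Test-SourceAnchorMatch {
    # Compares one user's on-prem objectGUID with its Azure AD ImmutableId
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $adUser   = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" -Properties objectGUID
    $msolUser = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    $expected = ConvertTo-ImmutableId -ObjectGuid $adUser.ObjectGUID
    [pscustomobject]@{
        UserPrincipalName   = $UserPrincipalName
        OnPremObjectGuid    = $adUser.ObjectGUID
        ExpectedImmutableId = $expected
        AzureImmutableId    = $msolUser.ImmutableId
        Matches             = ($expected -eq $msolUser.ImmutableId)
    }
}

# Spot-check a few synced users (placeholder UPNs) before disabling the old server.
# Any row with Matches = False needs investigating before the cutover.
'user1@contoso.com', 'user2@contoso.com' |
    ForEach-Object { Test-SourceAnchorMatch -UserPrincipalName $_ } |
    Format-Table -AutoSize
```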

The process is not that hard really. In a nutshell: install AD Connect on a new server, don’t use the express option, use the custom install option, go right through to the very end and enable staging mode.


Staging mode sets the server up as normal (e.g. for a DR site) and lets you fully configure it, but it doesn’t make any changes to either AD (on-prem AD) or AAD (Azure AD).

When you’re ready to fully move syncing to the new AD Connect server, run the following PowerShell on the old (‘current’) AADSync server to stop and disable the sync services.

Get-Service | where {$_.DisplayName -match "forefront identity"} | Set-Service -StartupType Disabled
Get-Service | where {$_.DisplayName -match "forefront identity"} | Stop-Service -Force
Get-Service | where {$_.DisplayName -match "Azure Active Directory sync"} | Set-Service -StartupType Disabled
Get-Service | where {$_.DisplayName -match "Azure Active Directory sync"} | Stop-Service -Force

Then on the new AD Connect server, click start > open Azure AD Connect.


Configure staging mode…


Enter Global Admin credentials for Office 365…


Un-check Enable Staging Mode…


That’s it…


You will notice it says to enable the sync task in Windows Task Scheduler before it will work – do that.

Below is some PowerShell for a few handy little admin tasks you may benefit from.

Import-Module ADSync
# Get all ADSync cmdlets
Get-Command | Where-Object {$_.ModuleName -eq "ADSync"}
#region Force a Directory Sync
# Only start the scheduled task if it really points at DirectorySyncClientCmd
if((Get-ScheduledTask -TaskName "Azure AD Sync Scheduler").Actions.Execute -match "DirectorySyncClientCmd")
{Start-ScheduledTask -TaskName "Azure AD Sync Scheduler"}
#endregion
#region Directory Sync
# To perform a full directory sync
Start-Process -FilePath "C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe" -ArgumentList Initial
# To perform a delta directory sync
Start-Process -FilePath "C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe" -ArgumentList Delta
#endregion
#region Trigger a Full Password Sync in Azure AD Sync
# Get the AD and Azure AD connectors (Where-Object, not ForEach-Object, so the connector objects are returned rather than $true/$false)
$adConnector = Get-ADSyncConnector | Where-Object {$_.Type -eq "AD"}
$aadConnector = Get-ADSyncConnector | Where-Object {$_.Type -eq "Extensible2" -or $_.SubType -like "*Azure*"}
# To see if password sync is enabled
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector.Name
# Set the ForceFullPasswordSync global parameter on the AD connector
$c = Get-ADSyncConnector -Name $adConnector.Name
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c
# Disable and re-enable password sync to kick off the full password sync
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector.Name -TargetConnector $aadConnector.Name -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector.Name -TargetConnector $aadConnector.Name -Enable $true
#endregion
# Get the latest event of the password change
(Get-EventLog -LogName Application | Where-Object {$_.EventID -eq 656} | Select-Object -First 1).Message
