Azure AD Connect: Automatic upgrade
The automatic upgrade feature keeps your Azure AD Connect installation up to date: when a new version is released, an eligible installation upgrades itself without administrator action. Automatic upgrade is enabled by default when all of the following are true:
- The installation was done with Express settings, or it is an upgrade from DirSync.
- The sync database is SQL Server Express LocalDB, which Express settings always use. DirSync installations with SQL Express also use LocalDB.
- The AD DS Connector account is the default MSOL_ account created by Express settings and DirSync.
- The metaverse contains fewer than 100,000 objects.
The current state of automatic upgrade can be viewed with the PowerShell cmdlet `Get-ADSyncAutoUpgrade`. It has the following states:

| State | Description |
|---|---|
| Enabled | Automatic upgrade is enabled. |
| Suspended | Set by the system only. The system is not currently eligible to receive automatic upgrades. |
| Disabled | Automatic upgrade is disabled. |
You can change between Enabled and Disabled with `Set-ADSyncAutoUpgrade`. Only the system should set the state Suspended.
Automatic upgrade uses Azure AD Connect Health as its upgrade infrastructure. For automatic upgrade to work, the URLs that Azure AD Connect Health requires must be reachable through your proxy server, as documented in Office 365 URLs and IP address ranges.
If the Synchronization Service Manager UI is running on the server, then the upgrade is suspended until the UI is closed.
If your Azure AD Connect installation does not upgrade itself as expected, follow these steps to find out what could be wrong.
First, do not expect the automatic upgrade to be attempted on the day a new version is released. An intentional random delay is applied before an upgrade is attempted, so it is normal for your installation not to be upgraded immediately.
If you think something is not right, first run `Get-ADSyncAutoUpgrade` to ensure automatic upgrade is enabled.
Then, make sure you have opened the required URLs in your proxy or firewall. Automatic upgrade uses Azure AD Connect Health, as described in the overview. If you use a proxy, make sure Health has been configured to use the proxy server. Also test the Health connectivity to Azure AD.
With the connectivity to Azure AD verified, it is time to look at the event logs. Start Event Viewer and open the Application log. Add a filter for the source Azure AD Connect Upgrade and the event ID range 300-399.
You can now see the events associated with the status of automatic upgrade.
Each event carries a result code whose prefix summarizes the outcome:
| Result code prefix | Description |
|---|---|
| Success | The installation was successfully upgraded. |
| UpgradeAborted | A temporary condition stopped the upgrade. It will be retried, and the expectation is that it succeeds later. |
| UpgradeNotSupported | The system has a configuration that blocks it from being automatically upgraded. The upgrade will be retried to see if the state has changed, but the expectation is that the system must be upgraded manually. |
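The troubleshooting steps above can be run as one script from an elevated PowerShell session on the Azure AD Connect server. The script below is an added example for this article; it is not part of Azure AD Connect itself. It assumes the ADSync module installed with Azure AD Connect is available, that the Synchronization Service Manager runs as the process miisclient, and that each upgrade event written by the source "Azure AD Connect Upgrade" (IDs 300-399) contains a result code starting with Success, UpgradeAborted or UpgradeNotSupported somewhere in its message text.

```powershell
# Added diagnostic script for Azure AD Connect automatic upgrade (not product code).
# Assumptions: ADSync module present; Synchronization Service Manager = miisclient.exe;
# upgrade events carry a result code token in the message (Success*, UpgradeAborted*,
# UpgradeNotSupported*). Run in an elevated PowerShell session on the sync server.

Import-Module ADSync -ErrorAction Stop

# 1. Current automatic upgrade state: Enabled, Disabled, or Suspended (system-set).
$state = Get-ADSyncAutoUpgrade
"Automatic upgrade state: $state"
if ($state -eq 'Disabled') {
    Write-Warning "Automatic upgrade is disabled. Re-enable with: Set-ADSyncAutoUpgrade -AutoUpgradeState Enabled"
}

# 2. Local conditions the upgrade checks before it runs.
#    SyncCycleEnabled = $false  -> UpgradeAbortedSyncCycleDisabled
#    StagingModeEnabled = $true -> UpgradeNotSupportedStagingModeEnabled
$scheduler = Get-ADSyncScheduler
if (-not $scheduler.SyncCycleEnabled) {
    Write-Warning "SyncCycleEnabled is false; the upgrade is aborted until the scheduler is re-enabled."
}
if ($scheduler.StagingModeEnabled) {
    Write-Warning "Server is in staging mode; automatic upgrade is not supported."
}

# The Synchronization Service Manager UI suspends the upgrade while it is open
# (UpgradeAbortedSyncExeInUse). Assumed process name: miisclient.
if (Get-Process -Name miisclient -ErrorAction SilentlyContinue) {
    Write-Warning "Synchronization Service Manager is open; close it to let the upgrade proceed."
}

# 3. Read the upgrade events (source 'Azure AD Connect Upgrade', IDs 300-399)
#    and classify each one by the prefix of its result code.
$filter = @{ LogName = 'Application'; ProviderName = 'Azure AD Connect Upgrade'; Id = 300..399 }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated -Descending

if (-not $events) {
    "No upgrade events found. Either no upgrade has been attempted yet (expected in the first days after a release) or the event source is not registered on this server."
    return
}

# Assumed message format: the result code appears as a single token in the text.
$pattern = '\b(Success|UpgradeAborted|UpgradeNotSupported)\w*'
$events | ForEach-Object {
    $code = if ($_.Message -match $pattern) { $Matches[0] } else { '<no result code found>' }
    $verdict = switch -Regex ($code) {
        '^Success'             { 'upgraded' }
        '^UpgradeAborted'      { 'temporary: will be retried' }
        '^UpgradeNotSupported' { 'blocked: manual upgrade required' }
        default                { 'unknown' }
    }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        EventId = $_.Id
        Result  = $code
        Verdict = $verdict
    }
} | Format-Table -AutoSize
```

Read the output top-down: the most recent event is listed first, and any UpgradeNotSupported result means waiting will not help; plan a manual upgrade to the latest version instead. The proxy and Health connectivity checks from the previous step are still required; this script only covers what can be inspected locally.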
Here is a list of the most common result codes. It is not exhaustive, but the result message should make clear what the problem is.

| Result code | Description |
|---|---|
| UpgradeAbortedCouldNotSetUpgradeMarker | Could not write to the registry. |
| UpgradeAbortedInsufficientDatabasePermissions | The built-in Administrators group does not have permissions to the database. Manually upgrade to the latest version of Azure AD Connect to address this issue. |
| UpgradeAbortedInsufficientDiskSpace | There is not enough disk space to support an upgrade. |
| UpgradeAbortedSecurityGroupsNotPresent | Could not find and resolve all security groups used by the sync engine. |
| UpgradeAbortedServiceCanNotBeStarted | The NT service Microsoft Azure AD Sync failed to start. |
| UpgradeAbortedServiceCanNotBeStopped | The NT service Microsoft Azure AD Sync failed to stop. |
| UpgradeAbortedServiceIsNotRunning | The NT service Microsoft Azure AD Sync is not running. |
| UpgradeAbortedSyncCycleDisabled | The SyncCycle option in the scheduler has been disabled. |
| UpgradeAbortedSyncExeInUse | The Synchronization Service Manager UI is open on the server. |
| UpgradeAbortedSyncOrConfigurationInProgress | The installation wizard is running, or a sync was started outside the scheduler. |
| UpgradeNotSupportedAdfsSignInMethod | You have selected AD FS as the sign-in method. |
| UpgradeNotSupportedCustomizedSyncRules | You have added your own custom rules to the configuration. |
| UpgradeNotSupportedDeviceWritebackEnabled | You have enabled the device writeback feature. |
| UpgradeNotSupportedGroupWritebackEnabled | You have enabled the group writeback feature. |
| UpgradeNotSupportedInvalidPersistedState | The installation is not an Express settings installation or a DirSync upgrade. |
| UpgradeNotSupportedMetaverseSizeExceeeded | You have more than 100,000 objects in the metaverse. |
| UpgradeNotSupportedMultiForestSetup | You are connecting to more than one forest. Express setup only connects to one forest. |
| UpgradeNotSupportedNonLocalDbInstall | You are not using a SQL Server Express LocalDB database. |
| UpgradeNotSupportedNonMsolAccount | The AD DS Connector account is no longer the default MSOL_ account. |
| UpgradeNotSupportedNotConfiguredSignInMethod | When setting up Azure AD Connect, you chose Do Not Configure when selecting the sign-in method. |
| UpgradeNotSupportedPtaSignInMethod | You have selected Pass-through Authentication as the sign-in method. |
| UpgradeNotSupportedStagingModeEnabled | The server is set to be in staging mode. |
| UpgradeNotSupportedUserWritebackEnabled | You have enabled the user writeback feature. |
Learn more about Integrating your on-premises identities with Azure Active Directory.