Windows Server 2012 / R2 and the (upcoming) Azure AD Connect Sync issue as of Aug. 31, 2022

Windows[German]Microsoft had recently pointed out the end of support for Windows Server 2012 / R2 (from October 2023). Seemingly still plenty of time to replace this server version, especially since there will still be purchasable Extended Security Update support (ESU) until 2026. But as of August 31, 2022, the danger lurks that Azure AD Connect Sync will no longer work. Anyone still running Windows Server 2012 / R2 in this environment needs to take immediate action.

Windows Server 2012 / R2 EOL

At the end of June 2022, Microsoft pointed out the supporting for products such as Windows Server 2012, Windows Server 2012 R2, and Microsoft SQL Server 2012. While SQL Server 2012 will receive the last security updates on the upcoming July 2022 patchday and is thus end-of-live (EOL), Windows Server 2012 / R2 apparently still has some time. The end of support is only on October 13, 2023 – ESU licenses allow the supply of security updates until October 13, 2026. I had addressed this in the blog post End of Support announcement for Windows Server 2012/2012 R2, SQL Server 2012.

EOL for Azure AD Connect Sync 1.x

What wasn't on my radar was the Azure AD Connect Sync issue. Azure Active Directory Connect Sync services (Azure AD Connect Sync) handles all operations related to synchronizing identity data between your on-premises environment and Azure AD (Cloud). However, Microsoft has now published the following important information regarding the end of support for various Azure AD Connect Sync versions under Azure AD Connect: Version release history.

  • August 31, 2022: All versions of Azure AD Connect 1.x will be retired as they contain SQL Server 2012 components that are no longer supported.
  • March 15, 2023: Various versions of Azure AD Connect Sync 2.x will be decommissioned as new versions are ready.

Normally, none of this would be a problem, you install the latest version of Azure AD Connect Sync and it continues to run. However, in the case of Windows Server 2012 / R2, German blog reader Daniel Staub already points out in this comment that it is not possible to upgrade Azure AD Connect Sync to version 2.x:

At the first moment, the biggest problem in this context is that the MS Azure Connect on the 2012 Server can only be installed in the version 1.x.
is installable.

What this means for 2012 Server environments as of September is still somewhat unclear. In the dumbest case, it can become very uncomfortable for certain admins.

Daniel still quotes the original excerpt from Microsoft on this topic in the comment:

This release is an update release of Azure AD Connect. This version is intended to be used by customers who are running an older version of Windows Server and can't upgrade their server to Windows Server 2016 or newer at this time. You can't use this version to update an Azure AD Connect V2.0 server.

Don't install this release on Windows Server 2016 or newer. This release includes SQL Server 2012 components and will be retired on August 31, 2022. Upgrade your Server OS and Azure AD Connect version before that date.

When you upgrade to this V1.6 build or any newer builds, the group membership limit resets to 50,000. When a server is upgraded to this build, or any newer 1.6 builds, reapply the rule changes you applied when you initially increased the group membership limit to 250,000 before you enable sync for the server.

German MVP Frank Carius had published the German article ADSync / AADConnect zum on the same topic a few days ago. Further discussion and comments (in German) can be found here in the blog.

This entry was posted in Windows and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *