Manually Update AD Connect
If you are unable to run the automatic updater for AD Connect, download and run the install wizard to manually upgrade to the latest version.
Before you begin
Changes introduced by an upgrade
When upgrading AD Connect with IIS:
- Updating from 1.x
-
The update converts all group names to the full distinguished names (DNs). The conversion completes after the new version of AD Connect registers with PingOne. Thereafter, group names sent during single sign-on (SSO) use the full DN instead of the short name.
If any connections require short group names to be passed during SSO, you will need to update the attribute mapping for these connections to convert from full DNs to short names.
You must update your application attribute mappings if
SAML_SUBJECT
is a source value for any of your application connections. When you update AD Connect, theSAML_SUBJECT
value is changed touserPrincipalName
rather thansAMAccountName
as in your existing AD Connect 1.x.This
SAML_SUBJECT
change will affect SSO for any applications configured to passSAML_SUBJECT
to the application. If you have any application attributes mapped toSAML_SUBJECT
, update it tosAMAccountName
.To ensure the correct attribute value will be passed to the application after completing the upgrade, also check your application attribute configuration for each of your applications.
The Subject displayed on the Reports page in the PingOne admin portal will show
userPrincipalName
rather thansAMAccountName
. The dashboard counts of unique users will count the same user twice if the selected data range is before and after the upgrade. This is true only for users who SSO both prior to and after the upgrade.When configuring the new AD Connect installation, you can enable support for Active Directory group hierarchy. When enabled, Active Directory groups that are nested will inherit the SSO permissions of their parent group or groups. When disabled, an Active Directory group uses only the SSO permissions that are assigned to it, with no inheritance.
If AD Connect is configured for high availability, schedule a maintenance window for this upgrade because SSO might be interrupted during the upgrade process. Perform any necessary server upgrades at this time because earlier versions of AD Connect might not continue to work after one of the servers has been upgraded.
Are other applications running on the IIS host? The current version of AD Connect requires .NET 4.7.2. Other applications running on IIS might require earlier versions of .NET.
- Updating from 2.x
-
If AD Connect is configured for high availability, schedule a maintenance window for this upgrade because SSO might be interrupted during the upgrade process. Perform any necessary server upgrades at this time because earlier versions of AD Connect might not continue to work after one of the servers has been upgraded.
Are other applications running on the IIS host? The current version of AD Connect requires .NET 4.7.2. Other applications running on IIS might require earlier versions of .NET.
- Upgrading to 5.x
-
Upgrading to 5.0.1 or later requires .NET Framework 4.7.2.
About this task
If you’re uncertain whether you’re running AD Connect or AD Connect with IIS, see the Knowledge Base article Differentiating between AD Connect and AD Connect with IIS.
When the new installer runs, the AD Connect SSO and Provisioner services will be stopped and the installer will guide you through the installation process. The AD Connect SSO and Provisioner services will restart when the installation is complete.
Steps
-
Back up the AD Connect
Program Files (x86)\Ping Identity\Ad Connect\SSO\web.config
file.You will use the Organization ID and Product Key when prompted for the new installation.
-
(AD Connect with IIS only) Copy the AD Connect
web.config
file you backed up into a new directory.In this topic, this is called the update directory. For a clustered, high-availability configuration, this is the directory you will use to update AD Connect on each host.
-
To ensure you can return to your existing version of AD Connect if needed, rename the
adconnect-installer.zip
file for your existing version of AD Connect and copy this file to your update directory. -
If you customized the AD Connect authentication form, copy the AD Connect
Program Files (x86)\Ping Identity\Ad Connect\SSO\theme.zip
file to your update directory to ensure a backup is available. -
Go to Setup → Identity Repository → Change Identity Repository.
-
Select Active Directory and click Next. Follow the prompts to download the AD Connect installer.
-
Copy the new AD Connect installer version to your update directory.
-
If AD Connect is installed in a clustered, high availability configuration, copy your update directory to each AD Connect host.
-
On the AD Connect host:
-
Make a note of the account that is running the AD Connect services, as you will need to switch back to it later.
-
Stop the Windows Services for AD Connect.
The AD Connect services can have different names depending on the version that you have installed as well as which services are installed on the host. These can include "AD Connect Configuration Service", "AD Connect Provisioner Service", "AD Connect Software Update Service", and "AD Connect Watchdog Service".
-
-
Uninstall the existing version of AD Connect.
-
From the update directory you created, install the new version of AD Connect or AD Connect with IIS, depending on your previous installation type.
For more information on the installation process, see Installing AD Connect or Installing AD Connect with IIS.
Be careful to choose the installation type (AD Connect or AD Connect with IIS) that corresponds to your previous installation. Installing the wrong type will result in an outage to existing SSO connections and might require reconfiguration. See Troubleshoot an AD Connect update if this occurs.
-
(AD Connect with IIS only) When prompted for the Organization ID and Product Key, use the values from the AD Connect
web.config
in your update directory. -
Follow the remaining prompts to finish the AD Connect installation on the host, then verify the installation in the PingOne admin portal.
-
If you’re updating standard AD Connect, see AD Connect final setup for instructions on how to verify the AD Connect installation and configure additional settings.
-
If you’re updating AD Connect for IIS, see AD Connect for IIS final setup for instructions on how to verify the AD Connect for IIS installation and configure additional settings.
If you’re using AD Connect in a clustered, high availability configuration, you only need to verify the installation in the PingOne admin portal for the initial AD Connect installation.
-
-
Switch back to the account that was originally running the AD Connect services.