---
title: Manually Update AD Connect
description: If you are unable to run the automatic updater for AD Connect, download and run the install wizard to manually upgrade to the latest version.
component: pingoneforenterprise
page_id: pingoneforenterprise:pingone_for_enterprise:p14e_manually_update_adc
canonical_url: https://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_manually_update_adc.html
revdate: March 30, 2023
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
---

# Manually Update AD Connect

If you are unable to run the automatic updater for AD Connect, download and run the install wizard to manually upgrade to the latest version.

## Before you begin

Changes introduced by an upgrade

When upgrading AD Connect with IIS:

* Updating from 1.x

  The update converts all group names to the full distinguished names (DNs). The conversion completes after the new version of AD Connect registers with PingOne. Thereafter, group names sent during single sign-on (SSO) use the full DN instead of the short name.

  If any connections require short group names to be passed during SSO, you will need to update the attribute mapping for these connections to convert from full DNs to short names.

  You must update your application attribute mappings if `SAML_SUBJECT` is a source value for any of your application connections. When you update AD Connect, the `SAML_SUBJECT` value is changed to `userPrincipalName` rather than `sAMAccountName` as in your existing AD Connect 1.x.

  This `SAML_SUBJECT` change will affect SSO for any applications configured to pass `SAML_SUBJECT` to the application. If you have any application attributes mapped to `SAML_SUBJECT`, update them to `sAMAccountName`.

  To ensure the correct attribute value will be passed to the application after completing the upgrade, also check your application attribute configuration for each of your applications.

  The **Subject** displayed on the **Reports** page in the PingOne admin portal will show `userPrincipalName` rather than `sAMAccountName`. The dashboard counts of unique users will count the same user twice if the selected date range includes dates both before and after the upgrade. This is true only for users who signed on through SSO both prior to and after the upgrade.

  When configuring the new AD Connect installation, you can enable support for Active Directory group hierarchy. When enabled, Active Directory groups that are nested will inherit the SSO permissions of their parent group or groups. When disabled, an Active Directory group uses only the SSO permissions that are assigned to it, with no inheritance.

  If AD Connect is configured for high availability, schedule a maintenance window for this upgrade because SSO might be interrupted during the upgrade process. Perform any necessary server upgrades at this time because earlier versions of AD Connect might not continue to work after one of the servers has been upgraded.

  Are other applications running on the IIS host? The current version of AD Connect requires .NET 4.7.2. Other applications running on IIS might require earlier versions of .NET.

* Updating from 2.x

  If AD Connect is configured for high availability, schedule a maintenance window for this upgrade because SSO might be interrupted during the upgrade process. Perform any necessary server upgrades at this time because earlier versions of AD Connect might not continue to work after one of the servers has been upgraded.

  Are other applications running on the IIS host? The current version of AD Connect requires .NET 4.7.2. Other applications running on IIS might require earlier versions of .NET.

* Upgrading to 5.x

  Upgrading to 5.0.1 or later requires .NET Framework 4.7.2.

## About this task

If you're uncertain whether you're running AD Connect or AD Connect with IIS, see the Knowledge Base article [Differentiating between AD Connect and AD Connect with IIS](https://support.pingidentity.com/s/article/Differentiating-between-AD-Connect-and-AD-Connect-with-IIS).

When the new installer runs, the AD Connect SSO and Provisioner services will be stopped and the installer will guide you through the installation process. The AD Connect SSO and Provisioner services will restart when the installation is complete.

## Steps

1. Back up the AD Connect `Program Files (x86)\Ping Identity\Ad Connect\SSO\web.config` file.

   You will use the Organization ID and Product Key from this file when prompted during the new installation.

2. (AD Connect with IIS only) Copy the AD Connect `web.config` file you backed up into a new directory.

   In this topic, this is called the *update directory*. For a clustered, high-availability configuration, this is the directory you will use to update AD Connect on each host.

3. To ensure you can return to your existing version of AD Connect if needed, rename the `adconnect-installer.zip` file for your existing version of AD Connect and copy this file to your update directory.

4. If you customized the AD Connect authentication form, copy the AD Connect `Program Files (x86)\Ping Identity\Ad Connect\SSO\theme.zip` file to your update directory to ensure a backup is available.

5. Go to **Setup > Identity Repository > Change Identity Repository**.

6. Select **Active Directory** and click **Next**. Follow the prompts to download the AD Connect installer.

7. Copy the new AD Connect installer version to your update directory.

8. If AD Connect is installed in a clustered, high availability configuration, copy your update directory to each AD Connect host.

9. On the AD Connect host:

   1. Make a note of the account that is running the AD Connect services, as you will need to switch back to it later.

   2. Stop the Windows Services for AD Connect.

   The AD Connect services can have different names depending on the version that you have installed as well as which services are installed on the host. These can include "AD Connect Configuration Service", "AD Connect Provisioner Service", "AD Connect Software Update Service", and "AD Connect Watchdog Service".

10. Uninstall the existing version of AD Connect.

11. From the update directory you created, install the new version of AD Connect or AD Connect with IIS, depending on your previous installation type.

    For more information on the installation process, see [Installing AD Connect](p14e_installing_adc.html) or [Installing AD Connect with IIS](p14e_installing_adc_iis.html).

    Be careful to choose the installation type (AD Connect or AD Connect with IIS) that corresponds to your previous installation. Installing the wrong type will result in an outage to existing SSO connections and might require reconfiguration. See [Troubleshoot an AD Connect update](p14e_troubleshoot_adc.html) if this occurs.

12. (AD Connect with IIS only) When prompted for the Organization ID and Product Key, use the values from the AD Connect `web.config` in your update directory.

13. Follow the remaining prompts to finish the AD Connect installation on the host, then verify the installation in the PingOne admin portal.

    * If you're updating standard AD Connect, see [AD Connect final setup](p14e_adc_final_setup.html) for instructions on how to verify the AD Connect installation and configure additional settings.

    * If you're updating AD Connect for IIS, see [AD Connect for IIS final setup](p14e_adc_iis_final_setup.html) for instructions on how to verify the AD Connect for IIS installation and configure additional settings.

      If you're using AD Connect in a clustered, high availability configuration, you only need to verify the installation in the PingOne admin portal for the initial AD Connect installation.

14. Switch back to the account that was originally running the AD Connect services.
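
The preparation in steps 1, 2, 4 and 9 can be scripted. The following PowerShell is an added example, not Ping Identity code: it assumes the default install path on the system drive, a hypothetical update directory `C:\ADConnectUpdate`, and services whose display names begin with "AD Connect". Because `web.config` holds the Organization ID and Product Key, it also restricts the update directory to SYSTEM and local Administrators, and it records each service's logon account for step 14.

```powershell
# Added example (not vendor code). Run in an elevated session on the AD Connect host.
$ErrorActionPreference = 'Stop'

$ssoDir    = Join-Path ${env:ProgramFiles(x86)} 'Ping Identity\Ad Connect\SSO'  # assumed default path
$updateDir = 'C:\ADConnectUpdate'                                               # hypothetical name

New-Item -ItemType Directory -Path $updateDir -Force | Out-Null

# web.config carries the Product Key: drop inherited ACEs and allow only
# SYSTEM (S-1-5-18) and BUILTIN\Administrators (S-1-5-32-544).
icacls $updateDir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

function Copy-Verified([string]$Source, [string]$DestinationDir) {
    # Copy one file and confirm the copy is byte-identical (SHA-256).
    Copy-Item -LiteralPath $Source -Destination $DestinationDir
    $copy = Join-Path $DestinationDir (Split-Path -Leaf $Source)
    if ((Get-FileHash -LiteralPath $Source).Hash -ne (Get-FileHash -LiteralPath $copy).Hash) {
        throw "Backup of $Source does not match the original"
    }
}

# Steps 1 and 2: web.config is required for the reinstall.
$webConfig = Join-Path $ssoDir 'web.config'
if (-not (Test-Path -LiteralPath $webConfig)) { throw "Not found: $webConfig" }
Copy-Verified $webConfig $updateDir

# Step 4: theme.zip is backed up if present (relevant when the form was customized).
$theme = Join-Path $ssoDir 'theme.zip'
if (Test-Path -LiteralPath $theme) { Copy-Verified $theme $updateDir }

# Step 9.1: record which account runs each AD Connect service.
$services = @(Get-CimInstance -ClassName Win32_Service -Filter "DisplayName LIKE 'AD Connect%'")
if ($services.Count -eq 0) { throw 'No services with a display name starting "AD Connect" were found' }
$services | Select-Object Name, DisplayName, StartName, StartMode, State |
    Export-Csv -Path (Join-Path $updateDir 'adconnect-services-before.csv') -NoTypeInformation

# Step 9.2: stop the services before uninstalling.
$services | ForEach-Object { Stop-Service -Name $_.Name }
```

The `StartName` column in the CSV is the account to switch back to in step 14. If you copy the update directory to other hosts (step 8), reapply the same access restriction there.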
