timb551 (United Kingdom) asked:
AD connect 365 local AD failed link


A previous IT company had made a poor attempt to link a company's local AD with their 365 system.

We have been left with a 365 platform that thinks it's linked to AD, so we cannot edit a user's details, and a local AD which isn't linked, so we cannot change a user's surname after they got married.

I cannot seem to find a way to force 365 to forget that there is a link.

Can anyone help?


DEMAN-BARCELO (MVP) Thierry (France):


Here is a solution:

Note that it would be better to repair the AD Sync synchronization.
Just to clarify:
1. Azure AD: users are shown as synced from Active Directory.
2. But you have no servers running AD Connect in your environment?
3. If so, you need to set users to cloud-only (as suggested by DEMAN-BARCELO (MVP) Thierry).
4. Then do a manual mapping of ObjectGUID to ImmutableID.
5. Clearing ImmutableID might not be the correct way to go, as you need to clear attributes in local AD as well.

But how many users do you have in Azure AD? Which services are in use?
It might be easier to create a new 365 tenant and migrate data, if you do not have too many users.
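The "manual mapping of ObjectGUID to ImmutableID" in step 4 is what Azure AD Connect calls a hard match: the cloud user's ImmutableId must equal the Base64 encoding of the on-premises objectGUID's 16 raw bytes. The script below is an added example, not code from the thread or from Microsoft. It assumes the Microsoft.Graph PowerShell SDK and the RSAT ActiveDirectory module are installed, and the account names in it are placeholders. It computes and round-trips the value on a constructed GUID first, then reads the real GUID from AD and applies it to the cloud user as a dry run (-WhatIf), refusing to touch a user the tenant still flags as directory-synced, which is the state the question describes.

```powershell
# Added example: derive and apply an Azure AD ImmutableId (hard match).
# Not from the original thread. Assumes Microsoft.Graph SDK + RSAT AD module.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # ImmutableId is Base64 of the GUID's raw 16 bytes, not of its string form.
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # Reverse direction: see which on-prem GUID a cloud user is anchored to.
    [guid]::new([System.Convert]::FromBase64String($ImmutableId))
}

# Self-check on a constructed GUID (placeholder value, not from the thread).
$sample  = [guid]'12345678-9abc-def0-1234-56789abcdef0'
$encoded = ConvertTo-ImmutableId $sample
if ((ConvertFrom-ImmutableId $encoded) -ne $sample) { throw 'ImmutableId round-trip failed' }

# Placeholders for the real accounts.
$samAccountName = 'jbloggs'               # on-prem account (assumed name)
$cloudUpn       = 'jbloggs@contoso.com'   # cloud account  (assumed name)

$adUser = Get-ADUser -Identity $samAccountName -Properties ObjectGUID
$wantId = ConvertTo-ImmutableId $adUser.ObjectGUID

Connect-MgGraph -Scopes 'User.ReadWrite.All'
$mgUser = Get-MgUser -UserId $cloudUpn `
    -Property Id,UserPrincipalName,OnPremisesImmutableId,OnPremisesSyncEnabled

if ($mgUser.OnPremisesImmutableId) {
    $current = ConvertFrom-ImmutableId $mgUser.OnPremisesImmutableId
    Write-Host "$cloudUpn is currently anchored to on-prem objectGUID $current"
}

if ($mgUser.OnPremisesSyncEnabled) {
    # The tenant still treats this object as owned by a sync client, so the
    # anchor cannot be rewritten from the cloud side; make it cloud-only first
    # (step 3 above) and re-run.
    throw "$cloudUpn is flagged OnPremisesSyncEnabled; convert to cloud-only before re-anchoring."
}

# Dry run. Remove -WhatIf to commit the new anchor.
Update-MgUser -UserId $mgUser.Id -OnPremisesImmutableId $wantId -WhatIf
```

Run the dry run, confirm the GUID printed for the current anchor (if any) is not the one you are about to overwrite by mistake, and only then drop -WhatIf. Point 5 in the answer is the reason for the guard: if the cloud side is re-anchored while local AD still carries sync attributes for a different object, the next sync run creates a duplicate rather than matching.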

timb551:
It has got slightly more complicated since I posted the question.

The company is split into 3 sites effectively, and I have found that one site that we don't support has had their local AD linked to 365. (Luckily I didn't disable it.) However, in their AD they do not have the users listed that we are supporting.

I don't know where this leaves me now.

By 3 sites, you mean there are 3 different on-premises ADs syncing to the same M365 tenant?
Do they have the same sign-on domain? Do you have AD Connect or AD Sync installed on any server in your AD?
timb551:
So basically, many moons ago (before my time) the three sites' ADs used to be connected through VPN, so one AD for all sites with a DC on each site.
The VPN was then killed and roles pulled to each DC on each site, thus giving 3 separate ADs. They then cleared down all the users who don't actually work on those sites.

Then I believe one of the sites linked their AD with the shared 365 infrastructure.
Whoa... that seems to be a bit messy.
1. 3 locations, all with the same domain (like domain.local), but all DCs have been living apart for several years and are out of sync?
2. 1 Microsoft 365 tenant with users from 2 or 3 of these locations?
3. 1 site has AD Connect to AD still active?
4. Is the domain part of the user name the same for users from all sites?

Some extra questions:
1. What services have you utilized in Microsoft 365? (Mailboxes, SharePoint sites, Teams, OneDrive?)
2. What services are still active on-premises?

I don't have the entire picture, but I think I'd look into the possibility of creating a separate M365 tenant for your site, connecting AD Connect and syncing users, and then look into migrating data using 3rd-party software, or manual migration.

Are the 3 sites the same company? Is it possible to remove the DC on your site, create a new domain and do a new AD Connect setup? Workstations need to be joined to the new domain, settings and data migrated, and if you have a lot of services running on-prem, this isn't the best of solutions...

timb551:
1: 3 locations, all with the same local domain (will never be connected again). All DCs not on the local network have been removed, so now one DC per local domain.
2: 1 x Microsoft tenant that they all share (same
3: 1 of the sites has connected their local AD to the tenant.

365 is used for mailboxes, Teams, SharePoint and OneDrive.
On premises is AD, file server, print server.

I don't think we can do a separate tenant as they are all using the same

All sites are effectively the same company but based very far apart, so now have 3 separate local networks.
timb551:
I'm wondering if the easiest thing is to back up the user's mailbox and delete them from 365 (if it lets me) and then recreate as a cloud-only user.
That might be the easiest way. How many users? I'd recommend a 3rd-party backup software; PST exports tend to be time-consuming and prone to faults.

1. Create new cloud-only users with a temporary login name.
2. Migrate mailboxes and permissions (if needed).
3. Soft delete and then hard delete the old user.
4. Change the UserPrincipalName of the new cloud user.

There's no way of migrating chat history (I think); if it isn't included in the mailbox migration, I haven't tested it.
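The four-step cut-over above as a script, added here as an example that is not from the thread or from Microsoft. It assumes the Microsoft.Graph PowerShell SDK, and every account name, nickname and password in it is a placeholder. Step 2 (mailbox and permission migration) is done with whatever migration tool you use, as the post says, so the script only pauses there. The one thing it adds to the list is a check up front for the failure mode reported later in this thread: a user the tenant still flags as directory-synced cannot be deleted from the cloud side, so the script refuses before anything has been moved.

```powershell
# Added example: recreate a user as cloud-only and cut over the UPN.
# Not from the original thread. Assumes the Microsoft.Graph PowerShell SDK.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes 'User.ReadWrite.All','Directory.ReadWrite.All'

$oldUpn   = 'jsmith@contoso.com'       # existing user that looks synced (placeholder)
$tempUpn  = 'jsmith.new@contoso.com'   # temporary cloud-only login name    (placeholder)
$finalUpn = 'jdoe@contoso.com'         # new surname, final UPN              (placeholder)
$tempNick = 'jsmith-new'               # mailNickname for the new object     (placeholder)

# Step 0: guard against the failure reported in the thread. While the tenant
# still marks the object OnPremisesSyncEnabled, step 3 (delete) will be
# refused, so stop before a mailbox has been moved.
$old = Get-MgUser -UserId $oldUpn -Property Id,DisplayName,OnPremisesSyncEnabled
if ($old.OnPremisesSyncEnabled) {
    throw "$oldUpn is still flagged OnPremisesSyncEnabled; make it cloud-only (or fix its sync source) before running this."
}

# Step 1: cloud-only user with a temporary login name.
$passwordProfile = @{
    Password                      = (New-Guid).Guid + 'Aa1!'   # throwaway initial password
    ForceChangePasswordNextSignIn = $true
}
$new = New-MgUser -DisplayName $old.DisplayName -UserPrincipalName $tempUpn `
    -MailNickname $tempNick -AccountEnabled -PasswordProfile $passwordProfile

# Step 2: migrate mailbox and permissions with your migration tool, then continue.
Read-Host "Migrate mailbox $oldUpn -> $tempUpn with your migration tool, then press Enter"

# Step 3: soft delete, then hard delete from the recycle bin so the UPN and
# proxy addresses are released rather than held for the 30-day retention.
Remove-MgUser -UserId $old.Id
Remove-MgDirectoryDeletedItem -DirectoryObjectId $old.Id

# Step 4: give the new cloud-only user its final UPN.
Update-MgUser -UserId $new.Id -UserPrincipalName $finalUpn
Get-MgUser -UserId $finalUpn -Property Id,UserPrincipalName,OnPremisesSyncEnabled
```

Run it one user at a time: the hard delete in step 3 is irreversible, and the final Get-MgUser is there so you can confirm the new object shows OnPremisesSyncEnabled as empty or false before moving to the next user.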
timb551:
At the moment it's just a single user, so I can deal with that easily enough.

Worst case it's 20 and I can do it over a period of weeks, so no dramas. It's only really come about because someone has changed their surname.

timb551:
That plan didn't work. It wouldn't let me delete the account due to the AD sync that is in place on that user.

timb551:
Really not sure where to go with this now.
DEMAN-BARCELO (MVP) Thierry (France):

timb551:
Yes, I guess I could pass that on to the IT company who looks after the connected site.

Thanks, I will see where that takes me.