asked on AD connect 365 local AD failed link
Hi
A previous IT company had made a poor attempt to link a companies local AD with their 365 system.
We have been left with a 365 platform that thinks its linked to AD so we cannot edit a users details and a local which isnt linked so cannot change a users surname after they got married.
I cannot seem to find a way to force 365 to forget that there is a link.
Can anyone help?
thanks
Microsoft 365Active Directory* Azure AD
Last Comment
timb551
Just to clarify.
1.in AzureAD - users are shown as synced from active directory
2. but you have no servers running AdConnect in your environment?
3. if so - you need to set users to cloud only (as suggested by DEMAN-BARCELO (MVP) Thierry)
4. Then do a manual mapping of ObjectGUID to ImmutableID (https://www.2azure.nl/2019/04/01/set-or-clear-immutable-id/)
5. Clearing ImmutableID might not be the correct way to go, as you need to clear atttributes in local AD as well
But how many users do you have in Azure AD? Which services is in use?
It might be easier to create a new 365 tenant and migrate data .. if you have not too many users
1.in AzureAD - users are shown as synced from active directory
2. but you have no servers running AdConnect in your environment?
3. if so - you need to set users to cloud only (as suggested by DEMAN-BARCELO (MVP) Thierry)
4. Then do a manual mapping of ObjectGUID to ImmutableID (https://www.2azure.nl/2019/04/01/set-or-clear-immutable-id/)
5. Clearing ImmutableID might not be the correct way to go, as you need to clear atttributes in local AD as well
But how many users do you have in Azure AD? Which services is in use?
It might be easier to create a new 365 tenant and migrate data .. if you have not too many users
ASKER
It has got slightly more complicated since i posted the question.
The company is split into 3 sites affectivley and i have found that one site that we dont support has had their local AD linked to 365.(Luckily i didnt disable it) However in their AD they do not have the users listed that we are supporting.
I dont know where this leaves me now
The company is split into 3 sites affectivley and i have found that one site that we dont support has had their local AD linked to 365.(Luckily i didnt disable it) However in their AD they do not have the users listed that we are supporting.
I dont know where this leaves me now
by 3 sites, you say there's 3 different on-premises ADs sync to the same M365 tenant?
Do they have the same sign-on domain? Do you have ADConnect og AdSync installed on any server in your AD?
Do they have the same sign-on domain? Do you have ADConnect og AdSync installed on any server in your AD?
ASKER
So basically many moons ago (before my time) the three sites AD used to be connected through vpn so one AD for all sites with a DC on each site.
The VPN was then killed and roles pulled to each DC on each site. Thus giving 3 seperate ADs. They then cleared down all the users who dont actually work on those sites.
Then i believe one of the sites linked their AD with the shared 365 infastructure.
The VPN was then killed and roles pulled to each DC on each site. Thus giving 3 seperate ADs. They then cleared down all the users who dont actually work on those sites.
Then i believe one of the sites linked their AD with the shared 365 infastructure.
Whoa ... that seems to be a bit messy ..
1. 3 locations, all with the same domain - like domain.local - but all DCs been living apart for several years and are out of sync?
2. 1 Microsoft 365 Tenant with users from 2 or 3 of these locations?
3. 1 site have ADConnect to AD still active?
4. Is the domain-part of user name the same for users from all sites?
Some extra questions:
1. What services have you utilized in Microsoft 365? (Mailboxes,SharePoint Sites, Teams, OneDrive?)
2. What services are still active on-premises?
I don't have the entire picture, but I think I'd look into the possibility of creating a separate M365 tenant for your site, connect ADConnect and sync users, and then look into migrating data using 3rd party software - or manual migration.
Are the 3 sites same company? possible to remove DC on your site, create a new domain and do a new ADConnect setup. Workstations needs to be joined to new domain, settings and data migrated - and if you have a lot of services running on-prem, this isn't the best of solutions ....
1. 3 locations, all with the same domain - like domain.local - but all DCs been living apart for several years and are out of sync?
2. 1 Microsoft 365 Tenant with users from 2 or 3 of these locations?
3. 1 site have ADConnect to AD still active?
4. Is the domain-part of user name the same for users from all sites?
Some extra questions:
1. What services have you utilized in Microsoft 365? (Mailboxes,SharePoint Sites, Teams, OneDrive?)
2. What services are still active on-premises?
I don't have the entire picture, but I think I'd look into the possibility of creating a separate M365 tenant for your site, connect ADConnect and sync users, and then look into migrating data using 3rd party software - or manual migration.
Are the 3 sites same company? possible to remove DC on your site, create a new domain and do a new ADConnect setup. Workstations needs to be joined to new domain, settings and data migrated - and if you have a lot of services running on-prem, this isn't the best of solutions ....
ASKER
1: 3 locations all with the same local domain (Will never be connected again). All DCs not on the local network have been removed so now one DC per local domain.
2: 1 x Microsoft tenant that they all share (same domain.com)
3: 1 of the sites has connected their local AD to the tenant
365 is used for Mailboxes, teams, sharepoint onedrive.
On premise is AD, file server, print server
I dont think we can do a seperate tenant as they are all using the same domain.com
All sites are affectivley the same company but based very far apart so now have 3 seperate local networks
2: 1 x Microsoft tenant that they all share (same domain.com)
3: 1 of the sites has connected their local AD to the tenant
365 is used for Mailboxes, teams, sharepoint onedrive.
On premise is AD, file server, print server
I dont think we can do a seperate tenant as they are all using the same domain.com
All sites are affectivley the same company but based very far apart so now have 3 seperate local networks
ASKER
Im wondering if the easiest thing is to backup the users mailbox and delete them from 365 (if it lets me) and then recreate as a cloud only user
might be the easiest way. How many users? I'd recommend a 3rd party backup software, PST exports tends to be time consuming and and prone to faults.
1. create new cloud only users with temp login name
2. migrate mailboxes and permission (if needed)
3. soft delete and then hard delete the old user
4. change UserPrincipalName of new cloud user.
There's no way of migrationg chat history (i think) - if it isn't inlcuded in the mailbox migration, I haven't tested it
1. create new cloud only users with temp login name
2. migrate mailboxes and permission (if needed)
3. soft delete and then hard delete the old user
4. change UserPrincipalName of new cloud user.
There's no way of migrationg chat history (i think) - if it isn't inlcuded in the mailbox migration, I haven't tested it
ASKER
At the moment its just a single user so i can deal with that easily enough.
worst case its 20 and i can do it over period of weeks so no dramas. Its only really come about becuase someone has changed their surname.
worst case its 20 and i can do it over period of weeks so no dramas. Its only really come about becuase someone has changed their surname.
ASKER
That plan didnt work. It wouldnt let me delete the account due to the AD sync that is in place on that user.
ASKER
Really not sure where to go with this now
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Yes i guess i could pass that onto the IT company who looks after the connected site.
thanks i will see where that takes me
thanks i will see where that takes me
Here is a solution;
https://docs.microsoft.com/en-us/microsoft-365/enterprise/turn-off-directory-synchronization?view=o365-worldwide
Note that it should better to repair the ADsync synchronization.