Re-connecting a new Active Directory to an existing Office365 environment

Xavier Mustin

Administrator
Staff member
#1
You are attempting to run Directory Sync after previously setting up Office 365 and creating cloud based accounts. None of the accounts created in the O365 admin portal are syncing with your Active Directory accounts.

Solution

If you have not already done so, setup Directory Sync:

The procedures in this article require these two items to be installed:

Now, to get the errors cleared up:

  1. After running the initial Directory Sync, log into your O365 Admin Portal and navigate to Users/Active Users
  2. Look for Users that are still listed as ‘In Cloud’
  3. These are the user accounts that have not successfully been tied to an on-premises AD account. We will need to tie the Users’ O365 ImmutableID to the on-premises AD GUID
  4. Use Powershell to enter the following commands. The commands below use the 2012 Active Directory Shell, if you use Quest Tools, replace get-ADuser with get-QADuser
    1. Code:
      Connect-MSOLService
      – Enter your Office 365 Admin credentials
    2. Code:
      $guid = (get-Aduser <username>).ObjectGuid
    3. Code:
      $immutableID = [System.Convert]::ToBase64String($guid.tobytearray())
    4. Code:
      Set-MSOLuser -UserPrincipalName <clouduserUPN> -ImmutableID $immutableID
  5. Use Powershell to iniate a Directory Sync job
    1. Code:
      Import-module “c:Program FilesWindows Azure Active Directory SyncDirSyncImportModules.ps1
    2. Code:
      Start-OnlineCoexistenceSync
 
Last edited:

Xavier Mustin

Administrator
Staff member
#2
#CommonName
$cn = “Bob Builder”

#Get the AD User ObjectGUID
$guid = (get-aduser -f {cn -eq $cn} -pr objectguid).objectguid

#Get the AD User UPN (matching the Azure AD User Object UPN)
$upn = (get-aduser -f {cn -eq $cn}).userprincipalname

#Convert the ObjectGUID into a ImmuteableID
$ImmutableID = [System.Convert]::ToBase64String($guid.ToByteArray())

#Set the ImmuteableID to the Azure AD User Object
set-msolUser -userprincipalname $upn -immutableID $ImmutableID


Then Run the Synchronization again, which will create another Duplicate Anchor Error, but the job is done, so the next time it will work as intended.

Good Luck
 

Xavier Mustin

Administrator
Staff member
#3
When there are duplicates:
    • Remove user from DirSync (move to OU which is not synced, will only work when OU Filtering is used. If not, disable DirSync…).
    • Perform DirSync.
    • Remove duplicate synced user (NOT cloud user):
      • Remove-MSOLuser -UserPrincipalName <UPN> -RemoveFromRecycleBin
      • Add ImmutableID from AD user to Cloud user
        • $guid = (get-Aduser <username>).ObjectGuid
          $immutableID = [System.Convert]::ToBase64String($guid.tobytearray())
        • Connect to AD Azure (Connect-MSOLService when AD Azure Powershell Module is installed).
        • Set-MSOLuser -UserPrincipalName <clouduserUPN> -ImmutableID $immutableID
        • It’s possible that the clouduserUPN must be changed to the <tenant>.onmicrosoft.com format. It should be changed by DirSync to correspond with the AD UPN.
        • See also http://www.joseph-streeter.com/?p=423
    • Place account back in correct (synced) AD OU.
    • Manually kick off a sync on the DirSync Server if you don’t want to wait (up to 3 hours with default settings):
      • C:\Program Files\Windows Azure Directory Sync\DirSyncConfigShell.psc1
      • Start-OnlineCoexistenceSync
 
Haut