Moving Azure AD Connect From Windows Server 2012 to 2016
Last week I stood up a new Windows Server 2016 domain controller as we prepared to decommission the older ones. One task I needed to complete was to migrate our Azure AD Connect software. I followed Paul Cunningham guide Migrating Azure AD Connect to a New Server. Everything went well and we did our testing to make sure that everything was pushing out to o365 and it was. The o365 admin portal was showing our new DC id under the ADD Connect Status. I thought all was well.
This week I get a call from a remote site saying their password wasn’t working on their Outlook. I figured it wasn’t anything serious, but after I remoted into the client’s desktop the error was that their password had expired. Now, that was odd because the password wasn’t set to expire as of yet. I logged into the O365 admin portal and tried to reset the password. Typically there is an error if I try to reset a password for a AD synced user, as we don’t allow write back into AD from O365. This time the password was reset, without error. Now I wasn’t feeling so great about last week’s Azure AD Connect migration.
At this point, I know that the user’s account is no longer connected to our AD on premise. I didn’t have a lot of time, so I went ahead and contacted support.
Support had me move the user out of the synced OU in AD to a none synced OU. Then support has me do a delta sync. Once the sync is done support then had me move the user back to the synced OU. Naturally, this was followed up by another delta sync. This initially fixed the issue, but things got a little weird as O365 had to set up the mailbox again. The user didn’t seem to lose any mail or any settings during this whole ordeal.
The options below were from office 365 follow up email. Take note we didn’t have to do option 2. Option 1 seemed to solve the unsynced AD account.
Option 1 (This is what fixed the user account for firstname.lastname@example.org)
- Move the user to an unsync’d OU in the local AD.
- Run delta sync – confirm user account is cloud only
- Move the user back to a sync’d OU in the local AD.
- Run delta sync – confirm user account is showing “sync’d with AD”
Option 2 (This was suggested if more remote locations are experiencing the same issue)
- Connect to PowerShell MSOL: Azure AD
- Turn off Dir Sync (will take up to 48 hours for this to complete)
- Run the configuration wizard again on the DC (server 2016)