Forum Discussion

mlotfy
Copper Contributor
Jul 12, 2020

Lost on-premises AD and we want to sync Office 365 accounts with the new AD with the same forest

We had a disaster at work, we lost all VMs and backups. Now we built a new AD on-premises with the same forest and need to sync again with Office 365. Accounts were syncing with password hash synchronization, so now users can log in to the cloud, but these accounts are not linked to on-premises accounts.

How can I solve this issue?

  • Hello mlotfy,

    If you are able to create the Active Directory on-premises with the same domain suffix and UserPrincipalName (UPN) for the users, a soft match with the cloud objects should not be a problem. You just have to create the users with the same UPN and e-mail address as the cloud users. A soft match will be tried by the next sync of Azure AD Connect.

    If that is not possible or in your plans, you could alternatively proceed with a hard match by matching the on-premises with the cloud objects using the Azure AD anchor attribute, which in most cases should be ms-DS-ConsistencyGuid.

    Please let me know if you need detailed information.

    Kind regards
    Spikar
    • VasilMichev
      MVP

      Just to add a small correction: soft match will not work in this scenario, as it requires the ImmutableID to be null. You'll either have to disable dirsync in order to nullify the ImmutableIds of each user, or simply use the hard match method instead.

      • mlotfy
        Copper Contributor

        Do I have to disable the directory sync, as it will take up to 72 hours as mentioned in the Microsoft documentation?

        If not, the scenario will be:

        1. Clear the ImmutableIds in the Azure objects by script.

        2. Run directory sync by setting email as the source anchor.

        Will that work?

         VasilMichev 
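A script for the hard-match route both replies point at, added here as an example and not something posted in the thread: it copies the surviving cloud ImmutableId into the rebuilt on-premises user's mS-DS-ConsistencyGuid, so the next Azure AD Connect cycle matches on the anchor instead of creating a duplicate or failing the soft match Vasil describes. It assumes Azure AD Connect uses mS-DS-ConsistencyGuid as its source anchor (Spikar's "in most cases"), that the ActiveDirectory and MSOnline modules are installed, and that Connect-MsolService has already been run.

```powershell
# Added example (not from the thread). Hard-match one rebuilt on-premises user to its
# existing cloud account. Assumption: the sync source anchor is mS-DS-ConsistencyGuid.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [switch] $Apply   # without -Apply the script only reports what it would change
)

# 1. Cloud side: ImmutableId is the base64 form of the OLD on-premises objectGUID bytes.
$cloudUser = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
if ([string]::IsNullOrEmpty($cloudUser.ImmutableId)) {
    throw "$UserPrincipalName has no ImmutableId; soft match on UPN/mail applies instead"
}
$anchorBytes = [System.Convert]::FromBase64String($cloudUser.ImmutableId)
if ($anchorBytes.Length -ne 16) {
    throw "ImmutableId does not decode to a 16-byte GUID; refusing to write it"
}
$anchorGuid = [System.Guid]::new($anchorBytes)

# 2. On-premises side: find the rebuilt account by the same UPN.
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" `
                     -Properties 'mS-DS-ConsistencyGuid'
if (-not $adUser) { throw "No on-premises user with UPN $UserPrincipalName" }

$current     = $adUser.'mS-DS-ConsistencyGuid'
$currentGuid = if ($current) { [System.Guid]::new([byte[]]$current) } else { '<empty>' }
Write-Host $UserPrincipalName
Write-Host "  new objectGUID         : $($adUser.ObjectGUID)"
Write-Host "  mS-DS-ConsistencyGuid  : $currentGuid"
Write-Host "  cloud anchor (decoded) : $anchorGuid"

if ("$currentGuid" -eq "$anchorGuid") { Write-Host "  already matched"; return }
if (-not $Apply) { Write-Host "  dry run; rerun with -Apply to write the anchor"; return }

# 3. Write the anchor. The attribute is an octet string, so it takes the raw 16 bytes;
#    the cloud object is left untouched, so no ImmutableId clearing is needed on this path.
Set-ADUser -Identity $adUser -Replace @{ 'mS-DS-ConsistencyGuid' = $anchorBytes }
Write-Host "  anchor written; run Start-ADSyncSyncCycle -PolicyType Delta on the Connect server"
```

Run it once without -Apply per user to see the new objectGUID, the current on-premises anchor and the decoded cloud anchor side by side before writing anything.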
