mrizzi2
Copper Contributor
Sep 13, 2022

Azure AD Connect V1 post-uninstallation: can we safely remove the old Connector accounts ?

Hello experts,

hope your week is off to a good start.

Please consider a scenario where Azure AD Connect V1 has been migrated successfully to a new Azure AD Connect V2 server using a swing migration.

The old Azure AD Connect server has been shut down for a couple of weeks (just in case) and then it has been uninstalled. The wizard has uninstalled the various supporting components (Microsoft Azure AD Connect Health agent for sync, Microsoft Azure AD Connect synchronization services, and Microsoft SQL Server); however, it appears that the uninstaller removes neither the old on-prem AD DS Connector account nor the old Azure AD Connector account in the cloud.

Is it safe to go ahead and remove them both manually?

Are we required to perform other cleanup tasks as part of removing the old Azure AD Connect V1 server?

Any additional observations/recommendations on this matter will be greatly appreciated.

Thanks and Regards,

Massimiliano

  • picku
    picku
    Copper Contributor

    mrizzi2 make sure that the new AADConnect server has different accounts in both AD and Azure AD. If that's true, you can safely remove the old accounts.

    • mrizzi2
      Copper Contributor
      Hi there Dominik,

      thank you for your reply. It is very much appreciated.

      I confirm that the new AADConnect server is using different accounts in the on-prem AD as well as in Azure AD.

      I have also noticed that the following groups were created by the Azure AD Connect V1 installer: "ADSyncAdmins", "ADSyncBrowse", "ADSyncOperators" and "ADSyncPasswordSet". These groups were created as Active Directory domain groups, as the old Azure AD Connect V1 server was previously installed on a domain controller. I believe it is safe to go ahead and remove them manually, as the new Azure AD Connect V2 server is installed on a dedicated member server?

      Thanks and Regards,

      Massimiliano Rizzi
      • picku
        Copper Contributor
        Hello @Massimiliano,

        For groups I am not so sure whether they are shared with the new infrastructure. To verify that, please add a test account to ADSyncBrowse and try to open the AADConnect console with that account. If there is an error, then the group is not used by AADConnect and you can remove it.
        So what you should do:
        1. Create a test account
        2. Add the test account to ADSyncAdmins or ADSyncBrowse
        3. Try to log in to the AADConnect server and AADConnect console with the test account.
        4. If that works, the group is still used. If that doesn't work, you should be safe to remove the groups.
        5. You can do an additional test as well by removing one of the existing members from ADSyncAdmins (to be 100% sure).

        Best,
        Dominik
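
An added inventory script (not part of the thread, and not Microsoft's code) that complements the manual test above: it records which AD DS Connector account the new server actually uses, lists the members of the legacy ADSync* domain groups and flags any that still reference the new server, and tags the Sync_ accounts in Azure AD by the server name embedded in their UPN. It assumes it runs on the new V2 server with the ADSync, ActiveDirectory and Microsoft.Graph.Users modules installed, and takes the old V1 host name as a parameter; the group names are the ones quoted in the thread.

```powershell
# Added example: inventory the V1 leftovers before deleting them. Not from the thread.
# Assumptions: run on the V2 server; ADSync, ActiveDirectory and Microsoft.Graph.Users are present.
param(
    [Parameter(Mandatory)] [string] $OldServer,   # host name of the decommissioned V1 server
    [string[]] $LegacyGroups = @('ADSyncAdmins', 'ADSyncBrowse', 'ADSyncOperators', 'ADSyncPasswordSet')
)
Import-Module ADSync
Import-Module ActiveDirectory

# 1. Which on-prem AD DS Connector account does the V2 server really use?
$v2Account = (Get-ADSyncADConnectorAccount).ADConnectorAccountName
Write-Host "V2 AD DS Connector account: $v2Account"

# 2. Do the legacy domain groups (created by the V1 install on a DC) still reference
#    the V2 connector account or the V2 computer account? If so, they are not leftovers.
$v2Computer = "$env:COMPUTERNAME`$"
foreach ($name in $LegacyGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $group) { Write-Host "$name : not found (already removed?)"; continue }
    $members = @(Get-ADGroupMember -Identity $group -Recursive | Select-Object -ExpandProperty SamAccountName)
    $inUse   = ($members -contains $v2Account) -or ($members -contains $v2Computer)
    $verdict = if ($inUse) { 'references the V2 server, keep' } else { 'no V2 reference, candidate for removal' }
    Write-Host ("{0}: {1} member(s), {2}" -f $name, $members.Count, $verdict)
    $members | ForEach-Object { Write-Host "    $_" }
}

# 3. Azure AD side: every Connect server gets its own Sync_<server>_<id>@<tenant> account,
#    so the server name in the UPN tells which installation each account belongs to.
Connect-MgGraph -Scopes 'User.Read.All'
$syncAccounts = Get-MgUser -Filter "startswith(userPrincipalName,'Sync_')" -All `
                           -Property UserPrincipalName, AccountEnabled
foreach ($u in $syncAccounts) {
    $tag = if ($u.UserPrincipalName -like "Sync_${OldServer}_*") { 'old V1 server, candidate for removal' }
           elseif ($u.UserPrincipalName -like "Sync_${env:COMPUTERNAME}_*") { 'current V2 server, keep' }
           else { 'unknown origin, investigate before touching' }
    Write-Host ("{0} (enabled={1}): {2}" -f $u.UserPrincipalName, $u.AccountEnabled, $tag)
}
```

The script only reads; deleting the flagged groups and accounts remains a deliberate follow-up step once the output confirms the new server does not depend on them.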
