SOLVED

Azure AD Connect V1 post-uninstallation: can we safely remove the old Connector accounts?

Hello experts,

hope your week is off to a good start.

Please consider a scenario where Azure AD Connect V1 has been migrated successfully to a new Azure AD Connect V2 server using a swing migration.

The old Azure AD Connect server has been shut down for a couple of weeks (just in case) and then uninstalled. The wizard has uninstalled the various supporting components (Microsoft Azure AD Connect Health agent for sync, Microsoft Azure AD Connect synchronization services, and Microsoft SQL Server); however, it appears that the uninstaller removes neither the old on-prem AD DS Connector account nor the old Azure AD Connector account in the cloud.

Is it safe to go ahead and remove them both manually?

Are we required to perform other cleanup tasks as part of removing the old Azure AD Connect V1 server?

Any additional observations/recommendations on this matter will be greatly appreciated.

Thanks and Regards,

Massimiliano

4 Replies
best response confirmed by mrizzi2 (Copper Contributor)

@mrizzi2 make sure that the new AADConnect server uses different accounts in both AD and Azure AD. If that's true, you can safely remove the old accounts.
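One way to make that check instead of trusting memory, as an added example that is not part of the thread and not Microsoft's own tooling: run the script below on the new Azure AD Connect V2 server. It reads the accounts the V2 connectors are actually configured with from the ADSync module, refuses to continue if either old account is still in use, then lists the wizard-created connector accounts on both sides (MSOL_* in AD DS, Sync_* in Azure AD) and flags the ones no connector uses. The connectivity-parameter names (`forest-login-domain`, `forest-login-user`, `UserName`), the Microsoft.Graph cmdlets, the old account names and the domain are assumptions I made for the example; the MSOL_/Sync_ prefixes are what the express installer creates, so a custom-named connector account must be checked by hand.

```powershell
# Added example, not from the thread or from Microsoft. Run on the NEW Azure AD Connect V2
# server as a member of its local ADSyncAdmins group. Needs the ADSync module (installed
# with Azure AD Connect), the ActiveDirectory RSAT module and Microsoft.Graph.Users;
# run Connect-MgGraph -Scopes 'User.ReadWrite.All' first.
Import-Module ADSync
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users

# The accounts the old V1 server used (assumed values; replace with the ones from your V1 wizard).
$oldAdSam  = 'MSOL_0123456789ab'
$oldAadUpn = 'Sync_OLDSERVER_0123456789ab@contoso.onmicrosoft.com'

# 1. Accounts the V2 installation really uses, read from its connector configuration.
#    The parameter names are an assumption; list the ones on your build with
#    (Get-ADSyncConnector)[0].ConnectivityParameters | Select-Object Name
function Get-ConnectorAccount {
    foreach ($c in Get-ADSyncConnector) {
        $p = $c.ConnectivityParameters
        switch ($c.ConnectorTypeName) {
            'AD'          { [pscustomobject]@{ Connector = $c.Name; Directory = 'AD DS'
                                               Account = "$($p['forest-login-domain'].Value)\$($p['forest-login-user'].Value)" } }
            'Extensible2' { [pscustomobject]@{ Connector = $c.Name; Directory = 'Azure AD'
                                               Account = $p['UserName'].Value } }
        }
    }
}
$inUse = @(Get-ConnectorAccount)
$inUse | Format-Table -AutoSize

# 2. Hard stop if V2 still uses an old account: removing it would break synchronization.
$stillUsed = $inUse.Account | Where-Object { $_ -like "*\$oldAdSam" -or $_ -eq $oldAadUpn }
if ($stillUsed) { throw "The V2 server still uses $($stillUsed -join ', '); do not remove these accounts." }

# 3. Inventory the default-named connector accounts and mark which ones V2 uses.
$onPrem = Get-ADUser -Filter 'SamAccountName -like "MSOL_*"' -Properties LastLogonDate, Description |
    ForEach-Object {
        $sam = $_.SamAccountName
        [pscustomobject]@{ Directory = 'AD DS'; Account = $sam; LastActivity = $_.LastLogonDate
                           InUseByV2 = [bool]($inUse.Account | Where-Object { $_ -like "*\$sam" }) }
    }
$cloud = Get-MgUser -Filter "startswith(userPrincipalName,'Sync_')" -All `
                    -Property UserPrincipalName, DisplayName, CreatedDateTime, AccountEnabled |
    ForEach-Object {
        $upn = $_.UserPrincipalName
        [pscustomobject]@{ Directory = 'Azure AD'; Account = $upn; LastActivity = $_.CreatedDateTime
                           InUseByV2 = [bool]($inUse.Account | Where-Object { $_ -eq $upn }) }
    }

# 4. Whatever is not in use is a leftover. Disable first, let a few sync cycles run
#    cleanly, then delete. Drop -WhatIf once you have reviewed the list.
$leftovers = @($onPrem) + @($cloud) | Where-Object { -not $_.InUseByV2 }
$leftovers | Format-Table -AutoSize
foreach ($l in $leftovers) {
    if ($l.Directory -eq 'AD DS') { Disable-ADAccount -Identity $l.Account -WhatIf }
    else                          { Update-MgUser -UserId $l.Account -AccountEnabled:$false -WhatIf }
}
```

The Sync_* user principal name embeds the name of the server that created it, so the old V1 host name appearing in a leftover is a useful sanity check before you disable it. Disabling rather than deleting straight away gives you the same safety margin the original poster took by leaving the old server powered off for two weeks.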

Hi there Dominik,

thank you for your reply. It is very much appreciated.

I confirm that new AADConnect server is using different accounts in the on-prem AD as well as in Azure AD.

I have also noticed that the following groups were created by the Azure AD Connect V1 installer: "ADSyncAdmins", "ADSyncBrowse", "ADSyncOperators" and "ADSyncPasswordSet". These groups were created as Active Directory domain groups as the old Azure AD Connect V1 server was previously installed on a domain controller. I believe it is safe to go ahead and remove them manually as the new Azure AD Connect V2 server is installed on a dedicated member server?

Thanks and Regards,

Massimiliano Rizzi

Hello @Massimiliano,

For the groups, I am not so sure whether they are shared with the new infrastructure. To verify that, please add a test account to ADSyncBrowse and try to open the AADConnect console with that account. If there is an error, then the group is not used by AADConnect and you can remove it.
So what you should do:
1. Create a test account.
2. Add the test account to ADSyncAdmins or ADSyncBrowse.
3. Try to log in to the AADConnect server and open the AADConnect console with the test account.
4. If that works, the group is still used. If it doesn't work, you should be safe to remove the groups.
5. You can do an additional test as well by removing one of the existing members from ADSyncAdmins (to be 100% sure).

Best,
Dominik
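The five-step test above can be scripted so that it is repeatable and cleans up after itself. The script below is an added example, not from the thread and not Microsoft's code: it first shows the inventory a practitioner would want (the local ADSync* groups on the V2 member server, which is where the installer creates them when the server is not a domain controller, next to the domain ADSync* groups left behind by the V1 install on a DC), then creates a throwaway account whose only ADSync membership is the domain ADSyncBrowse group and runs the ADSync cmdlets as that account in a separate process. The cmdlets talk to the same sync service the console does, so a refusal means the domain group grants nothing. The domain, OU and test account name are assumptions; adjust them for your environment.

```powershell
# Added example, not from the thread or from Microsoft. Run on the NEW Azure AD Connect V2
# member server as a domain admin who is also a member of the server's local ADSyncAdmins.
# Domain, OU and account name below are assumptions for the example.
Import-Module ActiveDirectory

$testSam = 'svc-adsync-grouptest'                       # assumed throwaway account name
$testOu  = 'OU=Service Accounts,DC=contoso,DC=com'      # assumed OU

# 1. Inventory: local groups are what the V2 member-server install uses;
#    domain groups with the same names are the V1 (domain controller) leftovers.
Write-Host "Local ADSync groups on $env:COMPUTERNAME (created by the V2 install):"
Get-LocalGroup | Where-Object Name -like 'ADSync*' | ForEach-Object {
    [pscustomobject]@{ Group = $_.Name
                       Members = (Get-LocalGroupMember -Group $_ | ForEach-Object Name) -join ', ' }
} | Format-Table -AutoSize

Write-Host 'Domain ADSync groups (created by the V1 install on the domain controller):'
Get-ADGroup -Filter 'Name -like "ADSync*"' | ForEach-Object {
    [pscustomobject]@{ Group = $_.Name
                       Members = (Get-ADGroupMember -Identity $_ | ForEach-Object SamAccountName) -join ', ' }
} | Format-Table -AutoSize

# 2. Functional test: a fresh account whose ONLY ADSync membership is the DOMAIN ADSyncBrowse group.
$password = Read-Host -AsSecureString "Password for temporary test account $testSam"
New-ADUser -Name $testSam -SamAccountName $testSam -Path $testOu -AccountPassword $password -Enabled $true
Add-ADGroupMember -Identity 'ADSyncBrowse' -Members $testSam
$cred = New-Object System.Management.Automation.PSCredential("$env:USERDOMAIN\$testSam", $password)

# The probe runs in a new process, so its token carries the fresh group membership.
# Exit 0 = the sync service answered (group grants access); exit 2 = it refused.
$probe = 'try { Import-Module ADSync -ErrorAction Stop; (Get-ADSyncConnector -ErrorAction Stop).Name; exit 0 } ' +
         'catch { Write-Output $_.Exception.Message; exit 2 }'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($probe))
$out = Join-Path $env:TEMP 'adsync-grouptest.txt'
$err = Join-Path $env:TEMP 'adsync-grouptest.err'
$p = Start-Process powershell.exe -Credential $cred -ArgumentList '-NoProfile', '-EncodedCommand', $encoded `
        -RedirectStandardOutput $out -RedirectStandardError $err -Wait -PassThru -WindowStyle Hidden
Write-Host "Probe exit code $($p.ExitCode); output:"
Get-Content $out

# 3. Remove the probe identity whatever the result.
Remove-ADGroupMember -Identity 'ADSyncBrowse' -Members $testSam -Confirm:$false
Remove-ADUser -Identity $testSam -Confirm:$false
Remove-Item $out, $err -ErrorAction SilentlyContinue

# 4. Interpret the result. Export the domain groups before deleting them so they can be recreated.
if ($p.ExitCode -eq 0) {
    Write-Warning 'Domain ADSyncBrowse still grants access to the V2 sync service; do not remove the domain groups.'
} else {
    Write-Host 'Domain ADSyncBrowse grants no access; the domain ADSync* groups are V1 leftovers.'
    Get-ADGroup -Filter 'Name -like "ADSync*"' -Properties Members |
        Export-Clixml (Join-Path $env:TEMP 'adsync-domain-groups-backup.xml')
}
```

Two caveats worth keeping in mind when you read the result: the test account must be created fresh so it is not also a member of the local groups on the V2 server, otherwise a success proves nothing about the domain group; and group SIDs are added to a token at logon, which is why the probe is run in a new process rather than in the session that added the membership.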

Hi there Dominik,

thank you for your time. It is very much appreciated.