SOLVED

On-Premise AD restructure

Brass Contributor

We have a long-neglected AD infrastructure, and the internal will has finally risen to restructure it into new OUs. Other than keeping AAD Connect pointed at the new OU structure, are there any major concerns I need to worry about? I don't think changing the OU structure affects AAD users, since they are connected via UUID and ProxyAddresses. What other things should I look at?

1 Reply
best response confirmed by Fish_Tacos (Brass Contributor)
Solution

@Fish_Tacos 

If you later uncheck an OU in AAD Connect, the users in that OU will be deleted from Azure AD on the next 'initial' sync, so make sure the OUs are always selected in the sync scope.

Set up the Azure AD sync account as described by Microsoft, so that it has only the access needed to perform the sync, password resets (if you are using pass-through authentication or password hash sync), etc.

Set the AAD Connect deletion threshold to a lower number. I think the default is 500 (if it is enabled); this will stop bulk deletions (https://shehanstechblog.com/2021/02/04/aad-deletion-threshold/).

Try to change the source anchor to mS-DS-ConsistencyGuid, as that stays unique even if you later decide to migrate users to a different domain, and will not conflict.

Hope this helps.

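The checks the accepted answer recommends can be scripted as a pre-flight before any user is moved. The following PowerShell is an added example, not code from the original thread or from Microsoft; it is meant to run on the Azure AD Connect server (which installs the ADSync module) with the ActiveDirectory RSAT module present. The connector name 'contoso.local', the OU DNs in $OuMoves, the threshold value 50 and the global-settings parameter name used to read the source anchor are assumptions for illustration; adjust them to your forest.

```powershell
# Added example (not from the original post): pre-flight checks for an OU
# restructure when Azure AD Connect is in place. Run on the AAD Connect server.
Import-Module ActiveDirectory
Import-Module ADSync

$ConnectorName = 'contoso.local'                 # assumed on-prem connector name
$OuMoves = @{                                    # assumed old OU -> new OU map
    'OU=Staff,DC=contoso,DC=local'       = 'OU=Users,OU=Corp,DC=contoso,DC=local'
    'OU=Contractors,DC=contoso,DC=local' = 'OU=Externals,OU=Corp,DC=contoso,DC=local'
}
$NewDeletionThreshold = 50                       # assumed; must exceed normal churn

# 1. Sync scope: a user moved into a container that AAD Connect does not import
#    vanishes from the connector space and is deleted in Azure AD on the next
#    sync. So every destination OU must be covered by the inclusion list.
$connector = Get-ADSyncConnector -Name $ConnectorName
$inScope = @($connector.Partitions |
    ForEach-Object { $_.ConnectorPartitionScope.ContainerInclusionList })

function Test-OuInSyncScope {
    param([Parameter(Mandatory)][string]$OuDn)
    # In scope when the OU itself, or one of its parents, is an included container.
    foreach ($container in $inScope) {
        if ($OuDn -eq $container -or $OuDn -like "*,$container") { return $true }
    }
    return $false
}

foreach ($target in $OuMoves.Values) {
    if (Test-OuInSyncScope -OuDn $target) {
        Write-Host "OK   in sync scope: $target"
    } else {
        Write-Warning "NOT in sync scope (users moved here will be deleted in AAD): $target"
    }
}

# 2. Source anchor: if the anchor is mS-DS-ConsistencyGuid, every user you move
#    must already carry it, otherwise the object can be re-matched badly later.
#    The parameter name below is what AAD Connect stores in its global settings
#    (assumption: verify with (Get-ADSyncGlobalSettings).Parameters on your box).
$anchor = (Get-ADSyncGlobalSettings).Parameters |
    Where-Object { $_.Name -eq 'Microsoft.SynchronizationOption.AnchorAttribute' } |
    Select-Object -ExpandProperty Value
Write-Host "Source anchor attribute: $anchor"

if ($anchor -eq 'mS-DS-ConsistencyGuid') {
    foreach ($source in $OuMoves.Keys) {
        Get-ADUser -SearchBase $source -Filter * -Properties 'mS-DS-ConsistencyGuid' |
            Where-Object { -not $_.'mS-DS-ConsistencyGuid' } |
            ForEach-Object {
                Write-Warning "No mS-DS-ConsistencyGuid on $($_.DistinguishedName)"
            }
    }
}

# 3. Deletion threshold: lower it so a scoping mistake stalls the export instead
#    of mass-deleting cloud accounts. The default is 500.
Write-Host 'Current export deletion threshold:'
Get-ADSyncExportDeletionThreshold
# This cmdlet prompts for Azure AD credentials with the right to change the setting.
Enable-ADSyncExportDeletionThreshold -DeletionThreshold $NewDeletionThreshold
```

Run the script before moving anything, fix every warning, then move a small pilot OU and run a delta sync (Start-ADSyncSyncCycle -PolicyType Delta) and check that the export shows updates rather than deletes before touching the rest. Keep the deletion threshold at the lowered value afterwards; raising it again only makes the next mistake more expensive.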