Follow Lucian on Twitter @LucianFrango.
A couple of weeks ago I deployed Azure AD Connect in production. It was a relatively smooth process; the wizard did most of the work, which was great. There were a few hiccups (blog post) along the way, which is to be expected as long as the problems are not too serious.
Fast forward to my second install of the latest and greatest sync service for Azure AD and Office 365 cloud identities, and we have problem no. 2. This time, though, I can say that the process ran a lot more smoothly. There were no real errors. Things were looking great and I was moving on to my next task with some enthusiasm.
However, at around 8.30 this morning, going over the AADConnect server once more for peace of mind, I noticed that the “Export” profile task, which runs last in the scheduled hourly AADConnect synchronisation cycle (I’ve set the interval to 60 min), had a nice little error for me:
Background
When I deployed AADConnect in this instance, the initial sync from ADDS pulled in everything in the on-premises ADDS environment. It was a relatively small sync of only 11,000 objects. A lot of these, though, were server and workstation objects that didn’t need to be there, as well as the usual service accounts and admin objects that have no business being in Office 365 / Azure AD.
While I was in a meeting the process finished in under an hour and, as you would expect, Azure AD had a lot of unnecessary objects in it. Not to worry; it’s not too difficult to change the selection and only sync certain OUs. That done, and with some manual Full Import and Full Sync profile runs, all was sweet. So I thought..
Context
Added in AADSync was a new feature called “prevent accidental deletions”. This feature is designed to block a large number of deletions in Azure AD, based on a threshold the administrator sets (500 objects by default). So when I updated the selected OUs for sync, basically removing half of those originally selected, I had reduced the 11K objects down to about 6.5K, which means roughly 4.5K pending deletes. That’s a lot more than the 500-object limit. When this happens the Export step refuses to run, the cleanup in the backend doesn’t happen, and every subsequent scheduled cycle hits the same error until the pending deletions are dealt with. Not ideal.
Solution
Back in the AADSync days (AADConnect is now the new supreme sync service) this 500-object accidental-deletion threshold could be set via the DirSync PowerShell module. Digging around, I’ve found that the AADSync PowerShell module is a little different: the same PowerShell cmdlet is not available.
Googling my way around the interwebs for most of the morning, I found some references to what needs to be amended. The solution is to disable the threshold temporarily, let a successful Export profile task run, and then enable it again. The PowerShell to disable it is as follows:
To enable it again, enter the following PowerShell:
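The whole procedure, as an added example that is not part of the original post: it is written against the ADSync module that Azure AD Connect installs on the sync server, using Get-ADSyncExportDeletionThreshold, Disable-ADSyncExportDeletionThreshold, Enable-ADSyncExportDeletionThreshold and the scheduler cmdlets. The 500-object default, the property names on the object Get-ADSyncExportDeletionThreshold returns, and the -AADCredential parameter are assumptions to verify against your build before running it.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the Azure AD Connect server. Cmdlet names are from the ADSync
# module; the 500 default, the DeletionThreshold/DeletionPrevention property
# names and the -AADCredential parameter are assumptions to verify.
Import-Module ADSync

# 1. Record the current setting so it can be restored to exactly the same
#    value afterwards, rather than a hard-coded one.
$before = Get-ADSyncExportDeletionThreshold
Write-Host ("Before: prevention={0} threshold={1}" -f $before.DeletionPrevention, $before.DeletionThreshold)

# 2. Pause the scheduler so a timed cycle cannot start while the safeguard is
#    off, and wait for any cycle already in progress to finish.
Set-ADSyncScheduler -SyncCycleEnabled $false
while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 30 }

# 3. Temporarily disable the threshold. The cmdlet needs an Azure AD global
#    administrator credential; prompting once and reusing it avoids a second
#    prompt when re-enabling.
$cred = Get-Credential -Message "Azure AD global administrator"
Disable-ADSyncExportDeletionThreshold -AADCredential $cred

# 4. Run a single manual delta cycle so the pending deletes are exported,
#    then wait for it to complete. Manual cycles still run while the
#    scheduler is disabled.
Start-ADSyncSyncCycle -PolicyType Delta
Start-Sleep -Seconds 60
while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 30 }

# 5. Put the safeguard back at its previous value (falling back to the
#    500 default) and re-enable the scheduler. Leaving the threshold off is
#    the real risk here: a later filtering mistake would then delete freely.
$threshold = if ($before.DeletionThreshold -gt 0) { $before.DeletionThreshold } else { 500 }
Enable-ADSyncExportDeletionThreshold -DeletionThreshold $threshold -AADCredential $cred
Set-ADSyncScheduler -SyncCycleEnabled $true

# 6. Confirm the setting is back on before walking away.
Get-ADSyncExportDeletionThreshold
```

Before step 3, open Synchronization Service Manager and check that the number of objects staged as “Pending Export: Delete” on the Azure AD connector matches what you expect from the OU filtering change; the threshold exists precisely to catch the case where it does not, and disabling it blindly throws that protection away for the one run where you most need it.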
Final words
Azure AD Connect is a great tool with some really deep functionality. There’s a lot more to it than meets the eye (no, that’s not a Transformers reference.. well, I don’t think so). I hope this solution has helped you on your journey to Office 365 / Azure. If there’s anything else you’d like to know, please feel free to leave a comment below.
Thank you,
-Lucian
Thanks for sharing. Good insights.
Thank you! Worked perfectly.
That was awesome thanks for that fix!
Perfect! Thank you. This is just what I needed. Fixed my issue.
Hi,
I am facing the same problem, but when I searched the disconnected objects it is showing currently licensed accounts for deletion as well. Will it delete those accounts from Office 365, as I have 3800 objects?
Hi Harry,
If you have legitimate objects in Azure AD/Office 365, those will be fine.
If you’ve used OU or group filtering and have a large number of accounts to filter out, then this setting will remove all of those filtered-out accounts.
Essentially this setting allows you to do large deletion/filter-out actions; its original purpose was to be a safeguard against accidental large changes.
Hi Lucian,
Thanks for your Reply, all sorted as you indicated.
Can you add instructions on how to Successfully Export profile task?
Gil, if you execute the PowerShell cmdlet and restart the service, you can then re-run your sync tasks successfully. There’s not much more to it than that! Cheers
Can someone confirm this will not affect the on-premises AD and will only delete from Azure AD?
Chris, the delete happens on Azure AD and AADConnect.
AADC is a one way sync from on-premises to the cloud.
So that “delete” action in this blog post is for the AADConnect metaverse objects and Azure AD objects ONLY.
On-premises ADDS is not affected.
I had this issue today. Synchronization Service Manager showed “stopped-server-down” for Exports. The server also had a message that it needed a reboot because of a Windows Update, with the option to postpone it. Well, the solution was simply to restart the server and let Windows Update finish.
Great article. But what is the process if you accidentally removed an OU from the configuration and this option actually stopped you from deleting these accounts in AAD? The bottleneck caused by this stops successful synchronisation. It would be great if there were a solution to clear this metadata.