I was recently working with a customer on cleaning up their Azure AD Connect synchronisation configuration.
Initially, the customer had enabled sync for all OU’s in the Forest (As a lot of companies do), and had now come to a point in maturity where they could look at optimising the solution.
We identified an OU with approximately 7000 objects which did not need to be synced.
So…
I logged onto the AAD Connect server and launched the configuration utility. After authenticating with my Office365 global admin account, I navigated to the OU sync configuration and deselected the required OU.
At this point, everything appeared to be working as expected. The configuration utility saved my changes successfully and started a delta sync based on the checkbox which was automatically selected in the tool. The delta sync also completed successfully.
I went to validate my results, and noticed that no changes had been made, and no objects had been deleted from Azure AD. ????
It occurred to me that a full sync was probably required in order to force the deletion to occur. I kicked off a full synchronisation using the following command.
Start-ADSyncSyncCycle -PolicyType initial
When the sync cycle reach the export phase however, I noticed that the task had thrown an error as seen below:
It would seem I’m trying to delete too many objects. Well that does make sense considering we identified 7000 objects earlier. We need to disable the Export deletion threshold before we can move forward!
Ok, so now we know what we have to do! What does the order of events look like? See below:
- Update OU synchronisation configuration in Azure AD Connect utility
- Delect the run synchronisation option before saving the AADC utility
- Run the following powershell command to disable the deletion threshold
- Disable-ADSyncExportDeletionThreshold
- Run the following powershell command to start the full synchronisation
- Start-ADSyncSyncCycle -PolicyType initial
- Wait for the full synchronisation cycle to complete
- Run the following powershell command to disable the deletion threshold
- Enable-ADSyncExportDeletionThreshold
I hope this helps save some time for some of you out there.
Cheers,
Shane.