Nerdio Help Center

How do I synchronize users in a pre-existing AD-synced domain?

While moving a pre-existing IT environment to Nerdio, you may encounter a scenario where AD Sync has already been enabled and is running in the existing environment. Because AD Sync is already running, the users will be flagged as "Synced with Active Directory" in Office 365. Follow the steps below to import users from such an environment into Nerdio.

If you haven't connected to O365 yet, you'll need to complete that step first. You can do this by following the instructions found here.

Nerdio Tip
  • IMPORTANT: The procedure below only applies if the existing user objects are "Synced with Active Directory". Consult a Nerdio onboarding engineer if your scenario differs even slightly or if you have any questions. You may need to leverage Nerdio's Hybrid AD feature.
  • This process can take up to 72 hours, as explained by Microsoft HERE.

Step I: Prepare pre-existing environment

Complete the following steps in the pre-existing environment:

  1. Stop directory sync on the Office 365 account. You can issue the following command using PowerShell:
    Set-MsolDirSyncEnabled -EnableDirSync $false
  2. Stop and disable the AAD Sync service in the current domain.
  3. Wait for Office 365 to show users as "In Cloud" instead of "Synced with Active Directory".
    NOTE! This is something we've recently seen take anywhere from 1-24 hours, up to 24-72 hours in some cases.
  4. Run the script below to clear Immutable IDs. Note that you must set $custDomain to the users' primary domain.
    # Match users by UPN suffix; set this to the users' primary domain
    $custDomain = "*company.com"
    # Select every user in that domain that still carries an ImmutableID
    $syncedUsers = Get-MSOLUser | Where {($_.userprincipalname -like $custDomain) -and ($_.ImmutableID -ne $null)}
    foreach ($user in $syncedUsers) {
        # "$null" passed as a string is what clears the attribute
        Set-MSOLUser -Userprincipalname $user.userprincipalname -immutableid "$null"
    }
    1. You can check progress to see how many users have been set to $null and are ready to sync with Azure AD by running the code below, with $custDomain set as above (for example $custDomain = "*customer.com"):

      Get-MSOLUser | Where {($_.userprincipalname -like $custDomain) -and ($_.ImmutableID -eq $null)}

      Nerdio Tip
      • If there are 200+ AD users in your environment you'll need to add "-All" to Get-MSOLUser, so the command starts "Get-MSOLUser -All | Where...".
  5. Once the previous step completes, verify that the primary domain is listed in NAP.
    1. Go to Onboard - Domains and make sure your domain is listed on the screen.
    2. Click the "Set as default" button to make your domain the default used when users are added to Nerdio.
  6. Finally, re-enable AD Sync in Office 365 and allow the sync to originate from DC01.
    Set-MsolDirSyncEnabled -EnableDirSync $true
    1. You may receive an "unable to turn OFF sync" error even though you are in fact trying to turn it ON. In this case there is nothing to do but wait until the command stops erroring and lets you turn sync back ON. See the source article HERE, and see the troubleshooting section below for more details on what to expect and how to manage it.
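The ImmutableID clearing and verification in step 4, as an added example that is not from the original article. It assumes the MSOnline module is loaded and Connect-MsolService has already been run; the backup path is a constructed placeholder, and the export of the old values before clearing is added here so that a mis-matched account can be restored.

```powershell
# Added example (not part of the original article): back up, clear and verify
# ImmutableIDs for one domain. Assumes Connect-MsolService has already run.
param(
    [string]$custDomain = "*company.com",                   # same variable as the article
    [string]$BackupPath = "C:\Temp\immutableid-backup.csv"  # constructed placeholder path
)

# Helper used for both the initial selection and the post-run verification.
# -All is needed once the tenant has more users than one page returns.
function Get-DomainUsers([string]$Pattern, [bool]$StillSynced) {
    Get-MsolUser -All | Where-Object {
        ($_.UserPrincipalName -like $Pattern) -and
        ((($_.ImmutableId -ne $null)) -eq $StillSynced)
    }
}

$syncedUsers = @(Get-DomainUsers -Pattern $custDomain -StillSynced $true)
if ($syncedUsers.Count -eq 0) {
    Write-Host "No users matching $custDomain still carry an ImmutableID; nothing to do."
    return
}

# Keep UPN -> ImmutableID before touching anything. If a user later hard-matches
# to the wrong on-premises object, this file is what you restore from.
$syncedUsers |
    Select-Object UserPrincipalName, ObjectId, ImmutableId |
    Export-Csv -Path $BackupPath -NoTypeInformation
Write-Host "Backed up $($syncedUsers.Count) ImmutableIDs to $BackupPath"

foreach ($user in $syncedUsers) {
    # "$null" as a string is what blanks the attribute; a bare $null is ignored.
    Set-MsolUser -UserPrincipalName $user.UserPrincipalName -ImmutableId "$null"
}

# Verification (the article's step 4.1): re-query and report both counts.
# Any user still listed as synced was not cleared and should be checked by
# hand before DirSync is re-enabled in step 6.
$remaining = @(Get-DomainUsers -Pattern $custDomain -StillSynced $true)
$cleared   = @(Get-DomainUsers -Pattern $custDomain -StillSynced $false)
Write-Host ("Cleared (ImmutableID is null): {0}   Still synced: {1}" -f $cleared.Count, $remaining.Count)
if ($remaining.Count -gt 0) {
    $remaining | Select-Object UserPrincipalName, ImmutableId | Format-Table -AutoSize
}
```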

Troubleshooting: As noted above, it can take an extended period of time before Microsoft allows you to re-enable DirSync, as instructed in step 6. During this time there are a few things you can check to confirm the process is still moving along.

When attempting to run the command in step 6 you may receive an error. It will look like the one below and means the deactivation hasn't finished yet. You'll need to wait for that to finish before step 6 can be completed:

Set-MsolDirSyncEnabled : You cannot turn off Active Directory synchronization.
At line:1 char:1
+ Set-MsolDirSyncEnabled -EnableDirsync $True -Force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Set-MsolDirSyncEnabled], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.DirSyncStatusChangeNotAllowedException,Microsoft.Online.Administration.Automation.SetDirSyncEnabled

You can check the status of the process by running the cmdlet below:

Get-MsolCompanyInformation

It will return information similar to the following:

[Screenshot of Get-MsolCompanyInformation output]

What you care about is the last 5 lines and, more importantly, the 5th line from the bottom. You'll want to see the time update to the current time and eventually DirectorySynchronizationEnabled become "True". You can keep retrying step 6 until the error message no longer appears and DirectorySynchronizationEnabled has a value of "True".

At this point your users should be "In Cloud" and DC01 will be available and capable of syncing with O365. Now when new users are created in NAP or you start to import users, they will sync to the Office 365 account automatically.
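The retry loop the troubleshooting text describes (re-running step 6 and checking Get-MsolCompanyInformation until the error stops), as an added example that is not from the original article. It assumes Connect-MsolService has already been run; the function name, poll interval and 72-hour wait window are chosen here.

```powershell
# Added example (not part of the original article): retry re-enabling DirSync
# until the tenant accepts it, logging the tenant state on each attempt.
# Assumes Connect-MsolService has already been run.
function Enable-DirSyncWithRetry {
    param(
        [int]$IntervalMinutes = 15,   # chosen here; any reasonable poll interval works
        [int]$MaxHours        = 72    # matches the upper bound the article quotes
    )
    $deadline = (Get-Date).AddHours($MaxHours)

    while ((Get-Date) -lt $deadline) {
        # The two fields the article says to watch: enabled flag and last sync time.
        $info = Get-MsolCompanyInformation
        Write-Host ("{0}  DirectorySynchronizationEnabled={1}  LastDirSyncTime={2}" -f
            (Get-Date -Format "yyyy-MM-dd HH:mm"),
            $info.DirectorySynchronizationEnabled,
            $info.LastDirSyncTime)

        if ($info.DirectorySynchronizationEnabled) {
            return $true
        }

        try {
            # Same command as step 6; -ErrorAction Stop turns the
            # MicrosoftOnlineException into something catch can see.
            Set-MsolDirSyncEnabled -EnableDirSync $true -Force -ErrorAction Stop
        } catch {
            # "You cannot turn off Active Directory synchronization" here means the
            # earlier disable is still pending on Microsoft's side; keep waiting.
            Write-Host ("  not ready yet: {0}" -f $_.Exception.Message)
        }
        Start-Sleep -Seconds ($IntervalMinutes * 60)
    }
    return $false
}

if (Enable-DirSyncWithRetry) {
    Write-Host "DirSync is enabled again; DC01 can now sync to O365."
} else {
    Write-Warning "DirSync was not re-enabled within the wait window; contact Nerdio onboarding."
}
```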


Step II: Complete standard on-boarding process

Now that users are flagged as "In cloud", you may proceed with the standard on-boarding process documented in this KB article.
