
Xadean's Empirical Musing

June 30
Cannot Enable Directory Synchronization After Disabling Due to Extended Deactivation Time

Environment:

  • On-premises Active Directory 2012 R2
  • Azure AD Connect with Directory Synchronization Enabled
  • Federated Domain Shared Name Space for Skype for Business and Exchange
  • AD FS with Web Application Proxy
  • Office 365 Tenant Subscription w/ E5 Licenses

Description of Issue/Error Encountered:

In performing an AD health check and attempting to clean up user objects with corrupted AD attributes, we found ourselves in a situation where we needed to disable directory synchronization between on-premises AD and Office 365 Azure AD in order to clear cloud attributes in the user object that cannot be changed from the O365 Admin Center, since the on-premises AD owned the management scope. Under the direction of Microsoft Technical Support, referencing case number 30126-5865017, I disabled directory synchronization using the following command:

Set-MsolDirSyncEnabled -EnableDirSync $false

After running that command, we waited the 72 hours that Microsoft states it can take at most, and it still had not finished deactivating.
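One way to track a deactivation like this and keep a timestamped record for the support case is to poll the tenant's synchronization state. This is an added example, not part of the original post or of Microsoft's guidance; the log path, polling interval and the "Pending" prefix check on the status value are assumptions.

```powershell
# Added example: poll directory synchronization state after running
# Set-MsolDirSyncEnabled -EnableDirSync $false, and log each check to CSV.
# Requires the MSOnline module and rights to read company information.
Import-Module MSOnline
Connect-MsolService

$logPath   = '.\dirsync-deactivation.csv'   # hypothetical output file
$interval  = New-TimeSpan -Minutes 30       # assumed polling interval
$startTime = Get-Date                       # set to the time the disable was issued

while ($true) {
    try {
        $info = Get-MsolCompanyInformation -ErrorAction Stop
    }
    catch {
        # Long waits can outlive the session; reconnect and retry next cycle.
        Write-Warning "Query failed: $($_.Exception.Message)"
        Connect-MsolService
        Start-Sleep -Seconds $interval.TotalSeconds
        continue
    }

    $record = [pscustomobject]@{
        CheckedAt      = (Get-Date).ToString('s')
        ElapsedHours   = [math]::Round(((Get-Date) - $startTime).TotalHours, 1)
        DirSyncEnabled = $info.DirectorySynchronizationEnabled
        DirSyncStatus  = $info.DirectorySynchronizationStatus
        LastDirSync    = $info.LastDirSyncTime
    }
    $record | Export-Csv -Path $logPath -Append -NoTypeInformation
    Write-Host ($record | Format-List | Out-String)

    # Assumption: transitional states are reported with a "Pending" prefix.
    $pending = "$($info.DirectorySynchronizationStatus)" -like 'Pending*'
    if (-not $info.DirectorySynchronizationEnabled -and -not $pending) {
        Write-Host "Deactivation finished after $($record.ElapsedHours) hours."
        break
    }
    if ($record.ElapsedHours -gt 72) {
        Write-Warning "Past the documented 72 hours; attach $logPath to the support case."
    }
    Start-Sleep -Seconds $interval.TotalSeconds
}
```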

Cause:

The root cause remains unknown. Microsoft stated that this could be due to environments that have over 50,000 objects in Active Directory; however, that was not applicable in our environment.

Resolution:

From my perspective, we had to wait over 120 hours for deactivation to finish. I am told (which I have no evidence to prove or any cmdlets that were executed to validate) that the solution was applying a few internal synchronizations for your organizations to resolve the issue in the backend that can be applied by frontline in the future if it's needed.

References:

Directory synchronization for Office 365, Azure, or Intune can't be activated or deactivated
https://support.microsoft.com/en-us/help/2654338/directory-synchronization-for-office-365,-azure,-or-intune-can-t-be-activated-or-deactivated

Active Directory Synchronization
https://msdn.microsoft.com/en-us/library/azure/dn144766.aspx

 
