
Cleanup AD Dirsync Partitions

If you just installed DirSync and started a sync between your AD and Azure AD (Office 365), you will notice that all sorts of crap have been transferred online.

Time for a clean-up!

First of all, create an OU named Users, if it does not already exist. Then make 5 more OUs under it: Active Users, Disabled Users, Shared Resources, Distribution Groups, Security Groups. Then move the objects you have active into them. You need a tidy AD to do this right!

Then on your DirSync server go to C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe and start the client.

On the Management Agents tab, select the Active Directory connector, then Properties, then Configure Directory Partitions, then Containers. Select the containers you made in the previous steps, excluding Disabled Users.

Now the next sync will cover only those partitions! Time for the actual clean-up: we need to get rid of all the extra items that have been carried into our 365.

On the same screen, go under “Configure de-provisioning” and select “Stage a delete on the object for the next export run”.

Open Regedit and browse to HKEY_LOCAL_MACHINE\Software\Microsoft\MSOLCoExistence. Modify the FullSyncNeeded registry entry to a value of 1, and then click OK. This value will be reset to 0 after a full synchronization is completed.

Force a sync using PowerShell (Import-Module Dirsync, Start-OnlineCoexistenceSync).
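The scriptable parts of the procedure above, as an added example that is not from the original post: building the OU layout, listing the enabled users still outside it (these are the objects that will be staged for deletion once the connector's container list is narrowed), flagging the full sync in the registry, and polling FullSyncNeeded until DirSync resets it to 0. It assumes an elevated PowerShell session on the DirSync server with the ActiveDirectory RSAT module installed; the container selection and de-provisioning option in miisclient remain GUI steps. Function names are my own.

```powershell
# Added example (not from the original post). Assumptions: elevated PowerShell
# on the DirSync server, ActiveDirectory RSAT module present, OU names as in
# the post. The miisclient container selection itself is still done in the GUI.

Import-Module ActiveDirectory

# Sub-OUs from the post. 'Disabled Users' is created but is the one NOT ticked
# in the connector's container list, so its objects get de-provisioned online.
$SubOus = 'Active Users', 'Disabled Users', 'Shared Resources',
          'Distribution Groups', 'Security Groups'

function New-SyncOuLayout {
    # Creates OU=Users and the five sub-OUs if missing; returns their DNs.
    param([string]$DomainDn = (Get-ADDomain).DistinguishedName)
    $parent = "OU=Users,$DomainDn"
    if (-not [adsi]::Exists("LDAP://$parent")) {
        New-ADOrganizationalUnit -Name 'Users' -Path $DomainDn | Out-Null
    }
    foreach ($name in $SubOus) {
        $dn = "OU=$name,$parent"
        if (-not [adsi]::Exists("LDAP://$dn")) {
            New-ADOrganizationalUnit -Name $name -Path $parent | Out-Null
        }
        $dn
    }
}

function Get-SyncScopeReport {
    # Enabled users still outside OU=Users: once the connector is limited to the
    # new containers, these are the accounts that will be staged for deletion
    # in Azure AD, so review this list before the full sync.
    param([string]$DomainDn = (Get-ADDomain).DistinguishedName)
    Get-ADUser -Filter 'Enabled -eq $true' |
        Where-Object { $_.DistinguishedName -notlike "*,OU=Users,$DomainDn" } |
        Select-Object SamAccountName, DistinguishedName
}

function Request-FullDirSync {
    # Flags a full sync (DirSync resets the value to 0 when done) and starts it,
    # which is the post's last two steps.
    $key = 'HKLM:\SOFTWARE\Microsoft\MSOLCoExistence'
    Set-ItemProperty -Path $key -Name FullSyncNeeded -Value 1 -Type DWord
    Import-Module DirSync
    Start-OnlineCoexistenceSync
}

function Wait-FullDirSync {
    # Polls FullSyncNeeded until DirSync resets it to 0; $false on timeout.
    param([int]$TimeoutMinutes = 60)
    $key = 'HKLM:\SOFTWARE\Microsoft\MSOLCoExistence'
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $v = (Get-ItemProperty -Path $key -Name FullSyncNeeded).FullSyncNeeded
        if ($v -eq 0) { return $true }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    return $false
}

# Usage, run step by step around the GUI work:
New-SyncOuLayout
Get-SyncScopeReport | Format-Table -AutoSize     # move or accept these first
# ... select the OUs in miisclient and set the de-provisioning option, then:
Request-FullDirSync
if (-not (Wait-FullDirSync)) { Write-Warning 'Full sync did not finish in time' }
```

Run the report and move (or knowingly leave) anything it lists before the full sync, since the de-provisioning setting turns every out-of-scope object into a staged delete in Azure AD on that run. The wait loop is the check the post describes by hand: the registry value going back to 0 is the signal that the full synchronization actually completed.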


You are done!


Installing DirSync tool errors – Solved!

I have installed the DirSync tool in multiple instances for our clients. There has not been ONE time where everything went smoothly; there is always an error, even on clean installations of the OS.
Here is the ultimate solution.

You might see errors like SQL Express did not install, error code -2067922934, etc.

Consider the following scenario. You are migrating a client to 365, so you need the DirSync tool to sync the 365 tenant with the local AD. Following the Microsoft guidelines, you create a VM with a 100GB HDD and at least 4GB RAM running an updated version of 2008 R2 or 2012. You join the domain and you log in with an account with admin rights.
Those are not enough. The important step you are missing, and the reason you ended up on this page, is outlined in the following KB: http://support.microsoft.com/kb/2000257


Here are the steps:

  1. Log on to the computer as a user who has administrative credentials.
  2. Click Start, click Run, type Control admintools, and then click OK.
  3. Double-click Local Security Policy.
  4. In the Local Security Settings dialog box, click Local Policies, double-click User Rights Assignment, and then double-click Backup Files and Directories.
  5. In the Backup Files and Directories Properties dialog box, click Add User or Group.
  6. In the Select User or Groups dialog box, type the user account that is being used for setup, and then click OK two times.
  7. Repeat the procedure for the other two policies that are mentioned in the “Cause” section.
  8. On the File menu, click Exit to close the Local Security Settings dialog box.

You might want to turn this into a domain GPO, add the admin user to it and apply it to all your clients, so you don’t run into this in the future.


Here is how to check what the current user has before and after:

Download this tool: http://download.sysinternals.com/files/AccessChk.zip

Then run: accesschk.exe -a yourdomain\yourusername *
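An added example, not from the original post or from Microsoft's KB, that covers both the user-rights steps above and the before/after check: it reads the local User Rights Assignment with secedit (which ships with Windows, so no download is needed), tells you whether a given account holds a right such as Backup Files and Directories (secedit's name for it is SeBackupPrivilege), and can grant it while keeping the existing holders. It assumes an elevated PowerShell session on the server being set up; 'yourdomain\yourusername' is the placeholder from the post and the function names are my own.

```powershell
# Added example (not from the original post). Assumptions: elevated PowerShell
# on the DirSync server; account and privilege names below are placeholders.

function Get-AccountSid {
    # Resolves 'domain\user' to its SID, which is how secedit lists holders.
    param([Parameter(Mandatory)][string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-UserRightAssignment {
    # Returns the SIDs currently assigned a privilege, parsed from a secedit
    # export of the USER_RIGHTS area. Export line format:
    #   SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
    param([Parameter(Mandatory)][string]$Privilege)
    $inf = Join-Path $env:TEMP 'userrights-export.inf'
    Remove-Item $inf -ErrorAction SilentlyContinue
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match "^$Privilege\s*=" } |
            Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ }
}

function Test-UserRight {
    # $true when the account itself (not a group it belongs to) holds the right.
    param([string]$Account, [string]$Privilege)
    (Get-UserRightAssignment $Privilege) -contains (Get-AccountSid $Account)
}

function Grant-UserRight {
    # secedit /configure replaces the holder list for a right wholesale, so the
    # current holders are re-included and the new SID is appended.
    param([string]$Account, [string]$Privilege)
    if (Test-UserRight $Account $Privilege) { return }
    $sids    = @(Get-UserRightAssignment $Privilege) + (Get-AccountSid $Account)
    $holders = ($sids | ForEach-Object { "*$_" }) -join ','
    $inf = Join-Path $env:TEMP 'userrights-grant.inf'
    $db  = Join-Path $env:TEMP 'userrights-grant.sdb'
    @(
        '[Unicode]', 'Unicode=yes',
        '[Privilege Rights]', "$Privilege = $holders",
        '[Version]', 'signature="$CHICAGO$"', 'Revision=1'
    ) | Set-Content -Path $inf -Encoding Unicode
    secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
}

# Usage: check before, grant, check after (placeholder account name).
$setupAccount = 'yourdomain\yourusername'
foreach ($right in 'SeBackupPrivilege') {      # add the KB's other rights here
    "$right before: $(Test-UserRight $setupAccount $right)"
    Grant-UserRight -Account $setupAccount -Privilege $right
    "$right after:  $(Test-UserRight $setupAccount $right)"
}
```

Two caveats. The test looks for the account's own SID, so a right held only through a group (Administrators, for example) shows as $false here even though accesschk reports it as effective; check the group SIDs from whoami /groups as well before deciding the account lacks it. And a user right takes effect at the account's next logon, so log the setup account off and on again before re-running the DirSync installer. The granting function assigns one specific right to one account, which keeps the change narrower than putting the account into a broad local group.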