5- Azure AD Connect Sync : Duplicate Identities troubleshooting Scenario-1 : IT Admin Series

Captions
Hi guys, welcome to another video from ITCents. My name is Vessel, and this time I'm covering a scenario which is related, again, to soft and hard matching, and about syncing users from on-prem to Azure AD using Azure AD Connect, in a typical Office 365 scenario where all your mailboxes are in Office 365. So the scenario is: what if an on-prem user account goes out of sync scope? Let's say I'm syncing an OU called... or let me just show you actually, this will be much better. I go to my domain controller. Currently I'm using AD Connect and I am syncing the Corp OU and its sub-OUs, which have all my user accounts (user 1, 2, 3 and 4), and the Test OU. So these are the OUs I am syncing at the moment, and as you can see in my Office 365, user 1, 2, 3 and 4 have synced identities, right? They are synced from on-premises. We did matching, hard and soft matching and all that, we fixed all those duplicate identity issues and we merged them, and it's all fixed now, no issues related to that.

So what if I accidentally start a deletion? By the way, if I move a user account to some other OU, let's say I have another OU called Sales, just an example, what if I move this user to Sales? Well, technically the user02 account will not get deleted from on-prem, it's just moving from one OU to another, right? It means, as far as on-prem services are concerned, user 2 will still be able to log into his computer or workstation, will still be able to use file and print services, will still be able to use database services (let's say SQL is using Windows-based authentication, for example) and what not, browse the internet based on AD authentication, everything. However, in terms of AD sync from on-prem to Azure AD, when I move this user account to another OU and Azure AD Connect runs its next replication cycle, it will detect this change and it will take this change as a delete, and it will notify Azure Active Directory that user02 doesn't exist anymore. And what will happen? My user 2 account in Azure AD will get deleted and will be resting under Deleted users, because from the Azure AD Connect perspective this user doesn't exist anymore. And that will impact all my Office 365 services, because my mailbox is in Office 365, for example, right? And it's not just the mailbox: my OneDrive, my Microsoft Teams, whatever Office 365 services I'm using, or sorry, user 2 is using, will be affected. Because, points to remember: user mailbox in Office 365, no on-prem Exchange, no hybrid, nothing; and going out of sync means the synced account will get deleted from Azure Active Directory.

So if this happened, how to recover it, how to fix this problem? This is what I'm gonna show you in this video. So we will simulate: I will wear the hat of an IT admin and assume and pretend that I'm dealing with this issue for the first time, like many other IT admins out there. Some of you may already know all this and know how to fix it, but some of you might not, so I'm pretending that I don't, and let's see, when this happens, what are the logical steps that I may think of and follow in order to make sure that I can fix this issue. Before we proceed, just to show you my user 2 account: I log into the Office 365 mailbox and I can access everything, so the account is working as expected, it can access the mailbox and everything. But now things are gonna change, okay?

So let's begin. First thing first, I go to my Active Directory and let's move user 2 to Sales. So now, as Azure AD Connect is syncing only Corp and its subfolders and Test, user 2 doesn't exist in any of these OUs. So I go to the Azure AD Connect server and run Start-ADSyncSyncCycle -PolicyType Delta, and I open the Azure AD Sync service, and it will trigger in a minute. Yeah, it started. While it's doing this I could pause the video, but I want to show you something; it may pop up shortly, just bear with me, I want to show you as it happens, so it won't take long. You see: Deletes 1. So if I click on Deletes 1, under distinguished name, the properties say user 2, user02, itcents.net, delete. So it notifies Azure AD that "hey, delete user02 from Azure AD, it doesn't exist anymore on-prem", which is incorrect: the user account user02 still exists on-prem, right? It's just in another OU. So as far as on-prem services are concerned user 2 is still active, he's still accessing databases, print services, file services, no issues at all. But from the Office 365 perspective this user will be in big trouble, because he won't be able to use his mailbox anymore and what not, depending on what other Office 365 services he uses. Because if we go here and refresh, user 2 is gone, and as I said earlier it's resting under Deleted users, it got deleted. So it means, if by any chance I refresh this mailbox... okay, I'm getting some sort of a cached copy or something, but if I click New message, yeah, see: "your account or password is incorrect". It's showing signed in but says incorrect. It's not a password problem, because we know the problem is in the account itself: it doesn't exist anymore, right? It got deleted. Oh man, some new IT admin wasn't aware of how AD Connect works, and he just wanted to test some group policy or whatever reason, he just moved an account and boom shakalaka, we have an issue. Right now user 2 is pissed.

So how to fix this issue, what should we do? Okay, let's say I'm a junior IT admin, and what's the first thing that will come to my mind? I may say: okay, what should I do? How about, because I moved this, how about I move it back, will it fix it? So I take this and bring it under Users again, all right, and then go to AD Connect. Keep in mind we're all pretending we are IT admins, not too much experienced, but trying to solve it based on thinking, right? We don't know for sure how it will be solved, but we are taking steps, sometimes logically, sometimes it may become illogical, but anyway. So as an IT admin I put the user back in that OU and now I'll run Delta. Keep this in mind: it's not just about the user account, it's about services. There is a mailbox, emails, important emails are sitting in that mailbox, and that is associated with the user account we just got deleted and sitting in the recycle bin, or under Deleted users to be precise. So let's see. My admin thinks it may solve this problem, so my admin is saying to user 2: "yeah yeah, it's in the process, just give me five minutes, it will be all hunky-dory." But will it be? It says Adds 1, something got added, and it's user 2, we can confirm it's added. Okay, maybe this will fix it, maybe my admin is spot on. So let's go here and go to Active users, and user 2 is getting synced, right? Okay, these are two good things, but is it the same user with the Office 365 license? Well, looks like it is, isn't it? Because under the License column it's there. It's not a brand new user, because if it's a brand new user it won't get a license assigned automatically, right? And if I click, I see it has exactly the same license that I had assigned: Exchange, Office on the web, SharePoint and all. So what if I click under Deleted users? Nothing. So it means, when we bring the user back to the synced OU, Azure AD Connect on the next delta will notify Azure Active Directory that "hey, the user 2 account needs to be added", so Azure AD will check and it recalls that user account from the deleted items, sorry, from Deleted users, and puts it back where it belongs, under Active users. Because don't forget, it's still matching: username is matching, UPN is matching and email address is matching, and on top of that we also did hard matching, right, by using objectGUID and stamping it in ImmutableId. So it's smart software: it knows, okay, it was gone, it went to deleted items, but as soon as the object came back under the synced scope it realizes it, and instead of creating a brand new user account it recognizes that a user with similar attributes is still there under Deleted users, and it brings that back with all its glory. So it means if I try again... looks promising, yes please. And my user 2 is in a happy mood right now because he got his mailbox.

Okay, so this is the simplest and easiest way. So well done junior admin, you did the right thing, you took the right steps and fixed the issue on time without panicking; it may have gotten worse. Maybe what if we try to restore the object from deleted items? If you go that path, keep this in mind that Office 365 will restore that user as a cloud user, okay? And then again we have to fix it to make sure it gets synced properly. All right, so let's twist it a little bit. What I'm trying to say is this, if I can explain to you: let's take user 3 as an example now. Okay, so before we move on we can say: solution, bring the on-prem user account back to the sync scope, under the right OU where it was syncing, and it worked, so tested and confirmed. Okay, so we have tested that: just bring the user back to the synced scope. Our admin brought that user back to the same OU where it was, or in replication scope, and it got fixed automatically, right? But let's say I have another admin somewhere in some other company, and this admin takes a slightly different step. I'll tell you what I mean. Let's take user 3 as an example, okay? So I hope it asks me for a password, because I don't want to use user 2. Yes, perfect, so I would say Use another account: user003@itcents.net. All right, let's take user 3 as an example. I'm opening the mailbox of user 3 so again we can confirm whether it's working or not working. So user 3 this time is the guy, okay, let's say another company and we have another junior admin; it's another company, user 3 logs in, checks mailboxes, and again the same thing happens. As you can see the user 3 account is synced currently. The admin moved this user 3 account to the Sales OU, which is not getting synced, right? And after 30 minutes, when Azure AD Connect runs the sync, it finds that the user 3 account doesn't exist under those synced OUs, and what will happen? It will get deleted, right? We don't want to wait 30 minutes of course, so that's why I just manually triggered the sync. So, as expected, we should be able to see that the user 3 account will get deleted from Azure AD. Again, the on-prem user 3 account still exists with all its glory, with all its attributes (I mean, it's an object itself), so user 3 will not notice anything as long as he's accessing on-prem resources. But there are many other services that he's using from Office 365, and the mailbox and emails are one of them. Again, as expected, Deletes 1. So click here: user 3, right, as expected. Right now user 3 is pissed. So let's refresh user 3. Let's say he was using Microsoft Teams or Office 365, all right, one email, and tried to compose a message, or wanted to attend a very important meeting using Teams or Skype for Business or anything else, and now user 3 is having some issues, right? And user 3 now asks for a solution: how to fix that? So let's see what happens in the cloud. If I go here and refresh, user 3 is gone, and as expected it's right there. Right now, admin cap on, I'm not the same admin who has tackled this before, I'm somebody else. Somehow I just keep getting it, I think it's the cache or some reason; just to confirm, I am logging into user 3. Yep, I think there's some glitch or whatever, anyway. So back here, let me try to compose a new message and see too, amazing if it can still work. See, I don't see user 3 itself because it's gone, but somehow I can open the mailbox, unbelievable, some glitch. Okay, so test message, and send. Okay, while that fails... I don't know, there is some sort of weird glitch, I think it's just taking time to realize that the mailbox doesn't exist. Good for an admin, the guy is getting his own time. But see what I'm trying to explain here, basically. So let me refresh. The mail didn't show up, of course. So yeah, the mail didn't show up, the mail is not going, so yeah, that's one of the indicators that the mailbox is not working as expected. So anyway, let's move on to this path, which is: user 3 will realize very shortly, or very quickly, that emails are not getting delivered when he needs to send some important emails. And yeah, you may see results more quickly if you are using the Outlook client. But let's move on to the subject here, that I'm another admin and I want to fix this issue. Okay, or in case you're wondering, let's just do it: sign out, and okay, let's say he went back to lunch or something. For some reason he got signed in, sorry about this glitch, it's just weird stuff, but it's good if it's happening, at least it's giving some time to the user, or to an admin actually. And this guy is... oh, not user 1, my friend, come on. Okay, now user 3, yeah, finally. Okay, it took some time and some glitch, so anyway.

So user 3 will be calling the admin, and this time what is the admin gonna do? It's another admin, by the way. He says: "oh okay, oh, it got deleted". So what if he goes there and says Restore? And if you click Restore, look what it's saying: before you restore you need to make sure you have a product license available, because it will restore all the associated data, license and everything, and it's asking for a password. It means it has full intention to restore this user, user 3, as a cloud user, right? That's why it's asking for a password, because if it's gonna restore the synced user, passwords are getting synced from on-prem AD, it shouldn't ask me for a password, right? So my guess is it's gonna restore it as a cloud user. Restore. Okay, close. So if we go under Active users, as expected, user 3 is not synced anymore, it's appearing as an In cloud entity, and as this admin typed a different password it won't solve the problem. Can user 3 log into his mailbox? Well, user 3 will be able to log in to the mailbox if he types the password of the cloud user identity that the admin has just created; then he will get the mailbox fine. But if the on-prem password and cloud password are different (because of course the admin won't know his password), then he won't be able to log in, because now there is no more sync, right? Sync is broken, they are not matched anymore. So what about, as the admin realized that it's a cloud identity, what he tried to do to fix this? How? By bringing that user 3 back. Now, after restoring the user from Deleted users, he realizes that the user has been restored as a cloud user, so he wants to try something different, or the next step, which is bringing this user back to our replication scope. Remember, admin 1 in the previous case did this first and it was successful, but now unfortunately admin 2, who is a junior admin, restored that account first in Office 365 and it appeared as a cloud account, and now he wants to bring this account back to its original place, or the synced scope I would say. So it's there, and instead of waiting, of course, let's run sync and see whether it will fix this issue or not. I know the video is getting longer and longer and bigger, but these videos are also fun, right, like trying to predict what's gonna happen next. For some people I know it might be boring, but for those who have never experienced this before it might be interesting. So I'm having fun at least, pretending to be an IT admin, a junior IT admin to be precise. So all right, let's see if the sync finished or not yet. Some warnings: unchanged, export change not reimported, you see that? Delete... wow, okay. Unchanged 1, sync error for user 3, unchanged, all right, let's see, that's fine. Let's go to the domain controller, and this time let's refresh it. Still cloud. Maybe it's a glitch like in our previous video, right? So we go to Azure AD just to confirm, refresh users: user 3, Directory synced: No. It means it's still not synced, it's still a cloud identity, so this time it's not a glitch from the interface, it's really a cloud identity. Oh man, now this junior admin is getting panicked: what to do? We'll try to run sync again, maybe something different happens this time. Okay, let's see, let me pause the video just to save some seconds, so I will be back. Okay, sync has completed, still it's showing something: one is unchanged, no error though. But the poor admin guy is now sweating, right, because he goes to the domain controller, let's try to sync it... oh, don't sync it, I mean just refresh it; it's still cloud-based, right? And user 3 is an executive, one of the executives, I would say, not happy, and this junior admin is really, really confused about what to do. So he did not know that if, instead of recovering the deleted user from here, he just brought that synced object, this user, back to the synced scope, back to those OUs which are getting synced by AD Connect from on-prem AD to Azure AD, the problem would be fixed, it was a matter of minutes. All he had to do was just bring the user account back to one of those OUs which are getting synced through Azure AD Connect, and Azure AD Connect will do the rest: it will notify Azure AD, and Azure AD will match that user's attributes against the deleted user, because it realizes a user with these attributes is there but it's under Deleted users, "oh, it's the same user", and it will bring that user back from Deleted users automatically to Active users, like what the first admin did in the first case, right? Easy peasy. But now something needs to be done. Okay, so while browsing on the internet, someone shared a little trick; he calls somebody and says "I have something to tell you, try this". Okay, keep this in mind: the user 3 account was not deleted from Active Directory, right? So it still has the same objectGUID. However, user 3 is back as a cloud user. You might think you have to do hard matching and it will fix the issue. Before doing that and all this, the admin wants to try a simple trick that his friend told him over the phone. He says: go to on-prem AD, go to user 3's properties, and just change his user account to, let's say, an underscore, changing the UPN, not changing the pre-Windows 2000 logon name, because user 3 is using that one to log in to the workstation and access file, print and all; if you change this then user 3 will be pissed further, right? And luckily the UPN is what's used for Office 365, while on-premises he is using DOMAIN\user03 only, without the whole UPN. So anyway, he says just change this, okay, and then let's do another sync. We broke the rule of matching, right? So let's see, let's wait for sync, sync, sync, sync, kitchen sink... well, not kitchen sink exactly. Okay, oh, it still says unchanged, though: connectors with flow updates 1, okay, and here it's in progress, update 1, correct, and let's see what's this update: it says the update is for user 3, correct, it's saying user 3, user 3, but it's not showing that underscore over here, correct. Just to confirm, we had this, and what was that? Unchanged. Anyway, just to confirm we did put an underscore: yep. Okay, let's refresh this: boom shakalaka, synced from on-prem, yes. The username is changed but the sync worked. So it goes there, and the email address has also changed, by the way, right, because this is the username/email address, sorry, the primary email address is still there, itcents.net, but the UPN has changed. But our junior admin, with the help of a phone call from his friend, fixed this, he got some confidence. Okay, so now what he can do is just quickly jump over to the domain controller again, which happens to be the same machine I believe, but I think I have closed AD Users and Computers, so I just go right to user 3, change it back, apply, OK, minimize, jump to AD Connect, Delta please, all right, and let's see. So he changed a slight attribute, correct, and thanks to his friend he got some results, right, and he's keeping his fingers crossed that after he reverts the change and removes the underscore, the results still stay the same, that it doesn't change back again to a cloud identity, because he wants it to stay that way, he wants it to stay as an on-prem synced identity. Update 1, and it's looking good at the moment, yes, it's related to user 3, okay, yeah: old value was user_03, new value is user03. Okay, so it looks like he got it finally, but it was a tough, tough call for this poor chap. So let's see, moment of truth: yeah, it's changed, user03. So he now calls user03 and says: "sir, please, can you try to access your emails now using your on-prem password?" So the guy, who was working on something else, now says "okay, let me try". Let me click; previously I was even clicking here and it was not going through further, so let's try this, let me click this identity, sorry about that, but we click this identity and yeah, okay, I will type my domain password. Oops, what's that? Oops, my password is not accepted. Okay, all right, so let me close it and open again. It's just a glitch, guys. Sorry about that, the internet speed is slow. Which user is this? User 1? I don't know why user 1 keeps showing up here. Let's go to... Edge is not one of my favourite browsers, by the way, so sorry about that. And sign in: user03@itcents.net. Okay, hmm. Okay, in this case something funny happened: user 3 is trying to log in, right, and his on-prem password somehow did not work, so this admin is telling him to use the password that we typed in Office 365, and it worked. So is it like using an Office 365 account, a cloud-based identity, because the passwords are not the same? Well, let's see. So yeah, I got in with a password, but he could have logged in earlier by using the cloud-based password, right? So although it's showing synced, the password somehow did not go through. We should have used the on-prem password to log in to his mailbox, which did not happen; I had to type the cloud-based password, the password which was for the cloud identity. So just to make sure that it appears as really synced, we go to Azure AD. So now the admin sees yes, it is directory synced, but somehow the password is playing up. Okay, so now what's he gonna do, poor admin chap? He's gonna reset this password, okay, and keep this in mind: now this will affect this user's other services as well, on-prem services as well, because the password is changed, the on-prem password has changed, right? So the poor admin guy, making decisions, just keeps struggling just because he did not take one right step in the beginning, right? So going there and running Delta, keeping fingers crossed that the new password gets synced as a password hash, and he will make a typical request, he will say, a typical request like every IT admin used to say: "can you restart your computer and try again?", just to get enough time, because now the user's on-prem password has also changed, right? So Mr User 3 will be pissed. There is one update, okay: last password change. Anyway, this is an update; we have to check what it was, it must be the password. Anyway, all fine, so what we want... yeah, we will go there, and it's showing as synced, so it doesn't matter, we don't have to refresh this. The main issue is that it should work, it should behave as a synced one, right? So let's log off, or sign out. Okay, tell me something guys: do you think it would have been fixed if we had performed hard matching again, like instead of changing a small thing it would have matched those, you know, ImmutableIds, objectGUID mapping to ImmutableId? Anyway, let's go to office.com, sign in, okay, let's see: user03@itcents.net and password. This time I will write the password. Yes, I typed the on-prem password, the newly reset one, and it worked. I did not type the cloud password this time. So it looks like after a few attempts we got it, but look at the hassle: that junior admin restored it... let's try to send an email, let's not speak too early. So what I was saying is that he went through the hassle: first he restored the account and then realized, oops, that it was restored as a cloud account, right? So what he did then was bring the account back to the sync scope, or the synced OU, and after that it still didn't work, right? Then he was thinking and thinking, and finally he got a tip to just make a small change in the username, and that solved the sync problem, but the password was still not taking effect as it should, so we had to reset the password again and do a delta sync, and after that it all worked as expected. So far, looks like it, but just to confirm: yes, looks like we got it this time. But of course user 3 is not as happy as he could be, because the problem could have been solved earlier. Okay, he's sending this report to his boss, the IT admin boss, that yes, he got it finally. But yeah, it's delivered, so it's working.

So to summarize (it's been a long video, 55 minutes), to summarize my friend's solution: restored from Deleted users as a cloud user, changed the UPN prefix and synced again, changed the password and synced again, then it worked. To summarize: not a great idea or a great way to fix this type of issue. So bottom line: the issue got fixed ultimately in solution one and solution two. Admin 1 fixed the problem, admin 2 also fixed the problem, but who fixed it better? Of course admin 1: all he did was just bring back the account into the synced scope, to the OU where it was, and that's it, the rest of it was done by Azure AD Connect by itself. Admin 2 had to juggle a lot and do lots of things to get the same result, and he had to involve the user, which is the toughest part: "can you please log off, log in again, log off, log in again", you know, all this type of shebang, and it's not easy to ask this, especially of an executive, right?

So anyway, scenario one. I hope you like this video, I really enjoyed it, and maybe by this time nobody is watching because it's around an hour long, but the idea is to provide help to new and younger admins, you know, to fix this problem in a better way and to understand the thought process: what if I try this, what if I try that, so at the end there are no mysteries or puzzles left, right? So this is it guys, thank you so much, and before we go, yeah, thank you so much for watching, please do subscribe to my channel, and for any other requests and training, consulting assignments or anything, you can contact me through my website, itcents.com. So once again, thank you so much for your time, and take it easy.
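The video's root cause is a synced user sitting outside the OUs Azure AD Connect filters on, which the next delta cycle reports to Azure AD as a delete. The script below is an added example, not the video's own script, that runs this check on-prem before anyone moves accounts and cross-checks the Azure AD recycle bin; it assumes the ActiveDirectory module, a hypothetical `$SyncedOUs` list mirroring the Connect OU filter on the `itcents.net` domain, and optionally the MSOnline module for the cloud-side check.

```powershell
# Added example (not from the video): pre-flight check for the "user moved out of the
# synced OU" scenario. Lists on-prem users that carry a sync anchor but sit OUTSIDE the
# OUs Azure AD Connect syncs, i.e. the objects the next delta cycle reports as deletes.
# Assumptions (hypothetical values): ActiveDirectory module installed, $SyncedOUs mirrors
# the OU filter configured in Azure AD Connect, domain is itcents.net.
Import-Module ActiveDirectory

# Constructed sample scope, matching the video: the Corp OU (with sub-OUs) and the Test OU.
$SyncedOUs = @(
    'OU=Corp,DC=itcents,DC=net',
    'OU=Test,DC=itcents,DC=net'
)

function Test-InSyncScope {
    param([string]$DistinguishedName, [string[]]$ScopeOUs)
    foreach ($ou in $ScopeOUs) {
        # A child OU of a synced OU is in scope too, so a DN suffix match is sufficient.
        if ($DistinguishedName.EndsWith(",$ou", [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Get-ExpectedImmutableId {
    # Azure AD Connect writes the source anchor into Azure AD's ImmutableId as a base64 GUID.
    # The video's install stamps objectGUID; current installs use mS-DS-ConsistencyGuid, which
    # Connect fills from objectGUID the first time it syncs the object, so both give the same
    # value for a user that has been synced at least once.
    param($User)
    $anchor = $User.'mS-DS-ConsistencyGuid'
    if (-not $anchor) { $anchor = $User.ObjectGUID.ToByteArray() }
    return [Convert]::ToBase64String($anchor)
}

function Get-OutOfScopeSyncedUsers {
    param([string[]]$ScopeOUs)
    Get-ADUser -Filter 'Enabled -eq $true' -Properties 'mS-DS-ConsistencyGuid', UserPrincipalName |
        Where-Object {
            # Only objects Connect has already synced carry the consistency GUID; a brand-new
            # account outside the scope is not a deletion risk, it simply never reaches Azure AD.
            $_.'mS-DS-ConsistencyGuid' -and -not (Test-InSyncScope $_.DistinguishedName $ScopeOUs)
        } |
        ForEach-Object {
            [PSCustomObject]@{
                UserPrincipalName   = $_.UserPrincipalName
                DistinguishedName   = $_.DistinguishedName
                ExpectedImmutableId = Get-ExpectedImmutableId $_
                Fix                 = 'Move the object back into a synced OU, then run Start-ADSyncSyncCycle -PolicyType Delta'
            }
        }
}

$atRisk = Get-OutOfScopeSyncedUsers -ScopeOUs $SyncedOUs
$atRisk | Format-Table -AutoSize

# Optional cross-check against the Azure AD recycle bin (requires the MSOnline module and a
# prior Connect-MsolService). A soft-deleted user whose ImmutableId matches is the object
# Connect restores by itself once the on-prem account is back in scope (admin 1's fix);
# restoring it from the portal instead turns it into a cloud identity (admin 2's detour).
if ($atRisk -and (Get-Command Get-MsolUser -ErrorAction SilentlyContinue)) {
    $deleted = Get-MsolUser -ReturnDeletedUsers
    foreach ($u in $atRisk) {
        $match = $deleted | Where-Object { $_.ImmutableId -eq $u.ExpectedImmutableId }
        if ($match) {
            Write-Warning "$($u.UserPrincipalName) is already soft-deleted in Azure AD (matching ImmutableId); move it back into scope rather than restoring it from the portal."
        }
    }
}
```

Run it before any bulk OU reorganisation, or on a schedule, so the "Deletes: 1" the video shows in the Synchronization Service Manager is caught on-prem before the delta cycle exports it.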
Info
Channel: ITCents
Views: 2,698
Keywords: Office 365, Azure AD Connect, Hard matching, soft matching, duplicate identities, AD Sync error, Dirsync error, Exchange Online, IT Admin
Id: UZEJb3KHzcU
Length: 59min 21sec (3561 seconds)
Published: Fri Nov 13 2020