How Can I Safely Add a Second Entra Connect Synchronization Domain Without Disrupting My Existing Setup?

Asked By TechWizard42 On

I'm trying to recover a complicated environment that's had its fair share of mismanagement. Currently, I have a solid Entra Connect configuration linking my domain, DC, and sync server to our Microsoft 365 tenant, and I'm determined not to disrupt that sync. However, there are some orphaned accounts—including users, contacts, and a distribution group—that originated from an old 2008 server that no longer runs Entra Connect. My knowledge about when that server was decommissioned is limited due to sparse documentation. This old server is on a totally separate domain with no trust relationships to my main domain. The only link between them is that the UPNs are subdomains of my current, healthy domain.

I've set up a new server for the orphaned domain and installed Entra Connect. My objective is to synchronize those orphaned users and contacts to restore their editability, after which I intend to de-synchronize them to make them cloud-only. I'm worried that adding another forest or a different sync server might mess with my existing, functional primary sync server and domain. While the documentation warns against this kind of setup, it seems like it may work in practice.

Additionally, I noticed that my working domain sync uses ms-ds-consistencyguid while the orphaned domain uses objectGUID instead. Can anyone share their insights on how to handle this situation? Is there a more streamlined method to deal with the orphaned items without dipping into unsupported synchronization? If I decide to go down that unsupported path, what precautions should I put in place to ensure the integrity of my current sync remains intact?

3 Answers

Answered By SyncMasterX On

If the goal is just to unsync the orphaned items, why not go ahead and do that? Since it's a separate domain, you can flag that entire domain as unsynced, which will anchor all those objects to the cloud.

However, if it’s tied to your primary domain somehow, clearing the immutableID might be the way to go to un-link those specific objects.

Answered By AdminGuru77 On

Bringing in multiple Entra Connects from different domains into a single tenant can get really tricky, and I wouldn't recommend it. Is there a reason you can't just add those orphaned objects to your current domain? You can tweak the DNS suffix and adjust their UPNs accordingly.

If the orphaned objects in M365 already have immutable IDs set, you can just replicate those IDs for the new objects—what they were using before doesn’t really matter. If you can’t recreate the objects in your main domain, consider setting up a trust with your primary domain and adding the orphaned one to the Entra Connect Sync.
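The "replicate the existing immutable ID" step above is a hard match: the ImmutableId stored in Entra is the base64 encoding of the 16 source-anchor bytes, so writing those same bytes into ms-DS-ConsistencyGuid on the on-prem object makes a sync server that uses ms-DS-ConsistencyGuid as its anchor join the existing cloud object instead of creating a duplicate. The script below is an added example, not code from any of the answerers or from Microsoft; it assumes the ActiveDirectory and Microsoft.Graph PowerShell modules are installed, that the account running it can read the tenant and write to AD, and the UPN is a placeholder. It prints what objectGUID and ms-DS-ConsistencyGuid would each produce as an anchor, refuses to overwrite an already-populated consistency GUID (which may belong to another sync), and runs the write with -WhatIf until you remove it.

```powershell
# Added example: hard-match one on-prem AD user to its existing Entra ID user by
# copying the cloud ImmutableId into ms-DS-ConsistencyGuid. Not from the original
# thread. Assumes ActiveDirectory + Microsoft.Graph modules; the UPN is a placeholder.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName   # e.g. 'jdoe@sub.example.com' (constructed)
)

Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users

# Read-only scope is enough to inspect the anchor the tenant already holds.
Connect-MgGraph -Scopes 'User.Read.All'

# 1. Cloud side: ImmutableId is base64 of the original source-anchor GUID bytes.
$cloudUser = Get-MgUser -UserId $UserPrincipalName `
    -Property Id, UserPrincipalName, OnPremisesImmutableId, OnPremisesSyncEnabled
if (-not $cloudUser.OnPremisesImmutableId) {
    throw "No ImmutableId set in Entra for $UserPrincipalName; nothing to match against."
}
$cloudGuid = [Guid]::new([Convert]::FromBase64String($cloudUser.OnPremisesImmutableId))

# 2. On-prem side: compute the anchor each candidate attribute would yield.
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" `
    -Properties 'mS-DS-ConsistencyGuid', 'objectGUID'
if (-not $adUser) { throw "No on-prem user with UPN $UserPrincipalName" }

$objectGuidAnchor  = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
$consistencyBytes  = $adUser.'mS-DS-ConsistencyGuid'          # byte[] or $null
$consistencyAnchor = if ($consistencyBytes) { [Convert]::ToBase64String($consistencyBytes) } else { '<not set>' }

Write-Host "Cloud ImmutableId     : $($cloudUser.OnPremisesImmutableId)"
Write-Host "objectGUID as anchor  : $objectGuidAnchor"
Write-Host "ms-DS-ConsistencyGuid : $consistencyAnchor"

# 3. Decide. Already matching: nothing to do.
if ($consistencyAnchor -eq $cloudUser.OnPremisesImmutableId) {
    Write-Host 'ms-DS-ConsistencyGuid already equals the cloud anchor; no change.'
    return
}

# A populated but different value means some other sync may own this object.
# Overwriting it silently would re-anchor that object, so stop here.
if ($consistencyBytes) {
    throw "ms-DS-ConsistencyGuid is already set to a different value; refusing to overwrite."
}

# 4. Write the cloud anchor bytes into ms-DS-ConsistencyGuid so the new Entra Connect
# (anchored on ms-DS-ConsistencyGuid) joins the existing cloud object.
# -WhatIf makes this a dry run; remove it once the printed values look right.
Set-ADUser -Identity $adUser.DistinguishedName `
    -Replace @{ 'mS-DS-ConsistencyGuid' = $cloudGuid.ToByteArray() } -WhatIf
```

Run it once per orphaned object before enabling the new sync server, and compare the "objectGUID as anchor" line to the cloud ImmutableId: if the old 2008 server synced on objectGUID, the two will already be equal and the write simply pins that value into ms-DS-ConsistencyGuid, which is what lets the new server use ms-DS-ConsistencyGuid like the healthy one does without creating duplicates.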

Answered By CloudFixer99 On

A simple way to handle those unwanted accounts is to convert them into cloud accounts and then just delete them.
