Ever walked into an environment where the current IT team has no visibility of what the previous IT team did? Frustrating, right? In this case they were not even sure whether a directory sync service existed, let alone whether it was still running.
The first stop is portal.office.com to check the DirSync status, and this is where it gets confusing: the portal shows a DirSync Management section, which hints that this Office 365 tenant has had a synchronization service at some point, yet, as you can see below, it lists no service account and no last directory sync time.
Next, I went to their domain controller > Active Directory Users and Computers > Users OU. I found two synchronization service accounts, and neither was disabled. To work out which server each one belongs to, double-click the account to open its properties; the Description attribute usually records the server name.
- 1 service account with no indication of the sync server's location in its Description
- I was able to locate it anyway: it lived on a Windows Server 2008 R2 box
- 1 service account whose Description did indicate its location (one of the domain controllers, Windows Server 2012 R2)
I accessed both servers and found:
- the sync tool is installed
- the sync service is running (visible in services.msc)
- no sync operations have run
- no connectors are configured in the sync service
- the Windows Server 2008 R2 box runs the Microsoft Online Services Directory Synchronization tool (the 2013 release)
- the Windows Server 2012 R2 domain controller runs the Windows Azure Active Directory Sync tool (the 2014 release)
The newer version of the tool was renamed “Azure Active Directory Sync Services” (AADSync) and has since been replaced by Azure AD Connect. So both installs are installed and running, but neither has ever synchronized anything, which is consistent with the empty DirSync status in the portal.
A second way to confirm the finding is to export all attributes of the user list from on-premises Active Directory and from Azure Active Directory with PowerShell and compare them. (If you prefer to export only a few attributes, that is up to you.)
For Active Directory
#Run this command in the domain controller's Windows PowerShell
Get-ADUser -Filter * -Properties * | Export-Csv "filename.csv" -NoTypeInformation
Pick an active employee whose account predates 2013 (older than either sync tool) and note their objectGUID.
For Azure Active Directory you need:
- .NET Framework installed (latest)
- Microsoft Azure Active Directory Module for Windows PowerShell (the MSOnline module)
- Windows PowerShell
#Connect to the Azure AD service
#Key in your Global Admin credential when prompted
Connect-MsolService
#Get the full user list with its attributes (-All, otherwise only the first 500 users are returned)
Get-MsolUser -All | Export-Csv "filename.csv" -NoTypeInformation
Next, find the same long-serving employee in the Azure AD export and look at the ImmutableId value. If it is populated, a sync service has written to this tenant before: the ImmutableId is the Base64 encoding of the on-premises objectGUID's 16 bytes, so you can convert the objectGUID to an ImmutableId (or the other way around) and check that the two match. An empty ImmutableId on a user who has existed in AD since before 2013 means that user was created in the cloud by hand and never synced.
Once you have all of this, you can plan the clean-up and recommendations. Treat the orphaned sync service accounts as privileged (a sync connector account typically holds directory replication rights when password hash sync is enabled), so disable them and decommission the old sync servers rather than leaving them running. If sync is to be re-established, expect a longer process: existing cloud users must be hard-matched to their AD objects via ImmutableId, and users that exist only on one side must be created on the other.
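The objectGUID/ImmutableId check and the list comparison described above, as an added PowerShell example (not code from the original post). It converts in both directions, then classifies each cloud user as matched, orphaned (has an ImmutableId that no current AD object carries) or cloud-only (no ImmutableId). The users, GUIDs and the contoso.example domain are constructed sample data; the commented lines at the end show where the real Get-ADUser and Get-MsolUser exports would be substituted.

```powershell
# Added example, not from the original post. Sample users below are constructed.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][Guid]$ObjectGuid)
    # DirSync/AADSync/Azure AD Connect store the GUID's 16 raw bytes, Base64-encoded,
    # in the cloud object's ImmutableId (the default source anchor).
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) {
        throw "ImmutableId is not a Base64-encoded GUID ($($bytes.Length) bytes)"
    }
    New-Object -TypeName System.Guid -ArgumentList (,$bytes)
}

function Compare-SyncState {
    param(
        [Parameter(Mandatory)][object[]]$AdUsers,    # need UserPrincipalName, ObjectGUID
        [Parameter(Mandatory)][object[]]$CloudUsers  # need UserPrincipalName, ImmutableId
    )
    # Index the on-premises users by the anchor a sync engine would have written.
    $byAnchor = @{}
    foreach ($u in $AdUsers) { $byAnchor[(ConvertTo-ImmutableId $u.ObjectGUID)] = $u }

    foreach ($c in $CloudUsers) {
        if ([string]::IsNullOrEmpty($c.ImmutableId)) {
            $state = 'CloudOnly'        # never written by a sync engine
        } elseif ($byAnchor.ContainsKey($c.ImmutableId)) {
            $state = 'Matched'          # anchor still resolves to a current AD object
        } else {
            $state = 'OrphanedAnchor'   # synced once, but no AD object carries this GUID now
        }
        [pscustomobject]@{
            UserPrincipalName = $c.UserPrincipalName
            ImmutableId       = $c.ImmutableId
            ObjectGuid        = if ($c.ImmutableId) { ConvertFrom-ImmutableId $c.ImmutableId } else { $null }
            State             = $state
        }
    }
}

# Constructed sample data standing in for the two CSV exports (hypothetical tenant).
$adUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; ObjectGUID = [Guid]'0f3e1d2c-4b5a-6978-8a9b-0c1d2e3f4a5b' },
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   ObjectGUID = [Guid]'11111111-2222-3333-4444-555555555555' }
)
$cloudUsers = @(
    # alice: synced before, AD object still present
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; ImmutableId = (ConvertTo-ImmutableId ([Guid]'0f3e1d2c-4b5a-6978-8a9b-0c1d2e3f4a5b')) },
    # carol: synced before, but her AD object no longer exists
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; ImmutableId = (ConvertTo-ImmutableId ([Guid]'deadbeef-0000-0000-0000-000000000001')) },
    # dave: created directly in the cloud, never synced
    [pscustomobject]@{ UserPrincipalName = 'dave@contoso.example';  ImmutableId = $null }
)

Compare-SyncState -AdUsers $adUsers -CloudUsers $cloudUsers | Format-Table -AutoSize

# Against live data, replace the sample arrays with the real exports, for example:
#   $adUsers    = Get-ADUser -Filter * -Properties ObjectGUID
#   $cloudUsers = Get-MsolUser -All | Select-Object UserPrincipalName, ImmutableId
```

Before doing the per-user comparison it is also worth running Get-MsolCompanyInformation once: its DirectorySynchronizationEnabled, LastDirSyncTime and DirSyncServiceAccount properties answer the tenant-level "was sync ever on" question directly, and a populated LastDirSyncTime with a now-missing service account points at the same orphaned-server scenario as the portal page.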