Posts Tagged ‘Active Directory’

Office 365 and Windows Azure Dirsync part 2: Filtering AD Groups…if you can!

This  is the second part of our Office 365 migration issues in hopes someone will find it helpful. When we were upgraded previously from the 2007 series of software to the 2010 series I had to make some changes to AD groups so they wouldn’t show up in Microsoft’s BPOS admin portal. Back then, they filtered your AD security groups in 3 different ways.

SecurityEnabledGroup objects are filtered if:

  • isCriticalSystemObject = TRUE
  • mail is present AND DisplayName isn’t present
  • Group has more than 15,000 immediate members

So I went about adding bogus email addresses to all of the groups that were showing up (roughly 50 or so.) No biggie, it worked….back then!

Now that I’ve upgraded to Windows Azure Dirsync w/ password sync, all of those groups that I painstakingly modified so they would be filtered out of BPOS now are imported automagically as “MailEnabled Security Groups” YAY! Needless to say, I didn’t want them to appear in the GAL so I had to take some steps to get them out of Office 365.

Now Office 365 filters SecurityEnabledGroups like so…

SecurityEnabledGroup objects are filtered if:

  • isCriticalSystemObject = TRUE

And that’s it!

Like I said previously, my big concern was removing them from the GAL so I went back through my AD Groups and removed all of the bogus email addresses and figured I was done. Not so fast! Upon the next sync, all of those groups were still present in the GAL but their email address’s had changed from to . Because the groups were still considered MailEnabled Security Groups, Office 365 reverts them back to your default domain email address and also changes the first half of the email address, the local part, to match the group name. Example: I gave the AD group “AccountingOnly” an email address of This way I knew I won’t have to worry about duplicate email addresses. When I removed the email address from AD, Office 365 filled it in with Bottom line, it was still showing up in the GAL and I wanted it gone. So, I had to do it via PowerShell like so.

Get-MsolGroup -ALL

This showed me all of the groups I had in Office 365. You can see the AD groups Dirsync uploaded as MailEnabledSecurity groups along with other groups that didn’t have an email address which appeared as just Security groups and also Distribution List groups. After scouring the MailEnabledSecurity groups to make sure they were all the ones I wanted gone, I simply did…

Get-MsolGroup -GroupType MailEnabledSecurity | Remove-MsolGroup -Force

This way I wasn’t being prompted to yes/no/suspend the operation for each one.

Once that was done, I changed the registry HKLM\SOFTWARE\Microsoft\MSOLCoExistence key “FullSyncNeeded” to 1 and issued a PS command of Start-OnlineCoexistenceSync which made it do another Dirsync right then. Surprisingly, the AD groups I just removed weren’t showing back up in Office 365 right away. It took another full Dirsync about 24+ hours later for all of the groups that were removed to show back up and this time they showed up as only Security groups not MailEnabled Security groups.

Also, if you’re like me, you’ll want to watch the Dirsync as it’s happening so open up your miisclient.exe which can be found in C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell directory.


Here’s a bunch of links for more info: (MS’s website which shows how Azure does its’ filtering. To me, this isn’t accurate any longer.) (Office 365 wiki link which shows how it filters now. Here you can clearly see they’ve changed filtering.) (Same Office 365 wiki but the main Directory Integration Services area.) (Main Dirsync content map page.) (KB page on “Mail-enabled groups that have an email address aren’t synchronized to Office 365” why couldn’t I have THAT problem!) (KB page on “Object that’s deleted from the on-premises Active Directory isn’t removed from Windows Azure AD after directory synchronization” talks about using PowerShell to remove them from Office 365 manually.) (Force Dirsync page via PowerShell.) (TechNet page on the Remove-MsolGroup PowerShell command.) ( Alian’s page which shows using pipes FTW!) (TechNet page on Get-MsolGroup PowerShell command. This command didn’t play nice for some reason when I used it.)


Office 365 and Windows Azure Dirsync part 1: Filtering AD User Objects

At work we use Microsoft’s Cloud offering called Office 365. We were one of the early adopters and signed on with BPOS back in 2010 ish time frame. Even back then, they had an Active Directory Sync tool and each time we were upgraded from 2007 toolset -> 2010 toolset to now 2013 toolset we had to tweak our AD Sync tool to keep our GAL clean of disabled or service accounts. This wasn’t an easy feat initially but I was pointed in the right direction by and have since managed to reapply the same filtering technique for Office 365’s new Dirsync tool called Windows Azure Directory Sync. We were pressed into upgrading our dirsync tool because they started blocking as of Oct. 1st 2013 the previous tool due to it being A) 32 bit and B) Microsoft Identity Lifecycle Manager 2007 fp1 at its core. They’ve now got us using Forefront Identity Manager 2010 R2 which has password synchronization! Yay! I managed to hold off implementing ADFS just long enough for Microsoft to find an easier way for our users to start using Same Sign-On.


So, how do you configure the new Dirsync tool so it won’t send every single AD User Object into Office 365? By filtering your Active Directory Connector Management Agent using miisclient.exe.

1) Open up your miisclient.exe and go to the Management Agents option.

2) Next, right-click your Active Directory Connector listed under Management Agents and select properties.

3) Now select Configure Connector Filter and scroll down on the right-hand side until you find User. Here the user filter is declared thankfully so we can tweak it the way we want (unfortunately group is a Rules Extension which has changed and will be addressed in Part 2 of the write up.)

4) While user is selected, and you can see the 15 different filters for users, select “New…” across the bottom and create a filter appropriate for your organization. For ours, we selected attribute = ipPhone, Operator = Does not equal and Value = 1. This way, it will only synchronize AD User Objects that have their ipPhone = 1 on their AD properties page (this way I don’t have to use ADSI Edit for each user w/ in our company.)


All in all, pretty straight forward. Now fixing our groups that got sucked up into Office 365 are another matter!



Here’s a couple of links I found useful regarding setting up this new filter inside Forefront Identity Manager 2010: (MessageOps website. Scroll to the bottom for Dirsync.) (Dirsync FAQ.) (MS’s steps for configuring filtering on Dirsync. I chose User Attribute Based filtering since we’re a small company and it was easier.) (Top level of Dirsync. useful info if this is your first time using AD sync w/ Office 365.) (Windows Azure Dirsync’s password sync feature. We definitely love it.) (Announcement that Azure sync now does passwords!) (Password sync troubleshooting guide.) (MS’s justification for making us bump up to 64 bit.) (general Dirsync blog)



USN Rollback on a Domain Controller

This one bit me in the behind a while back. Essentially, the AD server was restored from a snapshot but had USN numbers that were younger than another servers’ USN numbers which was trying to connect to the AD server. This put the AD server into “disabled” mode so it wasn’t being used for AD stuff. The only way I could permanently fix my USN rollback issue was by keeping the other server off and restoring it to a previous snapshot as well. Long story short, this sucked to fix.


Couple of links:


Configuring Windows Time Service on a Domain Controller

I’m getting ready to migrate our AD servers to a virtual environment and one of the things that can get messed up is the AD servers’ time. Also, I’m joining some non Windows systems to the Windows domain which might encounter some time sync issues since they aren’t currently configured to use the domain’s NTP server (easy fix I know but I’m saving that for another post!)

Short story long, your AD server typically uses its’ CMOS time versus an external NTP server which is all fine and good so long as A) it’s a real hardware server not a virtualized one and B) No other servers in your infrastructure use other NTP servers (ie. Linux server ‘A’ isn’t using which will have a different time then your main AD server which is going off of it’s CMOS clock!)

So, I did some searching on the interwebs and stumbled upon a couple of useful links on how to modify your registry on your AD server so it:

A) Uses an external time source versus the CMOS time & date.

B) Has a number of servers to attempt time updates from (use spaces to delimit servers! and don’t forget to append “,0x1” at the end if you’re using a FQDN versus an IP Address!)

C)…I forget C!


Anyhow, here’s some links I wrangled up. (this one was most helpful!)




Joining domain fails when domain suffix isn’t supplied

So I’ve got my own Active Directory server at home w/ multiple network segments. On one of these network segments, I’ve got a Win2008R2 server w/ a static IP address that needs to join the domain but isn’t on the same network segment as the AD server. When I attempt to join the domain I get the following error message.

Once I get the error message and do a reboot I’ve joined the domain w/ no perceivable errors except the one shown above. I can log into the server w/o any issues using domain user accounts and everything appears fine. Obviously not satisfied w/ this conclusion I start doing some searches and remove the server from the domain to see if I can repeat the above error message.

Finally after searching for an hour I stumble upon a similar domain joining error on Lumbgaps blog and add a domain suffix to my server via the advanced settings on my network card. Once joined, I remove the domain suffix w/o any issues. Seems the server was having a domain searching issue and wasn’t appending the right FQDN on the end of whatever it was doing. This fixed it.

Link to Lumbgaps blog:

Return top
Icons made by Freepik from is licensed by CC BY 3.0