Information

I regularly work with multiple Azure Active Directory and Office 365 tenants. Recently I wanted to utilise a domain that was attached to a tenant that had expired in December 2015, but did not know how to recover it.

The various portals that you can utilise offer very little guidance.

Azure Active Directory was a little more than useless

AAD Error

but the new Office 365 portal offered hope, with an indication as to which tenant it was attached to.

O365 Clue

So now what are my credentials?

Recover Account

Fortunately there is a link to reset your account details, which were emailed to the @outlook.com email address that I added when creating the tenant.

Once I had recovered my credentials, I could access the portal and delete the domain.

Remove

If you get the message below, you have objects (users, groups or contacts) in the directory that still have the domain you are trying to delete associated with them.

progress

The domain is now removed and can be utilised in another tenant.

Gone

Initialize-ADSyncDomainJoinedComputerSync

Azure Active Directory Connect (AADConnect) is the tool that connects your on-premises Active Directory to Azure Active Directory.

At the end of the setup there is a rather unhelpful message asking you to run

AdSyncPrep:Initialize-ADSyncDomainJoinedComputerSync

Translated into English, this means the following (also see Update 20/07/2016):

  1. Open PowerShell and set your execution policy to unrestricted.
    set-executionpolicy unrestricted

  2. Change directory to
    C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep

  3. Then
    import-module .\AdSyncPrep.psm1

  4. Then
    Initialize-ADSyncDomainJoinedComputerSync

  5. Supply values for the following parameters:

    AdConnectorAccount: your AAD connector account.
    i.e. identitatem\svc_aadconnect@identityproject.co.uk

    AzureADCredentials: your credentials for Azure.
    logon@identityproject.co.uk

  6. If successful you should see
    Initializing your Active Directory forest to sync Windows 10 domain joined computers to Azure AD.Configuration Complete

  7. As good practice, set your execution policy back to restricted.
    set-executionpolicy restricted

Update 20/07/2016:

This must be run from a computer that has the Active Directory module for Windows PowerShell and the AD DS Snap-Ins and Command-Line Tools installed.

Tooling

Failure to have both options installed will result in two errors:

The first error is obvious.

ADSyncPrepError

The second is not quite so obvious: a dsacls.exe error is generated because the command-line tooling is not installed.

DSAcls Error
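
The steps above with the prerequisite checks from the update folded in, as an added example rather than code from the original post. The function name Invoke-AdSyncPrepChecked is hypothetical, and the execution policy is relaxed with -Scope Process so the change ends with the session instead of applying machine-wide.

```powershell
# Added example, not from the original post. Paste into a PowerShell session
# on the AAD Connect server. Invoke-AdSyncPrepChecked is a hypothetical name.
function Invoke-AdSyncPrepChecked {
    [CmdletBinding()]
    param(
        # AAD connector account, as asked for in step 5
        [Parameter(Mandatory)]
        [string] $AdConnectorAccount,

        # AdPrep folder from step 2
        [string] $AdPrepPath = 'C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep'
    )

    $modulePath = Join-Path $AdPrepPath 'AdSyncPrep.psm1'
    $missing = @()

    # Prerequisite 1: Active Directory module for Windows PowerShell
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        $missing += 'Active Directory module for Windows PowerShell'
    }
    # Prerequisite 2: AD DS command-line tools (source of the dsacls.exe error)
    if (-not (Get-Command -Name dsacls.exe -ErrorAction SilentlyContinue)) {
        $missing += 'AD DS Snap-Ins and Command-Line Tools (dsacls.exe)'
    }
    if (-not (Test-Path -LiteralPath $modulePath)) {
        $missing += "AdSyncPrep.psm1 (looked in $AdPrepPath)"
    }
    # Report every missing piece at once, before anything is changed
    if ($missing.Count -gt 0) {
        throw "Missing prerequisites: $($missing -join '; ')"
    }

    # Process scope: the relaxed policy ends with this session, so there is
    # no machine-wide setting to put back afterwards.
    Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force

    Import-Module $modulePath
    $azureCred = Get-Credential -Message 'Azure AD credentials'
    Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount $AdConnectorAccount -AzureADCredentials $azureCred
}
```

Call it with the connector account only; the Azure AD credentials are prompted for rather than typed on the command line.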


Why

This is a book that I have read a few times and I have found it invaluable in how I approach issues in life, the office and specifically issues around IT.

This book has made me no longer approach the problem with the question “What are you trying to do?”, but with “Why are you doing this?”.

Understanding the “Why

Attempting to understand the “Why” has helped me immensely when implementing a solution or service; if it does meet the “Why”, it has made me think perhaps I should not be doing it.

Amazon Link

Blatant self-promotion, but I wanted to share a blog post from OneLogin that gives their list of top Active Directory experts (including me) and our top tips on “What you should never do when working with Active Directory”.

Top 6 (Independent) Microsoft Active Directory Integration Experts to Follow

Experts

Does anyone else have any other “No No’s” they would like to share?