How Do I Synchronize Users in a Pre-Existing AD Synched Domain?

While moving a pre-existing IT environment to Nerdio, you may encounter a scenario where AD Sync has already been enabled and is running in the pre-existing environment. Because AD Sync is already running, the users will be flagged as "Synced with Active Directory" in Microsoft 365. Follow the steps below to import users from such an environment into Nerdio.

If you haven't connected to M365 yet, you'll need to complete that step first. You can do this by following the instructions found here.

Nerdio Tip
  • IMPORTANT: The procedure below only applies if the existing user objects are "Synced with Active Directory". You should consult with a Nerdio onboarding engineer if your scenario is even slightly different or if you have any questions. You may need to leverage Nerdio’s Hybrid AD feature.
  • We've seen this process take 72-94+ hours. View the source article HERE


Step I: Prepare pre-existing environment

Complete the following steps in the pre-existing environment:

  1. Stop directory sync on the Microsoft 365 account. You can do this with the following PowerShell command:
    Set-MsolDirSyncEnabled -EnableDirSync $false
  2. Stop and disable the Microsoft Entra ID Sync service in the current domain.
  3. Users in Microsoft 365 should now show as "In Cloud" instead of "Synced with Active Directory".
    NOTE! We've recently seen this take anywhere from 1-24 hours, and up to 24-72 hours in some cases; it may also not happen at all until you proceed with the following steps:
  4. Run the script below to clear Immutable IDs. Note that you must set $custDomain to the users' primary domain. Also note that this sets a null ImmutableId value for each matching user (all of them).
    $custDomain = "*"   # replace with a pattern matching your users' primary domain, e.g. "*@yourdomain.com" (placeholder)
    $syncedUsers = Get-MSOLUser | Where {($_.userprincipalname -like $custDomain) -and ($_.ImmutableID -ne $null)}
    foreach ($user in $syncedUsers){
        # "$null" (the string) is used on purpose: passing a bare $null does not clear the value
        Set-MSOLUser -Userprincipalname $user.userprincipalname -immutableid "$null"
    }
    1. You can check progress, i.e. how many users have been set to $null and are ready to sync with Microsoft Entra ID, by running the command below with $custDomain = "*":

      Get-MSOLUser | Where {($_.userprincipalname -like $custDomain) -and ($_.ImmutableID -eq $null)}

      Nerdio Tip
      • If there are 200+ AD users in your environment you'll need to add "-All" to Get-MSOLUser, which should then look like "Get-MSOLUser -All | Where..."
  5. Once the previous step completes, verify that the primary domain is listed in NAP.
    1. Go to Onboard - Domains and make sure your domain is listed on the screen.
    2. Click the "Set as default" button to make your domain the default for users added to Nerdio.
  6. Finally, re-enable AD Sync in Microsoft 365 and allow the sync to originate from DC01.
    Set-MsolDirSyncEnabled -EnableDirSync $true
    1. You may receive an "unable to turn OFF sync" error even though you are in fact trying to turn it ON. In this case there is nothing to do but wait until the command stops returning the error and lets you actually turn sync back ON. See the source article HERE, and see the troubleshooting section below for more details on what to expect and how to manage it.
  7. After turning sync back on, the users you cleared need to show an "in-cloud only" status. If they do not, review the steps above carefully and double-check with Get-MSOLUser that each user's ImmutableId was actually set to null during the process.

Troubleshooting: As noted above, it can take an extended period of time before Microsoft allows you to re-enable DirSync as instructed in item 6. During this time there are a few things you can check to confirm the process is still moving along.

When attempting to run the command in item 6 you may receive an error. It will look like the one below and means the deactivation hasn't finished yet. You'll need to wait for it to finish before item 6 can be completed:

Set-MsolDirSyncEnabled : You cannot turn off Active Directory synchronization.
At line:1 char:1
+ Set-MsolDirSyncEnabled -EnableDirsync $True -Force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Set-MsolDirSyncEnabled], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.DirSyncStatusChangeNot

You can check the status of the process by running the script below: 


It will populate with information similar to the following:


What you care about is the last 5 lines, and more importantly the 5th line from the bottom. You'll want to see the time update to the current time and, eventually, DirectorySynchronizationEnabled become "True". Keep repeating item 6 until the error message no longer appears and DirectorySynchronizationEnabled has a value of "True".

At this point your users should be "In Cloud" and DC01 will be available and capable of syncing with M365.  Now when new users are created in NAP or you start to import users, they will sync to the Microsoft 365 account automatically.
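The wait-and-retry that the troubleshooting section describes, as an added example that is not part of the original article. It assumes the MSOnline module is loaded and Connect-MsolService has already been run; $custDomain, the deadline and the polling interval are placeholders, and the pre-check refuses to re-enable sync while any in-scope user still carries an ImmutableId (item 4 not finished).

```powershell
# Added example (not from the Nerdio article): a re-enable loop for Step I item 6 and
# the troubleshooting section. Assumes MSOnline is loaded and Connect-MsolService has run.
$custDomain = "*@yourdomain.com"      # placeholder: pattern matching the users' primary domain

# Safety check first: clearing ImmutableIds touched every matching user, so stop here if
# any in-scope user still has one. Re-enabling sync now would re-link those accounts.
$stillSynced = @(Get-MsolUser -All |
    Where-Object { ($_.UserPrincipalName -like $custDomain) -and ($null -ne $_.ImmutableId) })
if ($stillSynced.Count -gt 0) {
    Write-Warning ("{0} user(s) still have an ImmutableId; finish item 4 before re-enabling sync." -f $stillSynced.Count)
    $stillSynced | Select-Object UserPrincipalName, ImmutableId | Format-Table -AutoSize
    return
}

# Retry item 6 until the misleading "cannot turn off" error stops. Each failed pass logs
# the tenant's sync status so you can watch the deactivation progress.
$deadline = (Get-Date).AddHours(72)   # placeholder: generous upper bound for the wait
$enabled  = $false
do {
    try {
        Set-MsolDirSyncEnabled -EnableDirSync $true -Force -ErrorAction Stop
        $enabled = $true
    } catch {
        $info = Get-MsolCompanyInformation
        $msg  = "{0:u}  not yet enabled ({1}); Status={2}  Enabled={3}  LastDirSyncTime={4}"
        Write-Host ($msg -f (Get-Date), $_.Exception.Message, $info.DirectorySynchronizationStatus, $info.DirectorySynchronizationEnabled, $info.LastDirSyncTime)
        Start-Sleep -Seconds 900      # re-check every 15 minutes
    }
} while (-not $enabled -and (Get-Date) -lt $deadline)

# Final confirmation: the article's success criterion is DirectorySynchronizationEnabled = True.
$info = Get-MsolCompanyInformation
if ($enabled -and $info.DirectorySynchronizationEnabled) {
    Write-Host "DirSync re-enabled; DC01 can now sync with Microsoft 365."
} else {
    Write-Warning "DirSync is still not enabled; keep waiting and re-run this script."
}
```

Run it from the same elevated session used for the earlier steps; the pre-check output doubles as the verification in item 7.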

Step II: Complete standard on-boarding process

Now that users are flagged as "In cloud", you may proceed with the standard on-boarding process documented in this KB article.

