Then Uncheck the unwanted OU’s, for example i need to uncheck Users OU, but by mistake let say i unchecked Employees OU as well as below:
Then I tried to run Initial sync using PowerShell As below:
When i went to AD Connect Management Console, i got below result:
from above snapshot, i ended up with 895 objects to be deleted! This is what i did by mistake since Employees OU contains this number of objects, fortunately in this case am very luck and thanks for AD Connect since it will prevent this process to be exported based on the deletion threshold feature, as the number of objects to be deleted exceed 500 objects then the process will be terminated as below snapshot:
Again, Thanks for AD Connect to prevent this accidental deletion for my objects, but what Next and how to deal with this?
Be careful, in this demo i already know that i unchecked Employees OU only, if i go and check the Employees OU again it will solve the issue, but assume that you don’t know which OU’s that was unchecked or another admin who did this!
in this situation, first, let’s go to Azure AD Connecter and click on search connector Space option as appears below:
Then from Scope choose Pending Export Option, check the delete checkbox and finally click search, as appears below all object that will be deleted will appears in the result, in our case it’s under pending Export since AD Connect prevent the completion of this process as below:
so, till now, we know that i have more than 500 objects to be deleted by Mistake, also i know that AD Connect terminate this process.
Note: if the number of objects to be deleted less than 500 objects then the process will complete successfully and the objects will be deleted from Azure AD which may interrupt cloud services such as exchange online. In this case, you need to revert the changes back and sync the objects again, don’t worry because AD Connect will match the objects again.
in this stage, be very careful, if you are trying to guess which OU’s should be selected and in any level, you reach below than 500 objects to be deleted then the process will be completed and you will lose some objects in Azure AD which will interrupt the cloud services until you sync the objects again.
the best approach in this case is to enable the staging Mode for AD Connect server, i will not discuss the staging Mode deeply here (maybe in Next Articles), but simply this action makes the server active for import and synchronization, but it does not run any exports which means that nothing will be commit in Azure AD or local AD and this is what we need till we correct the AD Connect OU filtering operation.
To enable the staging Mode, Run AD Connect Wizard Again, click Configure as below:
Choose “Configure Staging Mode” and click Next:
Enter the GA credential and Click Next:
Check the “Enable Staging Mode” option and click Next:
Finally, click Configure:
Once the configuration completed, click Exit:
if you go to the AD Connect management console, we can see that no export operation was executed as below:
Also, to double confirm, i ran initial sync again as below:
Again, no export operations was executed as below:
For Now this is Great as i can modify and try to correct the configuration without be worried, if we go now to the Azure Connector and search for connector space, we still see the pending deleted objects, Now even while i am correct the configuration ends with less than 500 objects, it will not be deleted since the export operation will not be executed as we are currently in staging mode:
In you case, you need to correct the configuration, and you can go every time to the connector space and see if there is still pending deletion objects or not, in my case i know that the Employees OU should be included again in the sync to prevent this deletion, in your case if you are not sure you can click in any pending export deletion object and see in which OU for example it’s located to check it as below:
Note: From My point of view, if you still not sure which OU’s should be selected, i prefer to select the whole directory then you can exclude one by one based on your requirements.
I went back and check the Employees OU as below:
Once i ran the initial sync again, i can see again that the export not executed as we are still in the staging mode as below:
I went again and search in the Azure AD Connector, i found nothing will be deleted and this make sense since now AD Connect doesn’t see anything to be deleted as Employees OU included in the Sync again as below:
Once i verified nothing will be deleted, i will disable the staging Mode, the same procedure as enabling it but now Just uncheck the option:
Once, the configurations finish, i can see that the export executed without any deletion as below snapshot: ( I Have some errors in export for other objects so don’t worry about that 🙂 )
Ahmad Yasin is a Microsoft Cloud Engineer and the Owner & publisher of AzureDummies blog. He also holds many certificates in office 365 and windows azure including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA office 365.