Can I safely uninstall Azure AD Connect without losing users or groups and keeping authentication working?

Daniel Niccoli 196 Reputation points
2020-09-25T05:08:45.677+00:00

I took over an infrastructure comprising

  1. three Active Directory Domain Controllers
  2. two Active Directory Federation Service servers
  3. one ADFS Web Application Proxy
  4. one Azure AD Connect server

I found a lot of issues with the current configuration and fixed most of them. We are now in the process of deploying Server 2019 and I am inclined to just set it all up from scratch, except for the domain.

We are using ADFS for authentication. Group-writeback is enabled in AADC. There is one custom sync rule configured in AADC.

Does uninstalling Azure AD Connect delete any users, groups or other objects on-premises or in the cloud? Will authentication via ADFS continue working after doing so?

If we reinstall and reconfigure AADC on a new server, will it work like we haven't touched it at all?


Accepted answer

VipulSparsh-MSFT 16,271 Reputation points Microsoft Employee
2020-09-25T06:33:10.907+00:00

@Daniel Niccoli Thanks for reaching out. If you have decided to build from scratch, you will have to perform the steps in the following order.
Please remember that turning this off would set the users' status to In-Cloud, which means they can no longer use ADFS for authentication and would have to depend on password sync as a backup. Once you have set up AAD Connect on a separate server and processed a full sync after 72 hours, the users would join back to the original set and you can then perform ADFS auth again.

1) Make sure you have password sync enabled for all users, as when you turn off the sync, all users will be using the synced password to log in and not ADFS.
If not, follow these steps.

[image: 28207-passwordsync.png]

2) Once done, you will have to convert the federated domain to managed by using the Convert-MsolDomainToStandard cmdlet:
https://learn.microsoft.com/en-us/powershell/module/msonline/convert-msoldomaintostandard?view=azureadps-1.0

3) Turn off DirSync (use PowerShell as mentioned in the link, or use the Office 365 portal to deactivate sync):

4) Set up AAD Connect on the new server and then uninstall the previous one.

5) Turn on DirSync after 72 hours.

6) Federate the domain to start using ADFS again using: https://learn.microsoft.com/en-us/powershell/module/msonline/convert-msoldomaintofederated?view=azureadps-1.0

Please note that there are many factors to consider, not all of which can be written in an answer here, but these are the high-level steps you would need to take. If you have decided to go this route, I would also suggest opening a support ticket with Microsoft when you do this, as I have seen many scenarios where something might go wrong, and these are prod users we are talking about, which will generate more helpdesk calls if something goes unplanned.


    If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.

    1 person found this answer helpful.
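The order of operations in the accepted answer, as an added PowerShell example that is not part of the original post and is not Microsoft's own runbook. It wires the answer's steps together with a verification check after each one, so that sync is never disabled while the domain is still federated and sync is never re-enabled before the 72-hour wait. It uses the MSOnline cmdlets the answer links to (Convert-MsolDomainToStandard, Convert-MsolDomainToFederated, Set-MsolDirSyncEnabled) and the ADSync module on the Azure AD Connect server. Assumptions: `$DomainName`, `$PasswordFile` and `$AdfsServer` are placeholders; Phase 1 runs on the existing Azure AD Connect server and Phase 2 on the new one; the property name `PasswordHashSync` on `Get-ADSyncAADCompanyFeature` should be verified on your build.

```powershell
# Added example (not from the original post). Placeholders below must be replaced.
$DomainName   = 'contoso.example'             # placeholder: the federated domain
$PasswordFile = 'C:\Temp\converted-users.txt' # placeholder: temp passwords written by step 2
$AdfsServer   = 'adfs01.corp.example'         # placeholder: an AD FS server for step 6

function Invoke-Phase1 {
    # Steps 1-3 from the answer: verify password sync, convert the domain to managed, disable DirSync.
    Import-Module ADSync
    Import-Module MSOnline

    # Keep a record of the custom sync rule so it can be recreated on the new server;
    # out-of-box rules have precedence 100 and above, custom ones sit below that.
    Get-ADSyncRule | Where-Object { $_.Precedence -lt 100 } |
        Select-Object Name, Direction, Precedence | Format-Table -AutoSize

    # Step 1: without password hash sync, users would lose both federated and
    # password sign-in once the domain is converted (assumption: property name as
    # exposed by Get-ADSyncAADCompanyFeature; verify on your version).
    $features = Get-ADSyncAADCompanyFeature
    if (-not $features.PasswordHashSync) {
        throw 'Password hash sync is not enabled; enable it and run a full sync before continuing.'
    }

    # Stop the scheduler so no export runs while the tenant is being changed.
    Set-ADSyncScheduler -SyncCycleEnabled $false

    Connect-MsolService

    # Step 2: federated -> managed. Converted users get temporary passwords written to
    # $PasswordFile; treat that file as a secret and delete it once sign-in is confirmed.
    if ((Get-MsolDomain -DomainName $DomainName).Authentication -eq 'Federated') {
        Convert-MsolDomainToStandard -DomainName $DomainName -SkipUserConversion $false -PasswordFile $PasswordFile
    }
    if ((Get-MsolDomain -DomainName $DomainName).Authentication -ne 'Managed') {
        throw "$DomainName is still federated; do not disable sync yet."
    }

    # Step 3: disable directory synchronization for the tenant and confirm it took.
    Set-MsolDirSyncEnabled -EnableDirSync $false -Force
    if ((Get-MsolCompanyInformation).DirectorySynchronizationEnabled) {
        throw 'DirSync is still enabled on the tenant.'
    }

    # Returned so Phase 2 can enforce the 72-hour wait; record it somewhere durable.
    return Get-Date
}

function Invoke-Phase2 {
    # Steps 5-6, run on the new Azure AD Connect server after step 4 (the wizard install).
    param([Parameter(Mandatory)][datetime]$SyncDisabledAt)
    Import-Module ADSync
    Import-Module MSOnline

    $elapsed = (Get-Date) - $SyncDisabledAt
    if ($elapsed -lt [TimeSpan]::FromHours(72)) {
        throw "Only $([int]$elapsed.TotalHours) h since DirSync was disabled; wait 72 h before re-enabling."
    }

    Connect-MsolService

    # Step 5: re-enable DirSync and run an initial (full) cycle so the synced users
    # join back to their on-premises objects instead of staying In-Cloud.
    Set-MsolDirSyncEnabled -EnableDirSync $true -Force
    Start-ADSyncSyncCycle -PolicyType Initial

    # Step 6: re-federate the domain so AD FS handles authentication again.
    # Convert-MsolDomainToFederated needs an AD FS context; add -SupportMultipleDomain
    # if the original trust was created for more than one federated domain.
    Set-MsolADFSContext -Computer $AdfsServer
    Convert-MsolDomainToFederated -DomainName $DomainName
    if ((Get-MsolDomain -DomainName $DomainName).Authentication -ne 'Federated') {
        throw "$DomainName did not convert back to Federated; check the AD FS trust before redirecting users."
    }
}

# Usage (two sessions, days apart):
#   $t = Invoke-Phase1                 # on the old AAD Connect server; store $t
#   Invoke-Phase2 -SyncDisabledAt $t   # on the new server, at least 72 h later
```

Each `throw` stops the run at the point where continuing would leave users without a working sign-in path, which is the failure the answer warns about: a domain that is still federated when sync is disabled, or sync re-enabled before the tenant has aged out the old objects.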
