AD Connect makes changes to local AD in Exchange Hybrid.


  • Hi Forum.

    This Friday I saw that a new installation of AD Connect (set up with the Exchange Hybrid option enabled) started to make changes to the client's local AD.

    Honestly, I have never seen this happen before (and I do believe that I have done my fair share of "AD Connect" installations in the past).

    What happened was that a few (around 10) users had some errors... (after the initial cleanup using IDFix)

    Duplicates + invalid values....

    In the past I would have manually cleaned out the errors by hand (after verifying with the client what needed to happen).

    This time AD Connect started to clean up the errors by itself, which is, to be diplomatic, “not so good”.

    My process is this:

    Check AD for errors using IDFix (it will find almost all errors, but not all), then make changes by hand together with the client.

    Set up AD Connect with the OU scope and filters needed.

    The service account I set up for AD Connect is a standard domain user, with write access only to the attributes needed for the implementation.

    Then apply staging mode to verify the attributes getting synced to Office 365 (Azure AD), and then enable sync.

    How do I make sure what changes will be made to the local AD? Will a connector space search on the local AD Connector give me the desired outcome when looking for pending exports?

    Should I wait with providing the service account the access rights it needs to make changes, and not enable “Exchange Hybrid” before I have seen the changes that need to be made?

    Please provide a best practice for a scenario using “Exchange hybrid”, so that the changes made by AD Connect to the local AD do not get out of hand.

    Kind regards


    Monday, March 13, 2017 8:49 AM
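As an added example (not part of the original post), this is one way to answer the pending-exports question above while the server is still in staging mode: it runs a full sync cycle and then dumps the queued exports for the on-premises AD connector with the csexport and CSExportAnalyzer tools that ship with Azure AD Connect. The connector name "contoso.local", the output folder and the install path are placeholders/assumptions.

```powershell
# Added example, not from the original post. Assumes an Azure AD Connect server
# that is already in staging mode and installed in the default location.
# "contoso.local" is a placeholder for the on-premises AD connector name
# (visible under Connectors in the Synchronization Service Manager).
param(
    [string]$AdConnectorName = 'contoso.local',
    [string]$OutDir = $env:TEMP
)

Import-Module ADSync

# Safety check: in staging mode the engine imports and synchronizes but never
# exports, so writeback changes only queue up in the connector space.
$sched = Get-ADSyncScheduler
if (-not $sched.StagingModeEnabled) {
    throw 'Server is not in staging mode; refusing to run, exports would reach AD.'
}

# Run one full import/sync so every pending change is computed, then wait
# until no connector run is in progress before reading the connector space.
Start-ADSyncSyncCycle -PolicyType Initial | Out-Null
while (Get-ADSyncConnectorRunStatus) { Start-Sleep -Seconds 15 }

# csexport with /f:x writes only objects that have a pending export for the
# named connector; CSExportAnalyzer flattens that XML into a reviewable CSV.
$bin = 'C:\Program Files\Microsoft Azure AD Sync\Bin'
$xml = Join-Path $OutDir 'pending-ad-exports.xml'
$csv = Join-Path $OutDir 'pending-ad-exports.csv'
& "$bin\csexport.exe" $AdConnectorName $xml /f:x
& "$bin\CSExportAnalyzer.exe" $xml | Out-File -Encoding ascii $csv

# Summarize what would be written back to local AD once staging mode is
# disabled; review this (and the service account's write rights) before that.
$pending = Import-Csv $csv
"{0} pending export rows for connector '{1}' written to {2}" -f `
    @($pending).Count, $AdConnectorName, $csv
$pending | Format-Table -AutoSize
```

Nothing is exported by this script; staging mode keeps blocking writes until it is deliberately turned off after the CSV has been reviewed.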

All replies