In this article, we continue to review the special characteristics of Office 365 Directory synchronization…
Reviewing the characters of Exchange Online mailbox recovery mistake – New On-Premise Active Directory User Account was created | Part 19#23
In the current article, we describe the characteristics of a typical Exchange Online mailbox restore mistake in an Office 365 Directory synchronization environment, and the characteristics of one optional solution.
- The restore mistake is that a NEW Active Directory user account is created, instead of restoring the original Soft Deleted On-Premise Active Directory user account.
- The provided solution is based on the concept of “reversing things back” to the point in time before the “Exchange Online mailbox recovery mistake” was executed.
Table of contents
- The Exchange Online restore mailbox article series
- Directory synchronization based environment | best practice for recovering Exchange Online mailbox
- Mistake 1 – New On-Premise Active Directory User Account was created and synchronized to the cloud
- Solution 1#2 – Delete the New On-Premise Active Directory User Account, and restore the “Original” On-Premise Active Directory User account
- The next article in the current article series
The Exchange Online restore mailbox article series
There are two common scenarios in which the restore process of a deleted Exchange Online mailbox is implemented improperly in an Office 365 Directory synchronization environment:
- Restore Exchange Online Mailbox Mistake 1#2 – A scenario in which a NEW Active Directory user account is created, instead of restoring the original Soft Deleted On-Premise Active Directory user account.
- Restore Exchange Online Mailbox Mistake 2#2 – A scenario in which the synchronized Soft Deleted Office 365 user account is restored, and its Exchange Online mailbox is also restored, instead of restoring the original Soft Deleted On-Premise Active Directory user account.
The current article is dedicated to the description of “Restore Exchange Online Mailbox Mistake 1#2”.
In the next articles:
- Solving an Exchange Online mailbox restore mistake by Restoring the original Soft Deleted Active Directory user | Part 21#23
- Restoring Exchange Online mailbox content to another mailbox using PowerShell command New-MailboxRestoreRequest | Part 22#23
we provide a step by step description of two optional solutions that we can use for “fixing” an Exchange Online mailbox restore that was executed improperly.
The second common mistake, “Restore Exchange Online Mailbox Mistake 2#2”, will be reviewed in the article – Reviewing the characters of Exchange Online mailbox recovery mistake – Soft Deleted Office 365 restored | Part 20#23
Directory synchronization based environment | best practice for recovering Exchange Online mailbox
Before we begin with the description of the specific characteristics of the “problematic Exchange Online mailbox restore scenarios” in a Directory synchronization based environment, and the possible solutions that can be implemented, let’s start with a quick reminder about the “best practice” guideline for restoring an Exchange Online mailbox in a Directory synchronization environment.
The steps for restoring an Exchange Online mailbox in an Office 365 Directory synchronization environment are:
- Start the restore process by restoring the Soft Deleted On-Premise Active Directory user account that is “bound” to the Office 365 user account, which is considered the owner of the Soft Deleted Exchange Online mailbox (number 1).
- The information about the restored On-Premise Active Directory user reaches the Office 365 Directory, which locates the Soft Deleted Office 365 user account that is “bound” to the restored On-Premise Active Directory user. Azure Active Directory automatically starts the restore process of the Soft Deleted Office 365 user account. The Exchange Online license is also restored automatically (number 2).
- The information about the restored Exchange Online license is synchronized to the Exchange Online infrastructure. Exchange Online automatically starts the restore process of the Soft Deleted Exchange Online mailbox, and the restored Exchange Online mailbox is “attached” to the restored Office 365 user account (number 3).
The scenario description
To better understand the specific characteristics of the “problematic Exchange Online mailbox restore scenario,” in which a NEW Active Directory user account is created instead of restoring the original Soft Deleted Active Directory user account, let’s use the following scenario:
Organization mail infrastructure
- An organization uses Office 365 services, with Exchange Online as its mail infrastructure.
Directory infrastructure
- Directory management is implemented via the On-Premise Active Directory, and Directory synchronization server (Azure AD Connect).
- The Directory synchronization server is responsible for synchronizing information from the local On-Premise Active Directory to the Office 365 Directory (Azure Active Directory).
The Directory user deletion event
- An Active Directory user account is deleted, and the information about the user deletion is synchronized to the Office 365 Directory (Azure Active Directory).
- Azure Active Directory deletes the Office 365 user account that is “bound” to the deleted On-Premise Active Directory user + the Exchange Online license of the Office 365 user.
- The information is synced to Exchange Online. The outcome is that the Exchange Online mailbox is also deleted.
The Active Directory deleted user account details
The deleted Active Directory user account login name is: John@o365info.com
The mission
The organization IT was asked to:
- Recover the deleted Exchange Online mailbox.
- Enable the user to access the recovered Exchange Online mailbox and the data stored in it.
Notice that we only said that we need to recover the Exchange Online mailbox and enable the user to access it.
We didn’t provide any instructions or guidelines regarding the “user account” that will be “attached” to the restored Exchange Online mailbox.
Mistake 1 – New On-Premise Active Directory User Account was created and synchronized to the cloud
The mistake flow description
- The Administrator creates a NEW Active Directory user account with the same details as the deleted user – same login name, same E-mail address and so on.
- The information about the NEW Active Directory user is synchronized to the cloud.
- A NEW Office 365 user account is created, but the Administrator “believes” that this Office 365 user account is the Soft Deleted Office 365 user account that was restored.
Note that in reality, the Soft Deleted Office 365 user account was not restored; it is still located in the Azure Active Directory recycle bin.
- The Administrator assigns the “seemingly restored” Office 365 user account an Exchange Online license (I use the term “seemingly” because the Office 365 user account is not a restored user account but a NEW Office 365 user without a license).
The cause of the “restore misconception” procedure
The basic assumption of the Administrator is that because the “NEW On-Premise Active Directory user” has identical identifiers (same login name and the same E-mail address) as the previously deleted user, the Directory synchronization will execute the Soft match mechanism.
The Directory Synchronization Soft Match is expected to lead to the following:
- Automatic restore of the Office 365 Soft Deleted user account.
- Automatic “binding” of the restored Office 365 user account to its “master,” meaning the NEW On-Premise Active Directory user that was created.
- Automatic recovery of the Exchange Online license assigned to the Soft Deleted Office 365 user account.
- Automatic restore process of the Exchange Online mailbox that is associated with the restored Office 365 user.
The reason for the Soft match failure
In reality, the Directory Synchronization Soft match process, which is supposed to automatically “bind” the NEW On-Premise Active Directory user account to the Soft Deleted Office 365 user account, is not executed!
The Directory Synchronization “Soft match” process will not be activated because the ImmutableID value of the Soft Deleted Office 365 user account is already populated with the GUID value of the “original Active Directory user account” (the original Active Directory user that was deleted).
The Directory Synchronization “Soft match” mechanism is not configured to “ignore” this information and “run over” the existing value of the ImmutableID!
You can read more detailed information about this subject in the article – The special characters of Directory synchronization in an Office 365 environment | Article 1#2 | Part 11#23
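The following PowerShell script is an added example (it is not part of the original article) that makes the ImmutableID mismatch visible. It assumes the ActiveDirectory and MSOnline modules (with Connect-MsolService already run), that Azure AD Connect uses objectGUID as the source anchor (so the ImmutableID is the Base64 encoding of the on-premises objectGUID), and the article’s user John / John@o365info.com; the function name ConvertTo-ImmutableId is my own.

```powershell
# Added example: compare the ImmutableID that Directory synchronization derives from the
# NEW on-premises user with the ImmutableID still stored on the Soft Deleted Office 365 user.
# Assumptions: ActiveDirectory + MSOnline modules loaded, Connect-MsolService already run,
# sourceAnchor = objectGUID (the default for this environment), user John / John@o365info.com.

$samAccountName    = 'John'
$userPrincipalName = 'John@o365info.com'

# The ImmutableID is the Base64 form of the 16-byte on-premises objectGUID (hypothetical helper name).
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

# Set B: the NEW live on-premises user that the Administrator created.
$newAdUser      = Get-ADUser -Identity $samAccountName -Properties objectGUID
$newImmutableId = ConvertTo-ImmutableId -ObjectGuid $newAdUser.ObjectGUID

# Set A: the ORIGINAL user, still in the Active Directory recycle bin (newest first if deleted more than once).
$deletedAdUser = Get-ADObject -Filter { isDeleted -eq $true -and SamAccountName -eq $samAccountName } `
    -IncludeDeletedObjects -Properties objectGUID, SamAccountName, whenChanged |
    Sort-Object whenChanged -Descending | Select-Object -First 1
if (-not $deletedAdUser) { throw "No soft-deleted '$samAccountName' found in the AD recycle bin." }
$originalImmutableId = ConvertTo-ImmutableId -ObjectGuid $deletedAdUser.ObjectGUID

# The Soft Deleted Office 365 user keeps the ORIGINAL objectGUID as its ImmutableID.
$deletedCloudUser = Get-MsolUser -ReturnDeletedUsers -All |
    Where-Object { $_.UserPrincipalName -eq $userPrincipalName }

# SoftMatchWouldBind is $false: the new user's GUID never equals the value already stored,
# so Soft match cannot "bind" the NEW user to the Soft Deleted Office 365 user.
[pscustomobject]@{
    NewOnPremImmutableId        = $newImmutableId
    OriginalOnPremImmutableId   = $originalImmutableId
    SoftDeletedCloudImmutableId = $deletedCloudUser.ImmutableId
    SoftMatchWouldBind          = ($newImmutableId -eq $deletedCloudUser.ImmutableId)
    CloudUserBoundToOriginal    = ($originalImmutableId -eq $deletedCloudUser.ImmutableId)
}
```

Run it before touching anything; the CloudUserBoundToOriginal column being $true while SoftMatchWouldBind is $false is exactly the state the article describes, and it tells you which on-premises object (the soft-deleted one, not the new one) the cloud account is still waiting for.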
The outcome
The outcome is a “mess.”
Now we have “two sets” of user accounts and two sets of Exchange Online mailboxes.
- The action of creating a NEW On-Premise Active Directory user account leads to a scenario in which a NEW Office 365 user account is created (instead of the original intent, that the Soft Deleted Office 365 user account will be restored).
- When an Exchange Online license is assigned to the NEW Office 365 user account, a NEW empty Exchange Online mailbox is created.
Also, a “layer” of Soft Deleted objects will continue to exist in the various recycle bins:
- The original Soft Deleted Active Directory user will continue to be stored in the Active Directory recycle bin.
- The Soft Deleted Office 365 user account that is “bound” to the Active Directory user will continue to be stored in the Azure Active Directory recycle bin.
- The Soft Deleted Exchange Online mailbox will continue to be stored in the Exchange Online recycle bin.
Note – in an Office 365 based environment, the Soft Deleted user account and the Soft Deleted Exchange Online mailbox are kept in the Office 365 recycle bin for 30 days.
At the end of this period, the Soft Deleted objects are permanently deleted.
The main issue
When the user tries to access his Exchange Online mailbox, he finds that the mailbox is empty!
In the following diagram, we can see an illustration of the “mess” that is created when a NEW Active Directory user account is created; the outcome is that now we have:
- One “set” of Soft Deleted objects: the Soft Deleted On-Premise Active Directory user account, the Soft Deleted Office 365 user account and the Soft Deleted Exchange Online mailbox (set A in the diagram).
- One “set” of NEW directory objects: the NEW On-Premise Active Directory user account, the NEW Office 365 user account and the NEW Exchange Online mailbox (set B in the diagram).
Solution 1#2 – Delete the New On-Premise Active Directory User Account, and restore the “Original” On-Premise Active Directory User account
To deal with the “Exchange Online mailbox recovery mistake” in which a NEW On-Premise Active Directory user account was created, we will implement a solution that I describe as “revert the Exchange Online restore mistake.”
In this solution, we need to reverse things back to the point in time before the “Exchange Online mailbox recovery mistake” was executed.
Our “secret mission” is to turn back the time to the point before the NEW On-Premise Active Directory user account was created.
After we successfully complete the phase of returning to the “earlier point in time” (before the recovery mistake was done), we will need to implement the “right” procedure for restoring an Exchange Online mailbox in a Directory synchronization environment.
The meaning is – restore the “original” Soft Deleted user account from the On-Premise Active Directory recycle bin.
Note: Another option for dealing with this type of Exchange Online mailbox restore mistake is copying the content of the Soft Deleted Exchange Online mailbox to the NEW empty Exchange Online mailbox that was created.
We will review this type of solution in the article – Restoring Exchange Online mailbox content to another mailbox using PowerShell command New-MailboxRestoreRequest | Part 22#23
Solution 1 – “Revert” the recovery mistake – flow of events
To fix the recovery mistake, we will need to:
- Remove (delete) all the “NEW objects” that were created.
- In the next phase, restore the original On-Premise Active Directory user account.
We start the phase of deleting the NEW set of objects by deleting the NEW On-Premise Active Directory user account that was created, and then synchronizing the information to the Office 365 Directory (Azure Active Directory).
When Azure Active Directory gets the information about the deletion of the NEW On-Premise Active Directory user account that is “bound” to the NEW Office 365 user account, the NEW Office 365 user account is also deleted.
The deletion of the NEW Office 365 user account also deletes the Exchange Online license that was attached to the user account.
When Azure Active Directory synchronizes the information to Exchange Online, Exchange Online deletes the NEW Exchange Online mailbox that is associated with the deleted Office 365 user account.
If you want a more detailed description of the chain of events when an On-Premise Active Directory user account is deleted in a Directory synchronization environment, you can read the article – The special characters of Directory synchronization in an Office 365 environment | Article 2#2 | Part 12#23
After we have reverted the “recovery mistake” (the creation of the NEW On-Premise Active Directory user account), we can continue with the “best practice” solution for recovering an Exchange Online mailbox in a Directory synchronization environment.
The recovery of the “original” Exchange Online mailbox is implemented in the following way:
- Restore the “original” Soft Deleted On-Premise Active Directory user account from the On-Premise Active Directory Recycle bin.
- The information about the restored On-Premise Active Directory user account is synchronized to the Office 365 Directory (Azure Active Directory).
- Azure Active Directory “understands” that it needs to recover the associated Soft Deleted Office 365 user account from the recycle bin + the Exchange Online license that was assigned to the Office 365 user account.
- Azure Active Directory synchronizes the information to the Exchange Online infrastructure.
- Exchange Online “understands” that it needs to recover from the Recycle bin the Soft Deleted mailbox that is associated with the recovered Office 365 user account (whose Exchange Online license was recovered).
In the article – Solving an Exchange Online mailbox restore mistake by Restoring the original Soft Deleted Active Directory user | Part 21#23, we provide a detailed step by step description of the offered solution (deleting the NEW Active Directory user account that was created and restoring the original Soft Deleted On-Premise Active Directory user).
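The script below is an added example (not the article’s own steps, which are given in Part 21#23) that carries both phases of Solution 1 through in PowerShell: the “revert” (delete the NEW on-premises user and wait for Azure AD to soft-delete the NEW Office 365 user) and then the best-practice restore described in the “best practice” section above. It assumes the ActiveDirectory, MSOnline and ADSync modules are available on the Azure AD Connect server, an Exchange Online PowerShell session is open, Azure AD Connect uses objectGUID as the source anchor, and the article’s user John / John@o365info.com; the helper names Get-SoftDeletedAdUser and Wait-ForCondition are my own.

```powershell
# Added example: "revert" the recovery mistake, then run the best-practice restore.
# Assumptions: run on the Azure AD Connect server with ActiveDirectory, MSOnline and ADSync
# modules, Connect-MsolService and an Exchange Online session already established,
# sourceAnchor = objectGUID, user John / John@o365info.com (the article's example user).

$samAccountName    = 'John'
$userPrincipalName = 'John@o365info.com'

# Hypothetical helper: all soft-deleted AD objects with this sAMAccountName, newest first.
function Get-SoftDeletedAdUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Get-ADObject -Filter { isDeleted -eq $true -and SamAccountName -eq $SamAccountName } `
        -IncludeDeletedObjects -Properties objectGUID, SamAccountName, whenChanged |
        Sort-Object whenChanged -Descending
}

# Hypothetical helper: poll a condition until it holds or the timeout expires.
function Wait-ForCondition {
    param([Parameter(Mandatory)][scriptblock]$Condition, [int]$TimeoutMinutes = 15)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do { Start-Sleep -Seconds 30 } until ((& $Condition) -or (Get-Date) -gt $deadline)
    return [bool](& $Condition)
}

# Phase 0: record set A and set B BEFORE changing anything. The ORIGINAL user's objectGUID is
# captured now because, once the NEW user is deleted, the recycle bin will hold TWO "John" objects.
$originalAdUser = Get-SoftDeletedAdUser -SamAccountName $samAccountName | Select-Object -First 1
if (-not $originalAdUser) { throw "No soft-deleted '$samAccountName' in the AD recycle bin; nothing to revert to." }
$originalGuid     = $originalAdUser.ObjectGUID
$originalMailbox  = Get-Mailbox -SoftDeletedMailbox -Identity $userPrincipalName   # set A mailbox
$newAdUser        = Get-ADUser -Identity $samAccountName                           # set B on-premises user
$newCloudUser     = Get-MsolUser -UserPrincipalName $userPrincipalName             # set B Office 365 user

# Phase 1: revert the mistake - delete the NEW on-premises user and synchronize the deletion.
Remove-ADUser -Identity $newAdUser.DistinguishedName -Confirm:$false
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

# Do not restore the original until the NEW Office 365 user has reached the Azure AD recycle bin;
# otherwise the restored original would collide with a live account that still owns the same UPN.
$newCloudGone = Wait-ForCondition -Condition {
    [bool](Get-MsolUser -ReturnDeletedUsers -All | Where-Object { $_.ObjectId -eq $newCloudUser.ObjectId })
}
if (-not $newCloudGone) { throw "The NEW Office 365 user is still active; re-check the sync before restoring." }

# Phase 2: best-practice restore - bring back the ORIGINAL AD user by objectGUID (never by name,
# because the recycle bin now also contains the NEW user we just deleted).
Restore-ADObject -Identity $originalGuid
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

# Azure AD restores the bound Soft Deleted Office 365 user and its license; Exchange Online then
# re-attaches the ORIGINAL mailbox. Wait for that mailbox (matched by ExchangeGuid) to come back.
$mailboxBack = Wait-ForCondition -Condition {
    $mbx = Get-Mailbox -Identity $userPrincipalName -ErrorAction SilentlyContinue
    [bool]($mbx -and $mbx.ExchangeGuid -eq $originalMailbox.ExchangeGuid)
}

# Verification: the cloud user must carry the ORIGINAL objectGUID as ImmutableID and hold a license.
$expectedImmutableId = [System.Convert]::ToBase64String($originalGuid.ToByteArray())
$restoredCloudUser   = Get-MsolUser -UserPrincipalName $userPrincipalName
[pscustomobject]@{
    CloudUserRestored    = [bool]$restoredCloudUser
    BoundToOriginalGuid  = ($restoredCloudUser.ImmutableId -eq $expectedImmutableId)
    LicenseRestored      = ($restoredCloudUser.Licenses.Count -gt 0)
    OriginalMailboxBack  = $mailboxBack
}
```

The two timing gates are the part worth keeping even if you run the steps by hand: the NEW cloud user must be in the Azure AD recycle bin before the original on-premises user is restored, and the mailbox is verified by its ExchangeGuid rather than by name, so an empty NEW mailbox that happens to share the address cannot be mistaken for the recovered one.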