AD Connect Synced Users Restore After On-Prem AD Encryption Or Loss

The Issue

My organization was using AD connect to sync users to Azure AD. The below settings were in use:

  • Password Hash Sync
  • Password Write Back
  • ms-DS-ConsistencyGuid

In a ransomware attack, all domain controllers AD sync server and backups are compromised. We rebuilt the domain controllers with same forest and domain names, but the SID has changed. We have recreated the users with same display name and UPN, as on the previous domain controller.

We are utilizing M365 for Teams, emails, etc.


Restore the syncing of AD users to Azure AD from the newly created domain.

On-prem requirements are not covered here.


The solution will be executed in four steps:

  • Converting Ad Synced users into Cloud Users.
  • Hard match for the users that we need to resync
  • Running Pilot Sync Batch
  • Examining restored M365 services
  • Cleanup of old AD Connect Servers

Before starting the resolution steps, it's important to check and verify the existing state of the Azure AD Tenant.

Converting Ad Synced users into Cloud Users

In this step, we will disable the AD sync service via PowerShell. This can take up to 72 hours, depending on the numbers of users. In the lab setup for five users, this was done in under 10 minutes.

Set-MsolDirSyncEnabled –EnableDirSync $false

After some, depending on the numbers of users ad synced, accounts will be converted to cloud only accounts, and they will keep the same password as the ones of on-prem when they were last synced.

Hard match for the users that we need to be resynced

Install the new AD connect server with required setting and then proceed for Hard Match. Hard match can also be done prior to the new AD connect Installation.

On the Domain Controller, open a PowerShell window and run the command Import-Module Active Directory.

Run the command Get-ADUser -Identity “Enter Local AD logon ID in these quotes." Once you run the above command, you should see an output like this:

Now, copy the object GUID from the output and open the website Paste the same on the textbox as what is shown in the image and click on convert. You should be getting the B64 value and copy the same. Make sure that there are no spaces when you paste the value in the textbox.

Although, there are other ways to get the Base64 value from a GUID. I recommend this approach as it is simple, and you can get the same results from PowerShell.

$user = ""
$guid = [guid]((Get-ADUser -Identity "$user").objectGuid)
$immutableId = [System.Convert]::ToBase64String($guid.ToByteArray())

Now, open PowerShell so we can connect to cloud & run the command Import-Module MSOnline.

Run the command Connect-MSOLService. You should see a prompt to enter credentials. Enter the Office 365 global admin credentials here.

Once you remove the account, run the command Set-MsolUser -UserPrincipalName -ImmutableId QX00ApTUDEiiEm5kX0WP2w== . Here you need to enter the UPN/Sign-in address of Office 365/azure AD against which you wish to perform a hard match. After the -immutableID flag, enter the B64 value that you copied from .

Once this is done run a delta sync.

Check the AD Connect status.

Check the sync status of the user

Login into the user account to verify mailbox, Teams, etc.

Go to AD connect in to check the sync services health.

We can see both old and new AD connect servers listed here. The old one is in an unhealthy state.

We will open the old AD connect and delete it.

You will see a challenge screen when you press the delete icon.

We can now see the new AD connect listed.


In this article, we restored AD syned users after on-prem AD encryption or lose.

Similar Articles