For all ODM projects, you can follow Microsoft’s instructions on how to Delete an Enterprise Application to remove the Quest On Demand service principals from your tenants for workloads that are no longer in use. For ODM projects that included Directory Sync, AD Migration, Domain Move, or Domain Rewrite, you should first perform the cleanup tasks listed in the next sections, and then proceed with removing the service principals.
Note: In addition to performing the cleanup tasks below, you can also submit a request to Support to enable the Offboarding feature for ODM AD, which will allow you to fully delete your data from the Quest environment. Once this feature is enabled, you will be able to delete your environments and projects using ODM AD Offboarding.
ODM Domain Rewrite and Domain Move:
At the end of a domain move project or when domain rewrite is no longer needed, Domain Rewrite should be disabled in the ODM project to remove the configuration specific to domain rewrite. If there are any access issues editing the project, submit a Service Request at https://support.quest.com for assistance.
1.) Log into Quest On Demand and use the left navigation to open the Domain Move or Domain Rewrite interface
2.) Click on the Domain Move or Domain Rewrite project
3.) Click the Setup icon on the Dashboard
4.) Scroll down and click the section title “Email Address Rewriting”
5.) Select the Radio Button “No, Maybe Later” and click the double-arrows to Skip to Summary
Disabling domain rewrite will automatically remove the following Exchange Transport rules and Connectors that were created in the source and target tenants to facilitate the rewrite. This process can take up to an hour to complete:
· Transport Rule Names start with “BT-IntegrationPro” or BT-IntegrationPro-Out-S-internet
o BT-IntegrationPro-Out-S-[GUID]
o BT-IntegrationPro-Out-S-[GUID]-From
o BT-IntegrationPro-Out-S-[GUID]-ToCc
o BT-IntegrationPro-Out-S-From
o BT-IntegrationPro-Out-S-ToCc
o BT-IntegrationPro-In
o BT-IntegrationPro-In-Dkim
· Connector Names start with “BT-IntegrationPro”
o BT-IntegrationPro-In
o BT-IntegrationPro-Out
After confirming the transport rules and connectors have been removed, you can manually delete the groups and service accounts that were auto-created by ODM Domain Rewrite or Domain Move:
· Source Tenant Groups:
o BT-IntegrationPro-DayOne
o BT-IntegrationPro-DayTwo
o BT-IntegrationPro-DayOne-[GUID]
o BinaryTreeCDSPowerShellGroup.[GUID]
· Target Tenant Groups:
o BT-IntegrationPro-DayOne
o BT-IntegrationPro-DayOne-[GUID]
o BT-IntegrationPro-DayTwo
o BT-IntegrationPro-DayTwo-[GUID]
o BT-IntegrationPro-[GUID]
o BT-IntegrationPro-NC-[GUID]
o BinaryTreeCDSPowerShellGroup.[GUID]
· Accounts that were auto-created by ODM – Source and Target Tenants, as long as they are not in use by ODM Directory Sync or ODM for Active Directory
o BinaryTreePowerShellUser.[GUID]
o BinaryTreeCDSPowerShellUser.[GUID]
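One way to confirm the removal before deleting anything is a read-only audit of each tenant, shown here as an added example that is not part of the original article or Quest tooling. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed and that the names listed above are the objects' display names.

```powershell
# Added example: read-only audit, run once per tenant (source and target).
# Assumption: the names listed in the article are display names.
# Nothing is modified or deleted by this script.
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'Group.Read.All', 'User.Read.All'

$prefix = 'BT-IntegrationPro'

# Mail flow objects that disabling Domain Rewrite should remove automatically.
$mailFlow = @(
    Get-TransportRule | Where-Object Name -like "$prefix*" |
        Select-Object @{ n = 'Type'; e = { 'TransportRule' } }, Name
    Get-InboundConnector | Where-Object Name -like "$prefix*" |
        Select-Object @{ n = 'Type'; e = { 'InboundConnector' } }, Name
    Get-OutboundConnector | Where-Object Name -like "$prefix*" |
        Select-Object @{ n = 'Type'; e = { 'OutboundConnector' } }, Name
)

# Auto-created groups and accounts that are deleted manually afterwards.
$groupPrefixes = $prefix, 'BinaryTreeCDSPowerShellGroup'
$userPrefixes  = 'BinaryTreePowerShellUser', 'BinaryTreeCDSPowerShellUser'

$groups = @(foreach ($p in $groupPrefixes) {
    Get-MgGroup -All -Filter "startswith(displayName,'$p')" |
        Select-Object @{ n = 'Type'; e = { 'Group' } },
                      @{ n = 'Name'; e = { $_.DisplayName } }
})
$users = @(foreach ($p in $userPrefixes) {
    Get-MgUser -All -Filter "startswith(displayName,'$p')" |
        Select-Object @{ n = 'Type'; e = { 'User' } },
                      @{ n = 'Name'; e = { $_.DisplayName } }
})

# Leftover rules or connectors mean the automatic removal has not finished.
if ($mailFlow.Count -gt 0) {
    Write-Warning ('Transport rules or connectors remain; removal can take ' +
                   'up to an hour. Re-check before deleting groups and accounts.')
}

$mailFlow + $groups + $users | Sort-Object Type, Name | Format-Table -AutoSize
```

An empty table means none of the listed objects remain in that tenant; any accounts it lists still need to be checked against ODM Directory Sync and ODM for Active Directory usage before deletion.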
Review and delete any groups and service accounts that were manually created specifically for the project, as long as they are no longer needed for other applications, including ODM Directory Sync and ODM for Active Directory
· Custom Groups that were created for scoping
· Cloud-only service accounts that were used to connect the tenants - source and target
· Service accounts used by Directory Sync Agents in Hybrid environments
Remove application servers and environmental configurations that were specific to the project, as long as they are no longer needed for other applications, including ODM Directory Sync and ODM for Active Directory
· Decommission the Directory Sync Agent servers - source and target
· Remove DNS TXT records that were created as part of the Domain Rewrite Project, including DKIM and SPF records
· Review any changes that were made to enable toolset functionality and revert as needed
o Considerations include firewall exceptions, transport rule modifications, program exclusions, enabled protocols, and tenant settings
ODM Directory Sync and ODM for Active Directory:
When AD migrations are complete and directory sync functionality is no longer required, cleanup should be performed to disable automatic scheduled workflows and environment discoveries. To disable scheduled workflows:
1.) Log into Quest On Demand and use the left navigation to open the Directory Sync or Domain Move or Active Directory interface
2.) Select the Hamburger Menu in the upper left and select “Workflows”
3.) Workflows with scheduled execution will have a date and time listed under “Next Run”
4.) Select a Workflow with a scheduled run and click the “Settings” button
5.) Click “Schedule” in the menu on the left, select “Manually”, and click “Save”
6.) Click “Back” in the lower left and repeat for other workflows as needed
To disable scheduled environment discoveries:
1.) Log into Quest On Demand and use the left navigation to open the Directory Sync or Domain Move or Active Directory interface
2.) Select the Hamburger Menu in the upper left and select “Environments”
3.) Environments with scheduled Discoveries will have a date and time listed under “Next Discovery”
4.) Click on an Environment with a scheduled discovery and click the “Settings” button
5.) Click “Discover” in the menu on the left, select “Manually”, and click “Save”
6.) Click “Back” in the lower left and repeat for other environments as needed.
Delete cloud-only accounts and groups that were auto-created by ODMAD, as long as they are not in use by ODM Domain Move or ODM Domain Rewrite
· BinaryTreeCDSPowerShellUser.[GUID]
· BinaryTreeCDSPowerShellGroup.[GUID]
Review and delete any groups and service accounts that were manually created specifically for the project, as long as they are no longer needed for other applications, including ODM Domain Move and ODM Domain Rewrite
· Custom Groups that were created for scoping
· Cloud-only service accounts that were used to connect the tenants - source and target
· Service accounts used by Directory Sync Agents in Hybrid environments
Remove application servers and environmental configurations that were specific to the project, as long as they are no longer needed for other applications, including ODM Domain Move and ODM Domain Rewrite
· Delete the BTPass folder from C:\Windows on Domain Controllers that were used for password sync – source and target
· Decommission the Directory Sync Agent servers - source and target
· Review any changes that were made to enable toolset functionality and revert as needed
o Considerations include firewall exceptions, transport rule modifications, program exclusions, enabled protocols, and tenant settings