Azure AD Connect – write ms-DS-Consistency-Guid using Synchronization rules Editor

One of my customers came to me the other day with a problem on an Azure AD Connect server that was not syncing any newly created objects. When I asked them about the last time they updated AD Connect, I was not surprised to hear that they hadn’t added it to their update schedule (Ill take some blame for this. They are, my customer, after all..). The next question I asked was “what source anchor are you using?”. Eventually they came back to me with the ‘ms-DS-Consistency-Guid’.

“That’s interesting,” I said. “Can you check and see if your new users have that attribute populated?” In a few minutes they came back with a solid “No”.

The default ‘sourceAnchor’ attribute used in previous versions of ADConnect was the ‘ObjectGuid’ of the user/group object. Every new user that gets created in Active Directory gets an ‘ObjectGuid’. The ms-DS-Consistency-Guid is used in rare instances to compare Guid’s from other account databases. Legacy applications (i.e. SCCM2007) used this field to match/compare identities, which explains why this field is populated in many mature forests.

New versions of ADConnect will populate the ms-DS-Consistency-Guid with the ObjectGuid of the user with the addition of several new Sync and Transform rules to their Synchronization engine. Sadly, even if my customer had updated to the latest version of ADConnect those rules would not have been created without a full re-install.

A re-install is never an answer that works for me, so I decided to build the sync rules to check for and write the ObjectGuid to the ms-DS-Consistency-Guid where it was needed.

In order to edit and work with the ADConnect Synchronization Rules Editor, we need to be a member of the “ADSyncAdmins” local group on the ADConnect server.

Once verified, we can open the Synchronization Rules Editor:

Ensure that the ‘Direction’ is set to ‘Inbound

Select ‘In from AD – User Join’

Choose Edit and then click Yes when prompted to copy the rule

Provide a meaningful Name (e.g. In from AD – User Join Custom)

Set the Precedence

Note: Use the lowest precedence value to process this first

Click Next twice

On the Join Rules page, in the existing join rule, change the Source Attribute to mS-DS-ConsistencyGuid and the Target Attribute to sourceAnchorBinary

On the Join Rules page, click Add group

On the Join Rules page, in the new join rule, change the Source Attribute to objectGuid and the Target Attribute to sourceAnchorBinary

Click Next

On the Transformation page, edit the second rule so that the FlowType is ExpressionTarget Attribute is sourceAnchor and the source is

  • IIF(IsPresent([mS-DS-ConsistencyGuid]),IIF(IsString([mS-DS-ConsistencyGuid]),CStr([mS-DS-ConsistencyGuid]),ConvertToBase64([mS-DS-ConsistencyGuid])),IIF(IsString([objectGUID]),CStr([objectGUID]),ConvertToBase64([objectGUID])))

On the Transformation page, add a third rule so that the FlowType is ExpressionTarget Attribute is sourceAnchorBinary and the source is

  • IIF(IsPresent([mS-DS-ConsistencyGuid]),[mS-DS-ConsistencyGuid],[objectGUID])

Click Save

If prompted with an Expression Warning, click Yes

Repeat for each additional Forest being synchronized

Overriding User ‘AccountEnabled’ and ‘User Common’ Rules for sourceAnchor

Use this process to create a new rule to override each of the default rules

Note the precedence value you’re up to

Click Add New Rule

Provide a meaningful Name for the rule (e.g. In from AD – Override mS-DS-ConsistencyGuid)

Set the Connected System to the Forest you’re configuring for

Set the Connected System Object to user

Set the Metaverse Object Type to person

Set the Link Type to Join

Set the Precedence

Note: Use the lowest precedence value to process this first

Click Next three times

On the Transformations page, click Add transformation

Set FlowType to Expression

Set Target attribute to sourceAnchor

Change the source expression to

  • IIF(IsPresent([msExchRecipientTypeDetails]),IIF([msExchRecipientTypeDetails]=2,NULL,IIF(IsPresent([mS-DS-ConsistencyGuid]),IIF(IsString([mS-DS-ConsistencyGuid]),CStr([mS-DS-ConsistencyGuid]),ConvertToBase64([mS-DS-ConsistencyGuid])),IIF(IsString([objectGUID]),CStr([objectGUID]),ConvertToBase64([objectGUID])))),IIF(IsPresent([mS-DS-ConsistencyGuid]),IIF(IsString([mS-DS-ConsistencyGuid]),CStr([mS-DS-ConsistencyGuid]),ConvertToBase64([mS-DS-ConsistencyGuid])),IIF(IsString([objectGUID]),CStr([objectGUID]),ConvertToBase64([objectGUID]))))

Click Add

If prompted with an Expression Warning, click Yes

Repeat for each additional Forest being synchronized

Creating a Rule to Write sourceAnchorBinary back into mS-DS-ConsistencyGuid

Now that we have rules that correctly populate sourceAnchor and sourceAnchorBinary in the Metaverse, we need to create rules that write sourceAnchorBinary back into the on-premises mS-DS-ConsistencyGuid attribute as follows:

Change the rule editor filter to show Outbound rules

Take note of the precedence of the last rule in the list

Click Add new rule

On the Description page, set the Name to Out to AD – mS-DS-ConsistencyGuid

On the Description page, set Connected System to the Forest you’re currently configuring the rule for

On the Description page, set Connected System Object Type to user

On the Description page, set Metaverse Object Type to person

On the Description page, set the Precedence to a value higher than the precedence noted above

Note: Use the highest precedence value to process this last

Click Next three times

On the Transformation page, click Add transformation

In the new transformation set the FlowType to Direct, the Target Attribute to mS-DS-ConsistencyGuid, the Source to sourceAnchorBinary and the Merge Type to Update

Click Add

Repeat for each additional Forest being synchronized

Close the rules editor

Trigger a Full Sync

Open a PowerShell prompt on the ADConnect server and execute

Start-ADSyncSyncCycle Initial

You should now find that users are successfully synchronized to Azure Active Directory and that sourceAnchor is written back into ms-DS-ConsistencyGuid for on-premises objects

The Bottom Line

The rule changes configured here use the mS-DS-ConsistencyGuid as the sourceAnchor source, while only copying the  objectGuid when mS-DS-ConsistencyGuid has no value or is NULL. The sourceAnchorBinary is then written back to mS-DS-ConsistencyGuid in the on-premises object. We do this so that the sourceAnchorBinary attribute is always used after the initial sync, even after a migration of the user object between Forests.

Leave a Reply

Datarift LLC 2020 Cloud Solutions
Phoenix, Arizona