One of my customers came to me the other day with a problem on an Azure AD Connect server that was not syncing any newly created objects. When I asked them about the last time they updated AD Connect, I was not surprised to hear that they hadn’t added it to their update schedule (I’ll take some blame for this. They are my customer, after all.). The next question I asked was “what source anchor are you using?”. Eventually they came back to me with the ‘ms-DS-Consistency-Guid’.
“That’s interesting,” I said. “Can you check and see if your new users have that attribute populated?” In a few minutes they came back with a solid “No”.
The default ‘sourceAnchor’ attribute used in previous versions of ADConnect was the ‘ObjectGuid’ of the user/group object. Every new user that gets created in Active Directory gets an ‘ObjectGuid’. The ms-DS-Consistency-Guid is used in rare instances to compare GUIDs from other account databases. Legacy applications (e.g. SCCM 2007) used this field to match/compare identities, which explains why this field is populated in many mature forests.
New versions of ADConnect will populate the ms-DS-Consistency-Guid with the ObjectGuid of the user with the addition of several new Sync and Transform rules to their Synchronization engine. Sadly, even if my customer had updated to the latest version of ADConnect those rules would not have been created without a full re-install.
A re-install is never an answer that works for me, so I decided to build the sync rules to check for and write the ObjectGuid to the ms-DS-Consistency-Guid where it was needed.
In order to edit and work with the ADConnect Synchronization Rules Editor, we need to be a member of the “ADSyncAdmins” local group on the ADConnect server.
Once verified, we can open the Synchronization Rules Editor:


Ensure that the ‘Direction’ is set to ‘Inbound’
Select ‘In from AD – User Join’
Choose Edit and then click Yes when prompted to copy the rule
Provide a meaningful Name (e.g. In from AD – User Join Custom)
Set the Precedence
Note: Use the lowest precedence value to process this first
Click Next twice
On the Join Rules page, in the existing join rule, change the Source Attribute to mS-DS-ConsistencyGuid and the Target Attribute to sourceAnchorBinary
On the Join Rules page, click Add group
On the Join Rules page, in the new join rule, change the Source Attribute to objectGuid and the Target Attribute to sourceAnchorBinary

Click Next
On the Transformation page, edit the second rule so that the FlowType is Expression, Target Attribute is sourceAnchor and the source is
- IIF(IsPresent([mS-DS-ConsistencyGuid]),IIF(IsString([mS-DS-ConsistencyGuid]),CStr([mS-DS-ConsistencyGuid]),ConvertToBase64([mS-DS-ConsistencyGuid])),IIF(IsString([objectGUID]),CStr([objectGUID]),ConvertToBase64([objectGUID])))
On the Transformation page, add a third rule so that the FlowType is Expression, Target Attribute is sourceAnchorBinary and the source is
- IIF(IsPresent([mS-DS-ConsistencyGuid]),[mS-DS-ConsistencyGuid],[objectGUID])

Click Save
If prompted with an Expression Warning, click Yes
Repeat for each additional Forest being synchronized
Overriding User ‘AccountEnabled’ and ‘User Common’ Rules for sourceAnchor
Use this process to create a new rule to override each of the default rules
Note the precedence value you’re up to
Click Add New Rule
Provide a meaningful Name for the rule (e.g. In from AD – Override mS-DS-ConsistencyGuid)
Set the Connected System to the Forest you’re configuring for
Set the Connected System Object to user
Set the Metaverse Object Type to person
Set the Link Type to Join
Set the Precedence
Note: Use the lowest precedence value to process this first
Click Next three times
On the Transformations page, click Add transformation
Set FlowType to Expression
Set Target attribute to sourceAnchor
Change the source expression to
- IIF(IsPresent([msExchRecipientTypeDetails]),IIF([msExchRecipientTypeDetails]=2,NULL,IIF(IsPresent([mS-DS-ConsistencyGuid]),IIF(IsString([mS-DS-ConsistencyGuid]),CStr([mS-DS-ConsistencyGuid]),ConvertToBase64([mS-DS-ConsistencyGuid])),IIF(IsString([objectGUID]),CStr([objectGUID]),ConvertToBase64([objectGUID])))),IIF(IsPresent([mS-DS-ConsistencyGuid]),IIF(IsString([mS-DS-ConsistencyGuid]),CStr([mS-DS-ConsistencyGuid]),ConvertToBase64([mS-DS-ConsistencyGuid])),IIF(IsString([objectGUID]),CStr([objectGUID]),ConvertToBase64([objectGUID]))))

Click Add
If prompted with an Expression Warning, click Yes
Repeat for each additional Forest being synchronized
Creating a Rule to Write sourceAnchorBinary back into mS-DS-ConsistencyGuid
Now that we have rules that correctly populate sourceAnchor and sourceAnchorBinary in the Metaverse, we need to create rules that write sourceAnchorBinary back into the on-premises mS-DS-ConsistencyGuid attribute as follows:
Change the rule editor filter to show Outbound rules
Take note of the precedence of the last rule in the list
Click Add new rule
On the Description page, set the Name to Out to AD – mS-DS-ConsistencyGuid
On the Description page, set Connected System to the Forest you’re currently configuring the rule for
On the Description page, set Connected System Object Type to user
On the Description page, set Metaverse Object Type to person
On the Description page, set the Precedence to a value higher than the precedence noted above
Note: Use the highest precedence value to process this last

Click Next three times
On the Transformation page, click Add transformation
In the new transformation set the FlowType to Direct, the Target Attribute to mS-DS-ConsistencyGuid, the Source to sourceAnchorBinary and the Merge Type to Update
Click Add
Repeat for each additional Forest being synchronized
Close the rules editor
Trigger a Full Sync
Open a PowerShell prompt on the ADConnect server and execute
Start-ADSyncSyncCycle -PolicyType Initial
You should now find that users are successfully synchronized to Azure Active Directory and that sourceAnchor is written back into ms-DS-ConsistencyGuid for on-premises objects.
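To check both the starting condition (new users with no ms-DS-Consistency-Guid) and the result of the write-back, the following added example, which is not part of the original post, reports per user which attribute the custom expression selects and the Base64 sourceAnchor it yields. The function name Get-SourceAnchorState and the sample accounts are hypothetical, and the sample GUIDs are constructed.

```powershell
# Added example (not from the original post); function and sample names are hypothetical.
# Reports which attribute IIF(IsPresent([mS-DS-ConsistencyGuid]),[mS-DS-ConsistencyGuid],[objectGUID])
# selects for each user, and whether mS-DS-ConsistencyGuid has been populated yet.
function Get-SourceAnchorState {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User
    )
    process {
        $guidBytes   = ([guid]$User.ObjectGUID).ToByteArray()
        $consistency = $User.'mS-DS-ConsistencyGuid'   # byte[] when populated, otherwise $null
        $present     = ($null -ne $consistency) -and ($consistency.Count -gt 0)
        if ($present) {
            $anchorBytes = [byte[]]$consistency
            $anchorFrom  = 'mS-DS-ConsistencyGuid'
        } else {
            $anchorBytes = $guidBytes
            $anchorFrom  = 'objectGUID'
        }
        # Base64 of the raw bytes, as ConvertToBase64() produces in the sourceAnchor expression.
        $anchor = [Convert]::ToBase64String($anchorBytes)
        if (-not $present) {
            $state = 'Empty'                    # nothing written back for this user yet
        } elseif ($anchor -eq [Convert]::ToBase64String($guidBytes)) {
            $state = 'MatchesObjectGuid'        # equals objectGUID, as the outbound rule writes it
        } else {
            $state = 'DiffersFromObjectGuid'    # value did not come from this object's objectGUID
        }
        [pscustomobject]@{
            SamAccountName  = $User.SamAccountName
            AnchorFrom      = $anchorFrom
            SourceAnchor    = $anchor
            ConsistencyGuid = $state
        }
    }
}

# Constructed sample objects standing in for Get-ADUser output.
$g1 = [guid]'11111111-2222-3333-4444-555555555555'
$g2 = [guid]'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'
$g3 = [guid]'01234567-89ab-cdef-0123-456789abcdef'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'new.user'; ObjectGUID = $g1; 'mS-DS-ConsistencyGuid' = $null }
    [pscustomobject]@{ SamAccountName = 'synced';   ObjectGUID = $g2; 'mS-DS-ConsistencyGuid' = $g2.ToByteArray() }
    [pscustomobject]@{ SamAccountName = 'legacy';   ObjectGUID = $g3; 'mS-DS-ConsistencyGuid' = $g1.ToByteArray() }
)
$sample | Get-SourceAnchorState | Format-Table -AutoSize

# Live directory (ActiveDirectory module, read-only):
# Get-ADUser -Filter * -Properties 'mS-DS-ConsistencyGuid' | Get-SourceAnchorState
```

Rows reported as DiffersFromObjectGuid are worth reviewing before the first sync with the new rules, since those users will be anchored on the value already in the attribute rather than on their objectGUID.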
The Bottom Line
The rule changes configured here use the mS-DS-ConsistencyGuid as the sourceAnchor source, while only copying the objectGuid when mS-DS-ConsistencyGuid has no value or is NULL. The sourceAnchorBinary is then written back to mS-DS-ConsistencyGuid in the on-premises object. We do this so that the sourceAnchorBinary attribute is always used after the initial sync, even after a migration of the user object between Forests.