Question asked by SanderKlaassen-4202

Azure AD Connect and AD Groups' ms-DS-ConsistencyGuid

Hi All,

I'm doing a concept test in a lab environment, migrating groups between on-premises domains (from D12 to D16) that are both synchronized to a single tenant using Azure AD Connect (AADC version 1.5.45.0).
My goal is to migrate a synchronized group to the new domain. Members of a migrated group differ between the old and new domain.
My hope is that Azure AD Connect combines the members and shows all members of the synchronized group in Azure.

I can't get it to work like that; it always shows only the members of the new domain.

Here is what I tried:
• Create a group D12SecGroup in the D12 (old) domain.
• Use ADMT to migrate the group to the new domain (D16) (with SID history, but that plays no role in this scenario).
• In D12\D12SecGroup add User12 as a member; in D16\D12SecGroup add User16 as a member.
• Then write the D12 group's objectGUID to the D16 group's ms-ds-consistencyGUID:

 # Read the old (D12) group and its migrated (D16) counterpart from their own DCs
 $D12SG2 = Get-ADGroup -Identity D12SecGroup2 -Server DC12.domain12.org
 $D16SG2 = Get-ADGroup -Identity D12SecGroup2 -Server DC16.domain16.org
 # Stamp the old group's objectGUID into the new group's mS-DS-ConsistencyGuid; -Server keeps the write in D16
 $D16SG2 | Set-ADGroup -Server DC16.domain16.org -Add @{'mS-DS-ConsistencyGuid'=[GUID]$D12SG2.ObjectGUID}

• Start AADC sync cycle and wait a minute or 2
• Check Azure, and I see only User16 as member

I see this same behavior for security groups and distribution lists.
Is my assumption wrong that it should combine these members?

I don't see the effect of using ms-ds-consistencyGuid.
In the test above, I also created a "control" group where I didn't copy the ms-ds-consistencyGuid. It behaves exactly the same.

Can anyone help me out / point me to documentation or a blog that gives more insight into what this new AADC feature unlocks?
The only documentation I found was:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-migrate-groups
https://dirteam.com/sander/2020/04/03/azure-ad-connect-v1-5-18-0-brings-ms-ds-consistencyguid-als-source-anchor-for-groups/


thanks in advance,
Sander

Tags: windows-active-directory, azure-ad-connect

Just so that I understand correctly, you are trying to migrate the groups from one on-premises domain to another using group writeback? New Azure AD Connect installs default to mS-DS-ConsistencyGuid, which is writable. You can copy the values between forests to change the source object.

daniel-niccoli answered (edited)

You didn't tell us what the Azure AD Connect topology looks like, so I'll be assuming that you are using the "Multiple forests, single Azure AD tenant" topology.


The docs state that "If you have more than one active account or more than one mailbox, the sync engine picks one and ignores the other." The same should apply to security groups. If you are migrating objects from one forest to another, you should exclude the object in the old forest from the sync. Either by deleting the group in the old forest, by deleting the ms-ds-consistencyguid or by setting the value of its adminDescription attribute to "Group_DoNotSync". The group that is synced to the cloud always reflects the setting on-premises. To have users from both the forests in the group, you need to add them to the security group on-premises first.


SanderKlaassen-4202 answered

Thanks for your answer @daniel-niccoli
I indeed have 2 AD forests and a single server running Azure AD Connect to one tenant.

Excluding a group in the old forest will cause a problem, because some members of that group have not yet been migrated to the new domain; they rely on membership of a group in the old domain.

Azure Groups synchronized from those forests offer access to 2 types of azure resources:
- enterprise apps
- distribution groups.

There is a way to work around it. For enterprise apps it's really easy: add the migrated group to allow access to the enterprise app.
But for distribution groups it's a lot more work.
Since they are "universal" AD groups, I can't add members from another forest. I can recreate ~1000 distribution groups in Azure and then nest the synchronised AD distribution groups in the new Azure distribution group.
Current distribution groups have owner/moderation/bypassmod/mustauthtomail2list/nested DG settings etc. for thousands of distribution lists that I need to "copy" to the new Azure distribution group.
I created a script that can do this. However, the state of those current AD-synced lists is not ideal; the exceptions take me days to figure out what the actual state of a distribution group is.
So I came across the new feature in AADC where I hoped AADC would merge members from 2 AD groups into a single Azure AD group, but that doesn't work like I expect it to. Maybe it can be done with custom sync rules, but then I don't exactly see what the group ms-dsConsistencyGuid field does for groups.

I'm down to 8 distribution groups for which I need to figure out why they would fail when I use the current version of the script. Then I can run it in production and this issue no longer blocks my project. But it would be nice if it worked without having to build complex scripts.

I will share the script on GitHub and link it in this thread, in case anyone lands here in the future. The script creates the distribution groups in Azure and adds Azure recipients to the list, removing all dependencies on on-premises AD.


But then I dont exactly see what the group ms-dsConsistencyGuid field does for groups.

It does one thing only: it creates an explicit 1:1 relationship for a synchronized group. If more than one on-premises security group shares the same ms-dsConsistencyGuid, a random one is used. There is no merging. (Not sure what new feature you're talking about that apparently can do this. There is not one.)

There is a way to work around it, for enterprise apps its really easy, add the migrated to group to allow access to the enterprise app.

Are you talking about user assignment to an enterprise app? Because members of nested groups are ignored. Only direct members are respected.


Did you ever find a solution for this? I have always had this problem and nothing has solved it.

The issue is that once a group is copied to the target forest with the ms-ds-consistencyGUID, the groups will be joined in the metaverse. The member list is a 1:1 attribute and can only be projected from one forest. If the target forest has higher precedence and doesn't contain all members, then AADC will start removing users in Azure AD and sync from there.

I've had some success with reconfiguring AADC to "users are represented more than once" across forests and specifying an attribute to match on. This turns off the ms-ds-consistencyGUID rules.

Paired with a new custom rule for groups

Create a new rule In AD - Group Common for all directories (ensuring the target forest has the highest precedence):
• Under Transform, change member from "Update" to "MergeCaseInsensitive".


However I expect this to be very much unsupported.

I, like you, am stuck still having to provision users in the source to retain group membership, and can only cut group sync over to the target once I've finished the migration.

I’ve found some work arounds to help but I ultimately want groups to merge members from both sides!

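The comment above explains why this matters: the member list is projected from only one forest, so any old-forest member missing from the migrated group is silently dropped from Azure AD once the target forest wins precedence. The following is an added pre-cutover check, not code from this thread; it assumes the ActiveDirectory module, the DC names from the question, and that accounts keep their sAMAccountName across the ADMT migration.

```powershell
# Added example: verify the anchor is stamped and report old-forest members that
# the migrated group does not yet contain, before cutting group sync over.
Import-Module ActiveDirectory

function Test-MigratedGroupSync {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [string]$OldServer = 'DC12.domain12.org',   # from the question (assumed lab names)
        [string]$NewServer = 'DC16.domain16.org'
    )
    $old = Get-ADGroup -Identity $GroupName -Server $OldServer -Properties member
    $new = Get-ADGroup -Identity $GroupName -Server $NewServer -Properties member, 'mS-DS-ConsistencyGuid'

    # 1. Anchor check: AADC joins the two objects in the metaverse only when the new
    #    group's mS-DS-ConsistencyGuid equals the old group's objectGUID.
    $anchorOk = $false
    if ($new.'mS-DS-ConsistencyGuid') {
        $anchorOk = ([guid][byte[]]$new.'mS-DS-ConsistencyGuid') -eq $old.ObjectGUID
    }

    # 2. Membership check: resolve each member DN to its sAMAccountName in its own forest
    #    (assumption: ADMT preserved sAMAccountName) and list old-forest members absent from
    #    the new group. These are the accounts that would lose the Azure AD group after cutover.
    $oldNames = $old.member | ForEach-Object {
        (Get-ADObject -Identity $_ -Server $OldServer -Properties sAMAccountName).sAMAccountName }
    $newNames = $new.member | ForEach-Object {
        (Get-ADObject -Identity $_ -Server $NewServer -Properties sAMAccountName).sAMAccountName }
    $missing = @($oldNames | Where-Object { $_ -and ($newNames -notcontains $_) })

    [pscustomobject]@{
        Group          = $GroupName
        AnchorStamped  = $anchorOk
        OldMemberCount = @($oldNames).Count
        NewMemberCount = @($newNames).Count
        MembersAtRisk  = $missing
        SafeToCutOver  = $anchorOk -and ($missing.Count -eq 0)
    }
}

# Usage: run per migrated group and review MembersAtRisk before giving the target
# forest precedence (or before changing the member transform as described above).
Test-MigratedGroupSync -GroupName 'D12SecGroup' | Format-List
```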

Unfortunately I did not.

What I ended up doing:
~20 app permission groups: add the migrated group to the app, so users from both domains have access.
1500 on-prem distribution lists: I wrote a PowerShell script defining 3 functions:

  • Export-DistListToTxt -MailAddresses <one or an array of DL mail addresses> -Delete (switch)
    exports the existing distribution lists to a text file and optionally deletes the on-prem one.

  • Start-AADCSyncAndWait -mail 'distlist1@domain.nl' -Action Delete
    starts Azure AD sync and waits for distlist1@domain.nl to be removed in Azure.

  • New-AzrDistListFromTxt -TxtFile c:\temp\DistList1.txt
    reads the specified text file and creates a distribution list in Office 365 accordingly.

A pretty tedious workaround that cost me a couple of weeks of scripting, with my limited Exchange knowledge, to find all the distribution list features that were used.

GrahamLindsay-5365 answered

Not a bad solution; however, I'm surprised you didn't have any issues with Exchange permissions being lost.

Groups are not soft deleted in Azure but always hard deleted; your process would delete the group and reprovision it. Although you have the same email address and member list, this means that any access granted to that group in Exchange Online would also be lost.


The sync chain is as follows:

Before:
OnPremGroupA--->AzureADGroupA--->ExchangeOnlineGroupA--->GrantedAccessToMailbox

After:
OnPremMigratedGroupA--->AzureADMigratedGroupA--->ExchangeOnlineMigratedGroupA


Since the group is fundamentally a new group, access will not be re-established.
