New Azure AD Connect instance chose wrong source anchor

Question

Migrating to a new Azure AD Connect instance and come across a weird result.

The current Azure AD Connect instance is using ObjectGUID as the source anchor and it says it got that information from Azure AD.

I am installing a new Azure AD Connect instance in staging mode. It informs me that Azure Active Directory is configured to use AD attribute mS-DS-ConsistencyGuid as the source anchor attribute.

Current Azure AD Instance

New Azure AD Connect Installation

Why did the new Azure AD Connect detect mS-DS-ConsistencyGuid if Azure Active Directory is currently using ObjectGuid? I really need to understand what is going on here to ensure nothing is awry with the current setup.

Answer 1

David,

By default, AAD Connect uses the Object GUID to populate the mS-DS-ConsistencyGuid if it is empty. In your case where you are using Object GUID, AAD Connect will use the object GUID to join to the Azure AD account and then write back to the mS-DS-ConsistencyGuid the object GUID value. From that time on, AAD Connect will use the mS-DS-ConsistencyGuid for future AD to AAD account joins. There are a number of scenarios where using the mS-DS-ConsistencyGuid is beneficial such as domain migrations.

Answer 2

Microsoft switched to using mS-DS-ConsistencyGuid a while back, the message is simply informative and there will be no impact in a single-forest environment. More details here: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts#using-ms-ds-consistencyguid-as-sourceanchor

Answer 3

Before Azure AD Connect version 1.1.524.0, Azure AD Connect defaulted to the objectGUID attribute for objects as the source anchor. Azure AD Connect version 1.1.553.0 and higher defaults to the mS-DS-ConsistencyGuid for user objects, but objectGUID for groups and computer objects.

This (Part 1) and This (Part 2) article should be able to help you in this transition.

Answer 4

Thanks. I'm aware of the best practice of moving to ms-ds-consistencyguid, but currently I am looking at migrating to a new Azure AD Connect instance like-for-like.

If the existing Azure AD Connect instance uses ObjectGuid as the source anchor attribute and I select ms-ds-consistencyguid in the new Azure AD Connect installation wizard, then the matching will break and Azure AD Connect will do some bad stuff - likely try to create new duplicate objects.

To clarify my questions, I was more interested as to why the Azure AD Connect installation wizard was trying to automatically select ms-ds-consistencyguid if the current instance is ObjectGuid, and wanted to be sure there wasn't something awry going on.

I have performed some further research since and I think I understand why it's trying to guide me to use ms-ds-consistencyguid. I installed a new Azure AD Connect instance in staging mode and selected another source anchor attribute. When I try to install Azure AD Connect from a different server, it now wanted to autoselect that new source anchor attribute. This is a flaw in the product since it means the value in Azure AD does not necessarily match the attribute used by the production AAD Connect instance.

Answer 5

Hi Chris,

I obviously misread the design guide where it says this can also be done through a new installation using the logic that you just described. I have to stop reading older documentation. :-\

I will leave as objectGuid for now since this will require a bit of extra planning in relation to the AD FS rules.

Thanks all for the responses!