dbird03 asked:
Azure AD Connect sync service configuration differences with swing migration

I'm performing a swing migration and using the Azure AD Connect Configuration Documenter tool to compare the sync service configuration on the two servers while the new server is in staging mode. The two servers are running different versions of Azure AD Connect (hence why the swing migration is needed). I initially found three inbound custom rules that were created on the current (soon to be decommissioned) server, and I was able to export them and import them into the new server. I re-ran the tool with the updated configurations, and the three custom rules are fine now, but the report is still showing a lot of differences between the servers. Most of the differences are metaverse attributes and transformation attributes of built-in inbound/outbound rules. The new server has some attributes that are not present on the current server but is also missing some attributes that are present on the current server.

How do I know what changes should/should not be made? Are these differences due to different versions of Azure AD Connect? Are the differences caused by a mistake I made during the custom install of Azure AD Connect on the new server? I know the tool can generate a PowerShell script of changes to save me the manual work, but I'm not comfortable running it without knowing why these differences exist.



azure-ad-connect

1 Answer

shashishailaj answered:

Hello @dbird03,

You have mentioned that "Most of the differences are metaverse attributes and transformation attributes of built-in inbound/outbound rules. The new server has some attributes that are not present on the current server but also has missing some attributes that are present on the current server." There could be a few possible reasons for that.

  • You might want to check the attributes to find out exactly why they are different. The most common thing that could happen is that, on the new server, mS-DS-ConsistencyGuid was selected as the source anchor during installation. This may cause some changes in rules that you would otherwise see differently. You will need to manually check this or evaluate the output for the attributes.

  • A schema refresh may have been done in the local Active Directory since the old AD Connect server was configured. The schema refresh would have caused some new attribute additions and deletions, which are evident on the new AD Connect server because we installed the new server recently. You could try to do a schema refresh on the old AD Connect server, but you need to make sure that no default sync rules have been customized, because a schema refresh does not touch custom rules that were created by duplicating existing sync rules, but it does recreate the default rules as they were. So if your old server has any customization in the existing default sync rules, it will be rewritten with the default AAD Connect configuration of that specific version. Mostly it does not change much, but sometimes you may see small changes.

  • The Directory Extensions may be different in the two AD Connect configurations, due to which the attributes are different.

The above are the possible reasons I can think of off the top of my head, and I have linked them with relevant articles. I would suggest that you go through the detailed articles to understand more. I would not say that you have made any mistake; it is just a slightly different configuration. If you want to read about the changes and bug fixes between the two versions you have, you can check the Version release history; even that may give you some more insights. Also, without looking at the configuration it is very difficult for anyone to know why some attributes are mapped in a certain way as per the AAD config documenter output. In this case, I would suggest that you open a support case with us to clarify any doubts before making any changes using the PowerShell script, as you rightly said.

Hope this helps. In case the information provided in the post helps you, please do mark it as the answer so that it is useful for other members of the community. If you have any further queries, please let us know and we will be happy to help.

Thank you.



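The answer above lists possible causes (a different source anchor, a schema refresh that rewrote built-in rules, different directory extensions) but leaves the reader to inspect the rules by hand. The following PowerShell is an added example, not code from the thread or from the Configuration Documenter, showing how to take a snapshot of the sync rules on each server with the ADSync module that ships with Azure AD Connect and diff them rule by rule, while also reporting whether each differing rule is a standard (built-in) rule or a custom one and whether the two servers use the same source anchor. It assumes the `Get-ADSyncRule` and `Get-ADSyncGlobalSettings` cmdlets with the property names used below (`Precedence`, `ImmutableTag`, `IsStandardRule`, `AttributeFlowMappings`), and it assumes the global-settings parameter `Microsoft.SynchronizationOption.AnchorAttribute` holds the chosen source anchor; the function names and file paths are hypothetical.

```powershell
# Added example (not part of the original thread). Export a snapshot of the
# Azure AD Connect sync rules on one server, then compare two snapshots.
# Assumed: ADSync module cmdlets Get-ADSyncRule / Get-ADSyncGlobalSettings and
# the global-settings parameter name for the source anchor.

function Export-SyncRuleSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    Import-Module ADSync -ErrorAction Stop

    $rules = Get-ADSyncRule | ForEach-Object {
        [pscustomobject]@{
            Name           = $_.Name
            Direction      = [string]$_.Direction
            Precedence     = $_.Precedence
            ImmutableTag   = $_.ImmutableTag      # the "Tag" column in the documenter report
            IsStandardRule = $_.IsStandardRule    # built-in rule (rewritten on upgrade/schema refresh) vs custom
            Disabled       = $_.Disabled
            # Flatten each attribute flow to one comparable string:
            # "<destination> <= <expression or source attributes>"
            Flows          = @($_.AttributeFlowMappings | ForEach-Object {
                $src = if ($_.Expression) { $_.Expression } else { ($_.Source -join ',') }
                '{0} <= {1}' -f $_.Destination, $src
            })
        }
    }

    # Assumed parameter name for the source anchor (objectGUID vs mS-DS-ConsistencyGuid).
    $settings = Get-ADSyncGlobalSettings
    $anchor = ($settings.Parameters |
        Where-Object Name -eq 'Microsoft.SynchronizationOption.AnchorAttribute').Value

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        AnchorAttribute = $anchor
        Rules           = $rules
    } | Export-Clixml -Path $Path
}

function Compare-SyncRuleSnapshot {
    param(
        [Parameter(Mandatory)][string]$OldPath,
        [Parameter(Mandatory)][string]$NewPath
    )
    $old = Import-Clixml -Path $OldPath
    $new = Import-Clixml -Path $NewPath

    if ("$($old.AnchorAttribute)" -ne "$($new.AnchorAttribute)") {
        Write-Warning ('Source anchor differs: {0}={1}, {2}={3}' -f
            $old.Computer, $old.AnchorAttribute, $new.Computer, $new.AnchorAttribute)
    }

    $oldByName = @{}; foreach ($r in $old.Rules) { $oldByName[$r.Name] = $r }
    $newByName = @{}; foreach ($r in $new.Rules) { $newByName[$r.Name] = $r }
    $names = @($oldByName.Keys) + @($newByName.Keys) | Sort-Object -Unique

    foreach ($name in $names) {
        $o = $oldByName[$name]; $n = $newByName[$name]
        if (-not $n) { "[$name] only on $($old.Computer) (IsStandardRule=$($o.IsStandardRule))"; continue }
        if (-not $o) { "[$name] only on $($new.Computer) (IsStandardRule=$($n.IsStandardRule))"; continue }

        # Scalar properties: precedence, tag, standard/custom flag, disabled state.
        foreach ($prop in 'Precedence', 'ImmutableTag', 'IsStandardRule', 'Disabled') {
            if ("$($o.$prop)" -ne "$($n.$prop)") { "[$name] ${prop}: $($o.$prop) -> $($n.$prop)" }
        }

        # Attribute flows present on one side only.
        $diff = Compare-Object -ReferenceObject @($o.Flows) -DifferenceObject @($n.Flows)
        foreach ($d in $diff) {
            $side = if ($d.SideIndicator -eq '<=') { $old.Computer } else { $new.Computer }
            "[$name] flow only on ${side}: $($d.InputObject)"
        }
    }
}

# Usage (hypothetical paths):
#   on $OldServer:  Export-SyncRuleSnapshot -Path "C:\Temp\$env:COMPUTERNAME-rules.xml"
#   on $NewServer:  Export-SyncRuleSnapshot -Path "C:\Temp\$env:COMPUTERNAME-rules.xml"
#   then anywhere:  Compare-SyncRuleSnapshot -OldPath .\OLD-rules.xml -NewPath .\NEW-rules.xml
```

The useful check is the `IsStandardRule` flag on each differing rule: a difference in a standard rule between two product versions is expected and should be left to the newer server's defaults, whereas a standard rule that was edited in place on the old server (rather than cloned into a custom rule) will silently lose that edit on the new server, which is exactly the case the answer warns about for schema refreshes. Run the export on both servers under a read-only account, and treat the diff output as the list of rules to inspect before applying any script the documenter generates.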

@shashishailaj, thank you for your reply. I will be using the following variables to refer to the two servers in the swing migration:

$OldServer = Active server that will be decommissioned, AAD Connect is exporting changes

$NewServer = New server, AAD Connect is in staging mode

  • When I was performing a custom install of Azure AD Connect on $NewServer, I selected "Choose a specific attribute: objectGUID" for how users should be uniquely identified in Azure AD, since there was a message telling me Azure is currently synchronized using objectGUID. (Screenshot: 2993-identifying-users.png)

  • To the best of my knowledge, we have not done anything in our environment that would have changed our on-prem AD schema since Azure AD Connect was first installed on $OldServer years ago.

  • I did confirm Directory Extensions are the same between the servers. In the Global Settings section of the report, Microsoft.OptionalFeature.DirectoryExtensionAttributes lists all the attributes and there are no differences highlighted.

I read through the Version release history page to see if I could find any explanations for the differences in my report, but I didn't find any relevant information.


As an example of a difference, I've included a screenshot of the "In from AD - Computer Join" synchronization rule with my questions below. (Screenshot: 2908-capture.png)

  1. Why is Precedence different?

  2. Why is Tag different?

  3. Why does cloudFiltered and deviceOSType reference "WINDOWS" on $OldServer's configuration, but not $NewServer?

  4. Why does displayName reference "dNSHostName" on $OldServer's configuration, but not $NewServer?

  5. Why is distinguishedName in $OldServer's configuration but not in $NewServer's configuration?

I did open a support case with the goal of understanding why these differences exist before I make any changes, but I am still waiting on a definitive answer. I created a forum post in addition to opening a support case since I figured I can't be the first person with these questions and probably won't be the last person either.
