Azure AD Connect - procedure to change source of anchor from ObjectSID to Ms-DS-ConsistencyGUID
Gaet_W
We did this previously because we were using extensionAttribute1 because of multiple domains and trying to keep the source anchor consistent across multiple domains.
When we contacted MS about this, we got the following procedure (copied straight from the email we got back). It will require a full disconnect of AADConnect.
- Turn off Directory Synchronization for Microsoft 365 via PowerShell
  - Set-MsolDirSyncEnabled -EnableDirSync $false
  - https://docs.microsoft.com/en-us/microsoft-365/enterprise/turn-off-directory-synchronization?view=o365-worldwide
- Wait 72 hours to change the status of user accounts in the cloud from synced to Cloud Only
- During the 72 hours, obtain the following information:
  - Take note of all settings and configuration modifications in AzureAD Connect. This service resides on aadsyncserver
  - Export all user ImmutableIDs to external CSV file for recovery if needed.
- Verify all users are cloud only, then delete all Immutable IDs from cloud users.
- Verify all users have a null Immutable ID.
- Uninstall AzureAD Connect on sync server.
- Reinstall AzureAD Connect on sync server and configure using ms-ds-consistency-guid as new source anchor
  - In configuration, remove decommissioned domains – domain2.com and domain3.net
    - These domains are no longer in use in Azure.
- UPN and Primary SMTP Address of user accounts on-premise will soft-match with users in the cloud.
- During this sync cycle, on-premise object will sync and obtain a new ImmutableID and place that new attribute in the correct location.
There is no downtime using this method. Just a temporary desync of objects for a weekend.
There is a risk of some passwords becoming unsynced as people reset or change passwords, but we mitigated this by requiring anyone who had a password change near our maintenance window to update it before we started. We also had a process to allow people to access both on-prem resources and office 365 if they did need a password reset.
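The backup, gate, clear and verify steps from the procedure above, scripted as an added example (this is not code from the post or from Microsoft's reply). It assumes the MSOnline module with Connect-MsolService already run, the ActiveDirectory RSAT module for the on-prem comparison, and a constructed backup path; clearing the attribute with the empty string ("$null") rather than a bare $null is the commonly used form for Set-MsolUser and is taken here as an assumption to confirm in your own tenant.

```powershell
# Added example, not from the original post. Assumes MSOnline (Connect-MsolService done)
# and, for step 6, the ActiveDirectory module. $BackupCsv is a constructed path.

$BackupCsv = 'C:\Backup\ImmutableIds-before.csv'   # hypothetical location

# 1. Backup: export every cloud user's current ImmutableID before anything changes,
#    so the old anchors can be restored if the cutover has to be rolled back.
Get-MsolUser -All |
    Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime |
    Export-Csv -Path $BackupCsv -NoTypeInformation

# 2. Turn off directory synchronization (the cmdlet quoted in the post).
Set-MsolDirSyncEnabled -EnableDirSync $false

# 3. Gate: refuse to clear anchors while the tenant still reports sync enabled
#    or while any user is still flagged as synchronized (the 72h window).
function Test-CloudOnlyState {
    $company = Get-MsolCompanyInformation
    if ($company.DirectorySynchronizationEnabled) {
        Write-Warning 'DirSync still enabled in the tenant; wait before clearing ImmutableIDs.'
        return $false
    }
    $stillSynced = @(Get-MsolUser -All -Synchronized)
    if ($stillSynced.Count -gt 0) {
        Write-Warning ("{0} users still show as synchronized; wait before clearing." -f $stillSynced.Count)
        return $false
    }
    return $true
}

# 4. Clear ImmutableIDs only on users that actually have one set.
if (Test-CloudOnlyState) {
    Get-MsolUser -All | Where-Object { $_.ImmutableId } | ForEach-Object {
        # Assumption: "$null" (which expands to the empty string) clears the attribute;
        # a bare $null is typically ignored by the cmdlet.
        Set-MsolUser -UserPrincipalName $_.UserPrincipalName -ImmutableId "$null"
    }
}

# 5. Verify every user now has a null ImmutableID; stop the runbook on any leftover.
$leftover = @(Get-MsolUser -All | Where-Object { $_.ImmutableId })
if ($leftover.Count -gt 0) {
    $leftover | Format-Table UserPrincipalName, ImmutableId
    throw "ImmutableID still set on $($leftover.Count) users; stop before reinstalling AAD Connect."
}

# 6. After AAD Connect is reinstalled with ms-DS-ConsistencyGuid as the source anchor and the
#    first sync has run: confirm each user's new ImmutableID is the base64 form of the on-prem
#    ms-DS-ConsistencyGuid, i.e. that the UPN/SMTP soft-match landed on the right object.
function Compare-Anchor {
    param([string]$Upn)
    $onPrem = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'" -Properties 'ms-DS-ConsistencyGuid'
    if (-not $onPrem) { return 'no on-prem object' }
    $bytes = $onPrem.'ms-DS-ConsistencyGuid'
    if (-not $bytes) { return 'ms-DS-ConsistencyGuid not populated on-prem' }
    $expected = [Convert]::ToBase64String([byte[]]$bytes)
    $cloud = (Get-MsolUser -UserPrincipalName $Upn).ImmutableId
    if ($cloud -eq $expected) { 'match' } else { "MISMATCH cloud=$cloud expected=$expected" }
}

Import-Csv $BackupCsv | ForEach-Object {
    [pscustomobject]@{ UPN = $_.UserPrincipalName; Result = Compare-Anchor -Upn $_.UserPrincipalName }
} | Format-Table -AutoSize
```

Steps 1 to 5 run before the uninstall; step 6 runs after the first sync cycle of the reinstalled connector. The per-user mismatch report is the check worth keeping: a soft-match that pairs a cloud mailbox with the wrong on-prem object is silent otherwise, and the backup CSV is what lets you restore the old anchor for that user.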