Forum Discussion
Gaet_W
Oct 15, 2020, Copper Contributor
Azure AD Connect - procedure to change source of anchor from ObjectSID to Ms-DS-ConsistencyGUID
Hello, we are an organization of 1000+ users with ADs (domain and subdomains) linked to Azure AD via Azure AD Connect. Currently the anchor source is ObjectSID, UPN = mail, and Hybrid Exchange. ...
Gaet_W
Oct 27, 2021, Copper Contributor
Before proposing the solution, I invite you to test it, because it depends on your ADDC configuration and your Azure AD Connect, as well as the architecture of your domains.
This solution works under Azure AD Connect version 1.XXX.
The idea is to remap the Azure AD accounts present in the cloud to a user AD object present in another domain.
Prerequisite: your "new" domain must be known to Azure AD.
Scenario:
Our new AD user object will be remapped to the Azure AD account. The old one will remain in its domain before eventual decommissioning in order to be able to do a rollback if necessary.
Procedure:
Each new AD object has a SID, which is used for rematching.
Please make a backup of the old AD accounts and Azure AD accounts to a CSV, with the attributes SamAccount, Username, Mail, SID for AD and UserPrincipalName, ImmutableID, ObjectID for Azure.
It is advisable to temporarily stop your Azure AD sync in order not to launch a sync during your manipulations. But if your CSV and PowerShell scripts are performing well, it is not necessary!
Procedure for an account
Retrieve the information of your New User Object
Get-ADUser -Server XXXX -Filter {sAMAccountName -eq "SamAccount"} | Select-Object SamAccountName, SID, UserPrincipalName | Export-Csv -Path C:{yourPath}
When you have your information, you can already create the new ImmutableID, which will allow the matching of the two accounts. To do this, we take the SID of our new user and parse it with the PowerShell commands below, then we store the ImmutableID in a separate CSV or in the same CSV.
# $user is the object returned by Get-ADUser above
$userSid = $user.SID
$SidStrAc = $userSid.Value
$ot = New-Object System.Security.Principal.SecurityIdentifier($SidStrAc)
$c = New-Object 'byte[]' $ot.BinaryLength
$ot.GetBinaryForm($c, 0)
# Optional: hex representation of the binary SID, useful for checking
$out = ''
$c | ForEach-Object { $out += ("{0:x2}" -f $_) }
# The Base64 form of the binary SID is the value used as ImmutableID
$strB64SID = [System.Convert]::ToBase64String($c)
Now you have your ImmutableID linked to your new user.
We'll move on to the rematching stage.
1. Move your old USER to an OU not synchronized with Azure AD. By performing this step, the Azure AD account linked to your old AD account will be moved to the deleted users.
2. Go to Azure AD and restore the account. It will become Cloud Only (isolated from AD), but you will not lose any data (retention).
3. Via PowerShell, you will now force the new ImmutableID:
Set-MsolUser -UserPrincipalName YOURUSERNAME -ImmutableId YOURNEWIMMUTABLEID
4. Make sure the new ImmutableID is added to your Azure AD account:
Get-MsolUser -UserPrincipalName YOURUSERNAME | Select-Object UserPrincipalName, ImmutableId, ObjectId
5. Go to your other ADDC and move your new account from a non-synchronized OU to a synchronized OU. Force the sync if necessary.
6. It is possible that your account will revert to a deleted user, as the matching of the account in the Azure AD sync database did not work correctly.
Don't panic: go back to Azure AD, restore your account again and re-sync your Azure AD.
7. If you need to change the UserPrincipalName, do it now by forcing the new one with this command:
Set-MsolUserPrincipalName -UserPrincipalName OLDUSERNAME -NewUserPrincipalName NEWUSERNAME
Known problems:
Problem matching mailboxes between Exchange ECP and Exchange Online after the move.
To fix this, you often have to rematch the information from your Exchange ECP and your Exchange Online, which is often linked to the Archive under ECP.
Here is an article about this problem: https://www.2azure.nl/2019/10/08/how-to-solve-failed-to-sync-the-archiveguid-in-office-365-manual/
Gaet_W
Oct 27, 2021, Copper Contributor
About the rollback procedure: if you have saved the ImmutableID of your old account, redo the operation with this old ImmutableID. This will remap the old AD user to the corresponding Azure AD account.
If you did not save the ImmutableID of your old account, then you will have to rerun the parsing code for the SID attribute before launching the rematching procedure.
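As an added example (not code from the original posts), here is the SID-to-ImmutableID conversion from the procedure above wrapped as a function, together with the reverse decoding, so that a value about to be forced with Set-MsolUser, or a saved old ImmutableID from the rollback reply, can be checked against the SID you expect before anything is changed. The sample SID, the CSV paths and the SID column name are constructed assumptions.

```powershell
# Added example, not from the original post. Derives an ImmutableID from a SID
# the way the thread does, and decodes one back to a SID for verification.
function ConvertTo-ImmutableIdFromSid {
    param([Parameter(Mandatory)][string]$SidString)
    $sid   = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    $bytes = New-Object 'byte[]' $sid.BinaryLength
    $sid.GetBinaryForm($bytes, 0)
    [System.Convert]::ToBase64String($bytes)
}

function ConvertFrom-ImmutableIdToSid {
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [System.Convert]::FromBase64String($ImmutableId)
    # Binary SID layout: revision(1) + sub-authority count(1) + authority(6) + 4 bytes per sub-authority.
    # A 16-byte value is an objectGUID-based anchor, not a SID, and is reported as such.
    if ($bytes.Length -lt 8 -or $bytes.Length -ne (8 + 4 * $bytes[1])) {
        throw "Not a SID-derived ImmutableID ($($bytes.Length) bytes); probably an objectGUID-based anchor"
    }
    (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}

# Constructed sample SID; not a real account.
$newSid      = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$immutableId = ConvertTo-ImmutableIdFromSid -SidString $newSid
"$newSid -> $immutableId"

# Round-trip check before forcing the value with Set-MsolUser.
if ((ConvertFrom-ImmutableIdToSid -ImmutableId $immutableId) -ne $newSid) {
    throw 'Round-trip mismatch; do not force this ImmutableID'
}

# Bulk variant for the backup CSV from the procedure (assumed column name: SID).
# Adds an ImmutableID column so old and new values sit side by side for rollback.
$inCsv  = 'C:\temp\new-users.csv'                     # assumed path
$outCsv = 'C:\temp\new-users-with-immutableid.csv'    # assumed path
if (Test-Path $inCsv) {
    Import-Csv -Path $inCsv |
        Select-Object *, @{ Name = 'ImmutableID'; Expression = { ConvertTo-ImmutableIdFromSid -SidString $_.SID } } |
        Export-Csv -Path $outCsv -NoTypeInformation
}
```

Running ConvertFrom-ImmutableIdToSid on the ImmutableID currently held by the Azure AD account tells you whether it was SID-derived at all; a 16-byte value means the existing anchor is objectGUID-based and the saved value must be treated accordingly during rollback.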