Forum Discussion

Martin Andersson's avatar
Martin Andersson
Brass Contributor
Oct 09, 2018

Problems setting up Azure AD Connect

Hello!   Ive recently installed Azure AD Connect on one of our DCs. Ive started out with an testing OU with 1 user. This user also existed in Office365/AzureAD as "In-cloud" user.   I made the ...
Azure AD
office 365
  • VasilMichev's avatar
    VasilMichev
    Oct 09, 2018

    You need to look at the Export flows. In general, the question you need to answer here is whether you see a new/duplicate account provisioned for the same user in O365? And, whether there are "quarantined" objects due to the duplicate attribute resiliency feature: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-syncservice-duplicate-attribute-resiliency

     

    For general info, objects are being matched between AD and AAD on objectGUID first, and if that fails on the PrimarySMTPAddress (so-called hard-match and soft-match mechanisms). The later will only work if the ImmutableID is empty. Neither one will work if there are errors/quarantined object due to duplicate attributes. Matching UPNs will not "link" the two objects, but you can force the matching process using the articles I linked to above.

     

    One other thing, you should not mess with the objectIdentifier/sourceAnchor, unless you have some specific configurations in place. It's not clear to me why you have chosen to use the mail attribute and not leave the default.

adam deltinger's avatar
adam deltinger
MVP
UPN is set as well on premises , to match the Domain in 365?
Martin Andersson's avatar
Martin Andersson
Brass Contributor
Oct 09, 2018

Hey,

 

Yes thats correct.

UPN in AD matches the UPN in AzureAD

 

 

  • Adam Ochs's avatar
    Adam Ochs
    Steel Contributor
    Oct 09, 2018

    The default value that syncs an account in the cloud to an account in your AD is your email address.

     

    When you setup AADC you have to option to change your "source anchor" which is what would be used to identify accounts, but that should not change the original matching.

     

    Did you do a full sync or a delta sync? Make sure you try a full sync, then look at the logs to ensure it is syncing two objects.


    Start-AdSyncSyncCycle -Policytype Full

     

    Adam

    • Martin Andersson's avatar
      Martin Andersson
      Brass Contributor
      Oct 09, 2018
      Hey Adam!

      I have tried both
      Start-AdSyncSyncCycle -Policytype Initial
      Start-AdSyncSyncCycle -Policytype Delta

      I have not changed the default source anchor, from what i know atleast, is there any way to check this?

      During the setup, i choose.

      "Uniquely identifying your users
      • User identities exist across multiple directories. Match using:
      •Mail attribute

      Select how users should be identified with Azure AD
      • Let Azure manage the source anchor"

      • Adam Ochs's avatar
        Adam Ochs
        Steel Contributor
        Oct 09, 2018

        Hey Martin,

         

        That sounds correct and fine. Can you take a look at the logs?

         

        This article shows exactly where you need to go - https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-object-not-syncing

         

        Find the connector you have setup, and the update that is syncing your objects (a new full one should show two), and look for any errors there. If you look at the first SS on that doc, they have selected a connector, and then a task (in this case updates, but you may be adds on a full sync), then the errors should show in the bottom right.

         

        That is your next step to figure out what is going wrong.

         

        If you want, you can come back with screenshots or the error and we would be happy to help.


        Adam

Share