Forum Discussion
Problems setting up Azure AD Connect
The default value that syncs an account in the cloud to an account in your AD is your email address.
When you set up AADC you have the option to change your "source anchor", which is what would be used to identify accounts, but that should not change the original matching.
Did you do a full sync or a delta sync? Make sure you try a full sync, then look at the logs to ensure it is syncing two objects.
Start-AdSyncSyncCycle -Policytype Full
Adam
I have tried both
Start-AdSyncSyncCycle -Policytype Initial
Start-AdSyncSyncCycle -Policytype Delta
I have not changed the default source anchor, from what I know at least. Is there any way to check this?
During the setup, I chose:
"Uniquely identifying your users
• User identities exist across multiple directories. Match using:
• Mail attribute
Select how users should be identified with Azure AD
• Let Azure manage the source anchor"
- Adam Ochs, Oct 09, 2018, Steel Contributor
Hey Martin,
That sounds correct and fine. Can you take a look at the logs?
This article shows exactly where you need to go - https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-object-not-syncing
Find the connector you have setup, and the update that is syncing your objects (a new full one should show two), and look for any errors there. If you look at the first SS on that doc, they have selected a connector, and then a task (in this case updates, but you may be adds on a full sync), then the errors should show in the bottom right.
That is your next step to figure out what is going wrong.
If you want, you can come back with screenshots or the error and we would be happy to help.
Adam
- Martin Andersson, Oct 09, 2018, Brass Contributor
Hey!
I ran a Start-AdSyncSyncCycle -PolicyType Initial
Checked the logs; however, I don't see any errors.
The only thing I see is "Connectors with flow updates". Check the print.
I went through all the logs.
No errors from what I could see.
- VasilMichev, Oct 09, 2018, MVP
You need to look at the Export flows. In general, the question you need to answer here is whether you see a new/duplicate account provisioned for the same user in O365? And, whether there are "quarantined" objects due to the duplicate attribute resiliency feature: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-syncservice-duplicate-attribute-resiliency
For general info, objects are being matched between AD and AAD on objectGUID first, and if that fails on the PrimarySMTPAddress (so-called hard-match and soft-match mechanisms). The latter will only work if the ImmutableID is empty. Neither one will work if there are errors/quarantined objects due to duplicate attributes. Matching UPNs will not "link" the two objects, but you can force the matching process using the articles I linked to above.
One other thing, you should not mess with the objectIdentifier/sourceAnchor, unless you have some specific configurations in place. It's not clear to me why you have chosen to use the mail attribute and not leave the default.
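The checks behind the advice in this thread (run a full sync, confirm the source anchor, see whether hard match or soft match can link the on-prem user to the cloud object, and look for objects quarantined by duplicate attribute resiliency) as one added PowerShell example. This is not code posted by anyone in the thread. It assumes it runs on the Azure AD Connect server with the ActiveDirectory, ADSync and MSOnline modules installed and Connect-MsolService already done; the UPN is a constructed sample value, and the global-settings parameter name used to read the source anchor is an assumption about how ADSync exposes it.

```powershell
# Added example (not from the thread): diagnose why an on-prem AD user does not link
# to its existing Azure AD / Office 365 account after an Azure AD Connect sync.
param(
    [string]$UserPrincipalName = 'martin@contoso.example'   # constructed sample value
)

Import-Module ActiveDirectory
Import-Module ADSync
Import-Module MSOnline

# 1. Which attribute is configured as the source anchor? (default: objectGUID,
#    or mS-DS-ConsistencyGuid when "Let Azure manage the source anchor" was chosen).
#    Assumption: ADSync exposes it under this global-settings parameter name.
$anchor = (Get-ADSyncGlobalSettings).Parameters |
    Where-Object { $_.Name -eq 'Microsoft.SynchronizationOption.AnchorAttribute' }
Write-Host "Configured source anchor: $($anchor.Value)"

# 2. For a hard match, Azure AD expects ImmutableId to equal the base64 encoding of
#    the on-prem objectGUID's 16 bytes. Compute what the cloud object should carry.
function Get-ExpectedImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

$adUser = Get-ADUser -Filter { UserPrincipalName -eq $UserPrincipalName } -Properties objectGUID, mail
if (-not $adUser) { throw "No on-prem AD user with UPN $UserPrincipalName" }
$expected = Get-ExpectedImmutableId -ObjectGuid $adUser.ObjectGUID

# 3. Compare with the cloud object to see which matching path, if any, can succeed.
$cloudUser = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
if (-not $cloudUser) {
    Write-Host "No cloud user with that UPN; UPN alone does not link objects, soft match needs the primary SMTP address."
}
elseif ([string]::IsNullOrEmpty($cloudUser.ImmutableId)) {
    Write-Host "Cloud object is cloud-only (ImmutableId empty): soft match on the SMTP address can link it."
}
elseif ($cloudUser.ImmutableId -eq $expected) {
    Write-Host "ImmutableId equals the on-prem objectGUID: hard match links these objects."
}
else {
    Write-Host "ImmutableId holds a different anchor ($($cloudUser.ImmutableId)): neither hard nor soft match will join this object."
    # After confirming it really is the same person, a hard match can be forced by
    # writing the expected value; this is the step the linked articles describe:
    # Set-MsolUser -UserPrincipalName $UserPrincipalName -ImmutableId $expected
}

# 4. Objects quarantined by duplicate attribute resiliency are reported by Azure AD,
#    not as connector run errors, so an error-free run history does not rule them out.
$conflicts = Get-MsolDirSyncProvisioningError -ErrorCategory PropertyConflict
if ($conflicts) {
    $conflicts | Select-Object DisplayName, ObjectId, ProvisioningErrors | Format-List
}
else {
    Write-Host "No duplicate-attribute provisioning errors reported by Azure AD."
}

# 5. Run a full (Initial) sync and wait for all connector runs to finish before
#    inspecting export flows in Synchronization Service Manager.
Start-ADSyncSyncCycle -PolicyType Initial | Out-Null
while (Get-ADSyncConnectorRunStatus) { Start-Sleep -Seconds 10 }
Write-Host "Full sync finished; review the Export step of each connector for errors."
```

Run it for the one user that fails to link; the branch printed in step 3 tells you whether a duplicate cloud account, an empty ImmutableId, or a foreign anchor explains what you see, and step 4 surfaces the quarantined objects that do not appear as errors in the run history.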
- Oct 09, 2018
What happens during sync? Is the AD user created as a second account, or does nothing happen?