SOLVED

Problems setting up Azure AD Connect


Hello!

 

I've recently installed Azure AD Connect on one of our DCs.

I've started out with a testing OU with 1 user.

This user also existed in Office365/AzureAD as an "In-cloud" user.

 

I made the user a member of a group called Office365 Sync

I forced the sync, and the user is now synced with on-prem AD.

 

However, I moved my own account into this testing OU and made myself a member of "Office365 Sync".

Forced the sync.

My in-cloud account isn't being converted to a "Synced with local AD" account.

 

I've matched the mail attribute and proxyAddresses.

 

This is my first time setting this up.

 

Basically, the problem is the soft matching: I want my Office365 in-cloud account to become a "Synced with local AD" account.

19 Replies
Is the UPN set on-premises as well, to match the domain in 365?

Hey,

 

Yes, that's correct.

The UPN in AD matches the UPN in AzureAD.

 

 

The default value that syncs an account in the cloud to an account in your AD is your email address.

 

When you set up AADC you have the option to change your "source anchor", which is what would be used to identify accounts, but that should not change the original matching.

 

Did you do a full sync or a delta sync? Make sure you try a full sync, then look at the logs to ensure it is syncing two objects.


Start-ADSyncSyncCycle -PolicyType Initial

 

Adam

Hey Adam!

I have tried both:
Start-ADSyncSyncCycle -PolicyType Initial
Start-ADSyncSyncCycle -PolicyType Delta

I have not changed the default source anchor, from what I know at least. Is there any way to check this?

During the setup, I chose:

"Uniquely identifying your users
• User identities exist across multiple directories. Match using:
•Mail attribute

Select how users should be identified with Azure AD
• Let Azure manage the source anchor"

Hey Martin,

 

That sounds correct and fine. Can you take a look at the logs?

 

This article shows exactly where you need to go - https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-object-not-syncing

 

Find the connector you have set up, and the update that is syncing your objects (a new full one should show two), and look for any errors there. If you look at the first screenshot in that doc, they have selected a connector, and then a task (in this case updates, but you may be looking at adds on a full sync); the errors should then show in the bottom right.

 

That is your next step to figure out what is going wrong.

 

If you want, you can come back with screenshots or the error and we would be happy to help.


Adam
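As an added example (editor's code, not from the thread), the same check Adam describes in Synchronization Service Manager can be done from PowerShell on the AAD Connect server: run the full cycle, list the last run profiles, pull the step counters of the newest run, and confirm the test user's connector-space object was actually joined to a metaverse object (no join means nothing is exported to AAD). The connector name and the user DN are placeholders, and the property names in the output are the ones normally shown by these cmdlets; `Format-List`/`Format-Table` simply omit any that differ in your version.

```powershell
# Added example, not from the thread. Requires the ADSync module on the AAD Connect server.
Import-Module ADSync

$onPremConnector = 'contoso.local'                                   # assumed AD DS connector name
$userDn          = 'CN=Martin,OU=Office365 Sync,DC=contoso,DC=local' # assumed test user DN

# 1. "Initial" is the full import/sync/export cycle; wait for the scheduler to finish it
#    before reading results, otherwise you look at the previous run.
Start-ADSyncSyncCycle -PolicyType Initial
do { Start-Sleep -Seconds 15 } while ((Get-ADSyncScheduler).SyncCycleInProgress)

# 2. Most recent run profiles per connector. Anything other than "success" in Result
#    is what the Operations tab in Synchronization Service Manager would flag.
Get-ADSyncRunProfileResult -NumberRequested 10 |
    Sort-Object StartDate -Descending |
    Format-Table ConnectorName, RunProfileName, Result, StartDate, EndDate -AutoSize

# 3. Step-level counters (staging adds/updates, export adds/updates, error counts) for the newest run.
$latest = Get-ADSyncRunProfileResult -NumberRequested 1 | Select-Object -First 1
Get-ADSyncRunStepResult -RunHistoryId $latest.RunHistoryId | Format-List *

# 4. The user's object in the on-prem connector space. An empty ConnectedMVObjectId means the
#    object was imported but never joined/projected, so it can never reach the AAD connector.
Get-ADSyncCSObject -ConnectorName $onPremConnector -DistinguishedName $userDn |
    Format-List DistinguishedName, ObjectType, ConnectedMVObjectId, ExportError
```

If step 2 shows the AAD connector export completing without errors but the user still shows as in-cloud, the object was most likely not joined (step 4) or was held back in the tenant; the next answer covers that second case.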

What happens during sync? Is the AD user created as a second account, or does nothing happen?

Hey!

I ran a Start-ADSyncSyncCycle -PolicyType Initial
Checked the logs; however, I don't see any errors.


Only thing i see is "Connectors with flow updates"

Check the screenshot.

 

I went through all the logs.
No errors from what i could see.

best response confirmed by Martin Andersson (Brass Contributor)
Solution

You need to look at the Export flows. In general, the question you need to answer here is whether you see a new/duplicate account provisioned for the same user in O365? And, whether there are "quarantined" objects due to the duplicate attribute resiliency feature: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-syncservice-duplicate-...

 

For general info, objects are being matched between AD and AAD on objectGUID first, and if that fails on the PrimarySMTPAddress (the so-called hard-match and soft-match mechanisms). The latter will only work if the ImmutableID is empty. Neither one will work if there are errors/quarantined objects due to duplicate attributes. Matching UPNs will not "link" the two objects, but you can force the matching process using the articles I linked to above.

 

One other thing, you should not mess with the objectIdentifier/sourceAnchor, unless you have some specific configurations in place. It's not clear to me why you have chosen to use the mail attribute and not leave the default.
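The matching logic in the accepted answer, worked through as an added example (editor's code, not the answer's own, and not Microsoft's tooling): with the default source anchor the value AAD Connect writes as sourceAnchor/ImmutableID is the on-prem objectGUID encoded as Base64, so you can compute it yourself, compare it with what the cloud user carries, see whether a soft match on the primary SMTP address is even possible (only while the cloud ImmutableId is empty), list users quarantined by duplicate attribute resiliency, and, if you want to force the link, write the expected ImmutableId onto the cloud-only user before a delta sync. It assumes the RSAT ActiveDirectory module and the MSOnline module with `Connect-MsolService` already run; `Start-ADSyncSyncCycle` only exists on the AAD Connect server. Account names and UPNs are placeholders. One caveat not covered in the thread: if the tenant has the `EnableSoftMatchOnUpn` DirSync feature turned on (`Get-MsolDirSyncFeatures`), UPN is also used for soft matching.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory + MSOnline modules.
Import-Module ActiveDirectory
Import-Module MSOnline

function Get-ExpectedImmutableId {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Default source anchor: the 16 raw bytes of objectGUID, Base64-encoded.
    # This is the value hard-match compares against the cloud ImmutableId.
    $guid = (Get-ADUser -Identity $SamAccountName).ObjectGUID
    [System.Convert]::ToBase64String($guid.ToByteArray())
}

function Test-CloudMatchState {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    $expected = Get-ExpectedImmutableId -SamAccountName $SamAccountName
    $adUser   = Get-ADUser -Identity $SamAccountName -Properties mail, proxyAddresses
    $cloud    = Get-MsolUser -UserPrincipalName $UserPrincipalName

    # The primary SMTP address is the proxyAddresses entry with the upper-case "SMTP:" prefix
    # (the prefix is case-sensitive, hence -clike).
    $onPremPrimary = ($adUser.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' }) -replace '^SMTP:', ''
    $cloudPrimary  = ($cloud.ProxyAddresses  | Where-Object { $_ -clike 'SMTP:*' }) -replace '^SMTP:', ''

    [pscustomobject]@{
        UserPrincipalName   = $UserPrincipalName
        ExpectedImmutableId = $expected
        CloudImmutableId    = $cloud.ImmutableId
        HardMatch           = ($cloud.ImmutableId -eq $expected)
        # Soft match on primary SMTP is only attempted while the cloud ImmutableId is empty.
        SoftMatchEligible   = [string]::IsNullOrEmpty($cloud.ImmutableId)
        PrimarySmtpAgrees   = ($onPremPrimary -eq $cloudPrimary)
        LastDirSyncTime     = $cloud.LastDirSyncTime   # $null = still cloud-only
        HasSyncErrors       = ($cloud.Errors.Count -gt 0)
    }
}

# Users held back by duplicate attribute resiliency surface as provisioning errors on the object.
function Get-QuarantinedCloudUsers {
    Get-MsolUser -HasErrorsOnly -All | Select-Object UserPrincipalName,
        @{ Name = 'Errors'; Expression = { $_.Errors.ErrorDetail.ObjectErrors.ErrorRecord.ErrorDescription } }
}

# Force a hard match: stamp the expected sourceAnchor on the cloud-only user, then delta sync.
# Refuses to overwrite an ImmutableId that is already set (that would re-point an existing link).
function Set-ForcedHardMatch {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    $state = Test-CloudMatchState -SamAccountName $SamAccountName -UserPrincipalName $UserPrincipalName
    if (-not $state.SoftMatchEligible) {
        throw "$UserPrincipalName already has ImmutableId '$($state.CloudImmutableId)'; refusing to overwrite."
    }
    Set-MsolUser -UserPrincipalName $UserPrincipalName -ImmutableId $state.ExpectedImmutableId
    Start-ADSyncSyncCycle -PolicyType Delta
}

# Placeholder accounts for the three-user test OU from the thread.
Test-CloudMatchState -SamAccountName 'martin' -UserPrincipalName 'martin@contoso.com'
Get-QuarantinedCloudUsers
```

Run `Test-CloudMatchState` for each of the accounts first: `SoftMatchEligible = False` with a different `CloudImmutableId` means the cloud object is already linked to something else, and a non-empty `HasSyncErrors` means a duplicate attribute is blocking the export regardless of how the match is attempted. Only call `Set-ForcedHardMatch` once both are clean.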

Hello!


Thanks for all the replies.

Do you think it would be easier for me to just reinstall Azure AD Connect, but just use express settings?

If I understood this correctly, it goes for the ImmutableID first, and if the ImmutableID doesn't match it just stops?

But if the ImmutableID is empty, it checks for a soft match?

 

The OU I'm syncing has 3 accounts.

Account A - This account actually got synced to Office365

Account B - Does not get synced to O365

Account C - Does not get synced to O365

 

All 3 accounts have in-cloud accounts in O365.

 

 

I’d redo it with express settings which works fine in most scenarios! You can always configure additional settings after!

Hey,

 

I'm currently installing it with express settings :)

For starters I want to define, by group, which users get synced.

 

Since this is just a testing-phase.

 

Appreciate all the help I'm getting :)

Great! Let us know how it goes!!

Adam

Hey!

 

It went great, now it syncs like it should.

I have some questions though.

 

In order to change a person's SMTP address, is it by default the proxyAddresses attribute, or do I have to configure Azure AD Connect to sync that attribute as well?

 

With the express settings, is it using hard or soft match?

As I have around 80 other users to convert from in-cloud to "Synced with local AD".

I haven't tried doing it the way you are going about it, but is the ImmutableID now present on both on-prem and cloud identity? If that's the case, you should be able to change SMTP-address locally and it would sync to the cloud.
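As an added example (editor's code, not from the thread), changing an SMTP address the way the reply above describes: once the object is synced, the address is authored on-prem in `proxyAddresses` and `mail`, both of which AAD Connect exports by default (express settings included), and Exchange Online takes the primary address from the single upper-case `SMTP:` entry. The function preserves any non-SMTP entries already on the object, because `-Replace` overwrites the whole multi-valued attribute. It assumes the RSAT ActiveDirectory module; the delta sync line only works on the AAD Connect server. Account and addresses are placeholders.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Set-OnPremSmtpAddresses {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$PrimarySmtp,
        [string[]]$Aliases = @()
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties mail, proxyAddresses

    # -Replace overwrites the whole multi-valued attribute, so keep non-SMTP entries
    # (x500:, SIP:, etc.). -notlike is case-insensitive, so it drops both SMTP: and smtp:.
    $keep = @($user.proxyAddresses | Where-Object { $_ -notlike 'smtp:*' })

    # Exactly one entry carries the upper-case "SMTP:" prefix (the primary / reply address);
    # aliases use lower-case "smtp:". The prefix case is significant to Exchange.
    $new = @("SMTP:$PrimarySmtp") + @($Aliases | ForEach-Object { "smtp:$_" })

    Set-ADUser -Identity $SamAccountName -EmailAddress $PrimarySmtp `
        -Replace @{ proxyAddresses = [string[]]($keep + $new) }

    # Show the result so the primary can be eyeballed before syncing.
    Get-ADUser -Identity $SamAccountName -Properties mail, proxyAddresses |
        Select-Object SamAccountName, UserPrincipalName, mail,
            @{ Name = 'proxyAddresses'; Expression = { $_.proxyAddresses -join ' ' } }
}

Set-OnPremSmtpAddresses -SamAccountName 'martin' -PrimarySmtp 'martin@contoso.com' `
    -Aliases 'm.andersson@contoso.com'

# Push the change to the tenant (AAD Connect server only).
Start-ADSyncSyncCycle -PolicyType Delta
```

The new primary address must be in a domain that is verified in the tenant, otherwise the export for that object fails and the user shows up in the sync errors rather than with the new address.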

As of right now it's working really well.

However, in-cloud we have a lot of distribution groups.

 

Is there a quick way to export and then import these groups, with their members, into the local AD?

Then use Hard/softmatch to pair them together?

 

There is a feature called group writeback, but you'll need a Premium license for that!

 

Here you can find a script that creates objects from your 365 tenant in your AD! Needs a little tweaking though..

http://www.slashadmin.co.uk/how-to-sync-an-existing-office365-tenant-into-a-new-active-directory-dom...

Hey,

 

Thanks!

 

Took a look at that script; I understand some of it.

I would like to just remove some parts in order to only sync the groups.

From what i understood, the script is for Users, contacts & groups

Yes, exactly! It seems to also add the members as well!
Correct, just edit out the users and contacts.
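A groups-only version of what the last few replies describe, as an added example (editor's code; it is not the linked slashadmin script, which is not reproduced here): export every distribution group and its members' primary SMTP addresses from Exchange Online to CSV, then create each group on-prem as a mail-enabled universal distribution group carrying the same primary `SMTP:` address, so that AAD Connect soft-matches it to the existing cloud group the same way it soft-matches users, and populate members by looking up the on-prem object with that `mail` value. Members that have not been synced yet are reported and skipped rather than silently lost. The export half assumes a connected Exchange Online session (`Connect-ExchangeOnline`); the import half assumes the RSAT ActiveDirectory module. The OU path and the sample CSV at the end are constructed placeholders for a `-WhatIf` dry run.

```powershell
# Added example, not from the thread and not the linked script.

# Export side: run with an Exchange Online session connected.
function Export-CloudDistributionGroups {
    param([Parameter(Mandatory)][string]$Path)
    $rows = foreach ($g in Get-DistributionGroup -ResultSize Unlimited) {
        $members = Get-DistributionGroupMember -Identity $g.Identity -ResultSize Unlimited
        [pscustomobject]@{
            Name        = $g.Name
            DisplayName = $g.DisplayName
            Alias       = $g.Alias
            PrimarySmtp = $g.PrimarySmtpAddress.ToString()
            # Primary SMTP is the key later used to find each member on-prem.
            Members     = (@($members | ForEach-Object { $_.PrimarySmtpAddress.ToString() }) -join ';')
        }
    }
    $rows | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

# Import side: run on a machine with the ActiveDirectory module.
function Import-DistributionGroupsToAD {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$TargetOU,
        [switch]$WhatIf
    )
    foreach ($row in Import-Csv -Path $Path) {
        # Look up by mail so re-running the import does not create duplicates.
        $group = Get-ADGroup -Filter "mail -eq '$($row.PrimarySmtp)'"
        if (-not $group) {
            # Same primary "SMTP:" address as the cloud group = what the soft match keys on.
            $group = New-ADGroup -Name $row.Name -SamAccountName $row.Alias -DisplayName $row.DisplayName `
                -GroupScope Universal -GroupCategory Distribution -Path $TargetOU -PassThru -WhatIf:$WhatIf `
                -OtherAttributes @{ mail = $row.PrimarySmtp; proxyAddresses = "SMTP:$($row.PrimarySmtp)" }
        }
        if ($WhatIf) { continue }   # nothing was created, so there is nothing to populate

        foreach ($addr in @($row.Members -split ';' | Where-Object { $_ })) {
            # Get-ADObject rather than Get-ADUser: a member may be a contact or a nested group.
            $member = Get-ADObject -Filter "mail -eq '$addr'"
            if ($member) {
                # Set-ADGroup -Add works for any DN, including contacts, unlike Add-ADGroupMember.
                Set-ADGroup -Identity $group -Add @{ member = $member.DistinguishedName }
            } else {
                Write-Warning "$($row.Name): no on-prem object with mail $addr (not synced yet?), skipped"
            }
        }
    }
}

# Constructed sample export so the import can be dry-run without a tenant connection.
$sample = Join-Path $env:TEMP 'dl-export.csv'
@'
"Name","DisplayName","Alias","PrimarySmtp","Members"
"Sales","Sales Team","sales","sales@contoso.com","martin@contoso.com;anna@contoso.com"
'@ | Set-Content -Path $sample -Encoding UTF8

Import-DistributionGroupsToAD -Path $sample -TargetOU 'OU=Office365 Sync,DC=contoso,DC=local' -WhatIf
```

Create the groups only after the users themselves are showing as synced, otherwise every member lookup warns and the groups arrive in the tenant empty; a second run of the import after the users are in place fills them, since existing groups are found by `mail` and only the membership step runs.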

@Martin Andersson 

 

Same here - same helped ;)

 

You made my day :D
