Multi-tenant sync and Azure AD Connect source anchor error

Tara WM 1 Reputation point


I'm working on a configuration that involves syncing users from one on-premises Active Directory domain to both Tenant A and Tenant B. The domain currently syncs user and other objects to Tenant A with Azure AD Connect. When I install a second Azure AD Connect specifically for Tenant B and configure it to look at the same domain, I'm warned that the source anchor attribute ms-DS-ConsistencyGuid is already in use. Which it is - by Active Directory and Tenant A.

According to the documentation, this topology is now supported and apparently the same source anchor can be used for syncing multiple tenants. So why this error? It's a concern. I see that I can run Azure AD Connect with a particular switch that omits the check but I'm worried proceeding might have serious repercussions for objects already synced to Tenant A. Is my only or safest option to customise and select a different immutable attribute as a source anchor for syncing to Tenant B?



2 answers

  1. KurtBMayer 826 Reputation points

    @Tara WM

    See this article for some more information on the warning: KnowledgeBase: You receive “the mS-DS-ConsistencyGuid attribute is already in use” when you change the source anchor on a Staging Mode Azure AD Connect installation.

    Is it possible there is/was a staging server in either environment, or another AD Connect installed? Check on this and proceed with caution.

    Please upvote or accept this thread as answered if it's helpful, thanks!


  2. Tara WM 1 Reputation point

    Yeah, I saw that article. This is not the situation.

    I just attempted the same configuration in my own lab, and while Azure AD Connect completed its install and is linked to Tenant B, it selected ObjectGUID as the source anchor. When I re-ran Azure AD Connect and opted to "Change Source Anchor", it told me I could not change the source anchor to ms-DS-ConsistencyGUID as it was already in use.

    It would appear the documentation is incorrect in stating the same source anchor can be used to sync the same object to multiple tenants, unless I have misunderstood it. I may need to think about another attribute for source anchor, perhaps employeeID.

