Multi-tenant sync and Azure AD Connect source anchor error

wmtechlab 1 Reputation point
2022-09-09T16:38:36.773+00:00

Hello,

I'm working on a configuration that involves syncing users from one on-premises Active Directory domain to both Tenant A and Tenant B. The domain currently syncs user and other objects to Tenant A with Azure AD Connect. When I install a second Azure AD Connect specifically for Tenant B and configure it to look at the same domain, I'm warned that the source anchor attribute ms-DS-ConsistencyGuid is already in use. Which it is - by Active Directory and Tenant A.

According to the documentation, this topology is now supported and apparently the same source anchor can be used for syncing multiple tenants. So why this error? It's a concern. I see that I can run Azure AD Connect with a particular switch that omits the check but I'm worried proceeding might have serious repercussions for objects already synced to Tenant A. Is my only or safest option to customise and select a different immutable attribute as a source anchor for syncing to Tenant B?

Thanks,
Tara


2 answers

  1. KurtBMayer 836 Reputation points
    2022-09-09T17:30:23.217+00:00

    @wmtechlab

    See this article for some more information on the warning: KnowledgeBase: You receive “the mS-DS-ConsistencyGuid attribute is already in use” when you change the source anchor on a Staging Mode Azure AD Connect installation.

    Is it possible there is/was a staging server in either environment, or another AD Connect installed? Check on this and proceed with caution.

    Please upvote or accept this thread as answered if it's helpful, thanks!


  2. wmtechlab 1 Reputation point
    2022-09-09T17:38:32.24+00:00

    Yeah, I saw that article. This is not the situation.

    I just attempted the same configuration in my own lab and while Azure AD Connect completed its install and is linked to Tenant B, it selected ObjectGUID as the source anchor. When I re-ran Azure AD Connect and opted to "Change Source Anchor" it told me I could not change the source anchor to ms-DS-ConsistencyGUID as it was already in use.

    It would appear the documentation is incorrect in stating the same source anchor can be used to sync the same object to multiple tenants, unless I have misunderstood it. I may need to think about another attribute for source anchor, perhaps employeeID.

    Thanks
    Tara

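One way to see which anchor value each tenant holds for a user before changing anything, as an added example that is not from the thread or from Microsoft's documentation. It assumes an export of on-premises users and of each tenant's UserPrincipalName and ImmutableId pairs; the function names, the keying by UPN, and all sample values are constructed for illustration.

```powershell
# Added example. Function names are hypothetical; sample data is constructed.
# Real on-premises input could come from:
#   Get-ADUser -Filter * -Properties objectGUID,'mS-DS-ConsistencyGuid'
function ConvertTo-ImmutableId {
    # A tenant's ImmutableId is the Base64 form of the anchor's 16 GUID bytes.
    param([Parameter(Mandatory)][Guid]$Guid)
    [Convert]::ToBase64String($Guid.ToByteArray())
}

function Get-ExpectedAnchor {
    # Use mS-DS-ConsistencyGuid when populated, otherwise fall back to objectGUID.
    param([Parameter(Mandatory)]$AdUser)
    $bytes = $AdUser.'mS-DS-ConsistencyGuid'
    if ($bytes -and $bytes.Length -eq 16) {
        $id = [Convert]::ToBase64String([byte[]]$bytes)
        return [pscustomobject]@{ Source = 'mS-DS-ConsistencyGuid'; ImmutableId = $id }
    }
    [pscustomobject]@{ Source = 'objectGUID'; ImmutableId = ConvertTo-ImmutableId $AdUser.objectGUID }
}

function Compare-TenantAnchor {
    # $Tenants maps tenant name -> hashtable of UPN -> ImmutableId (assumed export shape).
    param([Parameter(Mandatory)]$AdUsers, [Parameter(Mandatory)][hashtable]$Tenants)
    foreach ($u in $AdUsers) {
        $expected = Get-ExpectedAnchor $u
        foreach ($name in ($Tenants.Keys | Sort-Object)) {
            $actual = $Tenants[$name][$u.UserPrincipalName]
            # -ceq: Base64 is case-sensitive, PowerShell's -eq is not.
            $status = if (-not $actual) { 'NotSynced' } elseif ($actual -ceq $expected.ImmutableId) { 'Match' } else { 'Mismatch' }
            [pscustomobject]@{ User = $u.UserPrincipalName; Tenant = $name
                               AnchorSource = $expected.Source; Status = $status }
        }
    }
}

# Constructed sample: alice's ConsistencyGuid equals her objectGUID; carol's does not.
$alice = [Guid]'11111111-1111-1111-1111-111111111111'
$carol = [Guid]'33333333-3333-3333-3333-333333333333'
$carolAnchor = [Guid]'44444444-4444-4444-4444-444444444444'
$adUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.test'; objectGUID = $alice; 'mS-DS-ConsistencyGuid' = $alice.ToByteArray() }
    [pscustomobject]@{ UserPrincipalName = 'carol@example.test'; objectGUID = $carol; 'mS-DS-ConsistencyGuid' = $carolAnchor.ToByteArray() }
)
# Tenant B is anchored on objectGUID here, as in the lab result described in the second answer.
$tenants = @{
    TenantA = @{ 'alice@example.test' = ConvertTo-ImmutableId $alice; 'carol@example.test' = ConvertTo-ImmutableId $carolAnchor }
    TenantB = @{ 'alice@example.test' = ConvertTo-ImmutableId $alice; 'carol@example.test' = ConvertTo-ImmutableId $carol }
}
Compare-TenantAnchor $adUsers $tenants | Format-Table
```

A `Mismatch` row marks an object whose ImmutableId in that tenant was not derived from the value currently in mS-DS-ConsistencyGuid, which is the case to review before switching that tenant's source anchor.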
