Delta import completed warnings exported-change-not-reimported - msDS-KeyCredential-Link attribute

Question

Delta import completed warnings exported-change-not-reimported - msDS-KeyCredential-Link attribute

Denis Debijađi 0

Hello everyone

I have a hybrid setup (PHS) in which the clients are Azure Ad Join and users use WHFB with cloud trust to log in to them. In the synchronization service manager, every now and then it gets the status for Delta import completed warnings exported-change-not-reimported for some users, and when I go to the details, it shows me the msDS-KeyCredential-Link attribute. Under the event log, I get the event ID: 6951:" The export change was not confirmed by the import operation". Mention users get Kerberos TGT from DC after logging in with WHFB. This warning seems to be present only when users login to laptops via the corporate network. Anyone know why this warning is showing up, if this is a problem, and how to resolve it? I didn't find anything useful on blogs.

Thank you in advance.

JamesTran-MSFT 32,876 Reputation points Microsoft Employee

2023-09-25T19:34:00.9233333+00:00

@Denis Debijađi

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Denis Debijađi 0 Reputation points

2023-09-27T12:09:04.6533333+00:00
@JamesTran-MSFT

I still get exported-change-not-reimported with the msDS-KeyCredential-Link value after adding Azure AD Sync (MSOLXXXX)user as a member of the Enterprise Key Admins security group and run Initial Sync. We use cloud Kerberos trust technology for WHFB for log in to clients.

I have an additional question unrelated to this case. I intend to filter the synchronization of user objects using attributes, and I have configured a rather complex rule in the synchronization rules editor and customer have more then 2000 users, so I would like to know if there is some possibility of a preview so that I can see what will be affected by the rule before I start the initial synchronization.
When i try this method I always get empty template:

After the synchronization, all changes are staged to be exported. Before you actually make the changes in Microsoft Entra ID, you want to verify that all these changes are correct.

Start a command prompt, and go to %ProgramFiles%\Microsoft Azure AD Sync\bin.

Run csexport "Name of Connector" %temp%\export.xml /f:x.
The name of the Connector is in Synchronization Service. It has a name similar to "contoso.com – Microsoft Entra ID" for Microsoft Entra ID.

Run CSExportAnalyzer %temp%\export.xml > %temp%\export.csv.

You now have a file in %temp% named export.csv that can be examined in Microsoft Excel. This file contains all the changes that are about to be exported.

*Make the necessary changes to the data or configuration, and run these steps again (Import, Synchronize, and Verify) until the changes that are about to be exported are what you expect.

Thank you in advance.

BR

JamesTran-MSFT 32,876 Reputation points Microsoft Employee

2023-09-25T19:34:00.9233333+00:00

@Denis Debijađi

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Denis Debijađi 0 Reputation points

2023-09-27T12:09:04.6533333+00:00

@JamesTran-MSFT

I still get exported-change-not-reimported with the msDS-KeyCredential-Link value after adding Azure AD Sync (MSOLXXXX)user as a member of the Enterprise Key Admins security group and run Initial Sync. We use cloud Kerberos trust technology for WHFB for log in to clients.

I have an additional question unrelated to this case. I intend to filter the synchronization of user objects using attributes, and I have configured a rather complex rule in the synchronization rules editor and customer have more then 2000 users, so I would like to know if there is some possibility of a preview so that I can see what will be affected by the rule before I start the initial synchronization.
When i try this method I always get empty template:

After the synchronization, all changes are staged to be exported. Before you actually make the changes in Microsoft Entra ID, you want to verify that all these changes are correct.

Start a command prompt, and go to %ProgramFiles%\Microsoft Azure AD Sync\bin.

Run csexport "Name of Connector" %temp%\export.xml /f:x.
The name of the Connector is in Synchronization Service. It has a name similar to "contoso.com – Microsoft Entra ID" for Microsoft Entra ID.

Run CSExportAnalyzer %temp%\export.xml > %temp%\export.csv.

You now have a file in %temp% named export.csv that can be examined in Microsoft Excel. This file contains all the changes that are about to be exported.

*Make the necessary changes to the data or configuration, and run these steps again (Import, Synchronize, and Verify) until the changes that are about to be exported are what you expect.

Thank you in advance.

BR

Answer 1

Marilee Turscak-MSFT 27,721 Microsoft Employee

Hi @Denis Debijađi ,

The warning "exported-change-not-reimported" means that the imported object's attributes do not match with the object attribute set when it was last exported. One of the *potential *reasons this happens is the value being deleted or changed in the connected data source after being set through the export of Azure AD Connect.

Are you able to see the value that was exported in the destinated connected data source? Since you mentioned msDS-KeyCredential-Link , it sounds like there could be a permissions issue. Make sure that the following permissions are added:

Add the AADSync account to the "Enterprise Key Admins" group
Make sure you have added all of the permissions and prerequisites for updating this value is shown in this article.
https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync#configure-permissions-for-key-synchronization

You can also try running a full sync cycle with: Start-ADSyncSyncCycle -PolicyType Initial

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base

Let me know if this helps and if you still face this issue.

If the information helped you, please Accept the answer. This will help us and improve searchability for others in the community who may be researching similar questions.

Denis Debijađi 0 Reputation points

2023-09-15T07:31:39.2466667+00:00

Hi @Marilee Turscak-MSFT ,

Yes, I am able to see export values, and it shows values that are deleted and added (export change:update).
I also added the Azure AD Sync user as a member of the Enterprise Key Admins security group and run Initial Sync, but the situation is the same. I still get exported-change-not-reimported with the msDS-KeyCredential-Link value. We use cloud Kerberos trust technology for WHFB.
Denis Debijađi 0 Reputation points

2023-09-27T08:41:28.8966667+00:00

Hi @Marilee Turscak-MSFT ,

Yes, I am able to see export values, and it shows values that are deleted and added (export change:update).
I also added the Azure AD Sync user as a member of the Enterprise Key Admins security group and run Initial Sync, but the situation is the same. I still get exported-change-not-reimported with the msDS-KeyCredential-Link value. We use cloud Kerberos trust technology for WHFB.
Marilee Turscak-MSFT 27,721 Reputation points Microsoft Employee

2023-09-28T21:41:47.7933333+00:00

Denis Debijađi ,

I'm sorry to hear that you are still facing this issue. It sounds like it's an issue with mismatched values then.

What's the conflicting attribute value you are seeing?

If you would like to open a support case to look into your environment, you can send me an email at AzCommunity@microsoft.com ("Attn: Marilee Turscak") and include your subscription ID, and I can get a one-time free case opened for you.

Delta import completed warnings exported-change-not-reimported - msDS-KeyCredential-Link attribute

1 answer

Activity