Delta import completed warnings exported-change-not-reimported - msDS-KeyCredential-Link attribute

Denis Debijađi 15 Reputation points
2023-09-14T06:35:05.4166667+00:00

Hello everyone

I have a hybrid setup (PHS) in which the clients are Azure Ad Join and users use WHFB with cloud trust to log in to them. In the synchronization service manager, every now and then it gets the status for Delta import completed warnings exported-change-not-reimported for some users, and when I go to the details, it shows me the msDS-KeyCredential-Link attribute. Under the event log, I get the event ID: 6951:" The export change was not confirmed by the import operation". Mention users get Kerberos TGT from DC after logging in with WHFB. This warning seems to be present only when users login to laptops via the corporate network. Anyone know why this warning is showing up, if this is a problem, and how to resolve it? I didn't find anything useful on blogs.

Thank you in advance.

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} votes

3 answers

Sort by: Most helpful
  1. Denis Debijađi 20 Reputation points
    2024-03-01T12:19:44.4466667+00:00

    I can confirm that this issue was resolved by the last Entra ID Connect update for me as well.

    1 person found this answer helpful.
    0 comments No comments

  2. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2023-09-14T21:36:16.8533333+00:00

    Hi @Denis Debijađi ,

    The warning "exported-change-not-reimported" means that the imported object's attributes do not match with the object attribute set when it was last exported. One of the *potential *reasons this happens is the value being deleted or changed in the connected data source after being set through the export of Azure AD Connect.

    Are you able to see the value that was exported in the destinated connected data source? Since you mentioned msDS-KeyCredential-Link , it sounds like there could be a permissions issue. Make sure that the following permissions are added:

    You can also try running a full sync cycle with: Start-ADSyncSyncCycle -PolicyType Initial 

    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base

    Let me know if this helps and if you still face this issue.

    If the information helped you, please Accept the answer. This will help us and improve searchability for others in the community who may be researching similar questions.


  3. Dustin Berkley 5 Reputation points
    2024-02-20T17:05:38.82+00:00

    I have the same issue as explained here. It started happening after we implemented WHfB. The errors never seems to have any real impact, in that users are able to authenticate to their workstation, they are authenticated to the network share, and SSO to MS365 works. The Imported Value and Export Value are always the same. The errors usually show up in the morning, and clear out throughout the day. Also, usually if I do an Initial Sync, or two Delta Syncs in a row, there usually aren't any errors. Also there's usually no errors overnight. My hunch is that it happens when someone uses WHfB to login to their computer, then on the next Delta sync, it throws the issue. It's almost as if the key is getting re-registered, (even though it's the same key) and then it tries to sync, but the update doesn't work because it's not actually an update. It seems harmless enough, but I'd love some insight on this. It seems like something isn't quite right.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.