AD Connect Source Anchor

Question

Hi,

i have multi forest enviroment, account forest and resource forest. Old AD Connect has source acnhor mS-DS-ConsistencyGuid. I installed AD Connect Version: 2.2.1.0, during configuration on "Uniquely identifying your user" page, i choose "Let Azure manage the source anchor for me"

Azure choosed ObjectID as a source anchor. Can this cause a problem?

Server is still in staging mode. Can i start syncronization?

Answer 1

Hi @Mario Grdiša ,

Later versions of Azure AD Connect (in your case 2.2.1.0) use the ms-DS-ConsistencyGuid as the sourceAnchor attribute for User objects, but ObjectGUID is still used for other object types.

Also, for any given on-premises AD user object whose ms-DS-ConsistencyGuid attribute isn't populated, Azure AD Connect writes its ObjectGUID value back to the ms-DS-ConsistencyGuid attribute in on-premises Active Directory. Once an on-premises AD object is imported into Azure AD Connect, you can't change its sourceAnchor value anymore. Reference: Using ms-DS-ConsistencyGuid as sourceAnchor

The ms-DS-ConsistencyGuid attribute is recommended to use as the sourceAnchor attribute when possible, since it is writable. This is valuable in unplanned situations such as accidental user deletion, which may require you to edit the value on-premises to match the on-premises user object with the cloud user object, so this is a potential consequnce of using the ObjectGUID. In the past the wizard would select the “ObjectGUID” because it is a globally unique value. But the disadvantage of using ObjectGUID is that it is not writable and can cause problems in cases of accidental user deletion or multi-forest migration. (I have written a blog postthat discusses these attributes as well.)

Let me know if this helps and if you have further questions.

If the information helped you, please Accept the answer. This will help us and improve discoverability for others in the community who may be researching similar questions.