Azure AD Connect warnings after moving from one server to another

Andreas 1,331 Reputation points
2023-12-14T07:04:53.8433333+00:00

Hi,

We moved our Azure AD Connect from one server to another. We exported the config, imported it, and all seems to be ok. But we do have some Delta Import warnings in the Sync Service Manager. After some suggestions on the internet, we have tried adding the MSOL user to the Enterprise Key Admins security group and running an Initial Sync, but still the same issue. We also tried resetting the MSOL rights with the Azure AD Connect Troubleshoot tool.


Could anyone explain what this problem is? And what impact does it have on the users? No user has yet reported any problems.

Could it be because Device Writeback is not enabled?

Thanks for any answers

/R

Andreas


Accepted answer
  1. Givary-MSFT 35,216 Reputation points Microsoft Employee
    2023-12-14T09:34:32.5866667+00:00

    @Andreas Thank you for reaching out to us. As I understand it, you are trying to investigate the Azure AD Connect warnings after migration: during the delta import sync cycle you get the error/warning exported-change-not-reimported, and on further checking you notice this warning is related to the msDS-KeyCredentialLink attribute.

    "exported-change-not-reimported" means the imported object's attributes don't match the attribute set the object had when it was last exported.

    The msDS-KeyCredentialLink attribute is being written by AAD Connect, then something is removing it before the next cycle re-imports the value.

    To fix these permissions, use Active Directory Users and Computers to grant Read/Write permissions over msDS-KeyCredentialLink to the sync account used by Azure AD Connect in the domain that is synced.
    The permissions should be set at the top of each domain and apply to Descendant User Objects.

    Let me know if you have any further questions, feel free to post back.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
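The permission grant described in the accepted answer, done with PowerShell instead of the ADUC GUI, as an added example that is not part of the thread or of Microsoft's documentation. It assumes the RSAT ActiveDirectory module is installed and uses the placeholder account name 'CONTOSO\MSOL_1234abcd' for the AD DS Connector account; the ACE is scoped to the single attribute and to descendant User objects only, so the sync account gains no wider write rights.

```powershell
# Added example: grant the AD DS Connector account Read/Write on msDS-KeyCredentialLink
# at the domain root, inherited by descendant User objects only.
Import-Module ActiveDirectory

$ConnectorAccount = 'CONTOSO\MSOL_1234abcd'   # placeholder, replace with your own sync account
$DomainDN = (Get-ADDomain).DistinguishedName
$SchemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve the schema GUIDs from the schema partition rather than hard-coding them.
$AttrGuid = [guid](Get-ADObject -SearchBase $SchemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-KeyCredentialLink)' -Properties schemaIDGUID).schemaIDGUID
$UserClassGuid = [guid](Get-ADObject -SearchBase $SchemaNC `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID

$Sid = (New-Object System.Security.Principal.NTAccount($ConnectorAccount)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# ReadProperty + WriteProperty on one attribute ($AttrGuid), applied to
# descendant objects of class User ($UserClassGuid), not to the domain object itself.
$Ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $AttrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserClassGuid)

$Acl = Get-Acl -Path "AD:\$DomainDN"
$Acl.AddAccessRule($Ace)
Set-Acl -Path "AD:\$DomainDN" -AclObject $Acl

# Verify: list the ACEs for the connector account that target this attribute.
(Get-Acl -Path "AD:\$DomainDN").Access |
    Where-Object { $_.IdentityReference -eq $ConnectorAccount -and $_.ObjectType -eq $AttrGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType
```

Run it once per synced domain, as the answer says the permission must be set at the top of each domain; the verification output should show one Allow entry with InheritanceType Descendents.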


1 additional answer

  1. Thameur-BOURBITA 35,436 Reputation points
    2023-12-14T10:34:02.5666667+00:00

    Hi @Andreas

    It seems that the service account used to sync the forest does not have all the required permissions on the OU of the impacted users.

    To fix the permission issue you can refer to the following link:

    Microsoft Entra Connect: Configure AD DS Connector Account Permissions


    Please don't forget to accept the helpful answer

