New Azure AD Connect instance chose wrong source anchor

Question

Migrating to a new Azure AD Connect instance and come across a weird result.

The current Azure AD Connect instance is using ObjectGUID as the source anchor and it says it got that information from Azure AD.

I am installing a new Azure AD Connect instance in staging mode. It informs me that Azure Active Directory is configured to use AD attribute mS-DS-ConsistencyGuid as the source anchor attribute.

Current Azure AD Instance

New Azure AD Connect Installation

Why did the new Azure AD Connect detect mS-DS-ConsistencyGuid if Azure Active Directory is currently using ObjectGuid? I really need to understand what is going on here to ensure nothing is awry with the current setup.

Answer 1

David,

By default, AAD Connect uses the Object GUID to populate the mS-DS-ConsistencyGuid if it is empty. In your case where you are using Object GUID, AAD Connect will use the object GUID to join to the Azure AD account and then write back to the mS-DS-ConsistencyGuid the object GUID value. From that time on, AAD Connect will use the mS-DS-ConsistencyGuid for future AD to AAD account joins. There are a number of scenarios where using the mS-DS-ConsistencyGuid is beneficial such as domain migrations.

Answer 2

I'm having this same concern here.

We have a server running Azure AD Connect where the Source Anchor is objectGUID.

We are about to decom this server, so I've installed the latest version of Azure AD Connect on a new server, and it's pretty much configured in the same way. At the moment the new server has sync disabled and staging enabled.

The only notable difference between the two is that the Source Anchor on the new server is mS-SD-ConsistencyGuid.

When I disable the sync tool on the old server by putting it into staging move, I will enable the sync on the new server and turn off staging mode. But my concern at this point is will it attempt to duplicate the users and entries? Or could something bad happen?