Is there a way to have AD Connect sync to a new Active Directory because the old Active Directory crashed and cannot be recovered?

Goh Wee Suah 1 Reputation point
2022-05-30T10:21:52.617+00:00

Background:
We lost the AD Server because the disk crashed. Unfortunately, we were not able to find any good backup to restore.
The AD was ADConnected to the Azure AD.
After the disk crash, we are still operating on the AD objects that were synced to the Azure AD.

Recovery:
We built a new AD with the same names. We then synced to the Azure AD, but the existing objects were not synced because there was no SourceAnchor and the SIDs were all different.

Advice Needed:
Is there a way to set the sourceAnchors and link the Azure AD objects to the new AD objects?

Thanks in advance.
Regards,
WeeSuah

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Microsoft Security | Microsoft Entra | Microsoft Entra ID

5 answers

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2022-05-30T20:33:16.92+00:00

    Hi @Goh Wee Suah ,

    To map your Azure AD objects to their on-premises counterparts, you would need to perform either a hard match or a soft match. A match on sourceAnchor is known as a hard match, whereas a match on userPrincipalName and proxyAddresses is known as a soft match. When Azure AD finds an object coming from Connect whose attribute values are the same as those of an object already present in Azure AD, the object in Azure AD is taken over by Connect and overwritten with the on-premises values.

    If you haven't seen it already, the guide Azure AD Connect: When you have an existing tenant goes over this scenario.

    As discussed in the guide, one option is to export the list of users and their attributes via PowerShell (using Get-MsolUser or Get-AzureADUser) or the Graph API. Then you would leverage the exported data to recreate them in AD and "match" the on-premises users with the cloud ones.

    Additional resources:

    How to use SMTP matching to match on-premises user accounts to Office 365 user accounts for directory synchronization

    How to Sync an Existing Office365 Tenant into a New Active Directory Domain

    -

    If the information provided was helpful to you, please remember to "mark as answer" so that others in the community with similar questions can more easily find a solution.


  2. Goh Wee Suah 1 Reputation point
    2022-05-31T02:35:26.427+00:00

    Thank you for the reply.
    I will check out the solution.
    Many thanks.


  3. Goh Wee Suah 1 Reputation point
    2022-05-31T07:25:16.903+00:00

    Hi @Marilee Turscak-MSFT ,
    I have tried your advice, but it is not working for my situation.
    My 365 users already have sync attributes, so AD Connect failed as follows.

    Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses SMTP:******@mydomain.com;]. Correct or remove the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.

    Tracking Id: 434c0b13-5eb8-45dc-96ea-a5a1555d4c34
    ExtraErrorDetails:
    [{"Key":"ObjectId","Value":["6a964425-2373-4c0e-906b-f44c9f079336"]},{"Key":"ObjectIdInConflict","Value":["d7e784c1-0401-41cf-8fea-90a3d1980fa8"]},{"Key":"AttributeConflictName","Value":["ProxyAddresses"]},{"Key":"AttributeConflictValues","Value":["SMTP:******@mydomain.com"]}]

    Is there a way where I can reset the 365 Users such that they can be used to sync another AD?
    Thanks in advance.


  4. Martin Rublik 316 Reputation points
    2022-05-31T10:40:53.067+00:00

    You should use ms-ds-ConsistencyGuid as the source anchor, populate it with the ImmutableId from Azure AD, and it should match your users.


  5. Goh Wee Suah 1 Reputation point
    2022-06-01T02:11:21.503+00:00

    Hi @Martin Rublik ,
    Thank you for your answer.
    I have set the ms-ds-ConsistencyGuid to the Object ID of the corresponding AAD user.
    However, AD sync is still treating my AD user as a new user, and so it failed to create the AAD object. Same error as before.

    ExtraErrorDetails:
    [{"Key":"ObjectId","Value":["6a964425-2373-4c0e-906b-f44c9f079336"]},{"Key":"ObjectIdInConflict","Value":["d7e784c1-0401-41cf-8fea-90a3d1980fa8"]},{"Key":"AttributeConflictName","Value":["ProxyAddresses"]},{"Key":"AttributeConflictValues","Value":["SMTP:*****@mydomain.com"]}]

    This time, the ms-ds-ConsistencyGuid of my AD user and the AAD user's ObjectIdInConflict value ("d7e784c1-0401-41cf-8fea-90a3d1980fa8") are the same.

    Where did I go wrong?

    Thanks in advance.

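The following PowerShell is an added example for the hard-match procedure discussed in Marilee's and Martin's answers above; it is not code from the original thread or from Microsoft. Two facts it relies on: the ImmutableId stored on an Azure AD user is the base64 encoding of the 16 raw bytes of the original on-premises objectGUID, not the Azure AD ObjectId (which is a separate GUID minted by Azure AD), and because these Azure AD users were previously synced and still carry that ImmutableId, Azure AD will only take them over on a hard match; soft matching on UPN or SMTP address applies to cloud-only objects, which is why the proxyAddresses conflict is reported instead. The example writes each Azure AD user's ImmutableId into mS-DS-ConsistencyGuid on the rebuilt on-premises user and verifies the round trip. Assumptions not stated in the thread: the RSAT ActiveDirectory module and the AzureAD module are installed and Connect-AzureAD has been run; Azure AD Connect is configured with mS-DS-ConsistencyGuid as the sourceAnchor; the rebuilt AD users have the same userPrincipalName as their Azure AD counterparts; the UPN list at the bottom is a constructed sample. The function names are my own.

```powershell
# Added example, not code from the original thread or from Microsoft.
# Hard-match rebuilt on-prem AD users to surviving Azure AD users by writing the
# Azure AD ImmutableId into mS-DS-ConsistencyGuid (the Azure AD Connect source anchor).
#
# Assumptions: RSAT ActiveDirectory + AzureAD modules installed, Connect-AzureAD already run,
# Azure AD Connect uses mS-DS-ConsistencyGuid as sourceAnchor, UPNs match on both sides.

Import-Module ActiveDirectory

function ConvertFrom-ImmutableId {
    # ImmutableId is the base64 form of the original objectGUID's 16 raw bytes.
    # It is NOT the Azure AD ObjectId; writing the ObjectId here will not match anything.
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [System.Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) {
        throw "ImmutableId '$ImmutableId' does not decode to a 16-byte GUID"
    }
    return $bytes
}

function Set-ConsistencyGuidFromAzureAD {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [switch]$WhatIf
    )
    # Get-AzureADUser -ObjectId accepts a UPN as well as an object GUID.
    $cloudUser = Get-AzureADUser -ObjectId $UserPrincipalName
    if (-not $cloudUser.ImmutableId) {
        # Cloud-only users have no ImmutableId; those can be soft-matched on UPN/SMTP instead.
        throw "$UserPrincipalName has no ImmutableId in Azure AD (cloud-only user?)"
    }
    $guidBytes = ConvertFrom-ImmutableId $cloudUser.ImmutableId

    $adUser = Get-ADUser -Filter "userPrincipalName -eq '$UserPrincipalName'" -Properties 'mS-DS-ConsistencyGuid'
    if (-not $adUser) {
        throw "No on-premises user with UPN $UserPrincipalName"
    }

    # If Azure AD Connect already synced this object with an empty anchor it wrote the NEW
    # objectGUID into mS-DS-ConsistencyGuid. Overwriting is intended, but surface it.
    $current = $adUser.'mS-DS-ConsistencyGuid'
    if ($current) {
        $currentB64 = [System.Convert]::ToBase64String($current)
        if ($currentB64 -ne $cloudUser.ImmutableId) {
            Write-Warning "$UserPrincipalName : replacing existing anchor $currentB64 with $($cloudUser.ImmutableId)"
        }
    }

    # mS-DS-ConsistencyGuid is an octet string, so it takes the raw byte[] directly.
    Set-ADUser -Identity $adUser -Replace @{ 'mS-DS-ConsistencyGuid' = $guidBytes } -WhatIf:$WhatIf

    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        AzureADObjectId   = $cloudUser.ObjectId        # reference only; never written to AD
        ImmutableId       = $cloudUser.ImmutableId
        ConsistencyGuid   = [guid]::new($guidBytes)    # GUID view of the same 16 bytes
        NewObjectGuid     = $adUser.ObjectGUID         # differs from ConsistencyGuid; expected
    }
}

function Test-HardMatch {
    # Re-read AD and confirm the stored anchor round-trips to the Azure AD ImmutableId.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $adUser    = Get-ADUser -Filter "userPrincipalName -eq '$UserPrincipalName'" -Properties 'mS-DS-ConsistencyGuid'
    $cloudUser = Get-AzureADUser -ObjectId $UserPrincipalName
    if (-not $adUser.'mS-DS-ConsistencyGuid') { return $false }
    $stored = [System.Convert]::ToBase64String($adUser.'mS-DS-ConsistencyGuid')
    return ($stored -eq $cloudUser.ImmutableId)
}

# Constructed sample list; replace with the UPNs exported from Azure AD.
$upns = @('alice@mydomain.com', 'bob@mydomain.com')

# Dry run first (-WhatIf), review the table, then rerun without -WhatIf.
$results = foreach ($upn in $upns) { Set-ConsistencyGuidFromAzureAD -UserPrincipalName $upn -WhatIf }
$results | Format-Table UserPrincipalName, ImmutableId, ConsistencyGuid, NewObjectGuid

# After applying for real:
#   foreach ($upn in $upns) { "$upn : $(Test-HardMatch -UserPrincipalName $upn)" }
#   Start-ADSyncSyncCycle -PolicyType Delta      # on the Azure AD Connect server
```

Two checks before running this for real. First, confirm on the Azure AD Connect server that the installation actually uses mS-DS-ConsistencyGuid as its anchor, since the wizard may have selected objectGUID for a tenant that was previously synced that way: `(Get-ADSyncGlobalSettings).Parameters | Where-Object Name -eq 'Microsoft.SynchronizationOption.AnchorAttribute'` shows the configured attribute, and changing it requires reconfiguring the sync installation. Second, populate the anchor before the rebuilt users fall into Connect's sync scope; once Connect has exported an object with its new objectGUID as anchor, Azure AD already holds a second object with a conflicting sourceAnchor and the ProxyAddresses duplicate error above is the result. If you are using the Microsoft Graph PowerShell SDK instead of the AzureAD module, the same value is exposed as the OnPremisesImmutableId property of Get-MgUser.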
