Swing migration change SourceAnchor to ms-ds-consistencyguid

Skip Hofmann 341 Reputation points
2022-06-06T17:20:02.34+00:00

Hello

The primary Azure AD Connect box is running version 1.5.45.0. However, the "Source Anchor" is configured to use ObjectGuid. On the primary Azure AD Connect box, I am presented with an option to let Azure AD Connect configure the source anchor to use ms-ds-consistencyguid and connect to ADFS and configure the required claim rules. I will be installing two new Azure AD Connect servers running the latest version of Azure AD Connect. I would like recommendations around when I should change the "Source Anchor". Is it preferred to run the configuration wizard on the current primary Azure AD Connect server and configure it to change the source anchor, and let it automatically configure the ADFS rules? This sounds like a logical first step, because then I don't have to manually create ADFS claims. Also, if Azure AD Connect detects that "objectGuid" is currently being used for "Source Anchor", will it automatically change this to ms-ds-consistencyguid when I install Azure AD Connect on the new servers? Or will it continue to use objectguid? If it leaves it alone, then I don't have to configure any additional ADFS rules.


Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

Sort by: Most helpful
  1. Siva-kumar-selvaraj 15,721 Reputation points
    2022-06-09T20:37:28.917+00:00

    Hello @Skip Hofmann ,

    Yes, it's safe to enable use of ms-ds-consistencyguid as the sourceAnchor attribute.

    By default, Azure AD Connect (version 1.1.486.0 and older) uses objectGUID as the sourceAnchor attribute. Azure AD Connect (version 1.1.524.0 and after) now facilitates the use of ms-DS-ConsistencyGuid as sourceAnchor attribute. When using this feature, Azure AD Connect automatically configures the synchronization rules to:

    • Use ms-DS-ConsistencyGuid as the sourceAnchor attribute for User objects. ObjectGUID is used for other object types.
    • For any given on-premises AD User object whose ms-DS-ConsistencyGuid attribute isn't populated, Azure AD Connect writes its objectGUID value back to the ms-DS-ConsistencyGuid attribute in on-premises Active Directory. After the ms-DS-ConsistencyGuid attribute is populated, Azure AD Connect then exports the object to Azure AD.

    And yes, if you are using Azure AD Connect to manage your on-premises AD FS deployment, Azure AD Connect automatically updates the claim rules to use the same AD attribute as sourceAnchor. This ensures that the ImmutableID claim generated by ADFS is consistent with the sourceAnchor values exported to Azure AD.

    However, when you install new staging servers, the express mode wizard automatically determines the most appropriate AD attribute to use as the sourceAnchor attribute from Azure AD (for example, a new staging server uses the ms-DS-ConsistencyGuid attribute because the same attribute was used as sourceAnchor on the primary server). To know more about the express mode logic and how it picks sourceAnchor, refer to this link.

    Note: Only newer versions of Azure AD Connect (1.1.524.0 and after) store information in your Azure AD tenant about the sourceAnchor attribute used during installation. Hence, if older versions of Azure AD Connect were used, the above logic won't work and the wizard falls back to using objectGUID as the sourceAnchor attribute.

    Since you are already utilizing the most recent version of Azure AD Connect on the primary server, the staging server will continue to use the same sourceAnchor as the primary server. Hope this helps.

    -----
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
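The answer above describes two things worth checking before and after the switch: the sync rule that copies objectGUID into mS-DS-ConsistencyGuid only when that attribute is empty, and the requirement that the ImmutableID claim issued by AD FS stays equal to the sourceAnchor exported to Azure AD. The following script is an added example, not code from the question, the answer, or Microsoft; it models that rule offline on constructed sample users and audits whether a claim rule still sourcing ImmutableID from objectGUID would agree with the anchor. The function names and the sample GUIDs are assumptions made for illustration; the byte layout (.NET `Guid.ToByteArray()` order, Base64-encoded) is the actual form of an ImmutableID.

```python
import base64
import uuid

# Attribute name as it appears in the on-premises AD schema.
CONSISTENCY_GUID = "mS-DS-ConsistencyGuid"


def guid_to_ad_bytes(guid_str: str) -> bytes:
    """Return the 16-byte array AD stores for objectGUID.

    uuid.bytes_le matches .NET Guid.ToByteArray(): the first three GUID
    fields little-endian, the last eight bytes in order. Azure AD Connect
    copies these same bytes into mS-DS-ConsistencyGuid.
    """
    return uuid.UUID(guid_str).bytes_le


def immutable_id(ad_bytes: bytes) -> str:
    """Base64 of the 16 GUID bytes: the ImmutableId stored in Azure AD and
    the value the AD FS ImmutableID claim must carry."""
    if len(ad_bytes) != 16:
        raise ValueError("source anchor value must be exactly 16 bytes")
    return base64.b64encode(ad_bytes).decode("ascii")


def apply_consistencyguid_rule(user: dict) -> dict:
    """Model of the sync rule described in the answer: if mS-DS-ConsistencyGuid
    is not populated, write objectGUID back into it; a populated value is
    left untouched. Returns a new dict, the input is not modified."""
    updated = dict(user)
    if not user.get(CONSISTENCY_GUID):
        updated[CONSISTENCY_GUID] = user["objectGUID"]
    return updated


def source_anchor(user: dict) -> str:
    """sourceAnchor exported to Azure AD once the rule has run."""
    return immutable_id(user[CONSISTENCY_GUID])


def adfs_claim(user: dict, claim_attribute: str) -> str:
    """ImmutableID claim an AD FS rule would issue from claim_attribute."""
    return immutable_id(user[claim_attribute])


def claim_matches_anchor(user: dict, claim_attribute: str) -> bool:
    return adfs_claim(user, claim_attribute) == source_anchor(user)


# Constructed sample users (hypothetical, not real directory data).
# alice: never migrated, mS-DS-ConsistencyGuid is empty.
# bob: his AD object was re-created at some point and the old anchor was
#      preserved in mS-DS-ConsistencyGuid, so it differs from objectGUID.
SAMPLE_USERS = [
    {"sAMAccountName": "alice",
     "objectGUID": guid_to_ad_bytes("12345678-1234-1234-1234-123456789abc"),
     CONSISTENCY_GUID: None},
    {"sAMAccountName": "bob",
     "objectGUID": guid_to_ad_bytes("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"),
     CONSISTENCY_GUID: guid_to_ad_bytes("0f0e0d0c-0b0a-0908-0706-050403020100")},
]


def audit(users, claim_attribute: str = "objectGUID") -> dict:
    """Map sAMAccountName -> True when an AD FS rule issuing ImmutableID from
    claim_attribute agrees with the sourceAnchor, False when sign-in for that
    user would break because the claim and the anchor diverge."""
    result = {}
    for user in users:
        synced = apply_consistencyguid_rule(user)
        result[user["sAMAccountName"]] = claim_matches_anchor(synced, claim_attribute)
    return result


if __name__ == "__main__":
    # Claim rules left on objectGUID after the anchor moved: bob mismatches.
    for name, ok in audit(SAMPLE_USERS).items():
        print(f"{name}: objectGUID claim {'matches' if ok else 'DOES NOT match'} sourceAnchor")
    # Claim rules updated to mS-DS-ConsistencyGuid: everyone matches.
    print(audit(SAMPLE_USERS, CONSISTENCY_GUID))
```

The mismatch for the second sample user is exactly why the answer stresses that AD FS claim rules must follow the new sourceAnchor: a user whose mS-DS-ConsistencyGuid was populated from an earlier objectGUID keeps that anchor in Azure AD, while a claim rule still reading objectGUID would present a different ImmutableID. The same Base64 conversion can be done against live objects in PowerShell with `[Convert]::ToBase64String(([guid]$user.ObjectGUID).ToByteArray())` after `Get-ADUser -Properties ObjectGUID,'mS-DS-ConsistencyGuid'`, which is how you would spot-check accounts before cutting the rules over.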

