Azure AD Connect sync service configuration differences with swing migration

David Bird 1 Reputation point
2020-02-13T13:46:06.34+00:00

I'm performing a swing migration and using the Azure AD Connect Configuration Documenter tool to compare the sync service configuration on the two servers while the new server is in staging mode. The two servers are running different versions of Azure AD Connect (hence why the swing migration is needed). I initially found three inbound custom rules that were created on the current (soon to be decommissioned) server, and I was able to export them and import them into the new server. I re-ran the tool with the updated configurations, and the three custom rules are fine now, but the report is still showing a lot of differences between the servers. Most of the differences are metaverse attributes and transformation attributes of built-in inbound/outbound rules. The new server has some attributes that are not present on the current server but is also missing some attributes that are present on the current server.

How do I know what changes should/should not be made? Are these differences due to different versions of Azure AD Connect? Are the differences caused by a mistake I made during the custom install of Azure AD Connect on the new server? I know the tool can generate a PowerShell script of changes to save me the manual work, but I'm not comfortable running it without knowing why these differences exist.

Microsoft Entra ID

3 answers

  1. Shashi Shailaj 7,581 Reputation points Microsoft Employee
    2020-02-14T13:43:09.697+00:00

    Hello @David Bird,

    You have mentioned that "Most of the differences are metaverse attributes and transformation attributes of built-in inbound/outbound rules. The new server has some attributes that are not present on the current server but is also missing some attributes that are present on the current server." There could be a few possible reasons for that.

    • You might want to check the attributes to find exactly why they are different. The most common thing that could happen is that, on the new server, mS-DS-ConsistencyGuid was selected as the source anchor during installation. This may cause some changes in rules that you may see differently otherwise. You will need to manually check this or evaluate the output for the attributes.
    • A schema refresh would have been done in the local Active Directory since the old AD Connect server was configured, and the schema refresh has caused some new attribute additions and deletions, which are evident on the new AD Connect server because we have installed the new server recently. You could try to do a schema refresh on the old AD Connect server, but you need to make sure that no default sync rules have been customized, because a schema refresh does not touch custom rules which are created by duplication of existing sync rules, but it does recreate the default rules as is again. So if your old server has any customization in existing default sync rules, it will be rewritten by the default AAD Connect configuration of that specific version. Mostly it does not change much, but sometimes you may see small changes.
    • The Directory Extensions may be different in both AD Connect configurations, due to which attributes are different.

    The above are the possible reasons I can think of off the top of my head, and I have linked them with relevant articles. I would suggest you go through the detailed articles to understand more. I would not say that you have made any mistake, but it's just a slightly different configuration. If you want to read more about the changes and bug fixes in the two versions you have, you can check the Version release history. Even that may give you some more insights. Also, without looking at the configuration, it is very difficult for anyone to know why some attributes are mapped in a certain way as per the AAD Config Documenter output. In this case, I would suggest you open a support case with us to clarify any doubts before making any changes using the PowerShell script, as you rightly said.

    Hope this helps. In case the information provided in the post helps you, please do mark it as answer so that it's useful for other members of the community. If you have any further queries, please let us know and we will be happy to help.

    Thank you.


  2. Muhammad Saeed 1 Reputation point
    2021-10-08T02:06:40.287+00:00

    Did you ever get any update on this? I am also struggling to understand the changes highlighted in the report file which got generated after running the tool. Can you please let us know if we can ignore these or if we have to address each one of them before we migrate? There are so many of them, mostly the same as your screen grab.


  3. Muhammad Saeed 1 Reputation point
    2021-10-08T04:11:37.763+00:00

    Thanks a lot, I did the same, waiting for reply.
