Azure AD Connect upgrade and change SourceAnchor

Azure Engineer 1 Reputation point
2022-08-30T11:50:06.333+00:00

Hi,

I have a scenario where there is a single AAD Connect version 1.1.6 with sourceAnchor configured as ObjectGUID. There are 2 domains linked to this AAD Connect and mapped to a single AAD tenant.

Domain A - Users do not have the ms-DS-ConsistencyGuid attribute and have ObjectGUID
Domain B - Users have the ms-DS-ConsistencyGuid attribute and ObjectGUID

The mapping is via ObjectGUID between the on-premises and target Azure tenant. Now the requirement is to upgrade the existing AAD Connect to the latest version and also to change the sourceAnchor to ms-DS-ConsistencyGuid. I am not sure why the Domain B users have ms-DS-ConsistencyGuid populated. Will it have any impact on the user mapping if I use the command /SkipLdapSearch?

Do I have to export the users and attributes from both the domains before I do an upgrade?
Do I have to manually/script the mapping of sourceanchor to Azure AD after the upgrade?
I have 5000 users and around 700 groups in scope.

Thanks.


1 answer

  1. Sandeep G-MSFT 14,071 Reputation points Microsoft Employee
    2022-09-07T04:11:12.027+00:00

    @Azure Engineer

    Using the objectGUID as source anchor in migration scenarios is not considered very reliable, as it might change with the migration, resulting in other problems with syncing. Changing it to ms-DS-ConsistencyGuid to make sure it remains immutable throughout would be a good path to follow.

    For any given on-premises AD User object whose ms-DS-ConsistencyGuid attribute isn't populated, Azure AD Connect writes its objectGUID value back to the ms-DS-ConsistencyGuid attribute in on-premises Active Directory.

    For users who have ms-DS-ConsistencyGuid values already populated, you can check if the objectGUID and ms-DS-ConsistencyGuid values are the same in on-premises. If not, you can use some script to copy the objectGUID values to ms-DS-ConsistencyGuid and make sure these are the same.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
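One way to run the check the answer describes, as a read-only audit across both domains. This is an added example, not part of the original thread and not Microsoft's tooling; the domain names, the `Get-AnchorState` helper and the CSV file names are placeholders chosen for illustration.

```powershell
# Added example: read-only audit, nothing is written to Active Directory.
# Requires the ActiveDirectory module (RSAT) and read access to both domains.
Import-Module ActiveDirectory

# Assumption: placeholder DNS names for the two on-premises domains.
$Domains = 'domaina.example', 'domainb.example'

# Hypothetical helper: classify one user's anchor state.
function Get-AnchorState {
    param(
        [Parameter(Mandatory)] [guid] $ObjectGuid,
        [byte[]] $ConsistencyGuid
    )
    if ($null -eq $ConsistencyGuid -or $ConsistencyGuid.Length -eq 0) { return 'Empty' }
    if ($ConsistencyGuid.Length -ne 16) { return 'Malformed' }
    if ([guid]::new($ConsistencyGuid) -eq $ObjectGuid) { return 'Match' }
    return 'Mismatch'
}

$report = foreach ($domain in $Domains) {
    Get-ADUser -Server $domain -Filter * -Properties 'mS-DS-ConsistencyGuid' |
        ForEach-Object {
            $cg = [byte[]] $_.'mS-DS-ConsistencyGuid'
            [pscustomobject]@{
                Domain            = $domain
                SamAccountName    = $_.SamAccountName
                DistinguishedName = $_.DistinguishedName
                State             = Get-AnchorState -ObjectGuid $_.ObjectGUID -ConsistencyGuid $cg
                # Base64 of the objectGUID bytes: the anchor form in use while
                # objectGUID is the sourceAnchor.
                ObjectGuidB64     = [Convert]::ToBase64String($_.ObjectGUID.ToByteArray())
                # Base64 of the stored ms-DS-ConsistencyGuid, if any.
                ConsistencyB64    = if ($cg) { [Convert]::ToBase64String($cg) } else { $null }
            }
        }
}

# Per-domain counts of each state.
$report | Group-Object Domain, State | Select-Object Name, Count | Format-Table -AutoSize

# Full pre-upgrade record, plus the rows that need attention before the anchor change.
$report | Export-Csv -Path .\anchor-audit.csv -NoTypeInformation
$report | Where-Object State -in 'Mismatch', 'Malformed' |
    Export-Csv -Path .\anchor-mismatch.csv -NoTypeInformation
```

Rows in state `Mismatch` are the users the answer says to reconcile; `Empty` rows are the ones for which, per the answer, Azure AD Connect writes the objectGUID value back itself.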