Fixing Hybrid-User Sync Issues with Azure AD Connect

Captions
Have you ever had issues with a sync problem in AD Connect? Have you ever had a user on-premise show up as two users in the cloud, one of them syncing to the user on-premise but not the right one? Well, stick around, because we're going to talk about how to resolve that. Hi everybody, this is Joe Malarkey with a SecureCRC update.

So I was having a conversation with a colleague the other day and they mentioned a problem with their AD Connect. They have a hybrid environment where they have Active Directory on-premise and they have Office 365, obviously in the cloud, with Azure Active Directory. They are copying their users from on-premise to the cloud and keeping them in sync. Now, they happen to be using AD FS as the logon method, but the issue they were having happens no matter what the logon method is: password hash sync or pass-through authentication. The issue was, occasionally a user would get out of sync from their on-premise account to their cloud account. A lot of times this will happen when you delete a user on-premise and then Azure AD Connect doesn't pick up the deletion for whatever reason. A lot of times you'll end up with two accounts in the cloud, and you'll see this clearly these days: one of the accounts will have a username and then a four-digit code and then the @ symbol and their UPN suffix after that. It's an indication that somehow the user on-premise got out of sync with the user in the cloud, and the cloud thought that it should create a new user, and now the user on-premise is linked to that user with the funny name. You don't want to be linked to that user with the funny name, though, because that user doesn't have anything: they didn't have a mailbox with a bunch of mail in it, they haven't been working with other things like SharePoint. So we really want the user to be linked with the other account in Azure AD Connect, but it's not. So how do you fix that? Well, traditionally there has been a way, if you worked with Microsoft, to modify a property of the cloud user to match it up with an anchor property back on-premise, and that would fix things.

Microsoft noticed, though, that lots of companies were having this issue, and so they made a little change in AD Connect a few years ago, in the middle of 2017, that used a different property to keep the link between an on-premise account and the cloud account. AD Connect is the tool that actually does that, and when it copies a user from on-premise to the cloud it has to keep those two objects in sync; it has to keep them linked together somehow. The way it does it is it uses what's called a source anchor attribute. It's just a property in Active Directory that's linked to a property in the cloud on the same user, and as long as we know the property is the same on-premise and in the cloud, we can keep those users in sync. It's how it knows which users should be connected to which users from the cloud to on-premise. Now, traditionally this property was the objectGUID. The objectGUID is a globally unique identifier on-premise that every Active Directory object gets in Active Directory for a forest. It's a fine one to use, and Microsoft used it because it was guaranteed to be unique, which is really one of the first qualities that we need in something like this. A problem with it, though, is that the objectGUID on-premise cannot be modified; Active Directory doesn't allow you to change that. So if a user ever gets out of sync in the cloud, meaning that the value for that property on-premise is different than the cloud value for it, then we're in trouble, because we can't change that value on-premise to link them back; we'd have to change the cloud one to link them back. Now, in the cloud this property is called the ImmutableID. They didn't call it whatever you call it on-premise, because on-premise you could use anything, really; you didn't have to use the globally unique identifier, the objectGUID, you could use a different property. No matter what property you use on-premise, we refer to that as the source anchor. In the cloud, if you look at a user, it's always referred to as the ImmutableID. A little bit confusing, but here's the bottom line: if you chose to use the objectGUID for on-premise, then you'd look in the objectGUID for a user on-premise and you'd match that with the ImmutableID of that object in the cloud, and if they were the same, those two users were linked.

So the problem here is, though, that the objectGUID would not change on-premise, and so Microsoft occasionally would allow people to change it in the cloud to link those objects back, but that's not a good idea. So they changed things a few years ago to use, by default, a different property on-premise, a property called mS-DS-ConsistencyGuid. Now, the mS-DS-ConsistencyGuid normally is empty for every user. It's just a property that's been lying around since the beginning of Active Directory, really, not doing anything. Well, it's a good candidate to use as an anchor property for two reasons: number one, it's probably not being used; number two, we can put something into it, we can edit it, and if something goes wrong we can change it, and that's the good part about using that instead of the objectGUID. So in default installations of Azure AD Connect, Azure AD Connect checks to see if this ConsistencyGuid is a good match, if it will work, and really the only reason it might not choose it automatically is if any user actually has a value written into it. Then, of course, the tool would assume that some other application was currently using that value. Probably that's not the case, so it's going to go ahead and use it. Now, you might be asking, okay, well, all of these users don't have anything in that property, so what good is it? Well, actually, what AD Connect will do when it chooses to use that property is it copies the objectGUID of the on-premise user into the mS-DS-ConsistencyGuid for the same user, so the objectGUID and the mS-DS-ConsistencyGuid become the same value. Great. We can actually change that, though, on the mS-DS-ConsistencyGuid if we need to. So now we have a property that we're using to link objects on-premise and in the cloud that we can actually change on-premise. So if a user ever loses its connection between on-premise and the cloud, we can go to the cloud user, we can read what the ImmutableID is, and we can simply take that and put that in as the mS-DS-ConsistencyGuid on-premise, and that will actually link those users back and it will start replicating once again. This will fix a lot of problems, including the duplicate user problem in the cloud: we pick the user we want to be linked back to the on-premise user, and we simply copy the ImmutableID from the cloud and put it into that mS-DS-ConsistencyGuid on-premise, and then those two users are connected instead of the on-premise user being connected to the wrong version of that user in the cloud. So for those of you who are using objectGUID and relying on Microsoft to allow you to change the cloud attribute ImmutableID: they're not letting you do that anymore. They're forcing people to go to this mS-DS-ConsistencyGuid source anchor and change it on-premise. Now, the good news is you can change this. If you're using the objectGUID as your source anchor right now, you can run the AD Connect tool again and tell it that you would like to change the source anchor; you'll notice that this is an option. So let's take a look at a demo and I'll show you exactly what I mean.

Let's take a look at a typical installation. I have an Active Directory which I will bring up here on the right. Here's Active Directory Users and Computers with this company called Adatum. I'm not going to use adatum.com as my UPN value, though; I'm going to use a different UPN suffix for this in a test environment, just because I can't use adatum.com. I'll use a different one, and I'm only going to sync up the people in the IT OU. You can see there's a few of those here already. Now, I've already set up a tenant. I have already added in a custom domain and I verified it, so I should be able to go ahead and start syncing up users, and you can see if I click on Domains I see this one right here, lamp 50 (it's a crazy domain name, but that's the one that I'm using). This is my original tenant domain name that we don't really like to use, the onmicrosoft.com. This is the one that I'm going to use. Normally it would have been the name of my domain, adatum.com, but we can't use that one, so we're going to use this. So everybody's going to get an email address, or I should say UPN, which would probably be their email address as well, with this domain suffix. So I'm going to end up getting a lot more users in here. I have a few cloud accounts here already; these are just cloud-only accounts. So I'm going to switch over to my Azure AD, or my Azure Active Directory tool. As a review, Azure Active Directory is Office 365's directory. I have the same users under here as I have in Office 365. If I click on Azure Active Directory and click on Users, we can see them, the same four or five that I had. I'm not interested in users here now, though, so I'm going to go back to this Azure Active Directory, come down and choose Azure AD Connect. This is the tool that will link us up, and once it's linked up I can come back to this tab and take a look at how it was linked up, but for now what I have to do is download Azure AD Connect and run it.

Now, I've already downloaded it, so I'm just going to come in and run it. Here it is; in fact, it looks like I've downloaded it twice. I'm going to double-click on Azure AD Connect and it's going to let me install it on this computer. So Azure AD Connect makes me agree to the license; I will do that, and then I'll move this up a little bit. Let me minimize everything here so I don't have anything confusing. I'll click on Continue. I'm not going to use Express Settings. I could; Express Settings would turn on AD Connect with password hash syncing as our sign-on method, and also it would pick the immutable, or the source anchor, property for me. It will attempt to use mS-DS-ConsistencyGuid, but if it can't it will use objectGUID, the objectGUID being the one that we really don't want. Why would it do that? Well, the only real reason it would do that is if it sees a user actually has a value already in mS-DS-ConsistencyGuid; then it will assume that another application is using that attribute, and that will force AD Connect to automatically fall back to objectGUID. So I'm going to click on Customize so I can choose what it uses. I'm going to click on Install. It's gonna look through a couple things; eventually it should ask me to log on again. All right, so you can see it chooses Password Hash Synchronization. I'm good with that, I'll stick with that. I'll click on Next. It's gonna make me log in. I have a user here that I'm using; this is the UPN I'm going to use for everybody, this weird one here, just so you can see the o365ready in the back of your mind. All right, I have to add a directory, an on-premise directory, so I'm going to have to log on as an existing account, which I will do. I'll click on Next. So it gives me a little bit of a hassle here about not verifying and adding my original domain, adatum. I can't, because that's in use from Microsoft, so I'm not going to verify that; I'm going to stick with this one, the o365ready one. I have all my users using that one on-premise, I'm all good to go, so I'm just gonna tell it to ignore that adatum one, I'm not using it. Not a normal thing that you will do for most companies, but I'm gonna do that in this case. Now it's gonna ask me who all is getting synced. Well, I don't want to sync the whole company, I'm just gonna sync the IT OU, so I'm gonna choose IT. I can sync everyone else later; maybe I'm just doing a pilot.

Here's the important part, two things here: uniquely identifying your users, how are they going to log on and what represents them in their logon name. Well, the top part here we will usually leave alone: users are represented only once. This, however, might not be the case. You might have one forest where you have users, another forest where you have, for instance, an Exchange installation, so the users in the user forest are linked to the Exchange mailbox in the Exchange forest, in which case that user is actually in both forests, so we have two different representations of them. So if we had something like that we'd have to tell it, but we don't, so let's ignore that. The bottom part is the part that I want us to pay attention to: Let Azure manage the source anchor. This is a property on-premise that will become the immutable property in the cloud, the ImmutableID. Normally it will try and choose mS-DS-ConsistencyGuid; in fact, if I told it that I want to choose, that defaults to that. But I am going to tell it specifically to use the old-school method, objectGUID, the one we really don't want, but again, I want to show you how to switch it in the future. So I'm not going to filter out any users any more than I already have. I'm going to keep the defaults here and just get this done. It's going to start a synchronization when I click on Install, so it'll set it up. It's using the objectGUID on-premise and it's going to translate that into an ImmutableID in the cloud.

Let's take a look at this. I'm gonna use it for a user named Ida here. Ida is going to be one of the users getting synced. Let's double-click on this person, go to Attribute Editor and find objectGUID. Here it is; you can see it starts out 48 50 75. Now, we can take that GUID number and we can put it into hexadecimal, or we can put it into binary, a couple of different formats. The weird thing is that you will have to eventually do that if you need to resynchronize a user, because in the cloud that number gets put into ImmutableID format, which is a different format than this GUID format, which is also a different format than hexadecimal format. Fortunately, there are ways to translate it. I'll show you a script that we'll use for that in just a little bit, and how to get that script. So I'm going to scroll up a little bit and find another attribute called mS-DS-ConsistencyGuid. Here it is; you can see there's nothing in there. In fact, there isn't anything in there for anyone right now. There will be, though, when we switch over to use it. All right, looks like my configuration is complete. It's telling me it's a good idea to enable the Active Directory Recycle Bin. It is, actually, because of what I'm talking about: one of the issues that we run into is when you delete a user on-premise, if you were to try and recreate the user it would be a brand new user, and you would end up getting two users in Azure Active Directory because of that. The Active Directory Recycle Bin keeps the user around for the tombstone lifetime, all of its properties as well, so that's always a good thing to turn on. Let me click on Exit here.

So now everything is working and things are getting synced to the cloud. So I'm gonna take a look at some users here. I'll do it through PowerShell and also through my Office 365 admin center. Let's start here and take a look at our users. I only had, I think, four users before; now you can see I got a lot of users and they all had this lab-whatever o365 domain name. So I have a lot more users here in the cloud. Great. One of them, in fact, is Ida; there she is. Well, let's take a look at Ida. I've already installed the MSOnline Azure Active Directory module; I have installed the Azure AD Connect sync module as well. I'm gonna come in and find Ida's name here. Here's a Get-MsolUser for Ida. I'm piping it into a Format-List; I want to see the UserPrincipalName, the ImmutableID and even an Office property. I do that because I'm going to change the office so you can see that it actually changes. Here, see this ImmutableID: that is that GUID that we saw before, it's just in a different format. I will show you how to put that in the correct format in just a little bit.

So let's go back to Active Directory on-premise. So here's my on-premise Ida. I can look at her, or him, through PowerShell as well, but let's take a look at this office: New York. Let's change it to Chicago. I'll click on OK. The next time things get synced, that should change in the cloud. It doesn't change right away, though; I'll see it's still New York. I have to wait for this thing to happen. Well, I'm impatient, so I'm going to start the sync myself. There's a command called Start-ADSyncSyncCycle; it's part of the ADSync module that I've installed. It takes a parameter called PolicyType. PolicyType will usually be Delta, but it could also be Initial, which, you can probably figure out, does everybody; Delta just does the changes. I can watch these changes if I get into the AD Connect Synchronization Service. So I'm a little late, but I see that it was a success. That happened at 10:15; you can see that was just a few seconds ago, so it was successful. I see there was an update here. If I click on it, and I click on this update, I'll see New York and Chicago, so I can see that it made a change. Let's go double-check. So before, when I did that Get-MsolUser, I saw New York. I'm going to use that command again, and now I see Chicago. So the change happened; these two are in sync.

Now what I'm going to do is run a script. Let me scroll down a little bit to show you this ImmutableID in the different translations of it. I have a script on my hard drive which I got from a gentleman whose name I will show you, because I forgot what it was. Here is that: Nicholas Human, or Human. I'll put this blog entry in the notes, in the More section on this video, so you'd be able to get to it later, but there it is: blog dot Ju and Li ENCOM. You can find the script called Translate Immutable ID. Well, I'm going to run this script. I have my PowerShell open, so I'm going to run the script and it's going to ask me for a value. I want to put this P9b value in; I'm gonna put that in there. So I'll just do it the old-fashioned way: I'll copy it, I'll use this Mark, highlight it, hit Enter to copy it, I'll right-click down here and paste it in there. Great. Now I hit Enter and look at the translations: I can see hexadecimal and GUID. Notice the GUID: four eight five seven, small d. Well, let's go back and take a look at Ida's on-premise account. We were just looking at this under Attribute Editor, under objectGUID. You can probably see it: four eight five seven d. It's the same. So this value I have for ImmutableID is the user's GUID, it's just in a different format. Now, when we switch over to use mS-DS-ConsistencyGuid, it's going to use yet a different format; it's going to use hexadecimal, so we'll actually see it in here as this 3FD557. We haven't done that yet, though.

So when might we end up having to do that? Well, once again, sometimes the online user gets out of sync with the on-premise user. A lot of times this happens when we delete a user on-premise and create another one, or for whatever reason we have a delete and AD Connect doesn't pick the delete up. We end up with an extra user online. Sometimes that user will have the regular username followed by four digits and then the @ sign, and if you're watching this video you very well may have had that situation, where the on-premise user will be linked to the goofy user with the four digits. We don't want that, though, because that's a brand new user; you want the old user to be linked with your on-premise account. That's what we're going to go over now: how to get that linked.

All right, so let's go back to my users here. There is Ida. Let's say that this Ida and my on-premise Ida somehow got out of sync and now I have to fix it. Well, in order to fix it, I'm going to have to switch the ImmutableID, the source anchor, to use something different. How do I do that? Well, I have to run AD Connect. I'm going to go back into my Azure AD Connect, the same tool I just ran, only I'm going to run it again. Let me minimize everything again so we can focus on this tool. I'll click on Configure, and I have several tasks, one of which is just to view the current configuration. So I'll click on that, click on Next, and I can see my source anchor here is objectGUID. I want to change that, so I'm going to click on Previous. My option to change that is right here: Configure Source Anchor. You usually only see this if your current source anchor is set to objectGUID. So I'm going to click on that and click on Next. I'm going to log in again, which I will do. It's going to recommend that I actually use the mS-DS-ConsistencyGuid, and you can see here that I'm using objectGUID: "Upgrading to mS-DS-ConsistencyGuid is strongly recommended as a best practice as it allows easy recovery of accidentally deleted on-premise users." Well, yes; really, what it allows us to do is edit that value on-premise to match the ImmutableID of a user in the cloud, thereby linking them again. That's what it allows, and yes, the normal issue that most companies have is with deleted and recreated users. So let me click on Next. So it's going to do that; it's going to start a synchronization after I click on Configure. So two things are going to happen: number one, it's actually going to take the objectGUID for all of my on-premise users and it's going to copy that to the mS-DS-ConsistencyGuid for all my on-premise users. It's just going to copy it right over, and I can actually see that if I get back into Azure Active Directory. Here's Ida. Let's take a look at Ida's Attribute Editor. The objectGUID is still there, of course; it never changes. But let's take a look at the mS-DS-ConsistencyGuid value. It was empty before; we can see there's something in there. If I double-click, we can see it's a big hexadecimal string, and those of you with good memories might remember the first few numbers here: 3F D5. That was actually a translation of that ImmutableID, which was a translation of the objectGUID. They're all the same number. In fact, let's go back to my online user and take a look. Sure enough, 3FD557, that's the hex. That is the same number; all of these are the same number.

What happens if for some reason the ImmutableID gets changed, or we get a new Ida and things get out of sync? Well, in order to demonstrate that, what I'll do is actually purposely screw up the mS-DS-ConsistencyGuid value. So I'm actually going to do this on Ida. I'll have to do that; I'm not going to do it with Active Directory Users and Computers, I'm going to do it with a different tool, ADSI Edit, which allows me to change many things. So here's Ida. I'll get into the properties of Ida and I'll find that attribute again, mS-DS-ConsistencyGuid. So right now it starts with a 3F; let's just screw that up by making it a 3E. This is not normally the way that accounts would get out of sync, but it's going to provide us with the proper technique anyway. Really, all I want to do is get the user in the cloud back synced up with the user on-premise. So what I'm going to do, now that I've changed that, I'm going to start a sync cycle again. It's going to have issues; I could actually see those issues, but we're not really interested in that. We're interested in the fact that these two users are no longer in sync. So let's go back into Ida now and I'm going to change... let's see here, I didn't click on OK, so I might have to start that again. Oops. So we'll start it again. Now I'm gonna come back to Ida and I'm gonna change Chicago into something different. Let's pick, how about LA. I'll click on OK. So now, before, when I did another sync cycle, eventually it picked that change up and it changed it. So if I do this again and hit Enter, it should do that, but it's not going to, because these two accounts are now not the same account according to AD Connect. AD Connect does not have them synced; they are two separate accounts, because the source anchor on-premise, mS-DS-ConsistencyGuid, and the ImmutableID in the cloud now have different values. So let's wait a little while, and I'll take a look at the Get-MsolUser. It should have had enough time to change, and it did change. So we'll start the ADSync sync cycle command again, wait a little bit, and sooner or later it should have had time to make that change to Ida. But you notice it's still Chicago, and we could wait forever here and it will still say Chicago, because these are not the same users anymore. So these users are out of whack.

How do we fix that? Well, you fix it by finding the ImmutableID here in the cloud and translating that into the mS-DS-ConsistencyGuid for back on-premise. Once again, the way we would do that is to find the ImmutableID. Here I'm using Get-MsolUser for my user, and one of the properties I'm looking at is ImmutableID. Then I would use that script that I ran before, Translate Immutable ID, and I would paste this ImmutableID in here to get the hexadecimal value. So let me do a copy here, once again do a paste. This hexadecimal value is what I need to be placed into the mS-DS-ConsistencyGuid on-premise, so I would just type that in. So let's go back there, and if you remember, I just changed it a little bit. So if I get into the properties of my on-premise Ida and find mS-DS-ConsistencyGuid, I changed this initial 3F to a 3E; let's just change it back to a 3F. But you can imagine where you'd just put the whole value in here. I'll click on OK, click on OK. Things are now fixed, believe it or not. Let's do another sync cycle. It may take a little while to get that done, but after it gets synced I'm going to see that this problem is fixed and the Chicago should change to an LA. So let's go back here to my sync service. I see there's still a delta synchronization in progress. Well, it was in progress; looks like it got updated. Here's an update; let's take a look at that, and I see Chicago and LA, so we can pretty much tell that it's fixed. Let's go take a look at it from the command line, though. Let me scroll down just a little bit here and run the Get-MsolUser again, and sure enough, the office is back to LA. Not only that, but everything else is synced, including the user's password.

Well, that'll just about do it, everybody. Thanks a lot for sticking around. I hope that clears up what the source anchor is, as well as a good reason to go to the new source anchor, the mS-DS-ConsistencyGuid, in your current installations. Remember, though, if you do change the source anchor from objectGUID to the mS-DS-ConsistencyGuid on your AD Connect, make sure that you change it on all of the servers that you're running AD Connect on; it's a server-specific setting. So once you set it on the main server, go to the standby servers, the staging servers, and change it on those as well. Thanks for hanging around for this SecureCRC update. I'm Joe Malarkey; we'll see you next time.
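The video relinks a user by hand: read the ImmutableID with Get-MsolUser, run a third-party script to translate it into hex, and paste the hex into mS-DS-ConsistencyGuid in ADSI Edit. The following PowerShell is an added example written for this page; it is not the video's script, not the blog script the speaker references, and not Microsoft code. It puts the three forms of the anchor (ImmutableID Base64, objectGUID, the hex string ADSI Edit shows) into one set of helpers, checks whether an on-premise user is actually linked to the cloud account you want, and optionally performs the same mS-DS-ConsistencyGuid write the video does by hand. It also flags cloud UPNs of the "username followed by four digits" shape the video describes, so you can find the duplicates before deciding which account to keep. The function names are mine; it assumes the RSAT ActiveDirectory module and the MSOnline module are installed and you have already run Connect-MsolService, and that Start-ADSyncSyncCycle is only present on the Azure AD Connect server itself.

```powershell
# Added example for this page (not the video's script, not Microsoft's code).
# Assumes: RSAT ActiveDirectory module, MSOnline module (Connect-MsolService already done),
# and that Start-ADSyncSyncCycle exists only on the Azure AD Connect server.

function ConvertFrom-ImmutableId {
    # ImmutableID is the Base64 text of the 16 raw GUID bytes, in .NET byte-array order.
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [System.Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) { throw "ImmutableID '$ImmutableId' did not decode to 16 bytes" }
    [pscustomobject]@{
        ImmutableId = $ImmutableId
        Guid        = [guid]::new($bytes)                                        # as Attribute Editor shows objectGUID
        Hex         = ([System.BitConverter]::ToString($bytes)) -replace '-', ' ' # as ADSI Edit shows mS-DS-ConsistencyGuid
        Bytes       = $bytes
    }
}

function ConvertTo-ImmutableId {
    # Reverse direction: an objectGUID (or any GUID) to the Base64 form Azure AD stores.
    param([Parameter(Mandatory)][guid]$Guid)
    [System.Convert]::ToBase64String($Guid.ToByteArray())
}

function Test-SourceAnchorLink {
    <# Compares the on-premise mS-DS-ConsistencyGuid with the ImmutableID of the cloud
       account you WANT the user linked to (the one with the mailbox, not the
       username+4-digit duplicate). With -Repair it writes the cloud value into
       mS-DS-ConsistencyGuid, which is the manual ADSI Edit step from the video. #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$CloudUserPrincipalName,
        [switch]$Repair
    )
    $onPrem = Get-ADUser -Identity $SamAccountName -Properties objectGUID, 'mS-DS-ConsistencyGuid'
    $cloud  = Get-MsolUser -UserPrincipalName $CloudUserPrincipalName
    if (-not $cloud.ImmutableId) { throw "$CloudUserPrincipalName has no ImmutableID (cloud-only account)" }

    $cloudAnchor = ConvertFrom-ImmutableId $cloud.ImmutableId
    $onPremBytes = [byte[]]$onPrem.'mS-DS-ConsistencyGuid'
    $onPremHex   = if ($onPremBytes) { ([System.BitConverter]::ToString($onPremBytes)) -replace '-', ' ' } else { '<empty>' }
    $linked      = ($onPremHex -eq $cloudAnchor.Hex)

    $report = [pscustomobject]@{
        SamAccountName       = $onPrem.SamAccountName
        ObjectGuid           = $onPrem.ObjectGUID
        OnPremConsistencyHex = $onPremHex
        CloudImmutableId     = $cloud.ImmutableId
        CloudAnchorHex       = $cloudAnchor.Hex
        Linked               = $linked
        Repaired             = $false
    }
    if (-not $linked -and $Repair -and
        $PSCmdlet.ShouldProcess($onPrem.DistinguishedName, "Set mS-DS-ConsistencyGuid to $($cloudAnchor.Hex)")) {
        Set-ADUser -Identity $onPrem -Replace @{ 'mS-DS-ConsistencyGuid' = $cloudAnchor.Bytes }
        $report.Repaired = $true
        # The delta sync the video starts by hand; skipped when not on the AD Connect server.
        if (Get-Command Start-ADSyncSyncCycle -ErrorAction SilentlyContinue) {
            Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
        }
    }
    $report
}

function Find-SuspectedDuplicateCloudUser {
    # Lists cloud UPNs of the 'username1234@suffix' shape the video describes, paired with
    # the account of the same prefix (if any) so you can see which anchor each one carries.
    param([Parameter(Mandatory)][string]$UpnSuffix)
    $all = Get-MsolUser -All | Where-Object { $_.UserPrincipalName -like "*@$UpnSuffix" }
    foreach ($u in $all) {
        if ($u.UserPrincipalName -match '^(?<prefix>.+?)\d{4}@') {
            $prefix  = $Matches.prefix
            $sibling = $all | Where-Object { $_.UserPrincipalName -eq "$prefix@$UpnSuffix" }
            [pscustomobject]@{
                SuspectUpn     = $u.UserPrincipalName
                SuspectAnchor  = $u.ImmutableId
                OriginalUpn    = $sibling.UserPrincipalName
                OriginalAnchor = $sibling.ImmutableId
            }
        }
    }
}

# Offline round trip with a constructed GUID (not Ida's real value):
$demo = [guid]'12345678-9abc-def0-1234-56789abcdef0'
$id   = ConvertTo-ImmutableId $demo
ConvertFrom-ImmutableId $id        # same value in Base64, GUID and ADSI Edit hex form

# Against a real tenant (placeholders, not values from the video):
# Find-SuspectedDuplicateCloudUser -UpnSuffix 'example.com'
# Test-SourceAnchorLink -SamAccountName 'ida' -CloudUserPrincipalName 'ida@example.com' -Repair -WhatIf
```

Two points worth noticing when you run the offline round trip. First, the hex string is the GUID's raw byte array, so its first group appears reversed relative to the objectGUID text in Attribute Editor; that is the "different format" the video mentions and why a straight copy of the GUID text into ADSI Edit does not work. Second, Test-SourceAnchorLink only ever writes on-premise, never to the ImmutableID in the cloud, which matches the direction Microsoft now requires; run it with -WhatIf first and check the Linked and CloudAnchorHex fields before repeating without it. As the video says at the end, the source anchor choice is per AD Connect server, so the comparison is worth repeating against a staging server after a switch.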
Info
Channel: SecureCRC
Views: 33,149
Keywords: Cyber security, cyber-security, security training, Office 365, Azure Active Directory Sync Issues, AD Connect Sync Issues, MS-DS-ConsistencyGUID, ObjectGuid, ObjectGUID or MS-DS-ConsistencyGUID, ObjectGUID vs MS-DS-ConsistencyGUID, ImmutableID, SourceAnchor, Using MS-DS-ConsistencyGUID as your SourceAnchor
Id: e9f0VXNqCuY
Length: 31min 28sec (1888 seconds)
Published: Mon Mar 04 2019