Azure AD Connect: objectGUID vs. mS-DS-ConsistencyGuid, Part 3

In the first part of this series, I explained how Azure AD Connect version 1.1.553.0 and beyond allows you to switch from objectGUID to mS-DS-ConsistencyGuid as the source anchor attribute, the benefits of doing so, and what you may and may not expect when you make the switch.

Now that I've shown you the changes in Part 2 of this series, it's time to see how you actually perform the switch from objectGUID to mS-DS-ConsistencyGuid as the source anchor attribute when you upgrade from a previous version of Azure AD Connect to version 1.1.561.0 or later (new installations of Azure AD Connect are configured with mS-DS-ConsistencyGuid as the source anchor attribute automatically).



Plan the switch

When you switch from objectGUID to mS-DS-ConsistencyGuid as the source anchor attribute for Azure AD Connect, the switch triggers a Full Synchronization cycle. With Full Synchronization cycles taking as long as 42 hours in some organizations, it is important to plan the switch for a point in time that does not coincide with a slew of changes to on-premises objects. During the Full Synchronization no other cycle runs; any changes you make flow to Azure AD only with the next synchronization cycle(s).
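Before you pick the maintenance window, it helps to know what the scheduler on each Azure AD Connect server is doing right now and which source anchor it currently uses. The following pre-flight check is an added example, not code from the original post or from Microsoft; it assumes it runs in an elevated PowerShell session on the Azure AD Connect server, and it assumes that the global setting that names the source anchor is called Microsoft.SynchronizationOption.AnchorAttribute (the name that appears in the exported GlobalSettings.json):

```powershell
# Added example (not from the original post): pre-flight check before switching the
# source anchor. Run elevated on each Azure AD Connect server, including Staging Mode ones.
Import-Module ADSync

function Test-AADConnectSwitchReadiness {
    $scheduler = Get-ADSyncScheduler
    $running   = @(Get-ADSyncConnectorRunStatus)   # empty when no run is in progress

    # Assumption: the global setting that names the source anchor is
    # "Microsoft.SynchronizationOption.AnchorAttribute" (as seen in GlobalSettings.json).
    $anchor = (Get-ADSyncGlobalSettings).Parameters |
        Where-Object { $_.Name -eq 'Microsoft.SynchronizationOption.AnchorAttribute' } |
        Select-Object -ExpandProperty Value

    [pscustomobject]@{
        Server              = $env:COMPUTERNAME
        StagingMode         = $scheduler.StagingModeEnabled
        SyncCycleEnabled    = $scheduler.SyncCycleEnabled
        SyncCycleInProgress = $scheduler.SyncCycleInProgress
        RunningConnectors   = $running.Count
        NextCycleStartUtc   = $scheduler.NextSyncCycleStartTimeInUTC
        EffectiveInterval   = $scheduler.CurrentlyEffectiveSyncCycleInterval
        CurrentSourceAnchor = $anchor
        ReadyToSwitch       = (-not $scheduler.SyncCycleInProgress) -and ($running.Count -eq 0)
    }
}

$state = Test-AADConnectSwitchReadiness
$state | Format-List

if ($state.ReadyToSwitch) {
    # Freeze the scheduler for the maintenance window so no delta cycle starts while
    # you run the wizard. After the wizard, trigger the full sync yourself with
    # Start-ADSyncSyncCycle -PolicyType Initial and re-enable the scheduler with
    # Set-ADSyncScheduler -SyncCycleEnabled $true.
    Set-ADSyncScheduler -SyncCycleEnabled $false
    Write-Host 'Scheduler disabled for the maintenance window.'
}
else {
    Write-Warning 'A synchronization run is in progress; wait for it to finish before switching.'
}
```

Run it on every server in the environment and compare the CurrentSourceAnchor values: after the switch they should all read mS-DS-ConsistencyGuid, because the source anchor is a per-server setting.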

Document the Azure AD Connect configuration

In case something goes wrong, it's reassuring to know how to recreate the Azure AD Connect configuration. Documentation also helps you perform a root cause analysis when something does go wrong, and lets you formally sign off on the changes in synchronization rules.

The following lines of PowerShell code, run in an elevated session on the Azure AD Connect server, will help you achieve this goal:

Import-Module ADSync
New-Item -ItemType Directory -Path "C:\Install\Docu" -Force | Out-Null   # export folder
Get-ADSyncServerConfiguration -Path "C:\Install\Docu"   # writes Connectors, GlobalSettings and SynchronizationRules as JSON files

Document the Active Directory Federation Services (AD FS) configuration

When you utilize Active Directory Federation Services (AD FS) for your Azure AD authentication scenario, it’s also a good idea to document the AD FS configuration before and after you switch.

The AD FS Rapid Recreation Tool does the job.

Ensure you can restore your Azure AD Connect Installation(s)

Making backups is the first safety net most systems administrators come up with. Being able to restore your Azure AD Connect installation(s) from those backups is what actually matters, though. Make sure you can, by performing a test restore.

Do the work

As I mentioned in part 1 of this series, when you make the switch, you’ll need to make the switch on all Azure AD Connect installation(s) in your environment. Don’t forget to make the switch on your Staging Mode servers, because the source anchor attribute is a per-Azure AD Connect setting.


Switch Azure AD Connect's Source Anchor

Perform these steps:

  • Log on interactively to the Windows Server installation that runs Azure AD Connect.
  • Open Azure AD Connect using the link on the desktop or by searching for (part of) its name in the Start Screen and then clicking it in the search results.
  • Click the Configure button on the Welcome to Azure AD Connect screen.

Azure AD Connect - Additional tasks (screenshot)

  • Click on Configure Source Anchor in the Additional tasks screen.
  • Click Next.
  • Enter the credentials of an Azure AD account with Global Admin privileges for the Azure AD tenant you’re synchronizing with. Perform multi-factor authentication when this is configured.

Azure AD Connect - Configure Source Anchor (screenshot)

  • The Configure Source Anchor screen provides more information on the source anchor best practice and informs you whether Azure AD Connect found any other application that already uses the mS-DS-ConsistencyGuid attribute. When it found none, click Next.

Azure AD Connect - Ready to configure (screenshot)

  • In the Ready to configure screen, click Configure.

If you can't run the Full Synchronization associated with the Source Anchor switch right away, deselect the Start the synchronization process when configuration completes option and run the full sync at a better time. Be aware that all synchronization stops until you manually trigger that full synchronization.

Azure AD Connect - Configuration complete (screenshot)

  • Click Exit in the Configuration complete screen.

Azure AD Connect performs the Full Synchronization cycle. After this cycle ends, the scheduler resumes its default 30-minute interval and performs a delta synchronization cycle.
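Once the Full Synchronization and the following export have completed, check on-premises Active Directory rather than trusting the wizard's "Configuration complete" screen: every in-scope user should now carry an mS-DS-ConsistencyGuid, and for users that never had one it should equal the objectGUID that Azure AD Connect wrote back. The report below is an added example, not code from the original post; it assumes the ActiveDirectory PowerShell module is available and that the account running it can read mS-DS-ConsistencyGuid. The ImmutableId column is the Base64 form of the GUID, which is what you see on the user object in Azure AD:

```powershell
# Added example (not from the original post): verify mS-DS-ConsistencyGuid after the switch.
# Assumes the ActiveDirectory module and read access to the attribute.
Import-Module ActiveDirectory

function ConvertTo-ImmutableId {
    # Azure AD stores the source anchor as the Base64 of the GUID's 16 bytes.
    param([Parameter(Mandatory)][guid]$Guid)
    [Convert]::ToBase64String($Guid.ToByteArray())
}

function Get-SourceAnchorReport {
    param(
        # Assumption: the whole domain is in sync scope; narrow this to your synced OUs.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [string]$Filter     = 'Enabled -eq $true'
    )
    Get-ADUser -Filter $Filter -SearchBase $SearchBase -Properties objectGUID, 'mS-DS-ConsistencyGuid' |
        ForEach-Object {
            $raw = $_.'mS-DS-ConsistencyGuid'              # byte[] or $null
            $cg  = if ($raw) { [guid]::new([byte[]]$raw) } else { $null }
            $status = if (-not $cg)                  { 'Missing' }
                      elseif ($cg -eq $_.ObjectGUID) { 'MatchesObjectGuid' }
                      else                           { 'Differs' }   # expected for objects migrated from another forest; review, do not overwrite
            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                ObjectGuid        = $_.ObjectGUID
                ConsistencyGuid   = $cg
                ImmutableId       = if ($cg) { ConvertTo-ImmutableId $cg } else { $null }
                Status            = $status
            }
        }
}

$report = Get-SourceAnchorReport
$report | Group-Object Status | Select-Object Name, Count
$report | Where-Object Status -ne 'MatchesObjectGuid' |
    Format-Table UserPrincipalName, Status, ObjectGuid, ImmutableId -AutoSize
```

A large number of Missing entries after the export has finished usually means the AD connector account lacks write permission on mS-DS-ConsistencyGuid, or that those users are outside the synchronization scope; Differs entries are worth a second look but are legitimate for objects that already carried a value from a previous forest, which is exactly the scenario the attribute exists for.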


Additional Tasks

Switch Staging Mode Servers

When you have Staging Mode Azure AD Connect installations, perform the same steps on these servers.

Document Azure AD Connect Changes

When you want to document your changes in Azure AD Connect, run the PowerShell cmdlets mentioned above again. A tool like the Azure AD Connect Configuration Diagrammer provides a quick overview of the changes in the Azure AD Connect configuration.
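If you prefer not to eyeball two export folders by hand, the following script compares a "before" and an "after" export produced by Get-ADSyncServerConfiguration -Path and lists which connector, global settings and synchronization rule files were added, removed or changed, with the first differing lines of each changed file. It is an added example, not code from the original post or from any Microsoft tool; the folder names are assumptions:

```powershell
# Added example (not from the original post): diff two Get-ADSyncServerConfiguration exports.
# Folder names below are assumptions; point them at your own before/after exports.
function Compare-AADConnectExport {
    param(
        [Parameter(Mandatory)][string]$Before,
        [Parameter(Mandatory)][string]$After,
        [int]$MaxDiffLines = 10
    )
    # Build "relative path -> full path" maps for both exports.
    $index = {
        param($root)
        $rootPath = (Resolve-Path -LiteralPath $root).Path
        $map = @{}
        Get-ChildItem -LiteralPath $rootPath -Recurse -File | ForEach-Object {
            $map[$_.FullName.Substring($rootPath.Length).TrimStart('\')] = $_.FullName
        }
        $map
    }
    $b = & $index $Before
    $a = & $index $After

    foreach ($rel in (@($b.Keys) + @($a.Keys) | Sort-Object -Unique)) {
        if (-not $a.ContainsKey($rel)) { [pscustomobject]@{ File = $rel; Change = 'Removed'; Detail = $null }; continue }
        if (-not $b.ContainsKey($rel)) { [pscustomobject]@{ File = $rel; Change = 'Added';   Detail = $null }; continue }

        $hb = (Get-FileHash -LiteralPath $b[$rel] -Algorithm SHA256).Hash
        $ha = (Get-FileHash -LiteralPath $a[$rel] -Algorithm SHA256).Hash
        if ($hb -eq $ha) { continue }

        # Same file, different content: show the first differing lines (=> after, <= before).
        $diff = Compare-Object (Get-Content -LiteralPath $b[$rel]) (Get-Content -LiteralPath $a[$rel]) |
            Select-Object -First $MaxDiffLines |
            ForEach-Object { '{0} {1}' -f $_.SideIndicator, $_.InputObject.Trim() }
        [pscustomobject]@{ File = $rel; Change = 'Changed'; Detail = ($diff -join "`n") }
    }
}

Compare-AADConnectExport -Before 'C:\Install\Docu-before' -After 'C:\Install\Docu-after' |
    Format-Table File, Change, Detail -Wrap
```

After a source anchor switch you should expect changes in GlobalSettings and in the inbound and outbound synchronization rules that handle the anchor; a change anywhere else deserves an explanation before you sign off.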



That's all there is to know about switching from objectGUID to mS-DS-ConsistencyGuid as Azure AD Connect's source anchor attribute for user objects.

Good luck! (thumbs up)

Series Navigation

<< Azure AD Connect: objectGUID vs. mS-DS-ConsistencyGuid, Part 2
