HOWTO: Check if you can use the mS-DS-ConsistencyGUID attribute as source anchor for Azure AD Connect


Azure AD Connect Splash Screen

In recent versions of Azure AD Connect, you can use the mS-DS-ConsistencyGUID attribute as the source anchor attribute. This provides flexibility in cross-forest migration scenarios. However, if another solution in the networking environment has already claimed the mS-DS-ConsistencyGUID attribute for its own purposes, Azure AD Connect won’t allow you to use this attribute and instead defaults back to the objectGUID attribute.


About mS-DS-ConsistencyGUID

As shared in my previous posts in this series, the mS-DS-ConsistencyGUID attribute helps in overcoming the challenges of cross-forest migrations and accidentally deleted objects. By filling the mS-DS-ConsistencyGUID attribute with the Base64 representation of the value in the objectGUID attribute when an Active Directory object comes in scope, Azure AD Connect can overcome these challenges, as the hard match is performed on the unchanged value in the mS-DS-ConsistencyGUID attribute instead of the changed value in the objectGUID attribute.

You can set the mS-DS-ConsistencyGUID yourself, too, to Attach a previously sync’ed Azure AD Tenant to a new AD Forest, for example.


Checking the mS-DS-ConsistencyGUID

One of the requirements for using the mS-DS-ConsistencyGUID attribute as the source anchor attribute is that the objects in the directories in scope for Azure AD Connect must not already have a value in this attribute.

The following lines of Windows PowerShell can be used on a Domain Controller or on any domain-joined device with the Active Directory Module for Windows PowerShell installed:

Import-Module ActiveDirectory

Get-ADUser -Filter * -Properties CN,mS-DS-ConsistencyGuid | Where-Object {$_.'mS-DS-ConsistencyGuid' -ne $null} | Select-Object CN,SamAccountName,mS-DS-ConsistencyGuid


These lines of Windows PowerShell return all the user objects in Active Directory that have values in their mS-DS-ConsistencyGUID attributes. If any objects are returned, Azure AD Connect will not allow you to use the mS-DS-ConsistencyGUID attribute, by default.

Since Azure AD Connect version 1.5.18.0, groups default to using the mS-DS-ConsistencyGUID attribute as the source anchor attribute, so check these too:

Get-ADGroup -Filter * -Properties CN,mS-DS-ConsistencyGuid | Where-Object {$_.'mS-DS-ConsistencyGuid' -ne $null} | Select-Object CN,SamAccountName,mS-DS-ConsistencyGuid


This additional line of Windows PowerShell returns all the groups in Active Directory that have values in their mS-DS-ConsistencyGUID attributes. If any objects are returned, Azure AD Connect will not allow you to use the mS-DS-ConsistencyGUID attribute, by default.
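The two checks above can be combined into a single inventory that also tells you what kind of value is present. The following script is an added example, not code from the original post: it queries users and groups with a server-side LDAP filter so only populated objects come back, reinterprets the raw attribute bytes as a GUID, shows the Base64 form the article describes, and flags whether the stored value equals the object’s own objectGUID. A matching value is consistent with a previous Azure AD Connect installation having written it; a non-matching value points to another solution owning the attribute. The function name Get-ConsistencyGuidUsage and the default search base (the current domain) are assumptions of this example.

```powershell
# Added example (not from the original post): list users and groups that already carry a
# mS-DS-ConsistencyGuid value and show whether it matches the object's own objectGUID.
Import-Module ActiveDirectory

function Get-ConsistencyGuidUsage {
    param(
        # Assumption: search the whole current domain; narrow this to an OU if needed.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # Server-side filter: only objects with a populated attribute are returned,
    # which is cheaper than pulling every object and filtering client-side.
    $filter = '(mS-DS-ConsistencyGuid=*)'
    $props  = 'objectGUID', 'mS-DS-ConsistencyGuid', 'sAMAccountName'

    $objects = @()
    $objects += Get-ADUser  -LDAPFilter $filter -SearchBase $SearchBase -Properties $props
    $objects += Get-ADGroup -LDAPFilter $filter -SearchBase $SearchBase -Properties $props

    foreach ($obj in $objects) {
        # The attribute is stored as a byte array; a 16-byte value can be read as a GUID.
        $bytes        = [byte[]]$obj.'mS-DS-ConsistencyGuid'
        $guidFromAttr = if ($bytes.Count -eq 16) { [guid]::new($bytes) } else { $null }

        [pscustomobject]@{
            ObjectClass       = $obj.ObjectClass
            SamAccountName    = $obj.SamAccountName
            ObjectGuid        = $obj.ObjectGUID
            ConsistencyGuid   = $guidFromAttr
            # Base64 of the raw bytes is the representation used as the Azure AD ImmutableId.
            ImmutableId       = [Convert]::ToBase64String($bytes)
            # True when the value is the object's own objectGUID, as Azure AD Connect writes it.
            MatchesObjectGuid = ($guidFromAttr -eq $obj.ObjectGUID)
        }
    }
}

$usage = @(Get-ConsistencyGuidUsage)
if ($usage.Count -eq 0) {
    'No users or groups carry a mS-DS-ConsistencyGuid value; Azure AD Connect can use it as the source anchor.'
} else {
    $usage | Format-Table -AutoSize
    $foreign = @($usage | Where-Object { -not $_.MatchesObjectGuid })
    '{0} object(s) already populated; {1} of them hold a value that differs from objectGUID.' -f $usage.Count, $foreign.Count
}
```

Run it from the same kind of host as the one-liners above (a Domain Controller or a domain-joined device with the Active Directory Module installed). If every populated object reports MatchesObjectGuid as True, the values are the ones Azure AD Connect itself writes; any False rows deserve a closer look before deciding whether the attribute can be claimed for Azure AD Connect.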


Concluding

When the mS-DS-ConsistencyGUID attribute is already in use in your Active Directory environment, you can’t use it as the source anchor attribute in Azure AD Connect, by default.

If another or a previous installation of Azure AD Connect is responsible for filling these attributes, you can opt to install Azure AD Connect using the /SkipLdapSearch command-line switch.

Further reading

HOWTO: Attach a previously sync’ed Azure AD Tenant to a new AD Forest
KnowledgeBase: You receive “the mS-DS-ConsistencyGuid attribute is already in use” when you change the source anchor on a Staging Mode Azure AD Connect installation
Azure AD Connect v1.5.18.0 brings mS-DS-ConsistencyGUID as source anchor for Groups
Azure AD Connect: objectGUID vs. mS-DS-ConsistencyGuid, Part 1
