Default checks to perform when implementing Hybrid Identity, Part 5: Groups with non-linked-value replication-enabled members


Hybrid Identity

Microsoft has introduced an impressive array of technologies and an awesome vision on Hybrid Identity. Their vision entails seamless access to corporate resources, services and applications for people, no matter where these resources, services and apps are located (either on-premises or in the cloud), while in the meantime allowing for strong authentication and granular authorization.

While Microsoft's Azure Active Directory Hybrid Identity Design Considerations document details a lot of pitfalls you might want to avoid while implementing Microsoft's Hybrid Identity technologies in the areas of process and architecture, my projects, on the other hand, have shown technical customer configurations beyond belief.

In this series I’ll detail these configurations, how they ruin Hybrid Identity dreams and how to fix them.

Today, let’s discuss group memberships for groups synchronized from your on-premises Active Directory Domain Services environment(s) to Azure Active Directory that have members that are not enabled for linked-value replication (LVR).

This is a scenario I was recently made aware of by Daniel Stefaniak, and I think this is a scenario large organizations with older Active Directory environments may run into.


About linked-value replication

The initial release of Active Directory in Windows 2000 Server defined the smallest scope of replication to be an attribute. This works fine for most attributes but is terribly inefficient for attributes with multiple (linked) values. The member attribute of a group is one such attribute: it contains all the SIDs of all the group members.

Windows Server 2003 and the Windows Server 2003 Domain Functional Level (DFL) introduced linked-value replication. When replicating an attribute with multiple (linked) values, only the values that have changed are replicated. For a group with thousands of members, linked-value replication makes sense in terms of efficiency: now, when a group member is removed or added, only that one SID is replicated, instead of all the SIDs of all the group members.

Transitioning to the model of linked-value replication was seamless. Old memberships continued to replicate on a non-linked-value replication basis and new memberships were replicated with linked-value replication.

However, when even one member was added to a group before linked-value replication was introduced, the entire group kept replicating using the old model. This slows down Active Directory replication. It also slows down synchronization to Azure AD using Azure AD Connect: with its 30-minute synchronization cycles, changes in group memberships may take a long time to process.


Getting rid of non-linked-value replication-enabled members

To list all the groups that feature non-linked-value replication-enabled members, we can use the following lines of Windows PowerShell on a device with the Active Directory module for Windows PowerShell:

Import-Module ActiveDirectory

# Get-ADReplicationAttributeMetadata needs a domain controller to query; the PDC emulator is a safe default.
$Server = (Get-ADDomain).PDCEmulator

# Legacy (non-LVR) member values are reported with replication metadata version 0.
$NonLVRGroups = Get-ADGroup -Filter * -Server $Server | Get-ADReplicationAttributeMetadata -Server $Server -Properties Member -ShowAllLinkedValues | Where-Object {$_.Version -eq 0}

$NonLVRGroups | Select-Object @{n="Group";e={$_.Object}} -Unique


The output of the above lines of Windows PowerShell helps you determine whether your Active Directory domain contains groups with non-linked-value replication-enabled members.

If you want an overview of the non-linked-value replication-enabled members per group, use the following additional line of Windows PowerShell:

$NonLVRGroups | Select-Object @{n="LEGACY";e={$_.AttributeValue}},@{n="Group";e={$_.Object}}


If you have any non-linked-value replication-enabled members, use the following lines of Windows PowerShell to remove those members from a specified group and then add them again. Between the two commands the affected accounts are briefly no longer members of the group, so plan this for a maintenance window:

$DN = "cn=GroupName,cn=organization,dc=domain,dc=tld"
$Server = (Get-ADDomain).PDCEmulator

$NonLVRMembers = Get-ADReplicationAttributeMetadata -Object $DN -Server $Server -Properties Member -ShowAllLinkedValues | Where-Object {$_.Version -eq 0}

# Only touch the group when legacy members were actually found. Both changes are sent to the same
# domain controller, so the Add cannot be applied before the Remove. Remove-ADGroupMember prompts for confirmation.
if ($NonLVRMembers) {
    Remove-ADGroupMember -Identity $DN -Members ($NonLVRMembers).AttributeValue -Server $Server
    Add-ADGroupMember -Identity $DN -Members ($NonLVRMembers).AttributeValue -Server $Server
}
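The per-group fix above can be applied to every affected group in one pass. The script below is an added example written for this post, not code from the original article; it assumes the ActiveDirectory module, a domain controller reachable as the PDC emulator, and a CSV path of your choosing for the backup. It supports -WhatIf so you can review the groups it would touch before any membership changes.

```powershell
# Added example, not part of the original post. Re-adds every legacy (non-LVR) member of every
# group so the membership is stored as a linked-value replication link. Run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Server,                                    # domain controller to query and write to
    [string]$BackupPath = ".\NonLVRMembers-backup.csv"  # where to record touched memberships
)

Import-Module ActiveDirectory

if (-not $Server) { $Server = (Get-ADDomain).PDCEmulator }

# Legacy link values carry replication metadata with Version 0 (same check as in the post).
$NonLVR = Get-ADGroup -Filter * -Server $Server |
    Get-ADReplicationAttributeMetadata -Server $Server -Properties Member -ShowAllLinkedValues |
    Where-Object { $_.Version -eq 0 }

if (-not $NonLVR) {
    Write-Host "No non-linked-value replication-enabled members found."
    return
}

# Record every membership about to be touched, so it can be restored by hand if the
# Add step fails after the Remove step already succeeded.
$NonLVR |
    Select-Object @{n = "Group"; e = { $_.Object }}, @{n = "Member"; e = { $_.AttributeValue }} |
    Export-Csv -Path $BackupPath -NoTypeInformation

foreach ($entry in ($NonLVR | Group-Object -Property Object)) {
    $dn      = $entry.Name                      # distinguished name of the group
    $members = @($entry.Group.AttributeValue)   # distinguished names of its legacy members

    if ($PSCmdlet.ShouldProcess($dn, "Re-add $($members.Count) legacy member(s)")) {
        # Removing and re-adding the same values converts them into LVR link values. Both calls
        # target the same DC so the Add is never ordered before the Remove during replication.
        Remove-ADGroupMember -Identity $dn -Members $members -Server $Server -Confirm:$false
        Add-ADGroupMember    -Identity $dn -Members $members -Server $Server
    }
}
```

The backup CSV lists each group and legacy member it changed, which is also a useful record for the change ticket.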


Concluding

When you have an old Active Directory Domain Services environment (or several) and groups with non-linked-value replication-enabled members, it's a good idea to find these groups and optimize their replication and synchronization towards Azure AD.

Further Reading

Troubleshooting AD Replication error 8477
Azure Active Directory hybrid identity design considerations
Active Directory: Allow Linked Multi-Valued Attributes to use LVR
Remediate Active Directory Members that Don't Support LVR
