(2016-05-07) Azure AD Connect – Identifying Objects In AD And In Azure AD (Part 3)
Posted by Jorge on 2016-05-07
Part 2 can be found here
UPDATE 2016-12-15: Windows Server 2016 introduces a new schema attribute, “msDS-SourceAnchor” (CN “ms-DS-Source-Anchor”), which could be used as the source for the immutable ID in Azure AD. Like the attribute I use myself, it is a string attribute, so wherever this text refers to “iamTECImmutableID” or “extensionAttribute15”, “msDS-SourceAnchor” could be used instead. The following is taken from the protocol documentation. As mentioned earlier, be very careful in using default attributes in the AD schema if their intended use is not clear.
The msDS-SourceAnchor attribute defines a unique, immutable identifier for the object in the authoritative directory.
searchFlags: fPDNTATTINDEX | fPRESERVEONDELETE
Version-Specific Behavior: Implemented on Windows Server 2016.
This all starts when running the setup wizard of AAD Connect. At some point you will see the following screen:
Figure 1: (Uniquely) Identifying (Your) Users – “Users identities exist across multiple directories. Match using: ‘<Custom Attribute>’”
As a “CUSTOM ATTRIBUTE” and as a “SOURCE ANCHOR” you choose:
- “extensionAttribute15” if you want a Unicode String attribute
- “mS-DS-ConsistencyGuid” if you want an Octet String attribute
As a “USER PRINCIPAL NAME” you choose:
Now DO NOT continue by clicking [Next]! Why? If the attributes chosen do not exist in the metaverse (MV) under exactly the same name, the installation of AAD Connect will fail at the very end and you will have to uninstall and reinstall. Read more about this here.
Therefore open the Synchronization Service Manager and go to the Metaverse Designer. Add or configure the following attributes on both the “person” and the “group” object types, and configure them as displayed.
Figure 2: A Unicode String Attribute Being Used As Both The Custom Matching Attribute And The Source Anchor
Or you configure…
Figure 3: An Octet String (Binary) Attribute Being Used As Both The Custom Matching Attribute And The Source Anchor
The following attribute is also needed as an initial matching attribute; later I will elaborate on it. Add it to both the “person” and the “group” object types and configure it as displayed.
Figure 4: An Additional Octet String (Binary) Attribute Also To Be Used As A Matching Attribute
After doing all this, you can continue with the AAD Connect installation wizard! At the end, make sure you DO NOT enable synchronization!
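Before walking through the wizard above, a practitioner will want to verify on the AD side that the attribute picked as custom matching attribute and source anchor really has the syntax the wizard expects (Unicode String for “extensionAttribute15”, Octet String for “mS-DS-ConsistencyGuid”), is single-valued, and that the values already present in AD are unique, because a source anchor must be unique and immutable. The PowerShell below is an added example, not code from this post; it assumes the RSAT ActiveDirectory module, read access to the schema and domain partitions, the two attribute names used above, and that a binary anchor surfaces in Azure AD as its Base64 encoding while a string anchor is taken as-is (an assumption about AAD Connect's conversion, not something this post states). It deliberately does not touch the metaverse schema; that is what the Metaverse Designer steps above are for.

```powershell
# Added example, not code from the original post: pre-flight check of the AD attribute
# you intend to pick in the wizard as custom matching attribute and source anchor.
# Assumes the RSAT ActiveDirectory module and read access to schema and domain partitions.
Import-Module ActiveDirectory

# 'extensionAttribute15' (Unicode String) or 'mS-DS-ConsistencyGuid' (Octet String).
$SourceAnchor = 'mS-DS-ConsistencyGuid'

# 1. Find the attribute in the schema partition and check syntax and cardinality.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$SourceAnchor)" `
    -Properties lDAPDisplayName, attributeSyntax, isSingleValued, searchFlags
if (-not $attr) { throw "Attribute '$SourceAnchor' does not exist in the AD schema." }
if (-not $attr.isSingleValued) { throw "'$SourceAnchor' is multi-valued; a source anchor must be single-valued." }

# attributeSyntax OIDs: 2.5.5.12 = Unicode String, 2.5.5.10 = Octet String (binary).
$syntaxName = switch ($attr.attributeSyntax) {
    '2.5.5.12' { 'Unicode String' }
    '2.5.5.10' { 'Octet String' }
    default    { throw "'$SourceAnchor' has syntax $($attr.attributeSyntax); pick a Unicode String or Octet String attribute." }
}
"{0}: {1}, single-valued, searchFlags={2}" -f $attr.lDAPDisplayName, $syntaxName, $attr.searchFlags

# 2. Render a value the way it is assumed to surface as the Azure AD ImmutableId:
#    a binary anchor is Base64-encoded, a string anchor is used as-is (assumption, see lead-in).
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)] $Value)
    if ($Value -is [byte[]]) { return [System.Convert]::ToBase64String($Value) }
    return [string]$Value
}

# 3. Every user and group that already carries a value; the anchor must be unique across all of them.
#    objectCategory=person excludes computer accounts, which are also objectClass=user.
$inScope = '(|(&(objectCategory=person)(objectClass=user))(objectCategory=group))'
$populated = @(Get-ADObject -LDAPFilter "(&$inScope($SourceAnchor=*))" -Properties $SourceAnchor)
$dupes = @($populated | Group-Object { ConvertTo-ImmutableId $_.$SourceAnchor } | Where-Object { $_.Count -gt 1 })
"Objects with a value in {0}: {1}; duplicate values: {2}" -f $SourceAnchor, $populated.Count, $dupes.Count
foreach ($d in $dupes) {
    "  DUPLICATE {0}: {1}" -f $d.Name, (($d.Group | ForEach-Object DistinguishedName) -join '; ')
}

# 4. Objects still without a value: they have no anchor until you populate one, and whatever
#    you write must be written once and never changed afterwards.
$missing = @(Get-ADObject -LDAPFilter "(&$inScope(!($SourceAnchor=*)))")
"Objects without a value in {0}: {1}" -f $SourceAnchor, $missing.Count
```

The script is read-only: it only queries the schema and the domain. Run it once for each candidate attribute by changing $SourceAnchor; any DUPLICATE line means the attribute cannot serve as a source anchor until the conflicting objects are fixed, and a non-zero "without a value" count tells you how many objects would still need to be populated before synchronization is enabled.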
Continue with part 4 here
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
This entry was posted on 2016-05-07 at 23:02 and is filed under Azure AD Connect, Windows Azure Active Directory.