(2016-05-07) Azure AD Connect – Identifying Objects In AD And In Azure AD (Part 6)
Posted by Jorge on 2016-05-07
Part 5 can be found here
–
UPDATE 2016-12-15: With Windows Server 2016 a new attribute called “ms-DS-Source-Anchor” is introduced which could be used as the source for the immutable ID in Azure. Like the attribute I use myself, this attribute is a string attribute. Therefore, where you find the attribute “iamTECImmutableID” in the text, or “extensionAttribute15” could be replaced with “ms-DS-Source-Anchor”. Taken from the protocol documentation. As mentioned earlier, be very careful in using default attributes in the AD schema if its use is not clear.
The msDS-SourceAnchor attribute defines a unique, immutable identifier for the object in the authoritative directory.
cn: ms-DS-Source-Anchor
ldapDisplayName: msDS-SourceAnchor
attributeId: 1.2.840.113556.1.4.2352
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
schemaIdGuid: b002f407-1340-41eb-bca0-bd7d938e25a9
systemOnly: FALSE
searchFlags: fPDNTATTINDEX | fPRESERVEONDELETE
systemFlags: FLAG_SCHEMA_BASE_OBJECT
rangeLower: 1
showInAdvancedViewOnly: TRUE
Version-Specific Behavior: Implemented on Windows Server 2016.
–
UPDATE 2017-05-16: With AAD Connect version 1.1.524.0 and higher, it enables the use of ConsistencyGuid attribute as the Source Anchor attribute for on-premises AD objects Further, Azure AD Connect populates the ConsistencyGuid attribute with the objectGuid attribute value if it is empty. This feature is applicable to new deployment only. To find out more about this feature, refer to article section Azure AD Connect: Design concepts – Using msDS-ConsistencyGuid as sourceAnchor.
–
The next object we need to take into account is the group object for inbound synchronization
Clone and disable the synchronization rule called “In from AD – Group Join”.
While on the “Description” node:
- Assign the name “In from AD – Group Join (Custom – <AD Forest FQDN>)” to the clone
- Assign the description “Cloned Sync Rule From ”In from AD – Group Join”” to the clone
- Assign the precedence of 80
- With regards to configuring a tag, it apparently is not possible to do that right after cloning a synchronization rule. Finish the configuration of the rule, save it, export it to a PowerShell script, edit the script and add a tag and save the script, and rerun the script to update the cloned synchronization rule
Apply the exact configuration as explained above for the cloned rule called “In from AD – User Join (Custom – <AD Forest FQDN>)” (part 4 figure 2 or 3, 4).
–
Clone and disable the synchronization rule called “In from AD – Group Common”.
While on the “Description” node:
- Assign the name “In from AD – Group Common (Custom – <AD Forest FQDN>)” to the clone
- Assign the description “Cloned Sync Rule From ‘In from AD – Group Common’” to the clone
- Assign the precedence of 84
- With regards to configuring a tag, it apparently is not possible to do that right after cloning a synchronization rule. Finish the configuration of the rule, save it, export it to a PowerShell script, edit the script and add a tag and save the script, and rerun the script to update the cloned synchronization rule
Click on the “Transformations” node:
Configure the yellow marked part to make sure the attribute listed is populated in the MV
If you are using a Unicode String Attribute, configure the transformation rules as followed (only taking the yellow marked parts into account)
Figure 1: Transformation Rules For The Cloned Synchronization Rule “In from AD – Group Common (Custom – <AD Forest FQDN>)””. When Using A Unicode String Attribute
–
For BOTH the target attribute “sourceAnchor” and the target attribute “extensionAtttribute15”, the source is:
IIF(IsPresent([extensionAttribute15]),[extensionAttribute15],ConvertToBase64([objectGUID]))
The expression can be better seen as:
IIF(
IsPresent([extensionAttribute15]),
[extensionAttribute15],
ConvertToBase64([objectGUID])
)
–
If you are using a Octet String Attribute, configure the transformation rules as followed (only taking the yellow marked parts into account)
Figure 2: Transformation Rules For The Cloned Synchronization Rule “In from AD – Group Common (Custom – <AD Forest FQDN>)”. When Using An Octet String Attribute
–
For the target attribute “sourceAnchor”, the source is:
IIF(IsPresent([mS-DS-ConsistencyGuid]),ConvertToBase64([mS-DS-ConsistencyGuid]),ConvertToBase64([objectGUID]))
The expression can be better seen as:
IIF(
IsPresent([mS-DS-ConsistencyGuid]),
ConvertToBase64([mS-DS-ConsistencyGuid]),
ConvertToBase64([objectGUID])
)
–
For the target attribute “mS-DS-ConsistencyGuid”, the source is:
IIF(IsPresent([mS-DS-ConsistencyGuid]),[mS-DS-ConsistencyGuid],[objectGUID])
The expression can be better seen as:
IIF(
IsPresent([mS-DS-ConsistencyGuid]),
[mS-DS-ConsistencyGuid],
[objectGUID]
)
The first yellow marked transformation (figure 17 and 18) will flow the value from either “extensionAttribute15” or “mS-DS-ConsistencyGuid” (whichever you are using) to the “sourceAnchor” if a value already exists. If not, the objectGUID in base64 format will be used as the value.
The second yellow marked transformation (figure 17 and 18) will flow the value from either “extensionAttribute15” or “mS-DS-ConsistencyGuid” (whichever you are using) to respectively the “extensionAttribute15” or “mS-DS-ConsistencyGuid” (whichever you are using) if a value already exists. If not, the objectGUID in base64 format will be used as the value.
–
This synchronization rule is now fully configured and therefore you can save it.
–
Now we need to create a brand new synchronization rule for the “group” object so that the immutable ID value is written back to AD (outbound synchronization) in a manageable attribute of the user object.
REMARK: to AAD Connect to be able to write back the value, the account used in the AD connector must have Allow:Read/Write permissions on the group objects for which it is writing back a value into the chosen manageable attribute that will provide the immutable ID value. To configure the correct permissions you can use the following command:
DSACLS "\\<FQDN RWDC>\<distinguishedName of OU>" /G "<account used in the AD connector>:RPWP;<chosen immutable ID attribute>;group" /I:S
Create/add a new synchronization rule.
While on the “Description” node:
- Assign the name “Out to AD – Group Common (Custom – <AD Forest FQDN>)”
- Assign the description “New Sync Rule”
- Assign as connected system the AD forest
- Assign as connected system object type: “group”
- Assign as metaverse object type: “group”
- Assign as link type: “Join”
- Assign the precedence of 270
- Assign the tag “<companyname>.OuttoADGroupCommonCustom.001”
- Keep UNchecked “Enable Password Sync”
- Keep UNchecked “Disabled”
For the rest of it, apply the exact configuration as explained above for the new rule called “Out to AD – User Common (Custom – <AD Forest FQDN>)” (part 4 figure 7 or 8, 9, 10 or 11).
This synchronization rule becomes active on a group object in the MV after the listed attribute (part 4 figure 7 or 8) has been populated with a value
REMARK: to AAD Connect to be able to write back the value, the account used in the AD connector must have Allow:Read/Write permissions on the group objects for which it is writing back a value into the chosen manageable attribute that will provide the immutable ID value. To configure the correct permissions you can use the following command:
DSACLS "\\<FQDN RWDC>\<distinguishedName of OU>" /G "<account used in the AD connector>:RPWP;<chosen immutable ID attribute>;group" /I:S
–
Now to make sure you have a backup configuration of your AAD Connect installation, execute the following command:
Get-ADSyncServerConfiguration <some folder>
–
Now that everything is ready, you need to enable synchronization. You can do that through:
Set-ADSyncScheduler -SyncCycleEnabled $TRUE
If you want to kick synchronization to start right away, execute the following command:
Start-ADSyncSyncCycle -PolicyType Initial
–
Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————
Jorge's Quest For Knowledge! 
Aengus Moran said
Thanks for this series. I recently implemented similar based on the first two links you referred to (with some minor modification).
The config wasn’t as difficult to implement as first appears and I am happy I went to the trouble of doing it, especially as we now have a domain consolidation project picking up steam.
Posts like this also reassure me that I made the right decision to setup the custom config and I encourage others that if you meet the criteria, take the time to consider doing this.
LikeLike
Jorge said
you’re welcome. Glad to hear it helped confirm your actions
regards,
jorge
LikeLike
Alan said
Thanks for the great set of posts. I am trying to implement this in my environment but it is all very new to me at the moment. Is it a requirement to implement the changes for iNetOrgPerson and Groups in addition to normal Users? Can I get away with just changing the user rules even though I have selected a custom attribute as the Source Anchor during installation? If I don’t need to change the rules for groups then what are the advantages from doing so?
Thanks again
Alan
LikeLike
Jorge said
You only need to implement/change the rules for the objects you want to manage/sync to azure ad. A reason for also doing the others is that you not need to worry about it later, or in other words forget about it
LikeLike
Gordon said
Hi Jorge, we have implemented this (correctly I think!)…but we are seeing an issue where Distribution Groups in AD are not syncing to AAD. In a metaverse search we are seeing them come in from AD but not go out to AAD. Any advise would be greatly appreciated.
LikeLike
Jorge said
Hi,
To understand what’s going on, you need to have a look at your data and the corresponding sync rules. That’s the only way to understand why it is not provisioned to AAD.
On an object in the AD CS, for which provisioning is not working, you can also use the preview to see if it display why it is not provisioning
Best Regards,
jorge
LikeLike
Jorge said
in addition and more specifically….
* check the data in the CS for an example group
* then check the inbound sync rules for AD and check the scoping filter to see if the rule applies
* then check the transformation of that same rule to understand what would flow to the MV
* check the data in the MV for the example group
* then check the outbound sync rules for AAD and the scoping filter to see if the rules applies
* then check the transformation of that same rule to understand what would flow to the AAD CS
LikeLike
(2016-05-07) Azure AD Connect – Identifying Objects In AD And In Azure AD (Part 5) « Jorge's Quest For Knowledge! said
[…] (2016-05-07) Azure AD Connect – Identifying Objects In AD And In Azure AD (Part 4) (2016-05-07) Azure AD Connect – Identifying Objects In AD And In Azure AD (Part 6) […]
LikeLike
(2016-12-16) Automatic Azure AD Join With ADFS v3.0 And Higher And Conditional Access – What You Really Need In Detail « Jorge's Quest For Knowledge! said
[…] (2016-05-07) Azure AD Connect – Identifying Objects In AD And In Azure AD (Part 6) […]
LikeLike