Choosing a sourceAnchor for Multi-Forest Sync with AAD Connect – Part 6, Moving off objectGuid

Update 25th May 2017:- As of AAD Connect May 2017 release, version 1.1.524, the default sourceAnchor used by the setup wizard is mS-DS-ConsistencyGuid. This renders most of this blog post series moot but it will be maintained for reference.


This blog post series is based upon and tested with AAD Connect, December 2016 release, version 1.1.380.0. Test all deployment designs before production implementation.

Table of Contents

Part 1, Introduction

Part 2, Lab Setup

Part 3, An Aside on EmployeeID

Part 4, Using msDS-SourceAnchor

Part 5, Using mS-DS-ConsistencyGuid

Part 6, Moving off objectGuid

Part 7, Migrating Users

Correcting an earlier choice of objectGuid

As it turns out, if you've previously selected objectGuid as your sourceAnchor, you can very easily change to using msDS-SourceAnchor or mS-DS-ConsistencyGuid.

Pause the sync service by opening a PowerShell prompt and executing

Set-ADSyncScheduler -SchedulerSuspended $true

Choose either msDS-SourceAnchor or mS-DS-ConsistencyGuid and make the rule edits described in Part 4 of this series for msDS-SourceAnchor or Part 5 of this series for mS-DS-ConsistencyGuid.

Open "C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe"

Navigate to Connectors

Select the first Forest connector and click Properties

In the properties sheet, click Select Attributes

Check Show All

Scroll down and check msDS-SourceAnchor (or mS-DS-ConsistencyGuid if you're using that)

Click OK


Repeat for all other Forest connectors

Resume the sync service by opening a PowerShell prompt and executing

Set-ADSyncScheduler -SchedulerSuspended $false

Trigger a delta sync by executing

Start-ADSyncSyncCycle -PolicyType Delta
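The pause / edit / resume sequence above, wrapped in a script so the pause waits for any cycle that is already running and the resume refuses to proceed until every AD connector actually exports the chosen attribute. This is an added example and not code from the original post; it assumes it is run on the AAD Connect server with the ADSync module available, that the rule edits from Part 4 or Part 5 are still done by hand, and that the connector object's ConnectorTypeName and AttributeInclusionList properties (assumed names) reflect the type of connector and the attributes ticked under Select Attributes.

```powershell
# Added example (not from the original post). Assumes the ADSync module on the AAD Connect server.
Import-Module ADSync

function Suspend-ADSyncSafely {
    # Suspend the scheduler, then wait until any cycle that was already running has finished,
    # so the rule and connector edits are not made underneath a live import/sync/export.
    Set-ADSyncScheduler -SchedulerSuspended $true
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        Write-Output "A sync cycle is still in progress; waiting 30 seconds..."
        Start-Sleep -Seconds 30
    }
    Write-Output "Scheduler suspended and no cycle running."
}

function Get-ConnectorsMissingAttribute {
    param([Parameter(Mandatory)][string]$Attribute)
    # Returns the names of AD connectors that do not list $Attribute under Select Attributes.
    # ConnectorTypeName and AttributeInclusionList are assumed property names.
    $missing = @()
    foreach ($c in (Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' })) {
        if ($c.AttributeInclusionList -notcontains $Attribute) {
            $missing += $c.Name
        }
    }
    return $missing
}

# Choose 'msDS-SourceAnchor' (Part 4) or 'mS-DS-ConsistencyGuid' (Part 5)
$sourceAnchorAttribute = 'mS-DS-ConsistencyGuid'

Suspend-ADSyncSafely

# Manual steps: sync rule edits and ticking the attribute in miisclient.exe for every Forest connector.
Read-Host "Make the rule edits and tick $sourceAnchorAttribute on every Forest connector, then press Enter"

$missing = Get-ConnectorsMissingAttribute -Attribute $sourceAnchorAttribute
if ($missing.Count -gt 0) {
    Write-Warning ("These connectors still do not export {0}: {1}. Leaving the scheduler suspended." -f $sourceAnchorAttribute, ($missing -join ', '))
    return
}

# Everything is in place: resume the scheduler and run a delta sync, as in the post.
Set-ADSyncScheduler -SchedulerSuspended $false
Start-ADSyncSyncCycle -PolicyType Delta
Write-Output "Scheduler resumed and delta sync cycle requested."
```

Run it from an elevated PowerShell prompt on the AAD Connect server; if the attribute check fails the scheduler stays suspended so no export runs with a half-finished configuration.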

What about when other attributes are used for sourceAnchor?

Now you're in a world of hurt.

You need to uninstall AAD Connect and have the wizard remove all components including the sync database. You need to delete your users from Azure Active Directory and you need to start again.

An alternative to starting over is to change the ImmutableID by

Logging into

Navigating to the Azure Active Directory tenant

Selecting Directory Integration

Disabling Directory Sync


Note: It will take time to disable sync for all users … around 1 hour for every 2000 users. Due to the asynchronous nature of this task under the hood, it may not begin immediately (sometimes a delay of hours and in rare cases days). Sync cannot be enabled again until this task is complete.

Change the UPN for users to the tenant domain -

Set-MsolUserPrincipalName -NewUserPrincipalName <UPN in the tenant domain> -UserPrincipalName <current public-domain UPN>

Change the ImmutableID to the value you want to use for each user -

Set-MsolUser -UserPrincipalName <UPN in the tenant domain> -ImmutableId <new value>

Change the UPN back to the public domain name -

Set-MsolUserPrincipalName -NewUserPrincipalName <public-domain UPN> -UserPrincipalName <UPN in the tenant domain>

Enable sync for the Azure Active Directory tenant again (as before, allow time for sync to restart)

AAD Connect configuration will need to be updated to reflect the use of the new sourceAnchor
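The three MSOnline steps above carried out for a list of users, with the new ImmutableID derived from the on-premises mS-DS-ConsistencyGuid value (Part 5 of this series) and a before/after check on each account. This is an added example and not code from the original post; it assumes the ActiveDirectory and MSOnline modules, that Connect-MsolService has already been run, that Directory Sync has already been disabled on the tenant as described above, that each user's cloud UPN prefix equals their sAMAccountName, and that the ImmutableID for a binary sourceAnchor is the Base64 encoding of the attribute's bytes (the encoding AAD Connect uses for objectGuid and mS-DS-ConsistencyGuid). The domain names and the user list are placeholders.

```powershell
# Added example (not from the original post). Re-stamps ImmutableId for a list of users.
# Placeholders: replace the two domains and the sAMAccountName list with your own values.
param(
    [string]$PublicDomain = 'example.com',                 # placeholder: verified public domain
    [string]$TenantDomain = 'example.onmicrosoft.com',     # placeholder: tenant default domain
    [string[]]$SamAccountNames = @('user1', 'user2')       # constructed sample input
)

Import-Module ActiveDirectory
Import-Module MSOnline   # Connect-MsolService is assumed to have been run already

function Get-ImmutableIdFromConsistencyGuid {
    param([Parameter(Mandatory)][byte[]]$ConsistencyGuid)
    # Assumption: AAD Connect writes a binary sourceAnchor to the cloud as Base64 of its raw bytes.
    return [Convert]::ToBase64String($ConsistencyGuid)
}

foreach ($sam in $SamAccountNames) {
    $publicUpn = "$sam@$PublicDomain"
    $tenantUpn = "$sam@$TenantDomain"

    # Read the on-premises value that Part 5 populated; skip users where it is still empty.
    $adUser = Get-ADUser -Identity $sam -Properties 'mS-DS-ConsistencyGuid'
    $guidBytes = $adUser.'mS-DS-ConsistencyGuid'
    if (-not $guidBytes) {
        Write-Warning "$sam has no mS-DS-ConsistencyGuid on-premises; skipping."
        continue
    }
    $newImmutableId = Get-ImmutableIdFromConsistencyGuid -ConsistencyGuid $guidBytes

    $cloudUser = Get-MsolUser -UserPrincipalName $publicUpn -ErrorAction Stop
    if ($cloudUser.ImmutableId -eq $newImmutableId) {
        Write-Output "$publicUpn already has ImmutableId $newImmutableId; nothing to do."
        continue
    }
    Write-Output ("{0}: ImmutableId {1} -> {2}" -f $publicUpn, $cloudUser.ImmutableId, $newImmutableId)

    # Step 1: move the UPN onto the tenant domain
    Set-MsolUserPrincipalName -UserPrincipalName $publicUpn -NewUserPrincipalName $tenantUpn
    # Step 2: set the new ImmutableId while the account is on the tenant domain
    Set-MsolUser -UserPrincipalName $tenantUpn -ImmutableId $newImmutableId
    # Step 3: move the UPN back to the public domain
    Set-MsolUserPrincipalName -UserPrincipalName $tenantUpn -NewUserPrincipalName $publicUpn

    # Verify the result before moving on to the next user
    $after = Get-MsolUser -UserPrincipalName $publicUpn -ErrorAction Stop
    if ($after.ImmutableId -ne $newImmutableId) {
        Write-Warning "$publicUpn: ImmutableId is '$($after.ImmutableId)', expected '$newImmutableId'."
    } else {
        Write-Output "$publicUpn updated and verified."
    }
}
```

Run it against a handful of test accounts first and keep the printed before/after values; they are the record you will want if a user fails to soft-match once Directory Sync is enabled again.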

Depending on the services you're using with your Azure Active Directory tenant, you may be facing mailbox export/import operations and various other problems.

I would recommend engaging with Microsoft Premier Field Engineering, Microsoft Consulting or a trusted cloud partner to help you through it.


Moving away from objectGuid over to msDS-SourceAnchor or mS-DS-ConsistencyGuid as your sourceAnchor is relatively easy.

Comments (6)
  1. Hey Mark

    Why did you change the UPN to before changing the immutable ID?

    1. Mark Renoden says:

      In my testing this was a necessary step before changing of the ImmutableID was permitted. As always, this may have changed since I wrote the post – an artefact of the DevOps world we live in.

  2. phera says:

    Hi, we are following this technique using ms-ds-consistencyGuid to get off objectguid. When we ran the updated connectors on a staging server, we observed that we will get 4568 disconnections. Is this to be expected, assuming that the next sync will reconnect the objects as now ms-ds-consistencyGuid matches the ImmutableId?

    1. Mark Renoden says:

      As noted at the top of the post, the information here is outdated since the AAD Connect tool was updated to default to using ms-ds-consistencyguid. There is actually an automatic migration from objectguid to ms-ds-consistencyguid in the setup wizard for the latest AAD Connect wizard.

      1. phera says:

        Mark, the term green fields made me skip that bit (I am not dealing with green fields), and I did not realise there was also a migration tool. So the migration tool also sets up the write back of the objectguid to the on premise ms-ds-consistencyguid and updates the ADFS claim rules?

        1. Mark Renoden says:

          As things rapidly change, it’s hard to keep these sorts of blog posts completely up to date. The latest AAD Connect documentation from Microsoft discusses your sourceAnchor options –
