Choosing a sourceAnchor for Groups in Multi-Forest Sync with AAD Connect

Introduction

Earlier this year I authored a post discussing choices for sourceAnchor in Multi-Forest Sync with AAD Connect. Following that series, the Azure Active Directory Product Group included sync rules that use mS-DS-ConsistencyGuid as the sourceAnchor for user objects. This was great because it all works out of the box and, as an added bonus, there's an action built into the AAD Connect wizard that migrates you from objectGUID to mS-DS-ConsistencyGuid.

Recently, I was working with a customer who was migrating between Forests. These latest changes work terrifically well for user objects, but on the current build of AAD Connect (1.1.614.0) the sync rules for Groups do not use mS-DS-ConsistencyGuid. This means that, for groups, you're right back at square one (refer to the earlier series Introduction for background information).

In this post, I'll walk through the setup for custom sync rules so that groups migrate cleanly between Forests and continue to sync with Azure Active Directory without duplication.

Preparation

Pause the sync service by opening a PowerShell prompt and executing

Set-ADSyncScheduler -SchedulerSuspended $true

Open "C:\Program Files\Microsoft Azure AD Sync\UIShell\SyncRulesEditor.exe"

Observe the lowest precedence value among the built-in inbound sync rules (100 in this example).

Observe the built-in inbound sync rules for Groups, two of each type for each Forest (4 in this example).

You’ll need to duplicate each of these rules and modify the properties. Set the precedence of the duplicated rules to values lower than the lowest value observed (100 in this example).

Creating Custom Join Rules for Groups

Select the first In from AD - Group Join rule and click Edit

Click Yes at the Edit Reserved Rule Confirmation

Change Description to something like In from AD – Group Join Custom, the Precedence to 4 less than the number observed earlier (96 in this example) and click Next twice.

On the Join Rules page, change the Source attribute to mS-DS-ConsistencyGuid

Click Add group and in the new group, set Source attribute to objectGUID and Target attribute to sourceAnchorBinary

Click Next


Click Save

Click Yes at the Expression Warning

Repeat for additional In from AD - Group Join rules, this time setting the precedence to one more than last time (97 in this example).

Creating Custom Common Rules for Groups

Select the first In from AD - Group Common rule and click Edit

Click Yes at the Edit Reserved Rule Confirmation

Change Description to something like In from AD – Group Common Custom, the Precedence to one more than the last rule (98 in this example) and click Next three times.

On the Transformations page,

Change sourceAnchor from

 ConvertToBase64([objectGUID])

To

 IIF(IsPresent([mS-DS-ConsistencyGuid]),ConvertToBase64([mS-DS-ConsistencyGuid]),ConvertToBase64([objectGUID]))

Change sourceAnchorBinary from Direct

 [objectGUID]

To an Expression

 IIF(IsPresent([mS-DS-ConsistencyGuid]),[mS-DS-ConsistencyGuid],[objectGUID])


Click Save

Repeat for additional In from AD - Group Common rules, this time setting the precedence to one more than last time (99 in this example).
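
The effect of the two transformation expressions above, modelled in PowerShell as an added example (it is not from the original post and is not AAD Connect's own code). Get-GroupSourceAnchor and the sample GUIDs are constructed for illustration, and the scenario assumes the migration carries mS-DS-ConsistencyGuid across to the new Forest.

```powershell
# Added illustration: models the custom 'In from AD - Group Common Custom' transformations.
# Function name and GUIDs are constructed; nothing here talks to AD or AAD Connect.
function Get-GroupSourceAnchor {
    param(
        [Parameter(Mandatory)] [guid] $ObjectGuid,
        [byte[]] $ConsistencyGuid   # $null when mS-DS-ConsistencyGuid is not populated
    )
    # IIF(IsPresent([mS-DS-ConsistencyGuid]),[mS-DS-ConsistencyGuid],[objectGUID])
    [byte[]] $binary = $ObjectGuid.ToByteArray()
    if ($null -ne $ConsistencyGuid -and $ConsistencyGuid.Length -gt 0) {
        $binary = $ConsistencyGuid
    }
    [pscustomobject]@{
        sourceAnchorBinary = $binary
        sourceAnchor       = [Convert]::ToBase64String($binary)   # ConvertToBase64(...)
    }
}

# Constructed scenario: the group is first synced from Forest A, its anchor is
# written back to mS-DS-ConsistencyGuid, then the group is migrated to Forest B
# where it receives a new objectGUID (assumption: the attribute is carried over).
$forestAGuid = [guid]'11111111-2222-3333-4444-555555555555'
$forestBGuid = [guid]'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'

$before  = Get-GroupSourceAnchor -ObjectGuid $forestAGuid
$stamped = $before.sourceAnchorBinary   # value flowed by 'Out to AD - mS-DS-ConsistencyGuid'
$after   = Get-GroupSourceAnchor -ObjectGuid $forestBGuid -ConsistencyGuid $stamped

# What the unmodified built-in rule would produce: ConvertToBase64([objectGUID])
$builtIn = [Convert]::ToBase64String($forestBGuid.ToByteArray())

# -ceq: Base64 is case-sensitive, PowerShell's default -eq is not
[pscustomobject]@{
    AnchorBeforeMigration = $before.sourceAnchor
    AnchorAfterCustomRule = $after.sourceAnchor
    AnchorAfterBuiltIn    = $builtIn
    CustomRuleKeepsAnchor = ($before.sourceAnchor -ceq $after.sourceAnchor)
    BuiltInKeepsAnchor    = ($before.sourceAnchor -ceq $builtIn)
} | Format-List
```

A changed anchor is what makes Azure Active Directory treat the migrated group as a new object, which is the duplication the custom rules avoid.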

Create Rules to Write mS-DS-ConsistencyGuid back to AD On-Premises

Change the rule editor to show outbound rules and take note of the highest precedence value in use (170 in this example).

Click Add new rule

On the Description page, set the Name to Out to AD - mS-DS-ConsistencyGuid

On the Description page, set Connected System to the <Forest you're currently configuring the rule for>

On the Description page, set Connected System Object Type to group

On the Description page, set Metaverse Object Type to group

On the Description page, set the Precedence to a value higher than the precedence noted above (171 in this example).

Click Next

On the Scoping filter page, click Add group and then Add clause and set the filter to cloudSourceAnchor ISNOTNULL


Click Next

On the Join rules page, click Add group

Set the Source attribute to sourceAnchorBinary and the Target attribute to mS-DS-ConsistencyGuid

Click Add group again

In the second group, set Source attribute to sourceAnchorBinary and Target attribute to objectGUID


Click Next

On the Transformations page, click Add transformation. Set the Flow type to Expression, the Target attribute to mS-DS-ConsistencyGuid and the Expression to

 IIF(IsPresent([sourceAnchorBinary]),[sourceAnchorBinary],IgnoreThisFlow)


Click Add

Back at the outbound rules editor, click Add new rule and repeat for each additional Forest, setting the precedence to the next number (172 in this example).

Re-establish Sync

Resume the sync service by opening a PowerShell prompt and executing

Set-ADSyncScheduler -SchedulerSuspended $false

Trigger a full sync by executing

Start-ADSyncSyncCycle -PolicyType Initial

Conclusion

This blog post steps through the configuration of sync rules in AAD Connect that use mS-DS-ConsistencyGuid as the sourceAnchor for groups when they are synchronised from on-premises Forests to an Azure Active Directory tenant.

This approach aligns with the built-in sync rules used for user objects.