Cannot Recreate Azure AD ‘Local’ AD Connector

KB ID 0001659

Problem

While trying to fix another Azure AD replication problem today, I managed to delete one of the connectors (the one for the local ‘on-prem’ Active Directory). In an effort to recreate it, I ran ‘Microsoft Azure Active Directory Connect’ and went to ‘Customise the Synchronisation Options’. Unfortunately I got this error;

The forest {forest-name} cannot be added because the attribute used to uniquely identify your users in Azure AD (mS-DS-ConsistencyGuid) is already in use.

That’s not good! I was starting to get concerned.

Solution

The old DirSync had an install flag that skipped this check; would it still work with Azure AD Connect? Yes it does. With the flag set, the wizard completes, recreates the connector correctly, and everything works without any carnage. The flag skips the LDAP search that found mS-DS-ConsistencyGuid already populated; that search exists to stop a second installation hijacking an attribute another sync server is using, so only skip it when, as here, the existing values were written by the connector you have just deleted. So what’s the command? See below;

[box]

cd "C:\Program Files\Microsoft Azure Active Directory Connect"
AzureADConnect.exe /SkipLdapSearch 

[/box]

By the time I checked the Synchronisation Service, everything had burst back into life, and all was well.
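Before skipping the check, it is worth confirming that the existing mS-DS-ConsistencyGuid values really are your own connector’s work. By default Azure AD Connect writes each user’s objectGUID into mS-DS-ConsistencyGuid, so a value that does not match objectGUID points at another sync installation (or a manual change) and should be investigated rather than skipped past. The following pre-check is an added example, not code from the original article; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and the account has read access to the forest.

```powershell
# Added example (not from the original article): pre-check before running
# AzureADConnect.exe /SkipLdapSearch. Flags any user whose mS-DS-ConsistencyGuid
# is populated but does not equal the user's objectGUID, which is what
# Azure AD Connect writes there by default.
# Assumes: ActiveDirectory module (RSAT) and read access to the forest.
Import-Module ActiveDirectory

function Get-ConsistencyGuidMismatch {
    # Users that have mS-DS-ConsistencyGuid set at all
    $users = Get-ADUser -Filter 'mS-DS-ConsistencyGuid -like "*"' `
                        -Properties objectGUID, 'mS-DS-ConsistencyGuid'
    foreach ($u in $users) {
        $bytes = [byte[]]$u.'mS-DS-ConsistencyGuid'
        if ($bytes.Length -ne 16) {
            # Anything that is not a 16-byte GUID was not written by Azure AD Connect
            [pscustomobject]@{ User = $u.SamAccountName; Reason = "Unexpected length $($bytes.Length)" }
            continue
        }
        # Same byte layout as Guid.ToByteArray(), which is what the connector stores
        $cg = [guid]::new($bytes)
        if ($cg -ne $u.ObjectGUID) {
            [pscustomobject]@{ User = $u.SamAccountName; Reason = "ConsistencyGuid $cg != objectGUID $($u.ObjectGUID)" }
        }
    }
}

$populated = @(Get-ADUser -Filter 'mS-DS-ConsistencyGuid -like "*"').Count
$bad       = @(Get-ConsistencyGuidMismatch)
"Users with mS-DS-ConsistencyGuid set: $populated; not matching objectGUID: $($bad.Count)"

if ($bad.Count -eq 0) {
    'All values match objectGUID, so the attribute was populated by this installation.'
    'Re-run the wizard from an elevated prompt with the LDAP search skipped:'
    '  cd "C:\Program Files\Microsoft Azure Active Directory Connect"'
    '  .\AzureADConnect.exe /SkipLdapSearch'
} else {
    'Investigate these objects before skipping the check:'
    $bad | Format-Table -AutoSize
}
```

If the mismatch list is non-empty, another Azure AD Connect or DirSync server (or a migration script) has been writing the attribute, and skipping the search would let two installations claim the same source anchor; resolve that first.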

Related Articles, References, Credits, or External Links

NA

Unable to Connect to the Synchronisation Service

KB ID 0001649

Problem

I’m doing some work for a client that has Azure AD Sync running, and we keep kicking each other off the server, so I thought I’d log in with another account. However, when I tried to open the Synchronisation Service Manager;

Unable to connect to the Synchronisation Service

Some possible reasons are:
1) The service is not started.
2) Your account is not a member of the required security group.

See the Synchronisation Service documentation for details.

Solution

Well, it was the second option in my case. Open Server Manager > Tools > Computer Management > System Tools > Local Users and Groups > Groups > ADSyncAdmins > Add your user in here. Group membership is only picked up at logon, so log off and back on (or open a new session) before trying the Synchronisation Service Manager again.
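The following is an added example (not code from the original article) that checks both reasons the error lists, the ADSync service state and membership of the local ADSyncAdmins group, and fixes whichever one is wrong. It assumes you are running it as the account that cannot open the Synchronisation Service Manager, in an elevated PowerShell session on the sync server.

```powershell
# Added example (not from the original article): diagnose and fix both causes
# listed in the "Unable to connect to the Synchronisation Service" error.
# Assumes: run elevated, as the account that is being refused, on the sync server.
function Test-ADSyncAccess {
    $result = [ordered]@{ ServiceRunning = $false; IsAdSyncAdmin = $false }

    # Reason 1: the service (service name "ADSync") is not started
    $svc = Get-Service -Name ADSync -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Warning 'ADSync service not found on this server'
    } elseif ($svc.Status -ne 'Running') {
        Write-Warning "ADSync service is $($svc.Status); starting it"
        Start-Service -Name ADSync
        $svc.Refresh()
    }
    $result.ServiceRunning = [bool]($svc -and $svc.Status -eq 'Running')

    # Reason 2: the current account is not in the local ADSyncAdmins group
    $me = "$env:USERDOMAIN\$env:USERNAME"
    $members = Get-LocalGroupMember -Group 'ADSyncAdmins' -ErrorAction Stop |
               Select-Object -ExpandProperty Name
    $result.IsAdSyncAdmin = ($members -contains $me)
    if (-not $result.IsAdSyncAdmin) {
        Write-Warning "$me is not in ADSyncAdmins; adding it"
        Add-LocalGroupMember -Group 'ADSyncAdmins' -Member $me
        # Group membership lives in the logon token: log off and on again
        # (or open a fresh session) before retrying the Service Manager.
        Write-Warning 'Log off and back on for the new group membership to take effect'
    }

    [pscustomobject]$result
}

Test-ADSyncAccess
```

Get-LocalGroupMember returns names in DOMAIN\user form, which is why the current user is built from USERDOMAIN and USERNAME rather than compared against a bare username.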

Related Articles, References, Credits, or External Links

NA

AAD Contains Another Object With The Same DN

KB ID 0001638

Problem

I’ve seen this a few times now: users that will not sync from Active Directory to Azure Active Directory (Office 365). When you look to see why, you will see something like;

The Connector {Your-Domain}.onmicrosoft.com – AAD contains another object with the same DN which is already connected to the MV.

Note: For the uninitiated, DN is Distinguished Name, and MV is MetaVerse.

If you attempt to troubleshoot the sync, you may also see something like this;

Object {Distinguished-Name} is not found in AAD Connector Space.

Solution

First we need to temporarily halt the sync;

[box]

Set-ADSyncScheduler -SyncCycleEnabled $False

[/box]

Then launch Synchronization Service Manager > Connectors > Select your AAD Connector > Delete > Delete connector space only > Yes.

Note: Whoa! It says I’m going to lose data, what are we doing?

We are essentially removing all the cached objects associated with this connector; I think of it as ‘flushing the cache’. The objects are read back in from the source on the next full import. Make sure you pick ‘Delete connector space only’; the other option removes the connector itself. I’ve never seen this operation break anything, and I’ve certainly never ‘lost’ anything.

While it’s still running, do the same with your local AD connector.

Start the sync scheduler again.

[box]

Set-ADSyncScheduler -SyncCycleEnabled $True

[/box]

Perform a Full Import on your AAD connector.

With the above still running, you can repeat a Full Import on your AD connector.

Once the full import has finished (i.e. the connector says ‘Idle’), perform an Export on the AAD connector.

Once the full import has finished (i.e. the connector says ‘Idle’), perform an Export on the local AD connector.

You can then force an AAD sync, and go have a coffee.
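The same rebuild driven from the ADSync PowerShell module, as an added example rather than the article’s own steps. The connector names are assumptions (list yours with Get-ADSyncConnector), and deleting the connector spaces has no public cmdlet, so that step stays in the GUI.

```powershell
# Added example (not from the original article): the rebuild above, scripted.
# Assumes: the ADSync module on the sync server, and these connector names
# (placeholders; check yours with Get-ADSyncConnector).
Import-Module ADSync

$aadConnector = 'contoso.onmicrosoft.com - AAD'   # assumed name of the AAD connector
$adConnector  = 'contoso.local'                   # assumed name of the on-prem AD connector

function Wait-ADSyncIdle {
    # Get-ADSyncConnectorRunStatus returns nothing when no connector is running
    while (Get-ADSyncConnectorRunStatus) { Start-Sleep -Seconds 10 }
}

# 1. Stop the scheduler and wait for any in-flight cycle to finish
Set-ADSyncScheduler -SyncCycleEnabled $false
Wait-ADSyncIdle

# 2. GUI step: Synchronization Service Manager > Connectors > (each connector)
#    > Delete > "Delete connector space only" (not "Delete connector and connector space")
Read-Host 'Delete both connector spaces in the GUI, then press Enter'

# 3. Rebuild: full import on both, full sync on both, export on both.
#    Invoke-ADSyncRunProfile blocks until that run finishes; Wait-ADSyncIdle is a
#    belt-and-braces check that the connector really is idle before the next step.
foreach ($profile in 'Full Import', 'Full Synchronization', 'Export') {
    foreach ($connector in $adConnector, $aadConnector) {
        "Running '$profile' on '$connector'"
        Invoke-ADSyncRunProfile -ConnectorName $connector -RunProfileName $profile
        Wait-ADSyncIdle
    }
}

# 4. Re-enable the scheduler and force a sync cycle
Set-ADSyncScheduler -SyncCycleEnabled $true
Start-ADSyncSyncCycle -PolicyType Delta
```

Two design choices differ from the manual walkthrough. The scheduler is re-enabled last, so a scheduled cycle cannot start while the manual run profiles are in progress. A Full Synchronization run is included between import and export so that the freshly imported objects are re-joined to the metaverse before anything is exported; Start-ADSyncSyncCycle -PolicyType Initial would run the same full import, full sync and export sequence across every connector in one go if you prefer a single command.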

Related Articles, References, Credits, or External Links

Azure AD Connect: Correct Or Remove Duplicate Values