Azure AD Multi Forest Metaverse - New Users Appear Twice

  • Question

  • I have an issue with the following scenario:

Forest 1 - user forest with routable UPN used for authentication in Azure

    Forest 2 - resource forest with Exchange linked mailboxes, accounts linked by master SID attribute

When AAD Connect runs for the first time with the "accounts are in multiple forests" option, AAD Connect synchronises both forests and each user appears once in the Metaverse with attributes from both objects, i.e. the SMTP address from Forest 2 and the UPN from Forest 1.

    Perfect! - for all existing accounts anyway...

However, the environment uses Quest to migrate user objects from one forest to another. So the process is... a new account is created in Forest 2 (the resource forest, as legacy user creation apps live here); Azure AD Connect will add this object into the metaverse before anything else has happened, OK, that's fine for now.

    Quest then replicates the object from Forest 2 to Forest 1 disabling the object in forest 2 and enabling the account in Forest 1.

AAD Connect creates another entry in the metaverse for the object in Forest 1, so we have 2 entries.

    However, we don't want 2 entries; we want 1 entry, as all of the other objects have.

    My question is, how do I get Sync Service Manager to re-evaluate these accounts, which are linked as all of the existing objects are but both persist in the metaverse? I need one entry for this account, not 2...


    Friday, December 22, 2017 10:05 AM

All replies

  • Mitchell-

    I think you have two things in play here:

    1. You need to figure out why the new Forest 1 accounts are not joining to the existing Metaverse entries in AAD Connect. Off the top of my head, I believe AAD Connect may be trying to join on msExchMasterAccountSid by default. If you can't rely on that, you may need a custom sync rule to make the joins work.

    2. You will need to filter out the duplicates to trigger the MV object deletes, and then put them back in scope so that your join logic kicks in. A couple ways you could do this are:

a) create a new OU and filter that OU out in AAD Connect. Move your duplicates to the OU and run AAD Connect, then move them back to their permanent OU and run AAD Connect again.

b) tag the accounts somehow in AD (e.g. set an extension attribute or other unused attribute temporarily to some value). Create a custom sync rule that sets the cloudFiltered MV attribute to 'True' if your tag is set. Run AAD Connect once with the tag set, and then run it again with the tag cleared to bring them back in.



    Friday, December 22, 2017 8:55 PM
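Option (b) from the reply above, scripted as an added example (this is not code from the thread or from Microsoft): tag the duplicate Forest 1 objects, run a delta cycle so the custom rule flows cloudFiltered and the MV objects are deleted, clear the tag, run again so the join logic gets a fresh attempt, then check which MV object each connector-space object now links to. It assumes hypothetical forest and connector names, that extensionAttribute15 is unused, that the custom inbound rule mapping the tag to cloudFiltered was already built in the Synchronization Rules Editor, and that the connector-space object exposes a ConnectedMVObjectId property.

```powershell
# Added example, not from the thread. Hypothetical names throughout:
# forest 1 DNS name and AAD Connect connector name 'forest1.example',
# tag attribute extensionAttribute15, tag value 'CloudFilterPending'.
# Prerequisite (assumed to exist): a custom inbound sync rule on the forest 1
# connector that sets cloudFiltered = True when extensionAttribute15 = 'CloudFilterPending'.
Import-Module ActiveDirectory
Import-Module ADSync

$Forest1    = 'forest1.example'
$Connector  = 'forest1.example'
$TagAttr    = 'extensionAttribute15'
$TagValue   = 'CloudFilterPending'
# Constructed sample DN of a duplicated Forest 1 object; replace with the real list.
$Duplicates = @('CN=Jane Doe,OU=Migrated,DC=forest1,DC=example')

function Invoke-DeltaSyncAndWait {
    # Start a delta cycle and block until the scheduler reports it has finished,
    # so phase 2 never starts while phase 1's deletes are still pending.
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    do { Start-Sleep -Seconds 15 } while ((Get-ADSyncScheduler).SyncCycleInProgress)
}

# Phase 1: tag the duplicates; the custom rule marks them cloudFiltered and
# the sync engine removes their stand-alone metaverse objects.
foreach ($dn in $Duplicates) {
    Set-ADUser -Identity $dn -Server $Forest1 -Replace @{ $TagAttr = $TagValue }
}
Invoke-DeltaSyncAndWait

# Phase 2: clear the tag; the objects come back into scope and are evaluated
# against the join rules again instead of being projected as new MV objects.
foreach ($dn in $Duplicates) {
    Set-ADUser -Identity $dn -Server $Forest1 -Clear $TagAttr
}
Invoke-DeltaSyncAndWait

# Check: each Forest 1 object should now be linked to the MV object that the
# matching Forest 2 object already joined to (ConnectedMVObjectId is the
# assumed property name on the connector-space object).
foreach ($dn in $Duplicates) {
    $cs = Get-ADSyncCSObject -ConnectorName $Connector -DistinguishedName $dn
    [pscustomobject]@{ DistinguishedName = $dn; MVObjectId = $cs.ConnectedMVObjectId }
}
```

If the final check still shows a different MV object per forest, the join rule itself (point 1 in the reply) needs fixing before the filter-out/filter-in cycle will help.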