Recently we had a very frustrating, yet somewhat easy to fix, issue involving Office 365 and Azure Active Directory Connect. Essentially, the synchronization was running but none of the Active Directory objects were syncing. As a matter of fact, all previously synced users stopped syncing and ended up existing in the cloud only.
When looking at the Office 365 admin portal, there were no synchronization errors shown. Rather, it was showing the synchronization as happening every 30 minutes as usual. When looking at the synchronization service itself, there were no errors shown there either.
Yet distribution groups no longer contained users. New users existed only in Active Directory and not in Office 365.
Many hours were spent talking to Microsoft support over this issue. Installing Azure AD Connect on different servers and different domain controllers gave the same behavior. PowerShell commands did nothing. It was only when I was looking at our other clients' AD Connect settings that I discovered that the Source Anchor was wrong.
See, we had been installing Azure AD Connect with express settings. Yet rather than defaulting to ms-ds-consistencyguid for the Source Anchor, express settings set the Source Anchor as domain.onmicrosoft.com – aad. Anyone who knows Azure AD Connect should immediately recognize that this will not work. Even Microsoft says that if the Source Anchor is wrong, there will be no synchronization errors while nothing synchronizes.
So why did the Source Anchor default to something so wrong? Why did it default wrong on different servers? This part remains a mystery.
The fix used to be simple. Even Microsoft’s current documentation explains how to use the Azure AD Connect Wizard to change the Source Anchor. However, that is no longer an option with the newer versions of Azure AD Connect.
In the end, we had to uninstall Azure AD Connect and reinstall it manually (versus the express settings). Once there, we were able to select the correct Source Anchor (ms-ds-consistencyguid) and proceed with the install. Within minutes, all items synchronized properly and as expected.
This did not randomly break. Sync had broken two months prior and Microsoft instructed us to reinstall Azure AD Connect using express settings. They had even looked at the installed settings and said it was correct. We now figure that this was when the Source Anchor defaulted to domain.onmicrosoft.com -aad instead of ms-ds-consistencyguid. After that, it took weeks for anyone to realize anything was wrong (again, because the sync service showed as operating normally and Active Directory changes are few and far between). When we did finally discover this, Microsoft spent many hours troubleshooting on the phone with us and within remote sessions and still didn’t catch that the Source Anchor was wrong.
So, there you have it: if your synchronization is ‘working’ but nothing is syncing, make sure your Source Anchor did not default to something other than ms-ds-consistencyguid.
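Because the sync service reports success in this situation, the only reliable check is to read the Source Anchor the installer actually wrote and spot-check a user end to end. The script below is an added example, not code from the original post or from Microsoft: it runs on the Azure AD Connect server and assumes the ADSync module (installed with Azure AD Connect), the ActiveDirectory RSAT module and the MSOnline module are available; the global-settings parameter names beginning with `Microsoft.Synchronize.SourceAnchor` are assumed from the ADSync module, and the UPN is a placeholder you replace with one of your own users.

```powershell
# Added example (not from the original post): confirm the Azure AD Connect Source Anchor
# and verify that one user's on-premises anchor matches the cloud ImmutableId.
# Assumptions: ADSync, ActiveDirectory and MSOnline modules are present; the
# Microsoft.Synchronize.SourceAnchor* parameter names are assumed from the ADSync module.

Import-Module ADSync
Import-Module ActiveDirectory
Import-Module MSOnline

# 1. Read the Source Anchor settings that the installer wrote into the sync engine.
$anchorSettings = (Get-ADSyncGlobalSettings).Parameters |
    Where-Object { $_.Name -like 'Microsoft.Synchronize.SourceAnchor*' } |
    Select-Object Name, Value
$anchorSettings | Format-Table -AutoSize

$anchor = ($anchorSettings | Where-Object Name -eq 'Microsoft.Synchronize.SourceAnchor').Value
# -ne is case-insensitive in PowerShell, so 'ms-ds-consistencyguid' also passes.
if ($anchor -ne 'mS-DS-ConsistencyGuid') {
    Write-Warning "Source Anchor is '$anchor' instead of mS-DS-ConsistencyGuid. Sync will report success while nothing synchronizes; reinstall with custom settings and pick the correct anchor."
}

# 2. Spot-check one user: the cloud ImmutableId must be the Base64 encoding of the
#    on-premises mS-DS-ConsistencyGuid bytes when that attribute is the anchor.
$upn = 'user@example.com'   # placeholder: replace with a user that should be synced

$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Properties 'mS-DS-ConsistencyGuid'
if (-not $adUser) {
    Write-Warning "$upn was not found in on-premises Active Directory."
    return
}

$guidBytes = $adUser.'mS-DS-ConsistencyGuid'
if (-not $guidBytes) {
    # Azure AD Connect writes this attribute when it first joins the object using the
    # consistencyGuid anchor; an empty value means this user has never been anchored.
    Write-Warning "$upn has no mS-DS-ConsistencyGuid on-premises; it has never been matched under the consistencyGuid anchor."
    return
}
$expectedImmutableId = [Convert]::ToBase64String([byte[]]$guidBytes)

Connect-MsolService   # interactive sign-in to the tenant
$cloudUser = Get-MsolUser -UserPrincipalName $upn

if (-not $cloudUser) {
    Write-Warning "$upn exists on-premises but not in Office 365: new users are not being created by sync."
}
elseif (-not $cloudUser.ImmutableId) {
    # A synced user that has lost its ImmutableId is now a cloud-only object,
    # which is exactly the symptom described in the post.
    Write-Warning "$upn exists in the cloud only (no ImmutableId); it is no longer linked to the on-premises object."
}
elseif ($cloudUser.ImmutableId -eq $expectedImmutableId) {
    Write-Output "OK: cloud ImmutableId for $upn matches the on-premises mS-DS-ConsistencyGuid."
}
else {
    Write-Warning "ImmutableId mismatch for $upn (cloud: $($cloudUser.ImmutableId), expected: $expectedImmutableId)."
}
```

Run the first half on every Azure AD Connect server you manage and compare the output across tenants; a value other than mS-DS-ConsistencyGuid on one server is the quickest way to catch the silent failure described above before distribution groups start emptying out. The second half is worth keeping as a recurring check, since a user that flips to cloud-only produces no synchronization error.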