I'm facing some frustrating challenges with syncing Active Directory between two companies due to an acquisition. We've set up a domain trust and a VPN tunnel, which seems fine, but I'm struggling to sync the on-premises Active Directory from the acquired company to the existing Microsoft 365 environment of the parent company. We initially managed to sync user objects, but password hash sync wasn't functioning as expected, and there were no logs indicating errors. After some issues arose in production, we decided to pull back and set up a lab environment that mirrors the original configuration. However, I ran into a `ms-ds-consistencyguid already in use` error again, and I really need tips on how to handle this to ensure password hash sync works correctly. Any suggestions or insights would be greatly appreciated!
3 Answers
You might want to consider changing your immutable ID using the `Set-MsolUser` cmdlet. It's a common fix for syncing issues like this, but it might require some extra steps to ensure it’s configured correctly.
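To make the `Set-MsolUser` suggestion concrete, here is an added example (not part of the thread) that derives the ImmutableId each on-premises user should carry and compares it with the value stored in the tenant. It assumes the sync uses `ms-DS-ConsistencyGuid` as the source anchor with `objectGUID` as the fallback. All users, GUIDs and function names are constructed; in a real run the rows would come from `Get-ADUser` and `Get-MsolUser`.

```powershell
# Added example: users, GUIDs and function names are constructed for illustration.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][byte[]]$AnchorBytes)
    # ImmutableId is the Base64 encoding of the 16 source-anchor bytes.
    [Convert]::ToBase64String($AnchorBytes)
}

function Get-ExpectedImmutableId {
    param([Parameter(Mandatory)]$AdUser)
    # Assumption: ms-DS-ConsistencyGuid is the anchor when populated, else objectGUID.
    $cg = $AdUser.ConsistencyGuid
    if ($null -ne $cg -and $cg.Length -eq 16) { return ConvertTo-ImmutableId -AnchorBytes $cg }
    ConvertTo-ImmutableId -AnchorBytes ($AdUser.ObjectGuid.ToByteArray())
}

function Compare-SourceAnchor {
    param([object[]]$AdUsers, [object[]]$CloudUsers)
    $cloudByUpn = @{}   # PowerShell hashtable keys are case-insensitive, like UPNs
    foreach ($c in $CloudUsers) { $cloudByUpn[$c.Upn] = $c }
    foreach ($u in $AdUsers) {
        $expected = Get-ExpectedImmutableId -AdUser $u
        $cloud = $cloudByUpn[$u.Upn]
        $status = if ($null -eq $cloud) { 'NoCloudUser' }
                  elseif ([string]::IsNullOrEmpty($cloud.ImmutableId)) { 'NotAnchored' }
                  elseif ($cloud.ImmutableId -ceq $expected) { 'Match' }  # Base64 is case-sensitive
                  else { 'Mismatch' }
        [pscustomobject]@{ Upn = $u.Upn; Expected = $expected; Status = $status }
    }
}

# Constructed sample data standing in for the AD export and the tenant export.
$alice = [guid]'3f2504e0-4f89-41d3-9a0c-0305e82c3301'
$bob   = [guid]'9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d'
$bobCg = [guid]'1b9d6bcd-bbfd-4b2d-9b5d-ab8dfbbd4bed'
$adUsers = @(
    [pscustomobject]@{ Upn = 'alice@acquired.example'; ObjectGuid = $alice; ConsistencyGuid = $null }
    [pscustomobject]@{ Upn = 'bob@acquired.example'; ObjectGuid = $bob; ConsistencyGuid = $bobCg.ToByteArray() }
    [pscustomobject]@{ Upn = 'carol@acquired.example'; ObjectGuid = [guid]::NewGuid(); ConsistencyGuid = $null }
)
$cloudUsers = @(
    [pscustomobject]@{ Upn = 'alice@acquired.example'; ImmutableId = [Convert]::ToBase64String($alice.ToByteArray()) }
    [pscustomobject]@{ Upn = 'bob@acquired.example'; ImmutableId = [Convert]::ToBase64String($bob.ToByteArray()) }
    [pscustomobject]@{ Upn = 'carol@acquired.example'; ImmutableId = $null }
)
Compare-SourceAnchor -AdUsers $adUsers -CloudUsers $cloudUsers | Format-Table -AutoSize
# For a 'Mismatch' or 'NotAnchored' row, the change suggested in the answer would be:
#   Set-MsolUser -UserPrincipalName <Upn> -ImmutableId <Expected>
```

In this sample, bob is reported as a mismatch because the tenant holds the Base64 of his `objectGUID` while the directory already carries a different `ms-DS-ConsistencyGuid`.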
For your situation to get the AD objects into the parent's Entra ID, it might be better to sync each forest's AD separately to AzureAD rather than trying to mesh them. When I handled a merger, we had to clean up duplicate UPNs among other things. Microsoft has a guide that might be helpful for multiple forests syncing with a single Microsoft tenant; just check it out [here](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/plan-connect-topologies#multiple-forests-single-microsoft-entra-tenant).
It sounds like you're working with two separate forests, which might complicate things. I've seen third-party migration tools that could help keep passwords in sync across different forest domains. The goal should be to merge the domains into the parent domain. Running two domains in production like this isn’t ideal long-term. Check out tools like SecureAuth or IdentityNow; they might have features for just this kind of challenge!
That's a wise approach. Could you recommend any specific tools you've had success with? I'm feeling uncertain about the reliability of solutions in scenarios like this.

I remember encountering that method before! Can you help clarify what exactly should be done? We tried something similar but it didn’t resolve the issue.