For those admins who have been around the Microsoft Cloud Services, such as BPOS and Office 365 2010, you may remember the issue where DirSync takes a user object, takes its objectGUID, double-base-64 encodes it and sends it to the cloud as a sourceAnchor. This sourceAnchor is used to flag the user as being synchronized by DirSync and managed by an on-premises Active Directory.
For those admins who are moving or have moved from one Active Directory forest to another, the objectGUID changes while the online user keeps the old objectGUID/sourceAnchor. So, what do you do to reconnect the cloud user with the new AD user? You leverage Set-MsolUser and set their -ImmutableID, which allows DirSync to hard-match (AD objectGUID == sourceAnchor) and take over management of this cloud object. If the sourceAnchor does not exist in the cloud, then DirSync does a soft-match based on SMTP address(es), and if there is a match, DirSync takes over management. But in this particular scenario the sourceAnchor overrides a soft-match approach, which is why the -ImmutableID option must be used.
Steps to Set -ImmutableID
Allowing DirSync, AAD Sync, AAD Connect to Take Over Management
- Move user to new forest
- Take their objectGUID, found in Active Directory Users and Computers -> Advanced View -> Attribute Editor tab of the user object's Properties, OR use ADSIEdit, and use this site to convert the "objectGUID" to a "sourceAnchor", which will then be set as the -ImmutableID.
- Use the Get/Set-MsolUser -ImmutableID command to set the converted GUID from the step above. Reference to command variables: https://msdn.microsoft.com/en-us/library/azure/dn194136.aspx
- Set-MsolUser -UserPrincipalName firstname.lastname@example.org -ImmutableID "xxxxxxxxx"
- Launch DirSync/Sync/Connect and allow it to hard-match on the user in the cloud; this Office 365 user is now under DirSync/Sync/Connect control.
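The conversion step above can also be done locally and checked before anything is written to the tenant. The following is an added example, not code from the original article or from Microsoft; it assumes the ImmutableID is the Base64 encoding of the 16 raw objectGUID bytes in the order .NET's Guid.ToByteArray() returns them, and the function names and sample GUID are hypothetical.

```powershell
# Added example: convert an AD objectGUID to a Base64 ImmutableID and back.
# Function names are hypothetical; the GUID used below is constructed sample data.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory = $true)][string]$ObjectGuid)
    $clean = $ObjectGuid.Trim()
    if ($clean -match '^\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$') {
        # Display form (with dashes): the first three fields are stored
        # little-endian, so let .NET produce the storage byte order.
        $bytes = ([guid]$clean).ToByteArray()
    }
    else {
        # Octet-string form ("33 22 11 ..." or "\33\22\11..."): the bytes are
        # already in storage order and must NOT be parsed as a GUID string.
        $hex = $clean -replace '[^0-9a-fA-F]', ''
        if ($hex.Length -ne 32) { throw "Expected 16 hex bytes, got '$ObjectGuid'" }
        $bytes = New-Object byte[] 16
        for ($i = 0; $i -lt 16; $i++) {
            $bytes[$i] = [Convert]::ToByte($hex.Substring($i * 2, 2), 16)
        }
    }
    [Convert]::ToBase64String($bytes)
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory = $true)][string]$ImmutableId)
    $bytes = [Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) { throw 'ImmutableID does not decode to a 16-byte GUID' }
    # The leading comma passes the byte array as one constructor argument.
    New-Object -TypeName System.Guid -ArgumentList (, $bytes)
}

# Constructed sample: the same GUID in display form and as raw octets.
$display = '00112233-4455-6677-8899-aabbccddeeff'
$octets  = '33 22 11 00 55 44 77 66 88 99 AA BB CC DD EE FF'

$fromDisplay = ConvertTo-ImmutableId $display
$fromOctets  = ConvertTo-ImmutableId $octets

# Both input forms must agree, and the value must decode back to the same GUID,
# before it is handed to Set-MsolUser -ImmutableID.
if ($fromDisplay -ne $fromOctets) { throw 'Byte-order mismatch between input forms' }
if ((ConvertFrom-ImmutableId $fromDisplay).ToString() -ne $display) { throw 'Round trip failed' }
$fromDisplay
```

A 32-digit hex string without dashes is treated as raw octets, not as a GUID in "N" format. ConvertFrom-ImmutableId can also be run against the value Get-MsolUser reports, to confirm which on-premises objectGUID a cloud user is currently anchored to before the hard-match.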
For those administrators who have multiple workloads/services that require migration into the cloud or Office 365, this article is for you. Special thanks to those who have helped in pulling this list together, to hopefully help those who have the challenge of migrating and moving into the Office 365 environment.
Microsoft Migration Guide for Exchange and Lync workloads here:
Third Party Migration Tools & Services:
Great write up on the new Lotus Notes (MONTI – Microsoft Online Notes Inspector) Tool, providing mailbox migrations from Lotus Notes into Office 365