Deep Dive : Entra-Connect Objects not appearing in Entra

If you have Entra Connect (the new name for Azure AD Connect) and you notice that objects which should be synced under your OU filtering are not appearing in Entra, the question is: why?

I started going down many rabbit holes. In the end none of them needed exploring, but it is very easy to get "tunnelled" into the wrong place, and I fell into this trap:

  1. Enabling TLS 1.2 on Server 2012 R2
  2. Checking Cipher compatibility
  3. Installing Workplace Join on Server 2012 R2 (which is not required at all when the server is domain joined and you have ADFS, which in this case we do)
  4. Checking network access was all OK
  5. Checking Firewall was not blocking traffic
  6. Adding sites to the "trusted" or "intranet" zone in IE/Edge
What I noticed was that other Server 2012 R2 devices were in the Entra view, but not all of them. This could therefore not be a "down-level" device issue; it had to be something else, and I did not want to change a configuration that is obviously working well just for a couple of servers:

Note : This view is filtered for the OS being "6.3" which is Server 2012 R2


This means the issue must be something to do with Entra Connect, so let's open it and run a Metaverse search against the database to see if the object is in the Metaverse. To open the GUI tool you need to run this executable:

"C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe"

WARNING : Do not run the Azure AD Connect or Entra AD Connect icon on the desktop; when you run that wizard, synchronisation is halted for as long as the utility is open!

When that executable opens, click on Metaverse Search, change the scope to "device", then choose "DisplayName", the operator "equals", and type in the name of the missing server. You should see an entry in the "search results"; double-click that entry as below:


When you open the details, click on the Connectors tab and you will notice the problem: there is only one entry in this view, whereas there should be two, one for the AD connector and one for the Entra connector.



We have the import from AD into the Metaverse, but we do not have the export from the Metaverse to Entra, which is why there is no computer object in Entra either. This is the cause of the issue.

The Metaverse is the database that controls the syncs between AD and Entra, and it works like this:
  1. Import AD into the Metaverse
  2. Import Entra into the Metaverse
  3. The Metaverse compares the data from AD and Entra
  4. Export AD data to Entra
  5. Export Entra data to AD (if you have writeback enabled)
This means the Metaverse is a comparison database for "changes" between AD and Entra. By default a Delta synchronisation runs every 30 minutes, which you can see here:


This is the command that is run every 30 minutes:

Start-ADSyncSyncCycle -PolicyType Delta

However, it is recommended to run a full import after you update OU filtering, i.e. whenever you add new OUs to the list that syncs to Entra. Ideally you would sync all of your AD, but we have corporate requirements that mean we cannot sync everything.

What we therefore need is a "full" synchronisation, also known as the "initial" synchronisation, which is this command from PowerShell:

Start-ADSyncSyncCycle -PolicyType Initial

This will then start a "full" synchronisation as you can see below. It takes considerably longer than the "delta" sync but is more thorough; in fact, here the synchronisation is still in progress:


If you wish to check the status of the sync cycle you can use the command:

Get-ADSyncScheduler

We are interested in "SyncCycleInProgress": this needs to be False once the sync cycle has completed. Here you can see it is True (which means it is still running):

AllowedSyncCycleInterval            : 00:30:00
CurrentlyEffectiveSyncCycleInterval : 00:30:00
CustomizedSyncCycleInterval         : 00:15:00
NextSyncCyclePolicyType             : Delta
NextSyncCycleStartTimeInUTC         : 19/08/2024 08:44:17
PurgeRunHistoryInterval             : 7.00:00:00
SyncCycleEnabled                    : True
MaintenanceEnabled                  : True
StagingModeEnabled                  : False
SchedulerSuspended                  : False
SyncCycleInProgress                 : True

You need to wait for this process to complete, and how long that takes depends on many factors including the size of your AD. When it completes it will look like this:
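As an added example (not from the original post), the full-sync procedure above can be scripted so you are not polling by hand: it refuses to start if a cycle is already running, kicks off the Initial cycle, then polls Get-ADSyncScheduler until SyncCycleInProgress is False. It assumes the ADSync module on the Entra Connect server; the 30 second poll interval and 2 hour timeout are assumed values, size them for your directory.

```powershell
# Added example, not part of the original post. Assumes the ADSync module is installed
# (it is, on the Entra Connect server) and that you run this in an elevated session.
Import-Module ADSync

$scheduler = Get-ADSyncScheduler
if ($scheduler.SyncCycleInProgress) {
    throw "A sync cycle is already running; wait for it to finish before starting a full sync."
}

# Same command as in the post: a full ("Initial") synchronisation.
Start-ADSyncSyncCycle -PolicyType Initial

# Poll interval and timeout are assumed values; a large AD may need longer than 2 hours.
$deadline = (Get-Date).AddHours(2)
do {
    Start-Sleep -Seconds 30
    $scheduler = Get-ADSyncScheduler
    Write-Host ("{0:HH:mm:ss} SyncCycleInProgress = {1}" -f (Get-Date), $scheduler.SyncCycleInProgress)
} while ($scheduler.SyncCycleInProgress -and (Get-Date) -lt $deadline)

if ($scheduler.SyncCycleInProgress) {
    Write-Warning "Sync cycle still running after the timeout; check Synchronization Service Manager for the running step."
} else {
    Write-Host ("Full sync complete. Next cycle: {0} at {1} UTC" -f `
        $scheduler.NextSyncCyclePolicyType, $scheduler.NextSyncCycleStartTimeInUTC)
}
```

Once the script reports completion you can go back to Metaverse Search and check the connectors as described next.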



Now if we head back to Metaverse search and search for the same as before and then view the connectors we should now notice that the device has two entries, one from AD and one from Entra as below:


This will now mean the device will appear in Entra where before it was missing, however, this may not fix your issue, depending on the cause of the problem.

What else could be going on?

Well, I'm glad you asked. When you open the connector you will see there is an attribute called CloudFiltered, and you will also observe that for this particular server it is set to "true":


When this value is set to "true" the object will successfully import into the Metaverse but will not be written to Entra. This is why you only have one connector, the one from Active Directory into the Metaverse.

Is your Join type blank?

If you look at a server that does appear in Entra, you will notice that when this synchronisation has not occurred correctly the Join type will be blank:



This should say Entra Hybrid Join; the fact that it is blank is a tell-tale sign that this problem is occurring. But don't worry, it can be fixed, and that comes later in this post.

Some servers do appear, but many do not?

Yes, I have also noticed that some Server 2012 R2 servers have appeared in Entra, and the key here is that the newly created ones have not. I can only imagine that previous versions of AD Connect did not include the additional clause in the rule that is present now.

It must have worked previously because, as you can see above, I have taken a screenshot of it; however, that particular server has been synchronising for over 10 months, whereas the servers I am having problems with have only been in place for the last couple of months.

Why is this happening to these servers?

This will only affect a certain type of server, but it was absolutely the problem I was experiencing, and it seemed to affect any version of Windows whose operating system version starts with "6.", up to and including Server 2012 R2.

If you look at the attributes of the device object, you will notice that where CloudFiltered is set to "true" you are also given the name of the connector rule that made the decision to set that attribute.

I noticed that the name of the rule is : In from AD - Computer Join

We now need to investigate what is going on in that rule. First, open the Synchronization Rules Editor, which will be present on your Entra Connect server, and then find this rule.


This rule is an Active Directory based rule, so it will be in the inbound rules: change the direction to Inbound, scroll to the bottom of all the rules and you should notice this one:


If you click on this rule, then click Edit, click on the Transformations option on the left and scroll down to the bottom, you will notice this code in the rule:


The code in the Source box will say this:

IIF(
  IsNullOrEmpty([userCertificate])
  || (
    (InStr(UCase([operatingSystem]),"WINDOWS") > 0)
    && (Left([operatingSystemVersion],2) = "6.")
  ),
  True,
  NULL)

This rule essentially tells the synchronisation service to set a value if either of two conditions is true (note the || operator). These conditions are:
  1. The userCertificate attribute is not present. For a server that is not bound to a primary user and has no user certificate, this will always be true.
  2. The operating system is Windows and its version starts with "6." (the rule checks Left([operatingSystemVersion],2)), which includes Server 2012 R2.
For this particular example both conditions are met, so the value becomes "true", which means the object will NOT be exported into Entra.
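To see exactly which devices the transform above catches, here is an added example (my own PowerShell model of the expression, not the sync engine's code) that mirrors the IIF logic and runs it over a few constructed sample devices. It models only the expression shown in the post, not any scoping filters the rule may also carry; the sample names, versions and certificate bytes are made up.

```powershell
# Added example: a PowerShell model of the CloudFiltered transform, not the sync engine itself.
function Test-CloudFilteredRule {
    param(
        [string]$OperatingSystem,
        [string]$OperatingSystemVersion,
        $UserCertificate   # byte[] as stored in AD, or $null when the attribute is absent
    )
    # Mirrors IsNullOrEmpty([userCertificate])
    $noCertificate = ($null -eq $UserCertificate) -or ($UserCertificate.Count -eq 0)
    # Mirrors (InStr(UCase([operatingSystem]),"WINDOWS") > 0)
    $isWindows = $OperatingSystem.ToUpperInvariant().Contains("WINDOWS")
    # Mirrors (Left([operatingSystemVersion],2) = "6.")
    $isSixDot = $OperatingSystemVersion.StartsWith("6.")
    # IIF(cond, True, NULL): True means "filtered", NULL means the attribute is left unset
    if ($noCertificate -or ($isWindows -and $isSixDot)) { return $true }
    return $null
}

# Constructed sample devices (not real objects). The certificate bytes are placeholders.
$samples = @(
    @{ Name = "SRV2012R2-NEW"; OS = "Windows Server 2012 R2 Standard"; Ver = "6.3 (9600)";   Cert = [byte[]](0x30, 0x82) }
    @{ Name = "SRV2012R2-NOCERT"; OS = "Windows Server 2012 R2 Standard"; Ver = "6.3 (9600)"; Cert = $null }
    @{ Name = "SRV2019";       OS = "Windows Server 2019 Standard";    Ver = "10.0 (17763)"; Cert = [byte[]](0x30, 0x82) }
    @{ Name = "SRV2019-NOCERT"; OS = "Windows Server 2019 Standard";   Ver = "10.0 (17763)"; Cert = $null }
)

foreach ($d in $samples) {
    $result = Test-CloudFilteredRule -OperatingSystem $d.OS -OperatingSystemVersion $d.Ver -UserCertificate $d.Cert
    $shown  = if ($null -eq $result) { "NULL (exported)" } else { "True (filtered)" }
    "{0,-18} CloudFiltered = {1}" -f $d.Name, $shown
}
```

Running it shows the two cases that matter here: every "6." Windows device is filtered even when it has registered and has a userCertificate, and any device with no userCertificate is filtered regardless of OS. Only a device with a newer OS and a populated userCertificate gets NULL and is exported.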

This rule is the reason why your servers no longer appear in Entra, unfortunately, this is a default rule so you won’t be able to edit the values.

Disparity between supported and synchronising?

Yes, absolutely. Microsoft saying they do not support Server 2012 R2 is one thing; it means you will not get any support for the operating system. In this example I am not concerned about that: I need the object to be created in Entra so I can assign a Defender policy to it.

I do not want support for the server, because based on my own recommendations and advice it will not be supported. Ironically, Microsoft do say that if you move the server to Azure with Azure Migrate you will get extended support because it is in Azure.

My problem here is that this server is already in Azure, so I do not need to migrate it; I just need it to appear in Entra so I can assign a policy to it.

🚀 Operation Rules editor addition

Note : If you follow the rest of this tutorial you will be creating a new rule that overrides the official rule. It will have a lower precedence number, so it is applied first and the default rule's value will not apply.

Note : You also have the option of disabling the default rule. If you are worried about support, Microsoft do support custom rules; just remember that if the problem you are having is caused by your custom rule they may ask you to disable it. This does not mean your custom rule is unsupported in any way.

We now need to create a new rule, which has to be done manually. While Microsoft have included an Export button for the predefined rules, there is no option to import, which means the Export button is only useful for backup and safekeeping.

Manual mode it is. Don't worry, it is not complicated; the only heavy lifting is re-creating all the transformations, and the window in the rules editor does not actually let you expand it. Thanks, Microsoft.

This is what the transformations look like; this is what you will be copying into the new rule:


If you wish to copy and paste, select the rule and, with it selected, choose the Export button as below:


That will then show you all the rule data in a Notepad-style window like this, which means you can copy and paste the values you cannot read from the images above:

Once you have familiarised yourself with all the options, click on Add new rule in the upper right as shown below:



Then fill in the rule fields, ensuring you choose the correct options. The precedence should be 50, which places it above the other rules so it is applied before the default rule:


Then click on Transformations and add all the transformations from the earlier screenshots; notice they will be blank in a new rule, as below:

Once completed, ensure that the last entry, CloudFiltered, is set to the following, which is the same expression as before except that "True" is replaced with "false":

IIF(
  IsNullOrEmpty([userCertificate])
  || (
    (InStr(UCase([operatingSystem]),"WINDOWS") > 0)
    && (Left([operatingSystemVersion],2) = "6.")
  ),
  false,
  NULL)

Then save the rule and that is the new rule done for now.

Why precedence of 50?

Good question. If you look at the rules already there, you will notice they start at 100 and go up from there; as you can see below, 100 is the lowest:
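You can verify the precedence ordering from PowerShell instead of scrolling the editor. This is an added example (not from the original post) that lists the inbound rules by precedence and checks that your custom rule sits below the default "In from AD - Computer Join" rule and is enabled. It assumes the ADSync module and the Get-ADSyncRule output properties Name, Direction, Precedence and Disabled; the custom rule name is whatever you typed when creating it, so the value below is a placeholder.

```powershell
# Added example, not part of the original post. Assumes the ADSync module and that
# Get-ADSyncRule objects expose Name, Direction, Precedence and Disabled.
Import-Module ADSync

$defaultRuleName = 'In from AD - Computer Join'          # name from the post
$customRuleName  = 'In from AD - Computer Join (custom)' # placeholder: use the name you gave your rule

$inbound = Get-ADSyncRule |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Sort-Object Precedence

# Lowest precedence number wins, so the first rows are the ones applied first.
$inbound | Select-Object Precedence, Name, Disabled | Format-Table -AutoSize

$default = $inbound | Where-Object { $_.Name -eq $defaultRuleName }
$custom  = $inbound | Where-Object { $_.Name -eq $customRuleName }

if (-not $default) {
    Write-Warning "Default rule '$defaultRuleName' not found; check the rule name in the editor."
} elseif (-not $custom) {
    Write-Warning "Custom rule '$customRuleName' not found; CloudFiltered will still be set to True by the default rule."
} elseif ($custom.Disabled) {
    Write-Warning "Custom rule '$customRuleName' exists but is disabled."
} elseif ($custom.Precedence -ge $default.Precedence) {
    Write-Warning ("Custom rule precedence {0} is not lower than the default rule's {1}; it will not take priority." -f `
        $custom.Precedence, $default.Precedence)
} else {
    Write-Host ("OK: '{0}' (precedence {1}) is applied before '{2}' (precedence {3})." -f `
        $custom.Name, $custom.Precedence, $default.Name, $default.Precedence)
}
```

If the check passes, a full sync afterwards should set CloudFiltered from your rule rather than the default one.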


I cannot disable the default rule?

The rule that sets the CloudFiltered value to true is a rule you cannot edit or disable. If you could edit it, I would simply have recommended changing the code to return "false".

Unfortunately, all default rules are read-only, so they cannot be changed, which is why we have to create a new rule and give it a lower precedence number than the default rule.

However, do not worry: once the sync engine finds your custom rule it will apply that value and will not re-apply the value from the rule with the higher precedence number.