If you have Entra Connect (the new name for AD Connect) and you notice that objects which should be synced, with OU filtering enabled, are not appearing in Entra, the question is why.
I started going down many rabbit holes, and in the end none of them needed exploring, but it is very easy to be tunnelled into the wrong location. I fell into this trap:
- Enabling TLS 1.2 on Server 2012 R2
- Checking Cipher compatibility
- Installing Workplace Join on Server 2012 R2 (which is not required at all when in a domain if you have ADFS, which in this case we do)
- Checking Network access was all OK
- Checking Firewall was not blocking traffic
- Adding sites to the "trusted" or "intranet" zone in IE/Edge
Note: This view is filtered for the OS being "6.3", which is Server 2012 R2.
This means the issue must be something to do with Entra Connect, so let's open that and do a Metaverse search on the database to see if the object is in the Metaverse. To open the GUI tool you need to run this executable:
"C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe"
When that executable opens, click on Metaverse Search, change the scope to "device", then choose "DisplayName" and the operator "equals", and type in the name of the missing server. You should see an entry in the "Search Results"; double-click that entry as below:
When you open the details, click on the Connectors tab and you will notice the problem: there is only one entry in this view, where there should be two, one for the AD account and one for the Entra account.
We have the import from AD to the Metaverse but we do not have the export from the Metaverse to Entra, which is why we have no computer object either. This is the cause of the issue.
- Import AD into Metaverse
- Import Entra into Metaverse
- Metaverse compares data from AD and Entra
- Export AD to Entra
- Export Entra data to AD (if you have write back enabled)
Start-ADSyncSyncCycle -PolicyType Delta
If you wish to check the status of the sync cycle you can use the command:
When this value is set to "true" it will successfully import into the Metaverse but it will not write the object to Entra, which means you will only have one connector, the one from Active Directory into the Metaverse.
This rule is an Active Directory based rule, so it will be in the inbound rules. Change the direction filter to Inbound and scroll to the bottom of all the rules, and you should notice this one:
If you click on this rule, click Edit, click the Transformations option on the right and scroll down to the bottom, you will notice this code in that rule:
The code in the Source box will say this:
- If userCertificate is not present, which, obviously for a server that is not bound to a primary user and has no user certificate, will always be true
- If the operating system version starts with "6.2", which will include Server 2012 R2
That will then show you all the data in a Notepad style window like this, which means you can copy and paste the data where you cannot read all of it from the images above:
Then you need to click on "Transformations" and add all the transformations from the screenshots earlier; notice they will be blank in a new rule, as below:
Once completed, ensure that the last entry, which is CloudFiltered, is now set to this, which is the same as before excluding the "false", as below:
Then save the rule and that is the new rule done for now.
Good question: if you look at the rules already there, you will notice they start at 100 and go up from there, as you can see from below, where 100 is the lowest:
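As an added example (not from the original post), the rule check and sync cycle described above can be done from PowerShell with the ADSync module that ships with Entra Connect. The rule name in $customRuleName is a hypothetical placeholder for whatever you called the cloned rule, and the AttributeFlowMappings property names are assumed from the Add-ADSyncAttributeFlowMapping parameters.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell
# session on the Entra Connect server; the ADSync module is installed with it.
Import-Module ADSync

# Hypothetical placeholder: replace with the name you gave the cloned rule.
$customRuleName = 'In from AD - Computer Join (Server 2012 R2 custom)'

# Every inbound rule that flows cloudFiltered, ordered by precedence.
# Lower precedence wins, and the built-in rules start at 100.
$cloudFilteredRules = Get-ADSyncRule |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Where-Object {
        $_.AttributeFlowMappings | Where-Object { $_.Destination -eq 'cloudFiltered' }
    } |
    Sort-Object Precedence

foreach ($rule in $cloudFilteredRules) {
    $flow = $rule.AttributeFlowMappings | Where-Object { $_.Destination -eq 'cloudFiltered' }
    [pscustomobject]@{
        Precedence = $rule.Precedence
        Name       = $rule.Name
        Disabled   = $rule.Disabled
        Expression = $flow.Expression   # the IIF(...) shown in the Transformations page
    }
}

# The cloned rule only takes effect if it exists and sits below the default rules.
$custom = Get-ADSyncRule | Where-Object { $_.Name -eq $customRuleName }
if (-not $custom) {
    Write-Warning "Rule '$customRuleName' was not found"
} elseif ($custom.Precedence -ge 100) {
    Write-Warning "Precedence $($custom.Precedence) does not outrank the default rules (100+)"
}

# Run a delta sync and show whether a cycle is still in progress.
Start-ADSyncSyncCycle -PolicyType Delta
Get-ADSyncScheduler | Select-Object SyncCycleInProgress, NextSyncCycleStartTimeInUTC
```

After the cycle finishes, repeat the Metaverse search from the post; the device should now show two connectors, one for AD and one for Entra.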