Resolve “The forest cannot be added because the attribute used to uniquely identify your users and groups in Azure AD (mS-DS-ConsistencyGuid) is already in use”

Sometimes I need to sync an additional forest with Azure AD Connect, for example when two companies are merging. If you attempt to add a forest that is already being synced by a different Azure AD Connect installation, you’ll get this message:

“The forest (forest name) cannot be added because the attribute used to uniquely identify your users and groups in Azure AD (mS-DS-ConsistencyGuid) is already in use.”

To resolve this, just start Azure AD Connect with the /SkipLDAPSearch parameter.

The root issue is that mS-DS-ConsistencyGuid is blank for an AD user initially. The first Azure AD Connect populated it by copying the user’s ObjectGuid into it. When you then try to add the forest to the other Azure AD Connect, it sees that the attribute is already populated and stops, because it assumes another application is managing it (which is correct – the other Azure AD Connect is still managing it for the time being). Running the wizard with /SkipLDAPSearch skips this check, which is fine in this case.
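Before skipping the check, it is worth confirming that the populated values really are ObjectGuid copies written by the other Azure AD Connect and not something a migration tool or script set earlier, since /SkipLDAPSearch makes you responsible for that assumption. The following PowerShell is an added example, not part of the original post or of Azure AD Connect itself; it assumes the ActiveDirectory RSAT module is installed, and the server and search base values are placeholders you replace with your own.

```powershell
# Added example (not from the original post): audit mS-DS-ConsistencyGuid across a forest
# before adding that forest to a second Azure AD Connect.
# Requires the ActiveDirectory RSAT module. Server and SearchBase below are placeholders.
Import-Module ActiveDirectory

function Get-ConsistencyGuidReport {
    param(
        [string]$Server     = 'dc01.contoso.example',    # placeholder domain controller
        [string]$SearchBase = 'DC=contoso,DC=example'    # placeholder search base
    )
    Get-ADUser -Server $Server -SearchBase $SearchBase -Filter * `
        -Properties 'mS-DS-ConsistencyGuid', ObjectGUID |
    ForEach-Object {
        $raw = $_.'mS-DS-ConsistencyGuid'                # stored as a byte array
        $state = if (-not $raw) {
            'Empty'                     # nothing has written the attribute yet
        } elseif ([guid]::new([byte[]]$raw) -eq $_.ObjectGUID) {
            'MatchesObjectGuid'         # populated by Azure AD Connect copying ObjectGUID
        } else {
            'Foreign'                   # set to a different value by another tool or migration
        }
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            ObjectGuid     = $_.ObjectGUID
            State          = $state
        }
    }
}

# Summary: how many users fall into each state. Investigate any 'Foreign' entries
# before running the wizard with /SkipLDAPSearch.
Get-ConsistencyGuidReport | Group-Object State | Select-Object Name, Count

# Detail for the users that need a closer look:
Get-ConsistencyGuidReport | Where-Object State -eq 'Foreign' | Format-Table -AutoSize
```

A forest where every populated value reports MatchesObjectGuid is the situation the post describes, and skipping the LDAP search is safe there. Entries reporting Foreign deserve a look first, because the second Azure AD Connect will treat whatever is in the attribute as the user’s immutable anchor.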

More information is found here:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts
