My colleague and I were doing a fresh AAD Connect deployment in our test lab. Everything was smooth until the second export to on-premises AD failed with an “Insufficient access rights to perform the operation” error.
Details of the error are shown below:
We had enabled “Replicate Directory Changes” and “Replicate Directory Changes All” before we started the deployment, but when we looked into the error we found that it was actually caused by msDS-ConsistencyGuid.
Azure AD Connect (version 1.1.524.0 and later) now supports using msDS-ConsistencyGuid as the sourceAnchor attribute, and this requires write permission on the msDS-ConsistencyGuid attribute in on-premises Active Directory.
So how can we delegate this specific permission for the operation? Run the PowerShell below:
# AAD Connect AD DS connector (service) account and the domain root to apply the ACE to
$accountName = "domain\aadc.svc"
$ForestDN = "DC=domain,DC=com"
# Grant WriteProperty (WP) on ms-ds-consistencyGuid, inherited only (/I:S) onto user objects
$cmd = "dsacls '$ForestDN' /I:S /G '`"$accountName`":WP;ms-ds-consistencyGuid;user'"
Invoke-Expression $cmd
Remember to replace the values of accountName and ForestDN for your environment!
Hope this helps!
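After running dsacls, it is worth confirming the ACE actually landed on the domain root with the right attribute and inherited object type. The check below is an added example and not part of the original post; it assumes the ActiveDirectory RSAT module is available and reuses the same placeholder account and forest DN values.

```powershell
# Added verification example (not from the original post): confirm the AAD Connect
# service account holds WriteProperty on ms-DS-ConsistencyGuid for user objects.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined machine.
Import-Module ActiveDirectory

$accountName = "domain\aadc.svc"      # replace for your environment
$ForestDN    = "DC=domain,DC=com"     # replace for your environment

# Resolve the attribute and class GUIDs from the schema instead of hardcoding them.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$attr      = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=mS-DS-ConsistencyGuid)" -Properties schemaIDGUID
$attrGuid  = [Guid]$attr.schemaIDGUID
$userClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=user)" -Properties schemaIDGUID
$userGuid  = [Guid]$userClass.schemaIDGUID

# dsacls /I:S ... ;user produces an inherit-only ACE scoped to the user class,
# so match on ObjectType (attribute) and InheritedObjectType (user) explicitly.
$acl   = Get-Acl -Path "AD:\$ForestDN"
$match = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $accountName -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
    $_.ObjectType -eq $attrGuid -and
    $_.InheritedObjectType -eq $userGuid
}

if ($match) {
    "OK: $accountName has WriteProperty on ms-DS-ConsistencyGuid (user objects) at $ForestDN"
} else {
    "MISSING: no matching ACE for $accountName at $ForestDN; re-check the dsacls command"
}
```

If the ACE is present but the export still fails, check that the service account is not also hit by an explicit Deny ACE on the same attribute lower in the OU tree, since Deny wins over an inherited Allow.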