There are a few gaps in the official documentation (https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-design-concepts#using-msds-consistencyguid-as-sourceanchor) and some blog posts out there:
- The correct attribute is mS-DS-ConsistencyGuid. Microsoft's official documentation is consistently having the typo "mSDS-ConsistencyGuid" - with the missing dash,
- You will need to delegate your custom service account to READ + WRITE to mS-DS-ConsistencyGuid. May documentation mentions WRITE but that is not sufficient,
- You may not be able to use AD Users and Computers to make the permission changes, depending on the operating system version of your domain controller.
The script that worked for me is:
$accountName = "domain\aad_account" #[this is the account that will be used by Azure AD Connect Sync to manage objects in the directory, this is an account in the form of AAD_number].
$ForestDN = "DC=domain,DC=com"
$cmd = "dsacls '$ForestDN' /I:S /G '`"$accountName`":RPWP;ms-ds-consistencyGuid;user'"
Fix: Note the "RPWP" permissions. RP means read permission, and WP means write permission. Both are required for this feature to work, or else you will be met with the dreaded sync error messages in AAD Connect.