[Samba] Partition replication causes Azure AD Connect to remove group members

Jake Black jblack at xes-inc.com
Fri Apr 22 14:39:06 UTC 2022

After performing a drs replicate, the next Azure AD Connect delta sync sees no members in our distribution groups and so removes them from our Azure AD.

This happened about a month ago and we have been working with Microsoft since then, as this certainly seems like an issue in their program. However, they have now gotten their Active Directory team involved as they think it's an issue in AD partition replication.

We had a couple of user account discrepancies reported from ldapcmp that persisted for a couple of days, and so I manually forced a partition replication to get all controllers to match. Shortly after that, the periodic Azure AD Connect delta sync ran and all members from our distribution groups were removed. Performing a full sync restored the membership, however.

We keep our distribution groups in OU=Lists,OU=Groups,DC=samdom,DC=com and Azure AD Connect only syncs that OU. Our security groups are kept in OU=Groups,DC=samdom,DC=com and since we don't want all of them synced to Azure AD we have a separate script that manually syncs those memberships via ldapsearch and Azure AD's API.

Our Samba DCs are on 4.15.

What does drs replicate do, that another program could see a group as empty? Is there anything we could look at on the samba side to determine if this issue resides with Microsoft or samba?

Jake Black
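One concrete thing to look at on the Samba side, as an added example that is not from the original post or from the Samba project: pull the `member` attribute of every group under OU=Lists,OU=Groups,DC=samdom,DC=com from each DC separately (for example `ldapsearch -H ldap://<dc> -b "OU=Lists,OU=Groups,DC=samdom,DC=com" "(objectClass=group)" member`) and diff the results, so that a group which reads as empty on one DC is visible before the next delta sync runs. The function and DC names are assumptions, and the LDIF is constructed inline so the script runs offline.

```python
# Added example, not from the original post: diff the `member` attribute of each group
# as seen on every DC, so a group that reads as empty on one DC is caught before a sync.
import base64
import re

def parse_ldif_members(ldif_text):
    """Return {group_dn: set(member_dn)}; handles folded lines and base64 (::) values."""
    lines = []
    for raw in ldif_text.splitlines():  # unfold: a leading space continues the previous line
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    groups, current = {}, None
    for line in lines:
        if not line.strip() or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attr, value = attr.lower(), value.strip()
        if attr == "dn":
            current = value
            groups[current] = set()  # a group with no member lines stays empty
        elif attr == "member" and current is not None:
            groups[current].add(value)
    return groups

def compare_membership(per_dc):
    """per_dc: {dc_name: ldif}. Return {group_dn: {dc: sorted members}} for groups that
    are empty on any DC or whose membership differs between DCs."""
    parsed = {dc: parse_ldif_members(text) for dc, text in per_dc.items()}
    findings = {}
    for dn in sorted(set().union(*(g.keys() for g in parsed.values()))):
        views = {dc: parsed[dc].get(dn, set()) for dc in parsed}
        sets = list(views.values())
        if any(not s for s in sets) or any(s != sets[0] for s in sets[1:]):
            findings[dn] = {dc: sorted(s) for dc, s in views.items()}
    return findings

# Constructed sample (what `ldapsearch ... member` prints per DC): dc2 lost CN=sales' members.
DC1_LDIF = """dn: CN=sales,OU=Lists,OU=Groups,DC=samdom,DC=com
member: CN=Alice,OU=Users,DC=samdom,DC=com
member: CN=Bob,OU=Users,DC=samdom,
 DC=com

dn: CN=eng,OU=Lists,OU=Groups,DC=samdom,DC=com
member: CN=Carol,OU=Users,DC=samdom,DC=com
"""
DC2_LDIF = re.sub(r"member: CN=(Alice|Bob).*\n( .*\n)?", "", DC1_LDIF)
```

Running `compare_membership({"dc1": DC1_LDIF, "dc2": DC2_LDIF})` flags only CN=sales, with an empty list for dc2; CN=eng is identical on both DCs and is not reported.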
