I recently worked through an issue with encryption and the synchronization from active directory.  I was getting errors in the MEE connector logs: "...change attribute older than current users: Ignoring other changes"

Seems some user attribute(s) were no replicating via connector.  Troubleshooting revealed that after our recent AD upgrade the issue began, I had previously pointed the AD Connector to our new DC...

Thank to this forum, I looked at "uSNChanged” value, which wasn't replicated between old and new DCs.  The “uSNChanged” value being higher in MEE than in AD would cause the connector job to ignore changes as was indicated in the connector logs.  To verify, I manually edited the MEE User attributes “SbAdCon0.changes” to “0” for an individual account, the connector log (and MEE DB) indicate updated user attributes... yay.

So it seems that my issue was due to attributes in MEE being interpreted by MEE connector query (sBAdCon0.changes) as newer than that which is in AD within the “uSNChanged” field, therefore not updating… 

Worked out a fix which seems to be working in test… scripting a two part fix to the MEE database using sbadmcl.exe

Step1: (The following will change the connector reference)

     sbadmcl -AdminUser:admin -AdminPwd:xxxxx -command:ChangeBindingname -group:* -OldBind:SbAdCon0.changes -NewBind:SbAdCon9.changes

Step2: Manually run the AD connector which will generate new SbAdCon0.changes

Step3: (The following will remove the previously renamed entries and corresponding (incorrect) values...cleanup:)

     sbadmcl -AdminUser:admin -AdminPwd:xxxxx -command:ChangeBindingname –group:* -OldBind:SbAdCon9.changes -NewBind:

Thought I'd share my experience, since this forum has helped me in the past... and that the documentation (scripting tool guide) lists the -command:ChangeBindingname incorrectly as -command:changebinding which threw me for a loop.