When you implement a hybrid setup of your on-premises infrastructure with Office 365, you also enable the Active Directory synchronization to Azure Active Directory via Azure AD Connect.
In this scenario, your Active Directory objects are synchronized to Azure AD for a single sign-on or unified login experience.
In some cases, directory synchronization errors happen when the source objects are in a bad state. Consequently, those objects can’t properly synchronize and can cause all sorts of problems for the affected users.
When you encounter those synchronization errors, identifying the exact reason may be challenging if done manually. But don’t worry because the IdFix tool can help identify and resolve these errors.
What Errors Can the IdFix Tool Identify?
The first thing to be made clear is that the IdFix will not magically fix all your synchronization issues. It can identify the issues and suggest a resolution, but you still have to decide on the fix.
So what issues can IdFix identify that put objects in a bad state? In short, here is the high-level list.
- Invalid characters, like leading space characters in the mailNickName.
- Objects with duplicate values for unique attributes, like the SMTP email address in the proxyAddresses attribute.
- Non-routable domains, like @domain.local.
- Invalid email address parts, like “some one@somecompany.com” or “someone@somecompany.com”.
- A required attribute is empty, such as if a remote mailbox user has a blank alias.
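As an added example that is neither the article's nor Microsoft's IdFix code, the PowerShell function below runs the same five checks read-only over user objects and reports findings in IdFix's OBJECT/ATTRIBUTE/ERROR/VALUE/UPDATE shape, so you can review them before anything is changed. The sample objects are constructed, the RoutableDomains default is an assumption, and the live call needs the RSAT ActiveDirectory module.

```powershell
function Test-IdFixAttributes {
    # Read-only check; emits findings shaped like IdFix's OBJECT/ATTRIBUTE/ERROR/VALUE/UPDATE columns.
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)] $Object,
        [string[]] $RoutableDomains = @('somecompany.com')   # assumed; use your verified tenant domains
    )
    begin { $smtpSeen = @{} }   # lower-cased SMTP address -> Name of the object that first claimed it
    process {
        $o = $Object
        function Emit($attr, $err, $value, $update) {
            [pscustomobject]@{ Object = $o.Name; Attribute = $attr; Error = $err; Value = $value; Update = $update }
        }
        # Invalid characters: any whitespace in mailNickname (covers the leading-space case)
        if ($o.mailNickname -match '\s') {
            Emit 'mailNickname' 'character' $o.mailNickname ($o.mailNickname -replace '\s', '')
        }
        # Required attribute empty: a mail-enabled object with a blank alias
        if ([string]::IsNullOrWhiteSpace($o.mailNickname) -and $o.mail) {
            Emit 'mailNickname' 'blank' '' (($o.mail -split '@')[0])
        }
        foreach ($pa in @($o.proxyAddresses)) {
            if ($pa -match '^smtp:(.+)$') {   # SMTP entries only; -match is case-insensitive
                $addr = $Matches[1]
                # Invalid email parts: whitespace, or not exactly one local@domain pair
                if ($addr -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
                    Emit 'proxyAddresses' 'format' $pa ($pa -replace '\s', '')
                }
                # Duplicate value for a unique attribute: same SMTP address already on another object
                $key = $addr.ToLowerInvariant()
                if ($smtpSeen.ContainsKey($key)) { Emit 'proxyAddresses' "duplicate of $($smtpSeen[$key])" $pa '' }
                else { $smtpSeen[$key] = $o.Name }
            }
        }
        # Non-routable domain: a UPN suffix the tenant cannot verify, such as .local
        $suffix = ($o.userPrincipalName -split '@')[-1]
        if ($o.userPrincipalName -and $RoutableDomains -notcontains $suffix) {
            Emit 'userPrincipalName' 'domainpart' $o.userPrincipalName (($o.userPrincipalName -split '@')[0] + '@' + $RoutableDomains[0])
        }
    }
}
# Constructed sample objects (not real directory data) covering each error class listed above
$sample = @(
    [pscustomobject]@{ Name='Aten Stig'; mailNickname='astig'; mail='aten.stig@somecompany.com'; proxyAddresses=@('SMTP:aten stig@somecompany.com'); userPrincipalName='astig@somecompany.com' }
    [pscustomobject]@{ Name='Bo Li'; mailNickname=' boli'; mail='bo.li@somecompany.com'; proxyAddresses=@('SMTP:bo.li@somecompany.com'); userPrincipalName='boli@domain.local' }
    [pscustomobject]@{ Name='Bo Li (stale)'; mailNickname=''; mail='bo.li@somecompany.com'; proxyAddresses=@('smtp:BO.LI@somecompany.com'); userPrincipalName='boli2@somecompany.com' }
)
$sample | Test-IdFixAttributes | Format-Table -AutoSize
# Live, read-only scan of the domain: Get-ADUser -Filter * -Properties mailNickname,proxyAddresses,userPrincipalName,mail | Test-IdFixAttributes -RoutableDomains 'somecompany.com'
```

Nothing here writes to the directory; the Update column is only a proposal to compare against what IdFix suggests.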
Now that you’re acquainted with the Microsoft IdFix tool, let’s see it in action.
Install the Microsoft IdFix Tool
First, download the Microsoft IdFix tool installer on your server at https://go.microsoft.com/fwlink/p/?linkid=2138471. This link downloads a file called setup.exe.
Run the setup.exe file after downloading. The installer uses the ClickOnce format and may warn you that the publisher cannot be verified. You can safely ignore this warning and click Install.
Wait for the Microsoft IdFix tool to finish installing.
Read and acknowledge the IdFix privacy statement by clicking OK.
Identify and Fix Attribute Errors with the IdFix Tool
Once the IdFix tool is open, you’ll see a window like the one shown below. Click the Query button to start identifying the attribute errors that may exist on your local AD objects.
As you can see, this example shows several issues that may prevent successful object synchronization.
The result shows the affected object and its class (user, group), the erring attribute, and the cause. It also includes columns showing the value containing the error and the suggested update.
At this point, you need to analyze the issues and decide the actions to take.
Apply Individual Fix to Objects
For example, the first error shows that the proxy address for Aten Stig is invalid because the SMTP address contains a space character. The fix the IdFix tool recommends in the UPDATE column is to remove the space. You can also edit the new value directly in the cell.
In this example, let’s fix only the first error: select EDIT in its ACTION column and click Apply.
Note. Clicking Apply will change only the objects with a selected ACTION.
You’ll get a confirmation prompt. If you’re confident of the selected actions, click Yes to confirm.
Once the fix is applied, the ACTION changes to COMPLETE.
Accept All Suggested Updates
You can also let the IdFix tool apply the suggested updates to all objects. But you must only choose this option if you’ve carefully reviewed and assessed that the proposed updates are suitable and accurate.
Re-run the query to refresh the list of objects with errors, review the errors and suggested fixes, and click Accept.
The IdFix tool then asks you to confirm to accept all updates. Click Yes.
The ACTION column will automatically fill with the suggested actions, as shown below. Lastly, click Apply to apply these changes.
Confirm by clicking Yes.
Reverting Changes
Sometimes you need to undo the changes you made to objects. And if you made those changes using the IdFix tool, you have one level of undo because the latest changes are stored in a transaction log.
Because you can only step back one change set, it is recommended to keep each batch of changes small, review the results afterward, and run the undo if needed.
To undo the latest changes done by the IdFix tool, click Undo, choose the LDF file, and click Open.
Once the record is loaded, click Accept and Apply to undo the last changes.
Conclusion
If everything goes well, the directory sync errors should disappear from your tenant in the following Azure AD Connect sync cycle.
The Microsoft IdFix tool is an excellent aid for identifying the source of directory object sync errors. But it is not magic. As the administrator, you are responsible for ensuring that any fixes and updates are applicable and accurate.