Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About


November 15, 2021 | Active Directory, Azure, Microsoft 365

IdFix: Preparing On-Prem Active Directory Sync with Azure

If you are going to configure synchronization of your local (on-premises) Active Directory with Microsoft 365/Azure AD using Azure AD Connect (AADConnect), you must first check the object attributes in your on-premises AD DS for compatibility with Azure AD.

Microsoft has released a special Microsoft Office 365 IdFix tool (Directory Synchronization Error Remediation) for checking an on-premises Active Directory instance. The IdFix tool allows you to scan your AD DS and find users, contacts, or groups that cannot be synced with Azure AD for some reason.

IdFix detects the most common errors in Active Directory object attributes:

  • Invalid symbols in AD object names (including leading and trailing spaces);
  • Duplicates;
  • Invalid SMTP addresses, MailNickNames;
  • Objects with attribute values that exceed acceptable limits;
  • Non-routable UPN suffixes (userPrincipalName).

Microsoft notes that more than half of the issues customers report when processing AAD sync errors are related to incorrect proxyAddresses and userPrincipalName attributes, and to duplicates.

You can find IdFix on GitHub (https://github.com/microsoft/idfix) and download its setup.exe using the direct link. IdFix is a ClickOnce app, so internet access is required to install it. Otherwise, you will see this error:

An error occurred attempting to install IdFix
Error: An error occurred trying to download 'https://raw.githubusercontent.com/Microsoft/idfix/master/publish/IdFix.application'


The same error also appears if you try to install IdFix on Windows Server 2016/2019. To fix it, you have to temporarily enable caching of SSL pages in the registry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"DisableCachingOfSSLPages"=dword:00000000

Use the command below:

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v DisableCachingOfSSLPages /t REG_DWORD /d 00000000 /f

After that, the IdFix installation will start normally.


After you have finished working with IdFix, set the DisableCachingOfSSLPages value to 1.

You can install IdFix on any domain-joined computer. Run the tool and click Query.

To run IdFix you will need Microsoft .NET Framework version 4.5.2 or newer.

IdFix will connect to your on-prem Active Directory domain and display a list of the objects you need to fix before syncing with Azure.

In our example, IdFix found several AD objects with three types of errors:

  • Empty displayName attribute of a user account (displayName = Blank)
  • The same values of the mail attribute for several users (mail=Duplicate)
  • Three users had non-routable userPrincipalName from .loc domain (userPrincipalName=TopLevelDomain)


You may also see the following errors:

  1. Character – invalid symbols in an attribute
  2. Format – incorrect format of attribute values (for example, the invalid format of SMTP addresses)
  3. Length – the attribute length is exceeded

If you are going to sync discovered users with Azure AD, you need to fix these errors. Select the ACTION you want to apply to the AD object attributes you have found (Edit, Remove, Complete). If you selected Edit, you can specify a new attribute value in the Update box.

To apply the changes, click Accept -> Apply. The changes will be applied only to the entries that have values set in the Action field.

You can also export the list of found objects and errors to a CSV file. You can analyze the found issues in Excel, and then make changes to AD using PowerShell cmdlets for managing Active Directory objects: Set-ADUser, Set-ADGroup, Set-ADComputer, etc.
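
The CSV-then-PowerShell workflow above, as an added example (not from the original article or the IdFix project): it builds a reviewable change plan for the TopLevelDomain UPN errors and leaves Duplicate and Blank rows for manual review. The column names, the sample rows, the `example.com` suffix, the `$CheckAgainstAd` switch and the `Get-UpnFixPlan` helper are assumptions; compare the header with your own export.

```powershell
# Added example (not from the article or the IdFix project): turn an IdFix CSV
# export into a reviewable change plan. Column names are assumed; compare them
# with the header of your own export. The rows below are constructed samples.
$rows = @'
DISTINGUISHEDNAME,OBJECTCLASS,ATTRIBUTE,ERROR,VALUE
"CN=Anna Bauer,OU=Staff,DC=corp,DC=loc",user,userPrincipalName,TopLevelDomain,abauer@corp.loc
"CN=Tom Reed,OU=Staff,DC=corp,DC=loc",user,userPrincipalName,TopLevelDomain,treed@corp.loc
"CN=Tom Reed,OU=Staff,DC=corp,DC=loc",user,mail,Duplicate,sales@example.com
"CN=Eva Lind,OU=Staff,DC=corp,DC=loc",user,mail,Duplicate,sales@example.com
"CN=svc-scan,OU=Staff,DC=corp,DC=loc",user,displayName,Blank,
'@ | ConvertFrom-Csv

$RoutableSuffix = 'example.com'   # hypothetical verified domain of the tenant
$CheckAgainstAd = $false          # set to $true only after loading a real export with Import-Csv

function Get-UpnFixPlan {
    param([object[]]$Rows, [string]$Suffix)
    foreach ($r in $Rows) {
        if ($r.ATTRIBUTE -ne 'userPrincipalName' -or $r.ERROR -ne 'TopLevelDomain') { continue }
        $userPart = ($r.VALUE -split '@', 2)[0]
        if ([string]::IsNullOrWhiteSpace($userPart)) { continue }   # malformed value: fix by hand
        [pscustomobject]@{
            DistinguishedName = $r.DISTINGUISHEDNAME
            OldUpn            = $r.VALUE
            NewUpn            = '{0}@{1}' -f $userPart, $Suffix
        }
    }
}

$plan = @(Get-UpnFixPlan -Rows $rows -Suffix $RoutableSuffix)
# A suffix rewrite must not create a new duplicate, so flag colliding targets.
$collisions = $plan | Group-Object NewUpn | Where-Object Count -gt 1
# Duplicate and Blank errors need a human decision; group them for review.
$manual = $rows | Where-Object { $_.ERROR -in 'Duplicate', 'Blank' } |
    Group-Object ATTRIBUTE, ERROR, VALUE

$plan | Format-Table -AutoSize
$manual | Select-Object Count, Name | Format-Table -AutoSize
$collisions | ForEach-Object { Write-Warning "Colliding target UPN: $($_.Name)" }

# Dry run against AD: -WhatIf reports each change without writing it.
if ($CheckAgainstAd -and -not $collisions) {
    Import-Module ActiveDirectory
    foreach ($p in $plan) {
        if (Get-ADUser -Filter "UserPrincipalName -eq '$($p.NewUpn)'") { Write-Warning "In use: $($p.NewUpn)"; continue }
        Set-ADUser -Identity $p.DistinguishedName -UserPrincipalName $p.NewUpn -WhatIf
    }
}
```

Remove `-WhatIf` only after the plan has been reviewed, then run Query in IdFix again to confirm the errors are gone.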

If you are going to sync only a part of your Active Directory with Azure, you can specify the criteria to select AD objects for analysis in the Settings (using an LDAP filter). Using Search Base, you can select the OU for analysis.


IdFix allows you to find and fix a lot of problems that may prevent user, contact, or group synchronization from on-premises Active Directory to Azure AD. Make sure you check your on-premises Active Directory when preparing for directory synchronization to Microsoft 365 via Azure AD Connect.
