Article ID: 2643629

PROBLEM

One or more Active Directory Domain Services (AD DS) objects or attributes don't sync to Microsoft Azure Active Directory (Azure AD) as expected. When Active Directory synchronization runs, an object doesn't sync, and you experience one of the following symptoms:
  • You receive an error message that states that an attribute has a duplicate value.
  • You receive an error message that states that one or more attributes violate formatting requirements such as character set or character length.
  • You don't receive an error message, and directory synchronization seems to be completed. However, some objects or attributes aren't updated as expected.
Some examples of the error message that you may receive include the following:
  • A synchronized object with the same proxy address already exists in your Microsoft Online Services directory.
  • Unable to update this object because the user ID is not found.
  • Unable to update this object in Microsoft Online Services because the following attributes associated with this object have values that may already be associated with another object in your local directory.

CAUSE

This issue occurs for one of the following reasons:
  • The domain value that's used by AD DS attributes hasn't been verified.
  • One or more object attributes that require a unique value have a duplicate attribute value (such as the proxyAddresses attribute or the UserPrincipalName attribute) in an existing user account.
  • One or more object attributes violate formatting requirements that restrict the characters and the character length of attribute values.
  • One or more object attributes match exclusion rules for directory synchronization.

    The following table shows the default sync scoping rules:

    Object type                     Attribute name               Condition of attribute when synchronization fails
    Contact                         DisplayName                  Contains "MSOL"
                                    msExchHideFromAddressLists   Is set to "True"
    Security-enabled group          isCriticalSystemObject       Is set to "True"
    Mail-enabled groups (security   proxyAddresses and mail      proxyAddresses has no "SMTP:" address entry and mail is not present
      group or distribution list)
    Mail-enabled contacts           proxyAddresses and mail      proxyAddresses has no "SMTP:" address entry and mail is not present
    iNetOrgPerson                   sAMAccountName               Is not present
                                    isCriticalSystemObject       Is present
    User                            mailNickName                 Starts with "SystemMailbox"
                                    mailNickName                 Starts with "CAS_" and contains "{"
                                    sAMAccountName               Starts with "CAS_" and contains "}"
                                    sAMAccountName               Equals "SUPPORT_388945a0"
                                    sAMAccountName               Equals "MSOL_AD_Sync"
                                    sAMAccountName               Is not present
                                    isCriticalSystemObject       Is set to "True"
  • The user principal name (UPN) was changed after the initial synchronization and must be updated manually.
  • Exchange Online Simple Mail Transfer Protocol (SMTP) addresses of synced users aren't populated appropriately in the on-premises Active Directory schema.
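The scoping rules in the table above, expressed as a check you can run against an object's attributes before troubleshooting further. This is an added example, not part of the KB article or the sync tool; the object is represented as a hashtable, and treating any "smtp:"/"SMTP:" entry as an SMTP address entry is an assumption.

```powershell
# Added example (not part of the KB article): evaluate an on-premises object,
# given as a hashtable of attribute name -> value, against the default directory
# synchronization scoping rules. Returns the rules that would exclude the object.
function Get-DirSyncExclusionReasons {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Contact','SecurityGroup','MailEnabledGroup','MailEnabledContact','iNetOrgPerson','User')]
        [string]$ObjectType,
        [Parameter(Mandatory)][hashtable]$Attributes
    )
    $reasons = @()
    # "Is not present": key missing, $null, or empty string
    $present = { param($name) $Attributes.ContainsKey($name) -and -not [string]::IsNullOrEmpty("$($Attributes[$name])") }
    $isTrue  = { param($name) "$($Attributes[$name])" -eq 'True' }
    # Assumption: any smtp:/SMTP: entry counts as an SMTP address entry (-like ignores case)
    $hasSmtp = { @($Attributes['proxyAddresses']) | Where-Object { $_ -like 'smtp:*' } }
    switch ($ObjectType) {
        'Contact' {
            if ("$($Attributes['displayName'])".Contains('MSOL')) { $reasons += 'displayName contains "MSOL"' }
            if (& $isTrue 'msExchHideFromAddressLists')          { $reasons += 'msExchHideFromAddressLists is "True"' }
        }
        'SecurityGroup' {
            if (& $isTrue 'isCriticalSystemObject') { $reasons += 'isCriticalSystemObject is "True"' }
        }
        { $_ -in 'MailEnabledGroup','MailEnabledContact' } {
            if (-not (& $hasSmtp) -and -not (& $present 'mail')) { $reasons += 'no "SMTP:" proxyAddresses entry and mail is not present' }
        }
        'iNetOrgPerson' {
            if (-not (& $present 'sAMAccountName'))  { $reasons += 'sAMAccountName is not present' }
            if (& $present 'isCriticalSystemObject') { $reasons += 'isCriticalSystemObject is present' }
        }
        'User' {
            $nick = "$($Attributes['mailNickName'])"; $sam = "$($Attributes['sAMAccountName'])"
            if ($nick -like 'SystemMailbox*')                 { $reasons += 'mailNickName starts with "SystemMailbox"' }
            if ($nick -like 'CAS_*' -and $nick.Contains('{')) { $reasons += 'mailNickName starts with "CAS_" and contains "{"' }
            if ($sam -like 'CAS_*' -and $sam.Contains('}'))   { $reasons += 'sAMAccountName starts with "CAS_" and contains "}"' }
            if ($sam -in 'SUPPORT_388945a0','MSOL_AD_Sync')   { $reasons += "sAMAccountName equals `"$sam`"" }
            if (-not (& $present 'sAMAccountName'))           { $reasons += 'sAMAccountName is not present' }
            if (& $isTrue 'isCriticalSystemObject')           { $reasons += 'isCriticalSystemObject is "True"' }
        }
    }
    return ,$reasons
}

# Constructed inputs: the sync tool's own service account, a mail-enabled contact
# that has only an X500 address, and an ordinary user that nothing excludes.
Get-DirSyncExclusionReasons -ObjectType User -Attributes @{ sAMAccountName = 'MSOL_AD_Sync'; mailNickName = 'MSOL_AD_Sync' }
Get-DirSyncExclusionReasons -ObjectType MailEnabledContact -Attributes @{ proxyAddresses = @('x500:/o=Exchange/ou=Example/cn=Recipients/cn=contact1') }
Get-DirSyncExclusionReasons -ObjectType User -Attributes @{ sAMAccountName = 'jdoe'; mailNickName = 'jdoe'; isCriticalSystemObject = $false }
```

The first two calls return one exclusion reason each; the third returns an empty array, meaning the default rules alone do not explain why such a user fails to sync.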

SOLUTION

To resolve this issue, use one of the following methods, as appropriate for your situation.

Resolution 1: Run IdFix to check for duplicates, missing attributes, and rule violations

Use the IdFix DirSync Error Remediation Tool to find objects and errors that prevent synchronization to Azure AD. 
  • If you see "Blank" in the ERROR column after you run IdFix, see the following Microsoft Knowledge Base article:
    2857349 "Blank" is displayed in the ERROR column for one or more objects after you run the IdFix tool
  • If you see "Format" in the ERROR column after you run IdFix, see the following Microsoft Knowledge Base article:
    2857351 "Format" is displayed in the ERROR column for one or more objects after you run the IdFix tool
  • If you see "Character" in the ERROR column after you run IdFix, see the following Microsoft Knowledge Base article:
    2857352 "Character" is displayed in the ERROR column for one or more objects after you run the IdFix tool
  • If you see "Duplicate" in the ERROR column after you run IdFix, see the following Microsoft Knowledge Base article:
    2857385 "Duplicate" is displayed in the ERROR column for one or more objects after you run the IdFix tool

Resolution 2: Use the Office 365 OnRamp Tool

To obtain information about invalid attributes by using the Office 365 OnRamp Tool, follow these steps:
  1. On a domain-joined computer, go to the following Microsoft website and follow the instructions on the page:
    https://onramp.office365.com/OnRamp/
  2. In the report, locate the users and groups section to view details of the attribute issues that can cause synchronization problems. The following screen shot shows an example of the environmental checks section of the report:

    [Screen shot of the environmental checks report]

Resolution 3: Determine attribute conflicts that are caused by objects that weren't created in Azure AD through directory synchronization

To determine attribute conflicts that are caused by user objects that were created by using management tools (and that weren't created in Azure AD through directory synchronization), follow these steps:
  1. Determine the unique attributes of the on-premises AD DS user account. To do this, on a computer that has Windows Support Tools installed, follow these steps:
    1. Click Start, click Run, type ldp.exe, and then click OK.
    2. Click Connection, click Connect, type the computer name of an AD DS domain controller, and then click OK.
    3. Click Connection, click Bind, and then click OK.
    4. Click View, click Tree View, select the AD DS domain in the BaseDN drop-down list, and then click OK.
    5. In the navigation pane, locate and then double-click the object that isn't syncing correctly. The Details pane on the right side of the window lists all object attributes. The following example shows the object attributes:

      [Screen shot of the object attributes]
    6. Record the values of the userPrincipalName attribute and each SMTP address in the multivalue proxyAddresses attribute. You'll need these values later.
      proxyAddresses
        Example: proxyAddresses (3): x500:/o=Exchange/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=1ae75fca0d3a4303802cea9ca50fcd4f-7628376; smtp:7628376@service.contoso.com; SMTP:7628376@contoso.com;
        Notes:
        • The number that's displayed in parentheses next to the attribute label indicates the number of proxy address values in the multivalue attribute.
        • Each distinct proxy address value is terminated by a semicolon (;).
        • The primary SMTP proxy address value is indicated by uppercase "SMTP:".
      userPrincipalName
        Example: 7628376@contoso.com
      Note Ldp.exe is included in Windows Server 2008 and in the Windows Server 2003 Support Tools. The Windows Server 2003 Support Tools are included in the Windows Server 2003 installation media. Or, to obtain the Support Tools, go to the following Microsoft website:
      Windows Server 2003 Service Pack 2 32-bit Support Tools
  2. Connect to Azure AD by using the Azure Active Directory Module for Windows PowerShell. For more info, go to Manage Azure AD using Windows PowerShell.

    Leave the console window open. You'll need to use it in the next step.
  3. Check for the duplicate userPrincipalName attributes.

    In the console connection that you opened in step 2, type the following commands in the order in which they are presented, and then press Enter after each command:
    • $userUPN = "<search UPN>"
      Note In this command, the placeholder "<search UPN>" represents the UserPrincipalName attribute that you recorded in step 1f.
    • Get-MsolUser -UserPrincipalName $userUPN | Where-Object { $_.LastDirSyncTime -eq $null }
    Leave the console window open. You'll use it again in the next step.
  4. Check for duplicate proxyAddresses attributes. In the console connection that you opened in step 2, type the following commands in the order in which they are presented, and then press Enter after each command:
    • $Cred = Get-Credential
      Note When you're prompted, enter your admin credentials. The next command uses this $Cred value.
    • $SessionExO = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Cred -Authentication Basic -AllowRedirection
    • Import-PSSession $SessionExO -Prefix Cloud
  5. For each proxy address entry that you recorded in step 1f, type the following commands in the order in which they are presented, and then press Enter after each command:
    • $proxyAddress = "<search proxyAddress>"
      Note In this command, the placeholder "<search proxyAddress>" represents the value of a proxyAddresses attribute that you recorded in step 1f.
    • Get-CloudMailbox | Where-Object { [string]$str = $_.EmailAddresses; $str.ToLower().Contains($proxyAddress.ToLower()) } | ForEach-Object { Get-MsolUser -UserPrincipalName $_.MicrosoftOnlineServicesID | Where-Object { $_.LastDirSyncTime -eq $null } }
Items that are returned after you run the commands in steps 3 through 5 represent user objects that weren't created through directory synchronization and that have attributes that conflict with the object that isn't syncing correctly.

Resolution 4: Update AD DS attributes to remove duplicates, rules violations, and scoping exclusions

Identify the specific attributes that are preventing synchronization based on the following information:
  • Administrative email messages
  • The report from the output of the Office 365 Deployment Readiness Tool
  • Default directory synchronization scoping rules and custom rules
After a specific attribute value is identified, use the Active Directory Users and Computers tool to edit the attribute value. To do this, follow these steps:
  1. Open Active Directory Users and Computers, and then select the root node of the AD DS domain.
  2. Click View, and then make sure that the Advanced Features option is selected.
  3. In the left navigation pane, locate the user object, right-click it, and then click Properties.
  4. On the Object Editor tab, locate the attribute that you want, click Edit, and then edit the attribute value to the value that you want.
  5. Click OK two times.
Or, you can use Active Directory Service Interfaces (ADSI) Edit to update object attributes in AD DS. You can download and install ADSI Edit as a part of the Windows Server Toolkit. To use ADSI Edit to edit attributes, follow these steps.

Warning This procedure requires ADSI Edit. Using ADSI Edit incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems that result from the incorrect use of ADSI Edit can be resolved. Use ADSI Edit at your own risk.
  1. Click Start, click Run, type ADSIEdit.msc, and then click OK.
  2. Right-click ADSI Edit in the navigation pane, click Connect to, and then click OK to load the domain partition.
  3. Locate the user object, right-click it, and then click Properties.
  4. In the Attributes list, locate the attribute that you want, click Edit, and then edit the attribute value to the value that you want.
  5. Click OK two times, and then exit ADSI Edit.

Resolution 5: Use SMTP matching to cause an on-premises user object to sync to an existing user object

To do this, see the following Microsoft Knowledge article:
2641663 How to use SMTP matching to match on-premises user accounts to Office 365 user accounts for directory synchronization

Resolution 6: Manually update a user account UPN

To update a user account UPN that was licensed after initial directory synchronization has occurred, follow these steps:
  1. Click Start, click All Programs, click Windows Azure Active Directory, and then click Windows Azure Active Directory Module for Windows PowerShell.
  2. Run the following cmdlets at the Windows PowerShell prompt:
    1. $cred = get-credential
      Note When you're prompted, enter your admin credentials.
    2. Connect-MSOLService
    3. Set-MsolUserPrincipalName -UserPrincipalName [CurrentUPN] -NewUserPrincipalName [NewUPN]

Resolution 7: Update user SMTP addresses by using on-premises Active Directory attributes

When SMTP attributes aren't synced to Exchange Online in an expected way, you may have to update the on-premises Active Directory attributes. To update on-premises Active Directory attributes so that the correct email address displays in Exchange Online, use Resolution 2 to manipulate the attributes that are listed in the following table.
On-premises Active Directory attribute name   Example on-premises Active Directory attribute value   Example Exchange Online email addresses
proxyAddresses                                SMTP:user1@contoso.com                                Primary SMTP: user1@contoso.com
                                                                                                    Secondary SMTP: user1@contoso.onmicrosoft.com
proxyAddresses                                smtp:user1@contoso.com                                Primary SMTP: user1@contoso.onmicrosoft.com
                                                                                                    Secondary SMTP: user1@contoso.com
proxyAddresses                                SMTP:user1@contoso.com                                Primary SMTP: user1@contoso.com
                                              smtp:user1@sub.contoso.com                            Secondary SMTP: user1@sub.contoso.com
                                                                                                    Secondary SMTP: user1@contoso.onmicrosoft.com
mail                                          User1@contoso.com                                     Primary SMTP: user1@contoso.com
                                                                                                    Secondary SMTP: user1@contoso.onmicrosoft.com
UserPrincipalName                             User1@contoso.com                                     Primary SMTP: user1@contoso.com
                                                                                                    Secondary SMTP: user1@contoso.onmicrosoft.com
The Microsoft Online Email Routing Address (MOERA) entry that's associated with the default domain (such as user1@contoso.onmicrosoft.com) is an interpreted value that's based on a user account's alias. This specialty email address is inextricably linked to each Exchange Online recipient, and you can't manage, delete, or create additional MOERA addresses for any recipient. However, the MOERA address can be overridden as the primary SMTP address by using the attributes in the on-premises Active Directory user object.

Note The presence of data in the proxyAddresses attribute completely masks data in the mail attribute for Exchange Online email address population.

Note The presence of data in the proxyAddresses attribute, the mail attribute, or both attributes completely masks UserPrincipalName data for Exchange Online email address population. The UPN can be used to manage email addresses. However, an admin can decide to manage the email address and UPN separately by populating the proxyAddresses or mail attributes.

We highly recommend that one of these attributes be used consistently to manage Exchange Online email addresses for synced users.
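The table and the two Notes above describe a precedence order; the following added example (not from the KB article) models it so that you can predict the Exchange Online addresses a given set of on-premises attributes will produce before you edit them. It assumes, because the article does not say, that the MOERA is the alias followed by the tenant's default domain and that the alias is the local part of the highest-precedence address.

```powershell
# Added example (not from the KB article): model how Exchange Online derives a synced
# user's SMTP addresses from the on-premises attributes, applying the precedence from
# the two Notes (proxyAddresses masks mail; either masks the UPN).
# Assumption (not stated by the article): the MOERA is <alias>@<tenant default domain>,
# and the alias is the local part of the highest-precedence address.
function Get-ExpectedExoAddresses {
    param(
        [string[]]$ProxyAddresses = @(),
        [string]$Mail,
        [string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$TenantDefaultDomain   # e.g. contoso.onmicrosoft.com
    )
    # Only smtp:/SMTP: entries matter here; x500: and other prefixes are ignored
    $smtp = @($ProxyAddresses | Where-Object { $_ -like 'smtp:*' })
    if ($smtp.Count -gt 0) {
        $source    = 'proxyAddresses'
        # Uppercase "SMTP:" marks the primary; lowercase "smtp:" entries are secondary
        $primary   = @($smtp | Where-Object { $_ -clike 'SMTP:*' }    | ForEach-Object { $_.Substring(5) })
        $secondary = @($smtp | Where-Object { $_ -cnotlike 'SMTP:*' } | ForEach-Object { $_.Substring(5) })
    } elseif ($Mail) {
        $source = 'mail'; $primary = @($Mail); $secondary = @()
    } elseif ($UserPrincipalName) {
        $source = 'UserPrincipalName'; $primary = @($UserPrincipalName); $secondary = @()
    } else {
        throw 'None of proxyAddresses, mail or UserPrincipalName is populated.'
    }
    # The MOERA is always present and cannot be removed. It becomes the primary only when
    # no uppercase SMTP: entry designates one (second row of the table).
    $aliasSource = if ($primary.Count -gt 0) { $primary[0] } else { $secondary[0] }
    $moera = '{0}@{1}' -f $aliasSource.Split('@')[0], $TenantDefaultDomain
    if ($primary.Count -eq 0) { $primary = @($moera) } elseif ($secondary -notcontains $moera) { $secondary += $moera }
    [pscustomobject]@{ Source = $source; PrimarySmtp = $primary[0]; SecondarySmtp = $secondary }
}

# Constructed inputs reproducing rows 3, 2 and 4 of the table (mail masks the UPN in the last call)
Get-ExpectedExoAddresses -ProxyAddresses 'SMTP:user1@contoso.com','smtp:user1@sub.contoso.com' -TenantDefaultDomain contoso.onmicrosoft.com
Get-ExpectedExoAddresses -ProxyAddresses 'smtp:user1@contoso.com' -TenantDefaultDomain contoso.onmicrosoft.com
Get-ExpectedExoAddresses -Mail 'user1@contoso.com' -UserPrincipalName 'jdoe@contoso.com' -TenantDefaultDomain contoso.onmicrosoft.com
```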

MORE INFORMATION

The Windows PowerShell commands that are mentioned in this article require the Azure Active Directory Module for Windows PowerShell. For more information about the Azure Active Directory Module for Windows PowerShell, go to Manage Azure AD using Windows PowerShell.

For more information about filtering directory synchronization by attributes, see the following Microsoft TechNet wiki article:
List of Attributes that are Synced by the Azure Active Directory Sync Tool
Still need help? Go to the Office 365 Community website or the Azure Active Directory Forums website.

Properties

Article ID: 2643629 - Last Review: September 24, 2014 - Revision: 31.0
Applies to
  • Microsoft Azure Active Directory
  • Microsoft Office 365
  • Windows Intune
  • CRM Online via Office 365 E Plans
  • Microsoft Azure Recovery Services
  • Office 365 Identity Management
Keywords: 
o365 o365a o365022013 o365e o365m kbgraphxlink kbgraphic KB2643629
