IdFix TopLevelDomain Error


In order to make a successful migration to Office 365 you need to resolve any issues with your Active Directory data. Microsoft has created the tool IdFix to help you identify issues. You can download it here.

This post will look specifically at the TopLevelDomain Error as reported by the IdFix tool. What is it and how do we fix it?

If you’re looking for information on the Duplicate error refer to this post. 

Identifying the IdFix TopLevelDomain Error

After running the IdFix tool for the first time you may see a lot of errors in your environment. The best approach is to fix one error type at a time.

If you have any TopLevelDomain Errors in IdFix it will look like this:

(Screenshot: IdFix tool listing objects with the topleveldomain error)

The TopLevelDomain error indicates a problem with the top-level domain in a mail object's email address. In other words, the domain part of the email address is not Internet routable.

In 99% of all cases this is caused by email address policies generating mail aliases based on your local/internal domain name. Email addresses need to be Internet routable, and yourdomain.local ain’t gonna make it 😉

Fixing the IdFix TopLevelDomain Error

To fix the issue you should remove the non-routable mail alias from your mail objects. You can do this manually using the IdFix tool, but since this is quite often a generic issue affecting many if not all mail recipients, you may want to turn to PowerShell:

Start by identifying all mail objects (not just users) that have your internal domain name assigned as a proxyAddresses mail alias:

Import-Module ActiveDirectory
$Objects = Get-ADObject -LDAPFilter "(proxyAddresses=*@mydomain.local)" -Properties proxyAddresses

(of course you need to replace “mydomain.local” with your actual internal domain name)

Once the objects have been identified we can look at the multi-valued attribute proxyAddresses on each of them. If we find the internal domain name we remove that value:

ForEach ($Object In $Objects) {
    $proxyAddresses = $Object.proxyAddresses
    ForEach ($proxyAddress In $proxyAddresses) {
        If ($proxyAddress -Like '*@mydomain.local') {
            # Log the object and the alias about to be removed; keep this output as your fallback
            Write-Host "$($Object.DistinguishedName)`t$proxyAddress"
            # Remove only this single value from the multi-valued proxyAddresses attribute
            Set-ADObject $Object -Remove @{ProxyAddresses = "$($proxyAddress)"}
        }
    }
}

The above script makes critical changes to a potentially large number of mail-enabled objects. Make sure to test it on a limited number of users that you can repair manually in case of issues before you fire off the script on the entire population of your Active Directory!

For extra safety follow this advice:

  • Comment out the Set-ADObject line and review the output from the Write-Host line before making the actual change
  • Save the output from the Write-Host line in order to easily restore any of the changes
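The following is an added example, not the post's own script, that folds both safety measures above into one function: it writes a rollback CSV before touching anything, supports -WhatIf for a dry run, and can be limited to a pilot OU. It assumes the ActiveDirectory module; the domain name, CSV path and OU are placeholders.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module;
# 'mydomain.local', the CSV path and the OU below are placeholders.
Import-Module ActiveDirectory

function Remove-NonRoutableProxyAddress {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $InternalDomain,   # e.g. mydomain.local
        [Parameter(Mandatory)] [string] $BackupCsv,        # rollback file, written before any change
        [string] $SearchBase                               # optional OU for a limited test run
    )
    $query = @{ LDAPFilter = "(proxyAddresses=*@$InternalDomain)"; Properties = 'proxyAddresses' }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    # Collect every (object, alias) pair that will be removed
    $backup = foreach ($obj in Get-ADObject @query) {
        foreach ($addr in $obj.proxyAddresses) {
            if ($addr -like "*@$InternalDomain") {
                # Uppercase 'SMTP:' marks the primary address; removing it needs a replacement primary
                if ($addr -cmatch '^SMTP:') { Write-Warning "$($obj.DistinguishedName): $addr is the primary address" }
                [pscustomobject]@{ DistinguishedName = $obj.DistinguishedName; ProxyAddress = $addr }
            }
        }
    }
    if (-not $backup) { Write-Verbose 'No non-routable aliases found'; return }

    # Record the rollback data first so every change is logged before it happens
    $backup | Export-Csv -Path $BackupCsv -NoTypeInformation

    foreach ($entry in $backup) {
        # ShouldProcess honours -WhatIf / -Confirm; nothing is changed during a dry run
        if ($PSCmdlet.ShouldProcess($entry.DistinguishedName, "Remove $($entry.ProxyAddress)")) {
            Set-ADObject -Identity $entry.DistinguishedName -Remove @{ proxyAddresses = $entry.ProxyAddress }
        }
    }
    return $backup
}

function Restore-ProxyAddressFromCsv {
    # Re-adds every alias recorded in the rollback file produced above
    param([Parameter(Mandatory)] [string] $BackupCsv)
    foreach ($entry in Import-Csv -Path $BackupCsv) {
        Set-ADObject -Identity $entry.DistinguishedName -Add @{ proxyAddresses = $entry.ProxyAddress }
    }
}

# Dry run against a pilot OU first; drop -WhatIf once the listed removals look right
Remove-NonRoutableProxyAddress -InternalDomain 'mydomain.local' -BackupCsv 'C:\Temp\proxy-backup.csv' `
    -SearchBase 'OU=Pilot,DC=mydomain,DC=local' -WhatIf
```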

Fixing Other Types of Errors

The TopLevelDomain error is just one out of several error types reported by the IdFix tool. The other types of IdFix errors are listed in the table below:

IdFix Errors

Error name            Error description
character             Use of invalid characters in attribute
duplicate             Duplicate values used on attribute on two or more objects
format                Use of invalid format in attribute
topleveldomain        Use of non-routable top level domain in mail address (usually domain.local)
domainpart            Use of invalid domain part – right-hand side of email address is not RFC 2822 compliant (e.g.
domainpart_localpart  Use of invalid local part – left-hand side of email address is not RFC 2822 compliant (e.g. user”
length                Attribute value exceeds allowed length
blank                 Attribute is empty when it should have a value
mailmatch             Attribute does not match the mail value (Office 365 Dedicated only)

Make sure to fix them all before you start your Active Directory to Azure AD migration.

Managing Office 365 After the Migration

Office 365 administration can be a nightmare as it involves a very fragmented administrative experience:

  • Local user accounts are managed in Active Directory Users & Computers
  • Office 365 licenses are managed in the Azure portal
  • Office 365 mailboxes are managed in Azure Exchange Admin Center
  • On-prem Exchange properties are managed on the (otherwise useless) on-prem Exchange server
  • Certain Office 365 mailbox configurations are only available via PowerShell
  • Azure AD Connect synchronizations are managed in the Azure AD Connect server

Do yourself a big favor and try out Easy365Manager, an Office 365 admin tool used by a large number of IT professionals all over the world.

Easy365Manager allows you to configure all of the above inside Active Directory Users & Computers. Easy365Manager adds two new tabs with intuitive Office 365 user, mailbox and license settings that cover all your daily admin needs.

Easy365Manager will save you a lot of time – and on top of that you can remove your on-prem Exchange server making it an easy business case.

A fully functional 30 day trial is available here.