The IdFix tool from Microsoft is a free tool that helps you identify and fix problems with User, Contact and Group objects in your Active Directory.
But what’s the problem? My Active Directory is running just fine!?
If you’re planning to implement Office 365, e.g. to give users Exchange Online mailboxes and get rid of your local Exchange setup, chances are you’re going for a unified login. A unified login ensures that users can authenticate against local resources (e.g. file shares) and Office 365 resources (e.g. Exchange Online mailboxes) using the same set of username and password credentials.
In order to give your users a unified login you must implement a hybrid setup by synchronizing your local AD with the Office 365 AD using the Azure AD Connect synchronization tool. And this is what the fuss is all about: Azure AD Connect has certain requirements on the state of your local Active Directory objects. Objects in a “bad state” will simply not be synchronized with Office 365. IdFix will help you identify any such issues and solve them.
What specific issues will IdFix solve?
The following is a list of the problems that IdFix will look for:
IdFix Error List

| Error | Error Type Description | Example |
|---|---|---|
| character | An attribute holds invalid characters | Email address with a trailing space, e.g. “jane.doe@company.com “ |
| duplicate | Two or more objects hold the same value in an attribute that is expected to be unique | A user and a group both have “smtp:marketing@company.com” in the proxyAddresses attribute |
| format | An attribute holds a value that is non-compliant with e.g. the SMTP address format | A user has a trailing period, e.g. “jane.doe.”, in the mailNickname attribute |
| topleveldomain | A user has a mail alias that is non-routable | A user is using the local non-routable AD domain name in a mail alias, e.g. “jane.doe@company.local” |
| domainpart | The domain part (right-hand side of the @) of a mail address is invalid | A user has “smtp:jane.doe@company” in the proxyAddresses attribute |
| domainpart_localpart | The local part (left-hand side of the @) of a mail address is invalid | A user has “smtp:jane doe@company.com” in the proxyAddresses attribute |
| length | An attribute value violates the length constraint of that attribute | A user has a very long mail address value |
| blank | An attribute with a not-null requirement is empty | A user has a blank mailNickname |
| mailmatch | Mail attribute mismatch (only applicable to Office 365 Dedicated) | A user has an smtp alias with no valid match |

To find more information about the two most common issues, see the articles on the duplicate and topleveldomain errors.
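As an added example (not code from the IdFix tool, Microsoft or this article), the following PowerShell re-implements five of the checks from the table above, character, duplicate, topleveldomain, domainpart and domainpart_localpart, so the logic behind each error type can be inspected. The `$Objects` sample data is constructed, and the `$NonRoutableTlds` list and the regular expressions are assumptions, not IdFix's actual rules.

```powershell
# Added example (not IdFix's own code): re-implements a subset of the checks from
# the table above. $Objects is constructed sample data; against a real domain use
# Get-ADObject -LDAPFilter "(proxyAddresses=*)" -Properties proxyAddresses instead.
$Objects = @(
    [pscustomobject]@{ DistinguishedName = 'CN=Jane Doe,OU=Users,DC=company,DC=local'
                       proxyAddresses    = @('SMTP:jane.doe@company.com ', 'smtp:jane.doe@company.local') }
    [pscustomobject]@{ DistinguishedName = 'CN=Marketing,OU=Groups,DC=company,DC=local'
                       proxyAddresses    = @('SMTP:marketing@company.com', 'smtp:jane doe@company.com') }
    [pscustomobject]@{ DistinguishedName = 'CN=John Roe,OU=Users,DC=company,DC=local'
                       proxyAddresses    = @('SMTP:marketing@company.com', 'smtp:john.roe@company') }
)
# Assumed list of TLDs Exchange Online cannot route to; IdFix's own list is longer.
$NonRoutableTlds = @('local', 'lan', 'internal')

function Test-ProxyAddress {
    param([string]$DistinguishedName, [string]$ProxyAddress)
    $found = @()
    # character: leading or trailing whitespace in the stored value
    if ($ProxyAddress -ne $ProxyAddress.Trim()) { $found += 'character' }
    # drop the "smtp:"/"SMTP:" prefix, then split the address at the last "@"
    $address = ($ProxyAddress.Trim() -split ':', 2)[-1]
    $at = $address.LastIndexOf('@')
    if ($at -lt 1 -or $at -eq $address.Length - 1) {
        $found += 'format'               # no "@", or an empty local or domain part
    } else {
        $local  = $address.Substring(0, $at)
        $domain = $address.Substring($at + 1)
        # domainpart_localpart: whitespace or a trailing period on the left-hand side
        if ($local -match '\s' -or $local.EndsWith('.')) { $found += 'domainpart_localpart' }
        # domainpart: the right-hand side must be a dotted DNS name;
        # topleveldomain: a valid DNS name whose TLD Office 365 cannot route to
        if ($domain -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') { $found += 'domainpart' }
        elseif ($NonRoutableTlds -contains ($domain -split '\.')[-1]) { $found += 'topleveldomain' }
    }
    foreach ($e in $found) {
        [pscustomobject]@{ DistinguishedName = $DistinguishedName; Value = $ProxyAddress; Error = $e }
    }
}

# Per-value checks for every proxy address on every object
$Report = @(foreach ($o in $Objects) {
    foreach ($p in $o.proxyAddresses) { Test-ProxyAddress $o.DistinguishedName $p }
})
# duplicate: the same address (prefix and case ignored) present on two or more objects
$Report += @($Objects | ForEach-Object { $o = $_; $o.proxyAddresses | ForEach-Object {
        [pscustomobject]@{ DN = $o.DistinguishedName; Addr = (($_.Trim() -split ':', 2)[-1]).ToLower() } } } |
    Group-Object Addr | Where-Object Count -gt 1 | ForEach-Object { foreach ($g in $_.Group) {
        [pscustomobject]@{ DistinguishedName = $g.DN; Value = $g.Addr; Error = 'duplicate' } } })
$Report | Sort-Object DistinguishedName, Error | Format-Table -AutoSize
```

With the sample data this reports one character, one topleveldomain, one domainpart, one domainpart_localpart and two duplicate rows; length, blank and mailmatch are left out because they need the attribute schema or Office 365 Dedicated context the table does not give.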
Do I Need the IdFix Tool for Office 365 Integration?
No. There’s no magic in the IdFix tool. It simply queries your Active Directory data and looks for the issues listed in the above table. You can generate your own scripts if you want to have full control of error finding and fixing. In some rare cases that would make sense, but for most small and mid-sized organizations the IdFix tool is the easiest way to prepare your domain for Azure AD Connect synchronization.
In any case you should be aware of the risk inherent in making bulk changes to mail aliases and other attributes. It is our strong recommendation that you back up the proxyAddresses attribute for all objects before starting out with IdFix. With the old values documented you can always roll your changes back when users suddenly call to complain that mail is no longer received because of a broken mail alias. Use the following script to create your proxyAddresses backup:
```powershell
Import-Module ActiveDirectory

# Start the backup file with a header row; one "DN;proxyAddress" line per alias follows
"DN;proxyAddress" | Out-File ".\proxyAddressesBackup.txt"

# Every user, contact and group object that carries at least one proxy address
$Objects = Get-ADObject -LDAPFilter "(proxyAddresses=*)" -Properties proxyAddresses

ForEach ($Object In $Objects) {
    ForEach ($proxyAddress in $Object.proxyAddresses) {
        # Record the object's DN together with each of its aliases so a single alias can be restored later
        $Output = $Object.distinguishedName + ";" + $proxyAddress
        Write-Host $Output
        $Output | Out-File ".\proxyAddressesBackup.txt" -Append
    }
}
```