Azure AD Connect sync issue
-
I have a client that seemed to create a cloud mailbox while AD sync was off. Now there is a conflict. In the portal I can see the cloud mailbox that actually contains mail, and the AD account. The UPN of the cloud account is the domain.com suffix and in the portal, the AD UPN is the domain.onmicrosoft.com suffix. In the portal the cloud account has both addresses and on prem AD has both addresses. Any idea how to straighten that out?
-
Seems like I have to do this:
Add ImmutableID from AD user to Cloud user:
$guid = (get-Aduser <username>).ObjectGuid
$immutableID = [System.Convert]::ToBase64String($guid.tobytearray())
Connect to AD Azure (Connect-MSOLService when AD Azure Powershell Module is installed)
Set-MSOLuser -UserPrincipalName <clouduserUPN> -ImmutableID $immutableID
It’s possible that the clouduserUPN must be changed to the <tenant>.onmicrosoft.com format. It should be changed by DirSync to correspond with the AD UPN.
See also http://www.joseph-streeter.com/?p=423
Then perform a sync as described in the previous section. From:
https://dirteam.com/dave/2014/08/15/fixing-office-365-dirsync-account-matching-issues/
-
The problem was once I moved the user to a test OU in the local AD that was not synced and then forced a sync, I still couldn't set the immutableID and was getting the error:
Set-MsolUser : Uniqueness violation. Property: SourceAnchor.
At line:1 char:1
+
This was because when o365 saw the account was no longer coming from AD, it moved it to deleted users. I found the user with:
Get-MsolUser -ReturnDeletedUsers |fl
and sure enough, the immutableID matched the one I was trying to set.
I purged the user with:
Remove-MsolUser -UserPrincipalName [email protected] -RemoveFromRecycleBin
Then the Set-MsolUser -UserPrincipalName [email protected] -ImmutableId $ImmutableID
worked.
-
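The steps above (compute the ImmutableID from the on-prem objectGUID, clear any soft-deleted object that still holds that SourceAnchor, then stamp the cloud user) collected into one checked script, as an added example that is not from this thread or the linked blog. It assumes the MSOnline and ActiveDirectory modules are installed, Connect-MsolService has already been run, and the parameter names shown are of my own choosing; the recycle-bin purge only happens when explicitly opted in, because it is irreversible.

```powershell
# Added example, not from the thread. Links an existing cloud user to an on-prem AD
# account by ImmutableID, checking for the SourceAnchor conflict described above first.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,  # on-prem AD user (assumed parameter)
    [Parameter(Mandatory)] [string] $CloudUpn,        # target cloud user UPN (assumed parameter)
    [switch] $PurgeConflict                           # opt in to hard-deleting a recycle-bin match
)

Import-Module ActiveDirectory
Import-Module MSOnline

# Step 1: ImmutableID is the base64 form of the on-prem objectGUID bytes.
$adUser      = Get-ADUser -Identity $SamAccountName -Properties ObjectGUID
$immutableId = [System.Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
Write-Host "Computed ImmutableID $immutableId for $($adUser.UserPrincipalName)"

# Step 2: find anything in the tenant that already carries this anchor, active or soft-deleted.
$active  = Get-MsolUser -All | Where-Object { $_.ImmutableId -eq $immutableId }
$deleted = Get-MsolUser -ReturnDeletedUsers -All | Where-Object { $_.ImmutableId -eq $immutableId }

foreach ($u in $active) {
    if ($u.UserPrincipalName -ne $CloudUpn) {
        throw "ImmutableID is already set on active user $($u.UserPrincipalName); resolve that first."
    }
}

# A soft-deleted object with the same anchor is what produces
# 'Set-MsolUser : Uniqueness violation. Property: SourceAnchor.'
foreach ($u in $deleted) {
    Write-Warning "Soft-deleted user $($u.UserPrincipalName) still holds this ImmutableID."
    if (-not $PurgeConflict) {
        throw "Re-run with -PurgeConflict to remove it from the recycle bin (irreversible)."
    }
    Remove-MsolUser -UserPrincipalName $u.UserPrincipalName -RemoveFromRecycleBin -Force
}

# Step 3: stamp the anchor so the next sync cycle hard-matches the cloud user to the AD object,
# then read it back to confirm.
Set-MsolUser -UserPrincipalName $CloudUpn -ImmutableId $immutableId
Get-MsolUser -UserPrincipalName $CloudUpn | Select-Object UserPrincipalName, ImmutableId
```

After the script completes, run a delta sync (Start-ADSyncSyncCycle -PolicyType Delta) and confirm the cloud object now reports as synced from on-premises rather than cloud-only.
-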
Yeah, we've had issues with AD accounts not purging from Exchange Online ourselves (or they are, but sitting in the recycle bin).
I've had to purge accounts before, as we had other people start with the same email, i.e. "[email protected]".
-
Hate to resurrect a dead thread, but thanks so much! This was exactly the issue in my case, although the situation was different.
I am slowly migrating a domain from Windows Server 2012 Essentials to Windows Server 2016. Up until now, AD Sync was being handled by the Office 365 Integration plugin for the Windows Server Essentials dashboard. But when I uninstalled that, it deleted all the records, which I couldn't find because I didn't know how to get a list of deleted users. So I spent the better part of today researching this to no avail, while in the meantime I'm receiving sync error notification emails every 30 minutes.
Once I manually deleted the users from the recycle bin, I forced an initial ADSync cycle and we're back in business.
So thankful to finally have this issue resolved!
-
@njbair said in Azure AD Connect sync issue:
Hate to resurrect a dead thread, but thanks so much! This was exactly the issue in my case, although the situation was different.
I am slowly migrating a domain from Windows Server 2012 Essentials to Windows Server 2016. Up until now, AD Sync was being handled by the Office 365 Integration plugin for the Windows Server Essentials dashboard. But when I uninstalled that, it deleted all the records, which I couldn't find because I didn't know how to get a list of deleted users. So I spent the better part of today researching this to no avail, while in the meantime I'm receiving sync error notification emails every 30 minutes.
Once I manually deleted the users from the recycle bin, I forced an initial ADSync cycle and we're back in business.
So thankful to finally have this issue resolved!
Awesome that these archives are useful in the real world! And welcome to the community.
-
@njbair Thanks for joining the community to share your appreciation. I'm glad I posted the steps I took to resolve the issue because if you would have asked me today how I fixed it I'm not sure I could have remembered.