|
|
相关文章推荐
小百科
›
One or more objects don't sync when the Azure Active Directory Sync tool is used | Microsoft Learn
|
单身的山羊
9 月前 |
Access to this page requires authorization. You can try
signing in
or
changing directories
.
Access to this page requires authorization. You can try
changing directories
.
You receive an error message that states that an attribute has a duplicate value.
You receive an error message that states that one or more attributes violate formatting requirements such as character set or character length.
You don't receive an error message, and directory synchronization seems to be completed. However, some objects or attributes aren't updated as expected.
(security group or distribution list) proxyAddresses
and
mail Has no "SMTP:" address entry
and
is not present Mail-enabled contacts proxyAddresses
and
mail Has no "SMTP:" address entry
and
is not present iNetOrgPerson sAMAccountName Is not present isCriticalSystemObject Is present mailNickName Starts with "SystemMailbox" mailNickName Starts with "CAS_"
and
contains "}" sAMAccountName Starts with "CAS_"
and
contains "}" sAMAccountName Equals "SUPPORT_388945a0" sAMAccountName Equals "MSOL_AD_Sync" sAMAccountName Is not present isCriticalSystemObject Is set to "True"
If you see "Blank" in the
ERROR
column after you run IdFix, the displayName attribute of the object isn't defined. To resolve this issue, specify a value for the displayName attribute of the object using these steps:
In the UPDATE column for the object, type the name of its displayName attribute.
In the ACTION column, click EDIT, and then click Apply.
Repeat steps 1 and 2 for each object that has a "blank" entry in the ERROR column.
Run IdFix again to look for more object errors.
If you see "Duplicate" in the
ERROR
column after you run IdFix, two or more objects have the same email address. To resolve this problem, specify a unique email address for the object using these steps:
In the UPDATE column for the object, type an email address that isn't already used.
In the ACTION column, click EDIT, and then click Apply.
Run IdFix again to look for more object errors.
1. The number that's displayed in parentheses next to the attribute label indicates the number of proxy address values in the multivalue attribute.
2. Each distinct proxy address value is indicated by a semicolon (;).
3. The primary SMTP proxy address value is indicated by uppercase "SMTP:" userPrincipalName
This article resolves an issue that one or more Active Directory Domain Services (AD DS) object attributes don't sync to Microsoft Entra ID through the Azure Active Directory Sync tool.
Original product version:
Cloud Services (Web roles/Worker roles), Microsoft Entra ID, Microsoft Intune, Azure Backup, Office 365 Identity Management
Original KB number:
2643629
Was this article helpful? Your input is important to us. Please use the Feedback button on this page to let us know how well this article worked for you or how we can improve it.
Symptoms
One or more AD DS objects or attributes don't sync to Microsoft Entra ID as expected. When Active Directory synchronization runs, an object doesn't sync, and you experience one of the following symptoms:
Some examples of the error message that you may receive:
A synchronized object with the same proxy address already exists in your Microsoft Online Services directory.
Unable to update this object because the user ID is not found.
Unable to update this object in Microsoft Online Services because the following attributes associated with this object have values that may already be associated with another object in your local directory.
Cause
This issue occurs for one of the following reasons:
The domain value that's used by AD DS attributes hasn't been verified.
One or more object attributes that require a unique value have a duplicate attribute value (such as the proxyAddresses attribute or the U serPrincipalName attribute) in an existing user account.
One or more object attributes violate formatting requirements that restrict the characters and the character length of attribute values.
One or more object attributes match exclusion rules for directory synchronization.
The following table shows the default sync scoping rules:
Object type Attribute name Condition of attribute when synchronization fails Mail-enabled groups(security group or distribution list) proxyAddresses
and
mail Has no "SMTP:" address entry
and
is not present Mail-enabled contacts proxyAddresses
and
mail Has no "SMTP:" address entry
and
is not present iNetOrgPerson sAMAccountName Is not present isCriticalSystemObject Is present mailNickName Starts with "SystemMailbox" mailNickName Starts with "CAS_"
and
contains "}" sAMAccountName Starts with "CAS_"
and
contains "}" sAMAccountName Equals "SUPPORT_388945a0" sAMAccountName Equals "MSOL_AD_Sync" sAMAccountName Is not present isCriticalSystemObject Is set to "True"
The user principal name (UPN) was changed after the initial synchronization and must be updated manually.
Exchange Online Simple Mail Transfer Protocol (SMTP) addresses of synced users aren't populated appropriately in the on-premises Active Directory schema.
Resolution
To resolve this issue, use one of the following methods, as appropriate for your situation.
Run IdFix to check for duplicates, missing attributes, and rule violations
Use the IdFix DirSync Error Remediation Tool to find objects and errors that prevent synchronization to Microsoft Entra ID.
Determine attribute conflicts that are caused by objects that weren't created in Microsoft Entra ID through directory synchronization
To determine attribute conflicts caused by user objects that were created by using management tools (and that weren't created in Microsoft Entra ID through directory synchronization), follow these steps:
Determine the unique attributes of the on-premises AD DS user account. To do it, on a computer that has Windows Support Tools installed, follow these steps:
Select Start , select Run , type ldp.exe, and then select OK .
Select Connection , select Connect , type the computer name of an AD DS domain controller, and then select OK .
Select Connection , select Bind , and then select OK .
Select View , select Tree View , select the AD DS domain in the BaseDN drop-down list, and then select OK .
In the navigation pane, locate and then double-click the object that isn't syncing correctly. The Details pane on the right side of the window lists all object attributes. The following example shows the object attributes:
proxyAddresses proxyAddresses (3): x500:/o=Exchange/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=1ae75fca0d3a4303802cea9ca50fcd4f-7628376; smtp:
7628376@service.contoso.com
; SMTP:
7628376@contoso.com
;
1. The number that's displayed in parentheses next to the attribute label indicates the number of proxy address values in the multivalue attribute.
2. Each distinct proxy address value is indicated by a semicolon (;).
3. The primary SMTP proxy address value is indicated by uppercase "SMTP:" userPrincipalName
7628376@contoso.com
Ldp.exe is included in Windows Server 2008 and in the Windows Server 2003 Support Tools. The Windows Server 2003 Support Tools are included in the Windows Server 2003 installation media. Or, to obtain the Support Tools, go to the following Microsoft website: Windows Server 2003 Service Pack 2 32-bit Support Tools
Connect to Microsoft Entra ID by using the Azure Active Directory module for Windows PowerShell. For more info, go to Manage Microsoft Entra ID using Windows PowerShell .
Leave the console window open. You'll need to use it in the next step.
Check for the duplicate userPrincipalName attributes.
In the console connection that you opened in step 2, type the following commands in the order in which they are presented. Press Enter after each command:
$userUPN = "<search UPN>"
In this command, the placeholder "<search UPN>" represents the UserPrincipalName attribute that you recorded in step 1f.
Get-MSOLUser -UserPrincipalName $userUPN | where {$_.LastDirSyncTime -eq $null}
Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024. To learn more, read the deprecation update. After this date, support for these modules are limited to migration assistance to Microsoft Graph PowerShell SDK and security fixes. The deprecated modules will continue to function through March, 30 2025.
We recommend migrating to Microsoft Graph PowerShell to interact with Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption after June 30, 2024.
Leave the console window open. You'll use it again in the next step.
Check for duplicate proxyAddresses attributes. In the console connection that you opened in step 2, run the following command:
Import-Module ExchangeOnlineManagement
For each proxy address entry that you recorded in step 1f, type the following commands in the order in which they are presented. Press Enter after each command:
$proxyAddress = "<search proxyAddress>"
In this command, the placeholder "<search proxyAddress>" represents the value of a proxyAddresses attribute that you recorded in step 1f.
Get-EXOMailbox | where {[string] $str = ($_.EmailAddresses); $str.tolower().Contains($proxyAddress.tolower()) -eq $true} | foreach {get-MSOLUser -UserPrincipalName $_.MicrosoftOnlineServicesID | where {($_.LastDirSyncTime -eq $null)}}
Items that are returned after you run the commands in step 3 and 4 represent user objects that weren't created through directory synchronization and that have attributes that conflict with the object that isn't syncing correctly.
Update AD DS attributes to remove duplicates, rules violations, and scoping exclusions
Identify the specific attributes that are preventing synchronization based on the following information:
Administrative email messages
The report from the output of the Office 365 Deployment Readiness Tool
Default directory synchronization scoping rules and custom rules
After a specific attribute value is identified, edit the attribute value using one of these methods:
Use the Active Directory Users and Computers tool to edit the attribute value.
Open Active Directory Users and Computers, and then select the root node of the AD DS domain.
Select View, and then make sure that the Advanced Features option is selected.
In the left navigation pane, locate the user object, right-click it, and then select Properties.
On the Object Editor tab, locate the attribute that you want. Select Edit, and then edit the attribute value to the value that you want.
Select OK two times.
Use Active Directory Service Interfaces (ADSI) Edit to update object attributes in AD DS.
You can download and install ADSI Edit as a part of the Windows Server Toolkit. To use ADSI Edit to edit attributes, follow these steps.
Warning
This procedure requires ADSI Edit. Using ADSI Edit incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems that result from the incorrect use of ADSI Edit can be resolved. Use ADSI Edit at your own risk.
Select Start, select Run, type ADSIEdit.msc, and then select OK.
Right-click ADSI Edit in the navigation pane, select Connect to, and then select OK to load the domain partition.
Locate the user object, right-click it, and then select Properties.
In the Attributes list, locate the attribute that you want. Select Edit, and then edit the attribute value to the value that you want.
Select OK two times, and then exit ADSI Edit.
Create a new group and add it to the built-in group that's not being synced
To resolve the issue in the scenario that some built-in groups (such as the Domain Users group) aren't synced, create a new group that contains all the applicable members and appropriate permissions of the built-in group. Then, add that group as a member to the built-in group that's not synced. Use the new group instead of the built-in group to manage members. By using this method, you still manage only one group.
You don't want to change the attributes of the built-in group or change the scoping rules of the identity sync appliance to allow critical system objects to be synced. It may trigger other unexpected behavior.
Use SMTP matching to cause an on-premises user object to sync to an existing user object
For more information, see How to use SMTP matching to match on-premises user accounts to Office 365 user accounts for directory synchronization.
Manually update a user account UPN
To update a user account UPN that was licensed after initial directory synchronization has occurred, follow these steps:
Install Azure Active Directory v2 PowerShell Module. For more information, see Azure Active Directory v2 PowerShell Module.
Run the following cmdlets at the Azure Active Directory v2 PowerShell prompt:
$cred = get-credential
When you're prompted, enter your admin credentials.
Connect-AzureAD
Set-AzureADUser -ObjectId [CurrentUPN] -UserPrincipalName [NewUPN]
Update user SMTP addresses by using on-premises Active Directory attributes
When SMTP attributes aren't synced to Exchange Online in an expected way, you may have to update the on-premises Active Directory attributes. To update on-premises Active Directory attributes so that the correct email address displays in Exchange Online, use Resolution 2 to manipulate the attributes in the following table.
On-premises Active Directory attribute name
Example On-premises Active Directory attribute value
Example Exchange Online email addresses
proxyAddresses
SMTP:user1@contoso.com
Primary SMTP: user1@contoso.com
Secondary SMTP: user1@contoso.onmicrosoft.com
proxyAddresses
smtp:user1@contoso.com
Primary SMTP: user1@contoso.onmicrosoft.com Secondary SMTP: user1@contoso.com
proxyAddresses
SMTP:user1@contoso.com
smtp:user1@sub.contoso.com
Primary SMTP: user1@contoso.com
Secondary SMTP: user1@sub.contoso.com
Secondary SMTP: user1@contoso.onmicrosoft.com
User1@contoso.com
Primary SMTP: user1@contoso.com
Secondary SMTP: user1@contoso.onmicrosoft.com
UserPrincipalName
User1@contoso.com
Primary SMTP: user1@contoso.com
Secondary SMTP: user1@contoso.onmicrosoft.com
The Microsoft Online Email Routing Address (MOERA) entry that's associated with the default domain (such as user1@contoso.onmicrosoft.com) is an interpreted value that's based on a user account's alias. This specialty email address is inextricably linked to each Exchange Online recipient. You can't manage, delete, or create additional MOERA addresses for any recipient. However, the MOERA address can be over-ridden as the primary SMTP address by using the attributes in the on-premises Active Directory user object.
The presence of data in the proxyAddresses attribute completely masks data in the mail attribute for Exchange Online email address population.
The presence of data in the proxyAddresses attribute, the mail attribute, or both attributes completely mask UserPrincipalName data for Exchange Online email address population. The UPN can be used to manage email addresses. However, an admin can decide to manage the email address and UPN separately by populating proxyAddresses or mail attributes.
We highly recommend that one of these attributes is used consistently to manage Exchange Online email addresses for synced users.
More information
The Windows PowerShell commands that are mentioned in this article require the Azure Active Directory module for Windows PowerShell. For more information about the Azure Active Directory module for Windows PowerShell, see the following article:
Manage Microsoft Entra ID using Windows PowerShell.
For more information about filtering directory synchronization by attributes, see the following Microsoft TechNet wiki article:
List of Attributes that are Synced by the Azure Active Directory Sync Tool
Contact us for help
If you have questions or need help, create a support request, or ask Azure community support. You can also submit product feedback to Azure feedback community.
推荐文章