Azure AD – Check and clean your on-prem AD with IdFix before migrating

Before you start syncing your On-Premises Active Directory with Azure Active Directory you should check and fix any issue’s there might be with any of the accounts. Microsoft has released a tool for this called: IdFix which you can download directly from Microsoft: IdFix DirSync Error Remediation Tool

This tool will scan your On-Prem AD or parts of your On-prem AD which you can specify. It will then identify problems like formatting issues, duplicates, etc in your On-Premises Active Directory and it will then let you fix these problems from within the tool.

The IdFix tool comes with an guide, Office 365 IdFix – Directory Error Remediation Guide, and I highly recommend that you read this guide before running the tool.

To use the IdFix tool download the tool from the Microsoft site and extract the zip file. Then start the IdFix tool, I am using version 1.09

Upon starting IdFix you will see this screen:

Click on the settings icon and choose the relevant options for your query.
For example in the Search Base you can specify a specific OU to target in your query.

The screenshot below shows the result after the query has run. In the left bottom corner the amount of objects that were scanned is displayed and that in 2 objects with an error were found.

You can specify which action the application should take to resolve these errors. The suggestions can be preceded by one of three values (suggestion flag). In the above screenshot the suggestion flag it the [C], i.e. “[C]Demo”. Please note that the preceding suggestion flag will not be inserted into the object in the Active Directory.

  • [C] – suggested action COMPLETE. The value is probably correct and may not need to be edited.
  • [E] – suggested action EDIT. The value should be changed to avoid conflict with another value in the forest.
  • [R] – suggested action REMOVE. The value is a smtp proxy on a non-mail enabled object and can probably be safely removed.

In the above screenshot the error is a mailnickname duplicate. You should only update one of the two accounts because the suggested update is the same for both accounts and therefore if you would update both they would again create a conflict.

*Below information is extract from the: Office 365 IdFix – Directory Error Remediation Guide
To correct the object attribute values, select one of the following ACTION options from the drop down list:

  • COMPLETE – The original value is acceptable and should not be changed despite being identified as being in an error state. For example, two users may have a proxyAddress identified as duplicate. Only one can use the value for mail delivery. The user with the correct value should be marked as COMPLETE, while the other user is marked as REMOVE.
  • REMOVE – The attribute value will be cleared from the source object. In the case of a multi-valued attribute; e.g. proxyAddresses, only the individual value shown will be cleared.
  • EDIT – The information in the UPDATE column will be used to modify the attribute value for the selected object. In many cases, a valid update value has been predetermined. In these cases, you can mark the ACTION as EDIT and go on to the next error. If the predetermined update value is not desired, you can manually input the new value.
  • UNDO – This value is only shown if the user has loaded a previously saved Update file. The sole operation that can be executed is to restore the original value.
  • FAIL – This value is only shown if an update value has an unknown conflict with the directory rules. In this case, you may attempt to edit the value again. It may be necessary to analyze the values in the object using ADSIEDIT.
    • Note: on empty ACTION – Only errors with a customer selected Action will be considered for update. To reiterate; unless a specific choice is made IdFix will not perform any operation on the error.

Overall this is a great tool to scan and fix your On-Premises Active Directory before you start syncing with the Azure Active Directory. If you have any questions please make sure to read the guide you will find most answers regarding the tool in the guide.

I hope this was informative. For questions or comments you can always give a reaction in the comment section or contact me:

One thought on “Azure AD – Check and clean your on-prem AD with IdFix before migrating

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.