Deploying an Exchange 2013 Hybrid Lab Environment in Windows Azure (Part 23)

If you would like to read the other parts in this article series please go to:


In part 22 of this article series revolving around what the Windows Azure service is all about as well as how you deploy an Exchange hybrid deployment in Windows Azure, we deployed the virtual machine that was to be used as the directory synchronization server, activated directory synchronization on our Azure Active Directory tenant as well as installed the Microsoft Azure Active Directory Sync Services tool.

Let’s get going…

Discovery and Remediation of Invalid Active Directory Objects

Prior to synchronizing our Active Directory forest user objects to our Azure Active Directory tenant, we will run the IdFix tool in our Active Directory forest. The purpose of IdFix is to reduce the time involved in remediating the Active Directory errors reported by the directory synchronization appliance in use.

The 365 IdFix tool provides us with the ability to identify and remediate object errors in our Active Directory forest in preparation for synchronizing them to our Azure Active Directory forest.

The IdFix tool is a free tool from Microsoft (created by my buddy Bill Ashcraft from the Microsoft US Office 365 CXP team). It can be downloaded here. When you unzip it, the exe file and documentation will be placed under “C:\Deployment Tools IdFix”. When you launch it (remember to do so in administrator mode), you will first get the privacy statement shown in Figure 1.

Click “OK”.

Figure 1: IdFix Privacy Statement

We are presented with an empty IdFix console. Let us click “Query”, which will traverse the Active Directory and list any Active Directory user objects with errors or non-accepted attribute values.

Figure 2: IdFix console

Since my Active Directory is a lab environment with script-based bulk created user objects, not a lot of errors are to be found. But IdFix did find three user objects with errors or attribute values not accepted by an Azure Active Directory tenant.

The first one has a UPN with a .local domain suffix, the second a .local proxyAddress, and the last an invalid character in the mailnickname attribute. With only three objects needing to be updated, I will go ahead and do so manually. However, if you had hundreds or even thousands of errors, you have the option to export the users to a .csv file, fix the respective attribute values and then import them to Active Directory, which will update the Active Directory objects with the new values. Yes, this is a pretty powerful tool.

Figure 3: Active Directory User objects with identified errors

So in my case where the objects will be updated manually, I will correct the value under the “UPDATE” column. IdFix will try to update this value to the correct one automatically, but for the UPN and proxyAddress, I will need to do so manually.

Figure 4: Correcting the relevant attribute values

We get a warning about the actions that are taken. Click “Yes”.

Figure 5: Apply pending warning

After the updates have been applied, the “Action” column is changed to “Completed” for each user object.

Figure 6: Status set to completed

So as you can see, this is a really good remediation tool to run prior to starting the directory synchronization.
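As a scripted cross-check of the three error classes IdFix reported above (.local UPN suffix, .local proxyAddress, invalid character in mailNickname), the following added example, which is not part of IdFix or of the original article, flags the same conditions on user objects. The function name, the sample users and the rejected-character set are assumptions made for illustration.

```powershell
# Added example: flags the three error classes IdFix found in this lab.
# Test-SyncReadiness, the sample users and the character set are hypothetical.
function Test-SyncReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject]$User,
        # Suffixes that cannot be verified as tenant domains (assumption: .local only)
        [string[]]$NonRoutableSuffix = @('.local')
    )
    begin {
        # Illustrative set of characters rejected in mailNickname;
        # confirm the exact set against the IdFix documentation.
        $badNickname = '[\s\\!#$%&*+/=?^`{}|~<>()'';:,\[\]"@]'
        function New-Finding($Attribute, $Value, $Problem) {
            [pscustomobject]@{ User = $User.SamAccountName; Attribute = $Attribute
                               Value = $Value; Problem = $Problem }
        }
    }
    process {
        foreach ($suffix in $NonRoutableSuffix) {
            $upn = $User.UserPrincipalName
            if ($upn -and $upn.ToLower().EndsWith($suffix)) {
                New-Finding 'userPrincipalName' $upn "non-routable suffix $suffix"
            }
            # @() copes with a missing, single-valued or multi-valued attribute
            foreach ($addr in @($User.proxyAddresses)) {
                if ($addr -and $addr.ToLower().EndsWith($suffix)) {
                    New-Finding 'proxyAddresses' $addr "non-routable suffix $suffix"
                }
            }
        }
        if ($User.mailNickname -match $badNickname) {
            New-Finding 'mailNickname' $User.mailNickname "invalid character '$($Matches[0])'"
        }
    }
}

# Constructed sample objects mirroring the three lab findings (not real data)
$sample = @(
    [pscustomobject]@{ SamAccountName = 'user1'; UserPrincipalName = 'user1@corp.local'
                       proxyAddresses = @('SMTP:user1@example.com'); mailNickname = 'user1' }
    [pscustomobject]@{ SamAccountName = 'user2'; UserPrincipalName = 'user2@example.com'
                       proxyAddresses = @('smtp:user2@corp.local'); mailNickname = 'user2' }
    [pscustomobject]@{ SamAccountName = 'user3'; UserPrincipalName = 'user3@example.com'
                       proxyAddresses = @('SMTP:user3@example.com'); mailNickname = 'user 3' }
)
$sample | Test-SyncReadiness | Format-Table -AutoSize

# Against a live forest (requires the ActiveDirectory module):
# Get-ADUser -Filter * -Properties proxyAddresses, mailNickname | Test-SyncReadiness
```

An empty result on a later run is a quick confirmation that the remediation applied through IdFix covered every object in scope.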

Enabling the Azure Active Directory Sync Services Scheduled Task

So back in the previous article where we configured the Azure Active Directory Sync Services tool, we chose not to run it yet since we were first going to remediate any objects with errors in one or more attributes using the IdFix tool. Although it was not started, a scheduled task was prepared for the tool. As can be seen in Figure 7, it has been configured to run every third hour. We just need to enable the task.

To enable the task, click “Enable” in the “action pane”.

Figure 7: Azure AD Sync Scheduler in the Task Scheduler console

Forcing a Directory Synchronization

So with the “old” DirSync appliance, we did/do manual/forced syncs as explained in this blog post. With the new AADSync tool, the method has changed. To perform a manual/forced sync in the AADSync tool, you now use the “DirectorySyncClientCmd.exe” application.

Figure 8: DirectorySyncClientCmd.exe application

More specifically, we launch Windows PowerShell and navigate to “C:\Program Files\Microsoft Azure AD Sync\Bin” and execute the “DirectorySyncClientCmd.exe” application. Depending on whether you want to do an initial sync or a delta sync, you append “initial” or “delta” to the command.

In our case, we wish to do an initial run as the tool has not run yet, so we will type:

.\DirectorySyncClientCmd.exe initial

This will take some minutes since the objects in scope need to be projected (imported from the Active Directory forest) into the metaverse of the AADSync tool and then be exported to the Azure Active Directory tenant.

Figure 9: Initial Directory Synchronization

As you can see, the tool will go through all the import and export operations for each connector. This is of course also reflected in the “miisclient.exe” application, which can be found under “C:\Program Files\Microsoft Azure AD Sync\UIShell”.

Figure 10: Launching the miisclient.exe application

Every import and export with detailed information about each can be retrieved under the “Operations” tab.

Figure 11: Connector operations in the miisclient.exe application

Under the “Connectors” tab, we can see the two connectors that handle object and attribute synchronization between the Active Directory forest and the Azure Active Directory tenant.

Figure 12: Connectors in the miisclient.exe application

Taking a Look at Synchronization Information in the AAD Tenant

Opening the Office 365 Portal and clicking “Active Users” should now reveal a list of all the user objects that we configured for synchronization. Also, at the top of the page, we can see that the last synchronization ran less than an hour ago.

Figure 13: Synchronized Users in the Office 365 Portal

If you want more precise information about the last synchronization run, connect to the Azure Active Directory tenant using Windows PowerShell and then type the following command:

Get-MsolCompanyInformation | fl LastDirSyncTime

Figure 14: Last synchronization date and time in PowerShell

List of Attributes Synchronized to the Azure Active Directory Tenant

When it comes to object attributes that can be synchronized from the on-premises Active Directory to the Azure Active Directory tenant, the AADSync tool can sync approximately 140 different object attributes (for a complete list, see this MSDN article).

Directory Synchronization Filtering

Some organizations (mostly large enterprises) wish to configure filtering so that the AADSync tool does not synchronize each and every valid object in the on-premises Active Directory to the tenant. Fortunately, directory synchronization filtering is supported as long as one or a combination of the following methods is used:

  • Organizational-unit (OU)–based: You can use this filtering type to manage the properties of the SourceAD Management Agent in the Directory Synchronization tool. This filtering type enables you to select which OUs are allowed to synchronize to the cloud.
  • Domain-based: You can use this filtering type to manage the properties of the SourceAD Management Agent in the directory synchronization tool. This type enables you to select which domains are allowed to synchronize to the cloud.
  • User-attribute–based: You can use this filtering method to specify attribute-based filters for user objects. This enables you to control which objects should not be synchronized to the cloud.

For information about how you configure the above three directory synchronization filtering methods, see this piece of MSDN documentation.

Directory Synchronization Limitations

There is a default limit on how many objects can be synchronized to the tenant. This has changed over time, starting at 20.000 objects. Today the default limit is 300.000 objects. If you need to synchronize more than 300.000 objects into the tenant, you need to open a service ticket with Office 365 support.

When you do a default installation of the AADSync tool, it will be configured to use a local SQL Express 2012 instance on the directory synchronization server, which has a database size limit of 10 GB. If you have more than 50.000 objects that need to be synchronized to the tenant, it is recommended to configure the AADSync tool to use a dedicated SQL instance on an SQL server.

This concludes part 23 of this multi-part article in which I provide you with an explanation of what Windows Azure is and how you configure an Exchange 2013 hybrid lab environment in Windows Azure.
