Adopting Microsoft 365 comes with a price for some companies: Active Directory (AD) corruption, or at least what administrators usually call corruption. In practice it is attribute data that the on-premises directory happily stores but Azure AD refuses, such as values containing disallowed characters, malformed addresses, or duplicates. A company can carry this kind of minor, hidden damage for years. It goes completely unnoticed until an administrator attempts to synchronize the on-premises Active Directory with Azure AD using Azure AD Connect, and the synchronization fails on the bad values.
In this article, I’ll show you how to use a free tool called IDFix to detect and resolve corruption within your Active Directory.
How to Install the IDFix Tool
IDFix ships as a ClickOnce installer, so installation takes three steps:
- Open the ClickOnce link.
- Click Run when prompted.
- Click Install.
Once you install IDFix, you can start using it to check your Active Directory for corruption. Let’s see how.
Checking the Active Directory for Corruption
The next step in the process is to use IDFix to scan the Active Directory. Select IDFix from the Windows Start menu to launch it. If nothing happens, you may need to install it again.
Occasionally, I’ve noticed you have to install IDFix twice before it works. When you launch IDFix, you should see a screen like the one shown in the figure below.
To analyze the Active Directory, you only need to click the word Query on the blue bar shown above. IDFix then analyzes your on-premises Active Directory environment for existing errors. If you have a small company with only a handful of users, the query tends to finish very quickly. In larger companies, the process can take some time to complete.
How long it takes depends on the IDFix machine’s performance, the number of Active Directory objects, and the proximity of a global catalog server.
When IDFix finishes analyzing your Active Directory, it shows you a list of the errors it found. In the figure below, IDFix detected only a single error. In larger environments, though, the tool typically finds many more.
Now that IDFix has queried the Active Directory, you have a list of errors, and the next step is to resolve them.
As you look at the previous figure, you’ll notice each error has 8 columns of information displayed. These columns include:
- Distinguished Name: The name of the object for which an error was returned.
- Common Name: The object’s common name or display name.
- Object Class: The object’s type (user, computer, etc.)
- Attribute: The attributes that produced the error.
- Error: The issue with the attribute (blank, character, format, duplicate, and so on).
- Value: The problematic value currently assigned to the attribute.
- Update: The fix that IDFix proposes using for the error.
- Action: The drop-down that lets you choose the action you want to perform (Edit, Remove, or Complete).
In the previous figure, the error was attributed to a user account (as designated by Object Class). This account is DefaultAccount (the Common Name). What caused the error was an attribute named DisplayName (listed in the Attribute column). Specifically, this attribute had a blank value (the Error column shows Blank as the error type). The Value column confirms that the attribute is indeed empty.
Even though this error is specific to my particular environment, the process I just described for understanding an error works the same way regardless of the error type. You can find a summary of the errors that the tool checks for in Microsoft’s article on IDFix errors, listed in the Resources section below.
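To make the error categories concrete, here is an added PowerShell example (not IDFix’s own code) that re-implements a simplified subset of the checks IDFix runs, so you can pre-screen an export offline and see how blank, character, format, length, and duplicate errors arise. The character sets and limits are an approximation of Microsoft’s published directory-sync attribute rules; the sample objects are constructed for illustration, and IDFix plus Microsoft’s error reference remain the authority on what will actually fail to sync.

```powershell
# Added example, not IDFix's own code: a simplified subset of IDFix-style checks.
# Rules are approximations of Microsoft's sync requirements; IDFix is authoritative.

$UpnLocalBad = "[^A-Za-z0-9._\-!#^~']"    # characters not allowed before the '@' in a UPN
$SamBad      = '[\"/\\\[\]:;|=,+*?<>]'     # characters not allowed in sAMAccountName
$ProxyPrefix = '^[A-Za-z0-9]+:'            # every proxyAddresses entry needs a type prefix (smtp:, SMTP:, x500:)

function New-Finding($Object, $Attribute, $Problem, $Value, $Update) {
    # One row shaped like the IDFix grid; the Action column is left to the operator
    [pscustomobject]@{
        DistinguishedName = $Object.DistinguishedName
        CommonName        = $Object.Name
        ObjectClass       = $Object.ObjectClass
        Attribute         = $Attribute
        Error             = $Problem
        Value             = $Value
        Update            = $Update
    }
}

function Test-SyncReadiness {
    param([Parameter(Mandatory)] [object[]] $Objects)

    $findings = [System.Collections.Generic.List[object]]::new()
    $seen     = @{}   # lower-cased address -> DN that first used it (mail and proxyAddresses share one namespace)

    foreach ($o in $Objects) {
        # blank: a user with no displayName cannot be provisioned
        if ($o.ObjectClass -eq 'user' -and [string]::IsNullOrWhiteSpace([string]$o.DisplayName)) {
            $findings.Add((New-Finding $o 'displayName' 'blank' $o.DisplayName ''))
        }

        # userPrincipalName: must be local@domain, allowed characters in the local part, 113 characters at most
        $upn = [string]$o.UserPrincipalName
        if ($upn) {
            if ($upn -notmatch '^[^@]+@[^@]+$') {
                $findings.Add((New-Finding $o 'userPrincipalName' 'format' $upn ''))
            } else {
                $local, $domain = $upn -split '@', 2
                $cleanLocal = $local -replace $UpnLocalBad, ''
                if ($cleanLocal -ne $local) {
                    # proposed update strips the offending characters, as IDFix does for character errors
                    $findings.Add((New-Finding $o 'userPrincipalName' 'character' $upn "$cleanLocal@$domain"))
                }
                if ($upn.Length -gt 113) {
                    $findings.Add((New-Finding $o 'userPrincipalName' 'length' $upn ''))
                }
            }
        }

        # sAMAccountName: no reserved characters
        $sam = [string]$o.SamAccountName
        if ($sam -and $sam -match $SamBad) {
            $findings.Add((New-Finding $o 'sAMAccountName' 'character' $sam ($sam -replace $SamBad, '')))
        }

        # mail and proxyAddresses: each proxy needs its prefix, and addresses must be unique across the set
        $addresses = @()
        if ($o.Mail) { $addresses += [pscustomobject]@{ Attr = 'mail'; Raw = [string]$o.Mail; Addr = [string]$o.Mail } }
        foreach ($p in @($o.ProxyAddresses)) {
            if (-not $p) { continue }
            if ($p -notmatch $ProxyPrefix) {
                $findings.Add((New-Finding $o 'proxyAddresses' 'format' $p "smtp:$p"))
                continue
            }
            $addresses += [pscustomobject]@{ Attr = 'proxyAddresses'; Raw = $p; Addr = ($p -replace $ProxyPrefix, '') }
        }
        foreach ($a in $addresses) {
            $key = $a.Addr.ToLowerInvariant()
            if ($seen.ContainsKey($key) -and $seen[$key] -ne $o.DistinguishedName) {
                # no Update is proposed: the operator must decide which object keeps the address
                $findings.Add((New-Finding $o $a.Attr 'duplicate' $a.Raw ''))
            } else {
                $seen[$key] = $o.DistinguishedName
            }
        }
    }
    return $findings
}

# Constructed sample objects standing in for Get-ADUser output (hypothetical DNs and names, not real directory data)
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'CN=DefaultAccount,CN=Users,DC=corp,DC=example'; Name = 'DefaultAccount'
                       ObjectClass = 'user'; DisplayName = ''; UserPrincipalName = $null; SamAccountName = 'DefaultAccount'
                       Mail = $null; ProxyAddresses = @() }
    [pscustomobject]@{ DistinguishedName = 'CN=Ann Lee,OU=Staff,DC=corp,DC=example'; Name = 'Ann Lee'
                       ObjectClass = 'user'; DisplayName = 'Ann Lee'; UserPrincipalName = 'ann lee@corp.example'
                       SamAccountName = 'alee'; Mail = 'ann.lee@corp.example'
                       ProxyAddresses = @('SMTP:ann.lee@corp.example', 'ann.lee@example.net') }
    [pscustomobject]@{ DistinguishedName = 'CN=Bob Roy,OU=Staff,DC=corp,DC=example'; Name = 'Bob Roy'
                       ObjectClass = 'user'; DisplayName = 'Bob Roy'; UserPrincipalName = 'bob.roy@corp.example'
                       SamAccountName = 'b|roy'; Mail = 'ann.lee@corp.example'
                       ProxyAddresses = @('SMTP:bob.roy@corp.example') }
)

Test-SyncReadiness -Objects $sample | Format-Table CommonName, Attribute, Error, Value, Update -AutoSize
```

Run against the constructed data, the script reports five rows: the blank displayName on DefaultAccount, the space in Ann Lee’s UPN (with a stripped value proposed as the Update), her second proxy address missing its smtp: prefix, the pipe character in Bob Roy’s sAMAccountName, and Bob’s mail attribute duplicating Ann’s address with no Update proposed. To run it against a real directory, replace $sample with the output of `Get-ADUser -Filter * -Properties displayName,mail,proxyAddresses` from the RSAT ActiveDirectory module; keep in mind that IDFix also examines groups and contacts and applies rules this example does not, so it is a pre-screen, not a substitute for the Query.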
Once you’ve identified the Active Directory errors present, you have 4 main options to address those errors. Let’s see how.
1. Edit the Value
The first option is to choose Edit from the Action drop-down. This applies the value shown in the Update column to the attribute, overwriting whatever was present before. Note that in some situations the Update column is empty. This is especially true when IDFix finds duplicate values, because the tool cannot know which object should keep the value. Whichever action you choose, nothing is written to Active Directory until you click Apply, so review the proposed updates before you do; IDFix records the changes it applies so that Undo can revert them if something goes wrong.
2. Remove the Value
A second option is to choose Remove from the Action drop-down. This clears the attribute’s value. Depending on which attribute is in an error state, clearing the value may make the error go away. It could also produce a different error, like the one shown in the previous screen capture, because the value is now blank.
3. Mark the Value as Complete
The third way you can remediate an error is to mark the value as complete. This tells IDFix that the existing value is OK and isn’t actually an error. Normally, you’d only do this if duplicate values were detected. For example, if two users have the same email address, then the address might be correct for one of those accounts. In this case, you’d want to mark the correct account as complete. Then, you’ll modify the value for the second account.
4. Manual Intervention
A fourth way of resolving errors is to modify the objects and attributes yourself with native Active Directory management tools, such as the Active Directory Users and Computers console or the ActiveDirectory PowerShell module. Once done, rerun the IDFix tool to ensure the errors are no longer present.
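The manual route can be scripted when there are many objects to touch. The following is an added PowerShell example (not IDFix’s or Microsoft’s code) showing how a practitioner would apply a reviewed list of fixes with the RSAT ActiveDirectory module while snapshotting each attribute’s current value first, so the changes can be rolled back. It needs a connection to a domain controller and an account with write access to the target objects; the distinguished names, attribute values and the idfix-rollback.csv file name are assumptions made for the illustration.

```powershell
# Added example, not IDFix's own code. Requires the RSAT ActiveDirectory module and write access to the objects.
Import-Module ActiveDirectory

function Repair-SyncAttribute {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Objects with DistinguishedName, Attribute and Update; an empty Update clears the attribute (IDFix's Remove)
        [Parameter(Mandatory)] [object[]] $Fixes,
        # CSV that receives the pre-change values so the repair can be undone
        [Parameter(Mandatory)] [string]   $RollbackCsv
    )

    # Read every current value before anything is written; multi-valued attributes are joined with '|'
    $snapshot = foreach ($f in $Fixes) {
        $attr    = $f.Attribute
        $current = Get-ADObject -Identity $f.DistinguishedName -Properties $attr
        [pscustomobject]@{
            DistinguishedName = $f.DistinguishedName
            Attribute         = $attr
            Before            = (@($current.$attr | ForEach-Object { "$_" }) -join '|')
            After             = $f.Update
        }
    }
    $snapshot | Export-Csv -Path $RollbackCsv -NoTypeInformation

    foreach ($f in $Fixes) {
        $attr   = $f.Attribute
        $target = "$($f.DistinguishedName) [$attr]"
        if ([string]::IsNullOrEmpty($f.Update)) {
            if ($PSCmdlet.ShouldProcess($target, 'Clear attribute')) {
                Set-ADObject -Identity $f.DistinguishedName -Clear $attr
            }
        } elseif ($PSCmdlet.ShouldProcess($target, "Set to '$($f.Update)'")) {
            Set-ADObject -Identity $f.DistinguishedName -Replace @{ $attr = $f.Update }
        }
    }
}

function Undo-SyncAttributeRepair {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $RollbackCsv)

    foreach ($row in Import-Csv -Path $RollbackCsv) {
        $attr   = $row.Attribute
        $target = "$($row.DistinguishedName) [$attr]"
        if ($row.Before -eq '') {
            if ($PSCmdlet.ShouldProcess($target, 'Restore to blank')) {
                Set-ADObject -Identity $row.DistinguishedName -Clear $attr
            }
            continue
        }
        # Split joined multi-values back out; a single value is passed as a plain string
        $before = $row.Before -split '\|'
        if ($before.Count -eq 1) { $before = $before[0] }
        if ($PSCmdlet.ShouldProcess($target, "Restore '$($row.Before)'")) {
            Set-ADObject -Identity $row.DistinguishedName -Replace @{ $attr = $before }
        }
    }
}

# Constructed fixes for illustration (hypothetical DNs and values), the kind of list you would assemble
# after reviewing the IDFix grid rather than accepting every suggestion blindly
$fixes = @(
    [pscustomobject]@{ DistinguishedName = 'CN=DefaultAccount,CN=Users,DC=corp,DC=example'; Attribute = 'displayName';       Update = 'Default Account' }
    [pscustomobject]@{ DistinguishedName = 'CN=Ann Lee,OU=Staff,DC=corp,DC=example';        Attribute = 'userPrincipalName'; Update = 'annlee@corp.example' }
)

# Dry run: -WhatIf prints the planned changes and writes nothing to the directory
Repair-SyncAttribute -Fixes $fixes -RollbackCsv '.\idfix-rollback.csv' -WhatIf
# Real run, then rerun IDFix; keep the CSV until the sync has been verified:
#   Repair-SyncAttribute -Fixes $fixes -RollbackCsv '.\idfix-rollback.csv'
#   Undo-SyncAttributeRepair -RollbackCsv '.\idfix-rollback.csv'
```

Two practical notes. The dry run still reads the objects, so it also validates that every distinguished name in the list resolves before you commit. And some of the attributes IDFix flags are identity-bearing: changing a userPrincipalName alters how that person signs in on-premises and, after synchronization, in Azure AD, so coordinate those edits with the user rather than treating them like a cosmetic displayName fix.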
When you finish resolving all the errors that the IDFix tool reported, it’s extremely important to go back and rerun the tool. This is important for two reasons:
- If an Active Directory object contains multiple errors, IDFix lists only the first one it encounters. Resolving that error doesn’t make the others go away, and rerunning the tool surfaces the remaining ones.
- Resolving an error can occasionally trigger a new one. For example, this can happen when you set certain attributes to a null value.
As a best practice, you should keep running the IDFix tool until errors are no longer being reported.
Do you have more questions about using IDFix to correct Active Directory? Check out the FAQ and Resources sections below.
What causes Active Directory objects to become corrupt?
The problems IDFix reports are rarely corruption in the database sense. Active Directory is reliable and will happily store values that Azure AD refuses, such as a space in a user principal name, a proxy address without its prefix, or the same email address on two objects. These usually come from hand-typed entries, bulk imports, migration scripts, and merged directories. Genuine database corruption caused by failing storage or memory is a different problem that IDFix does not look for; the best defense against that is server-grade hardware with error-correcting RAM.
Does my location matter when I run IDFix?
While you can technically run IDFix from anywhere, it’s a good idea to ensure you’ve got a global catalog server on your network. IDFix queries the global catalog. If the nearest global catalog server is across a WAN link, it could result in poor performance.
What are the minimum hardware requirements to run IDFix?
IDFix requires at least 4 GB of RAM and 2 GB of hard disk space. Although it’s not technically a requirement, it’s also a good idea to use a machine with an SSD. IDFix is IO intensive, and an SSD can greatly improve the tool’s performance. The full requirements are in Microsoft’s IDFix documentation, listed in the Resources section below.
What versions of Windows can I run IDFix on?
IDFix runs on both Windows Server and on desktop versions of Windows. Windows Server 2008 R2 and higher are supported, as are Windows 7 and higher systems. The operating system should run a 64-bit architecture and .NET 4.0 or higher is required.
What are the most common errors reported by IDFix?
The most commonly reported error is the Character error, raised when a value contains a character that Azure AD does not accept, such as a space in a userPrincipalName. Another common one is the Format error, raised when a value is structurally wrong, for example a proxyAddresses entry that lacks its smtp: prefix.
TechGenix: Article on IDFix Correcting Azure AD
TechGenix: Article on Basics of IDFix
Read more on the basics of using IDFix.
TechGenix: Article on IDFix Use-cases
Find out why you may sometimes need to use the IDFix tool, even if you aren’t aware of any problems.
Microsoft: Documentation for IDFix
GitHub: Article on IDFix Tool
Find the IDFix tool on GitHub.
Microsoft: Article on IDFix Errors
Learn about errors you may face when running the IDFix tool.