Sync Issues Caused by Multiple AD Accounts and One Mailbox

For most of my projects, I use CSVDE to gather information on all objects found in AD and build a spreadsheet from the export.

csvde.exe -m -f %userdomain%_all-objects.csv

To gather only user objects via CSVDE, run this command…

csvde.exe -r objectClass=user -f %userdomain%_user-objects.csv


While preparing for a hybrid configuration, I found an interesting conflict between a user logon name (UPN) and an SMTP address. Sifting through the user objects, this is the conflict I found…

User Object #1
  • Display Name: Joe Smith
  • User logon name: joesmith@domain.com
  • User logon name (Pre-Windows 2000): DOMAIN\joe
  • Proxy Address: None
User Object #2
  • Display Name: Joe Smith
  • User logon name: <blank>
  • User logon name (Pre-Windows 2000): DOMAIN\joesmith
  • Proxy Address: joesmith@domain.com


Unfortunately, the client did not know which “Joe Smith” AD account the employee was using to log in to the workstation. Therefore, I spent some time with the client to identify and resolve the conflict. More about that in a minute.

However, before I addressed the conflict it was important to show the client what would happen if the conflict wasn’t resolved. After implementing and running directory synchronization, an error was received stating that an attribute value on this object is already in use by another object (Error: AttributeValueMustBeUnique).

Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [UserPrincipalName joesmith@domain.com;]. Correct or remove the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.


It was determined that the user was logging into their workstation with the account information related to “User Object #2”. To resolve the conflicting attributes we made the following changes to both AD objects…

User Object #1
  • Display Name: Joe Smith
  • User logon name: joe@domain.com
  • User logon name (Pre-Windows 2000): DOMAIN\joe
  • Proxy Address: None
User Object #2
  • Display Name: Joe Smith
  • User logon name: joesmith@domain.com
  • User logon name (Pre-Windows 2000): DOMAIN\joesmith
  • Proxy Address: joesmith@domain.com


After the changes were made, directory synchronization completed without error and both accounts showed in O365. User Object #1 was found not to be in use and was disabled and removed from the filtered OUs so it wouldn’t show in O365.
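One way to catch this before running directory synchronization is to scan the CSVDE export from the start of the post for any address that appears as a UPN or as an SMTP proxy address on more than one object, which is exactly the overlap the AttributeValueMustBeUnique error reports. This is an added example and not part of the original post; the sample export rows are constructed to mirror the two Joe Smith objects before and after the fix, and the column set (DN, displayName, userPrincipalName, sAMAccountName, proxyAddresses) is assumed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in CSVDE export layout (not a real export).
# CSVDE writes multi-valued attributes such as proxyAddresses as a
# single field with the values separated by ';'.
CONFLICTING_EXPORT = """DN,displayName,userPrincipalName,sAMAccountName,proxyAddresses
"CN=Joe Smith,OU=Users,DC=domain,DC=local",Joe Smith,joesmith@domain.com,joe,
"CN=Joe Smith2,OU=Users,DC=domain,DC=local",Joe Smith,,joesmith,SMTP:joesmith@domain.com
"CN=Ann Lee,OU=Users,DC=domain,DC=local",Ann Lee,ann@domain.com,ann,SMTP:ann@domain.com;smtp:alee@domain.com
"""

# The same two objects after the change described above: #1 keeps
# joe@domain.com, #2 owns joesmith@domain.com as both UPN and proxy.
RESOLVED_EXPORT = """DN,displayName,userPrincipalName,sAMAccountName,proxyAddresses
"CN=Joe Smith,OU=Users,DC=domain,DC=local",Joe Smith,joe@domain.com,joe,
"CN=Joe Smith2,OU=Users,DC=domain,DC=local",Joe Smith,joesmith@domain.com,joesmith,SMTP:joesmith@domain.com
"""


def find_conflicts(csv_text):
    """Return [(address, [DNs])] for every address claimed by more than one object.

    Both the UPN and every smtp:/SMTP: proxy address count as a claim, because
    directory sync requires the combined set to be unique across the tenant.
    """
    owners = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        dn = row["DN"]
        upn = row["userPrincipalName"].strip().lower()
        if upn:
            owners[upn].add(dn)
        for proxy in row["proxyAddresses"].split(";"):
            proxy = proxy.strip()
            # Only SMTP proxies matter here; X500/x400 entries are ignored.
            if proxy.lower().startswith("smtp:"):
                owners[proxy[len("smtp:"):].lower()].add(dn)
    # An address on one object as both UPN and proxy is fine; two objects is not.
    return sorted((addr, sorted(dns)) for addr, dns in owners.items() if len(dns) > 1)


if __name__ == "__main__":
    for label, export in (("before", CONFLICTING_EXPORT), ("after", RESOLVED_EXPORT)):
        print(f"{label}: {find_conflicts(export) or 'no conflicts'}")
```

Run it against `%userdomain%_user-objects.csv` with `open(path, encoding="utf-8-sig")` in place of the constructed strings; every address it lists would be rejected by directory synchronization until only one object claims it.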


Additional Steps to Troubleshoot Sync Issues

Your specific issue may be different, but here are a couple of other troubleshooting methods to try.

IdFix is a great tool to quickly locate and address potential AD object issues on-premises prior to syncing to O365. By default, IdFix runs with a rule set for a multi-tenant O365 implementation. That is fine, but you may want to change the setting to “Dedicated” as well, since I’ve seen cases where not all of the results display. Note that the filters IdFix uses are different for multi-tenant versus dedicated…

Multi-Tenant Filter: (|(objectCategory=Person)(objectCategory=Group))
Dedicated Tenant Filter: (&(mail=*)(|(objectCategory=Person)(objectCategory=Group)))


We can also check in Active Directory to look for conflicting proxy addresses…
  1. Open Active Directory Users and Computers.
  2. Right-click the domain object (e.g. domain.local) and click Find from the context menu.
  3. In the Find drop-down list, select Custom Search.
  4. Click the Advanced tab.
  5. In the Enter LDAP query field, enter the following text (modify for your issue): proxyaddresses=smtp:alias@domain.com
  6. Click Find Now.
  7. Resolve the conflict.


Additional syncing conflicts may arise when users create a Microsoft Live account that matches their company email address. Delete the conflicting Microsoft Live account.

I have also seen issues when a company was using FOPE or EOP prior to their O365 migration. Work with the Office 365 EOP support team to resolve.

Lastly, don’t forget to look at those mail-enabled public folders too.
