IdFix – Directory synchronization error remediation tool

In the previous article, we changed users' UPNs with PowerShell. Before installing Azure AD Connect and synchronizing the on-premises AD objects to Azure AD, it's essential to run the Microsoft Office 365 IdFix tool. It shows which AD objects have errors so that you can fix them; if there are no errors, you are good to go. In this article, we look at how to use the Microsoft IdFix tool.

What is IdFix?

IdFix is used to perform discovery and remediation of identity objects and their attributes in an on-premises Active Directory environment in preparation for migration to Azure Active Directory. IdFix is intended for the Active Directory administrators responsible for directory synchronization with Azure Active Directory.

The Microsoft Office 365 IdFix tool allows you to identify and remediate object errors in the Active Directory in preparation for deployment to Azure Active Directory or Office 365. You can then successfully synchronize users, contacts, and groups from the on-premises Active Directory into Azure Active Directory.

Install IdFix

1. Download IdFix from GitHub or from the direct download link.

The setup will install the following prerequisites if they are not already present on your machine:

  • Microsoft .NET Framework 4.5.2 (x86 and x64)
  • Windows Installer 3.1

2. Run setup.exe. The installer asks whether you want to install IdFix. Click Install.

IdFix - Directory synchronization error remediation tool install

3. Accept the Privacy Statement. Click OK.

IdFix - Directory synchronization error remediation tool privacy statement

How to use IdFix

In IdFix, click on Query.

Note: You may get the Schema Warning message: "The following attributes are present in the schema but are not marked for replication to the Global Catalog and will not be analyzed for errors." This is expected; click Yes to continue.

If there are errors, IdFix lists each AD object together with the attribute and the error. Go to that AD object and correct the value.

In this example, there are three errors.

IdFix - Directory synchronization error remediation tool errors

After fixing the errors, click Query again and verify that the list is empty.

IdFix - Directory synchronization error remediation tool no errors

IdFix errors

See the list of errors that you might see in IdFix.

  • Character: The Value contains an invalid character. The suggested Update will show the Value with the character removed.
  • Format: The Value violates the format requirements for the attribute usage. The suggested Update will show the Value with any invalid characters removed. If there are no invalid characters, the Update and Value will appear the same. It is up to the user to determine what they really want in the Update. For example, SMTP addresses must comply with RFC 2822, and mailNickName cannot start or end with a period.
  • TopLevelDomain: This applies to values subject to RFC 2822 formatting. If the top level domain is not internet routable, this will be identified as an error. For example, an SMTP address ending in .local is not internet routable and would cause this error.
  • DomainPart: This applies to values subject to RFC 2822 formatting. If the domain portion of the value is invalid beyond the top level domain routing, this error will be generated.
  • LocalPart: This applies to values subject to RFC 2822 formatting. If the local portion of the value is invalid, this error will be generated.
  • Length: The Value violates the length limit for the attribute. This is most commonly encountered when the schema has been altered. The suggested Update will truncate the Value to the attribute standard length.
  • Duplicate: The Value has a duplicate within the scope of the query. All duplicate values will be displayed as errors. The user can Edit or Remove values to eliminate duplication.
  • Blank: The Value violates the null restriction for attributes to be synchronized. Only a few attributes must contain a value. The suggested Update will leverage other attribute values in order to generate a likely substitute.
  • MailMatch: This applies to Dedicated only. The Value does not match the mail attribute. The suggested Update will be the mail attribute value prefixed by "SMTP:".
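The error classes in the list above, and the Query / fix / Query-again loop described earlier, can also be scripted so that a report exists before IdFix or Azure AD Connect is run. The following PowerShell script is an added example written for this article; it is not IdFix code and not Microsoft's implementation of these checks. The objects it inspects are constructed sample data, the attribute length limits and the list of non-routable top-level domains are assumptions based on Azure AD documentation, and the commented Get-ADUser line assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example for this article; not IdFix code and not Microsoft's implementation.
# It reproduces the error classes from the list above (Character, Format, TopLevelDomain,
# DomainPart, LocalPart, Length, Duplicate, Blank, MailMatch) over a set of directory objects.
# $Sample below is constructed data; for a real domain, pipe Get-ADUser output into
# Test-IdFixErrors instead (assumes the RSAT ActiveDirectory module is installed).

# Attribute length limits Azure AD Connect enforces (assumption: values from Microsoft's
# directory synchronization attribute documentation).
$MaxLength = @{ displayName = 256; givenName = 64; sn = 64; mailNickname = 64; userPrincipalName = 113 }

# Top-level domains that are not internet routable (assumption: extend for your environment).
$NonRoutableTld = @('local', 'lan', 'internal', 'corp', 'home')

# Characters allowed in the local part of a UPN or SMTP address (assumption: Azure AD UPN rules).
$LocalPartPattern = '^[A-Za-z0-9''._\-!#^~]+$'

function Test-RfcAddress {
    # Returns the IdFix error name for one SMTP-style value, or $null if it passes.
    param([string]$Value)
    $parts = $Value -split '@'
    if ($parts.Count -ne 2) { return 'Format' }
    $localPart, $domainPart = $parts
    if ($localPart -eq '' -or $localPart.StartsWith('.') -or $localPart.EndsWith('.')) { return 'LocalPart' }
    if ($localPart -notmatch $LocalPartPattern) { return 'Character' }
    $labels = $domainPart -split '\.'
    $badLabels = @($labels | Where-Object { $_ -notmatch '^[A-Za-z0-9-]+$' })
    if ($labels.Count -lt 2 -or $badLabels.Count -gt 0) { return 'DomainPart' }
    if ($NonRoutableTld -contains $labels[-1].ToLower()) { return 'TopLevelDomain' }
    return $null
}

function New-Finding {
    # One row, shaped like the IdFix result grid.
    param($Object, [string]$Attribute, [string]$Value, [string]$ErrorName)
    [pscustomobject]@{
        DistinguishedName = $Object.DistinguishedName
        Attribute         = $Attribute
        Value             = $Value
        Error             = $ErrorName
    }
}

function Test-IdFixErrors {
    param([Parameter(ValueFromPipeline = $true)][object[]]$Objects)
    begin { $all = @() }
    process { $all += $Objects }
    end {
        $findings = @()
        foreach ($o in $all) {
            # Blank / Character / Format / LocalPart / DomainPart / TopLevelDomain
            foreach ($attr in 'userPrincipalName', 'mail') {
                $v = [string]$o.$attr
                if ($v -eq '') {
                    # Assumption: only the UPN is treated as mandatory in this example
                    if ($attr -eq 'userPrincipalName') { $findings += New-Finding $o $attr $v 'Blank' }
                    continue
                }
                $err = Test-RfcAddress $v
                if ($err) { $findings += New-Finding $o $attr $v $err }
            }
            # Length
            foreach ($attr in $MaxLength.Keys) {
                $v = [string]$o.$attr
                if ($v.Length -gt $MaxLength[$attr]) { $findings += New-Finding $o $attr $v 'Length' }
            }
            # Format: mailNickname may not start or end with a period
            $nick = [string]$o.mailNickname
            if ($nick -ne '' -and ($nick.StartsWith('.') -or $nick.EndsWith('.'))) {
                $findings += New-Finding $o 'mailNickname' $nick 'Format'
            }
            # MailMatch: the primary (upper-case SMTP:) proxy address must equal the mail attribute
            $primary = @($o.proxyAddresses | Where-Object { $_ -cmatch '^SMTP:' } | ForEach-Object { $_.Substring(5) })
            if ($o.mail -and $primary.Count -gt 0 -and ($primary -notcontains $o.mail)) {
                $findings += New-Finding $o 'proxyAddresses' ($primary -join ';') 'MailMatch'
            }
        }
        # Duplicate: the same value on more than one object within the query scope
        foreach ($attr in 'userPrincipalName', 'mail') {
            $groups = $all | Where-Object { $_.$attr } | Group-Object -Property $attr | Where-Object { $_.Count -gt 1 }
            foreach ($g in $groups) {
                foreach ($dup in $g.Group) { $findings += New-Finding $dup $attr $dup.$attr 'Duplicate' }
            }
        }
        $findings
    }
}

function New-SampleUser {
    # Constructed test object; the property names match what Get-ADUser -Properties returns.
    param([string]$Cn, [string]$Upn, [string]$Mail, [string]$Nick, [string[]]$Proxy)
    [pscustomobject]@{
        DistinguishedName = "CN=$Cn,OU=Users,DC=example,DC=local"
        userPrincipalName = $Upn; mail = $Mail; mailNickname = $Nick
        proxyAddresses    = $Proxy; displayName = $Cn
    }
}

$Sample = @(
    (New-SampleUser 'Amanda Morgan' 'amanda.morgan@example.local' 'amanda.morgan@example.com' 'amanda.morgan' @('SMTP:amanda.morgan@example.com'))  # TopLevelDomain
    (New-SampleUser 'John Smith' 'john smith@example.com' 'john.smith@example.com' 'john.smith' @('SMTP:john.smith@example.com'))              # Character
    (New-SampleUser 'Jane Doe' 'jane.doe@example.com' 'jane.doe@example.com' '.jdoe' @('SMTP:jane.doe@example.com'))                          # Format
    (New-SampleUser 'Jane Doe Old' 'jane.doe2@example.com' 'jane.doe@example.com' 'jdoe2' @('SMTP:jane.doe@example.com'))                     # Duplicate (mail)
    (New-SampleUser 'Bob Brown' 'bob@example.com' 'bob@example.com' 'bob' @('SMTP:robert.brown@example.com', 'smtp:bob@example.com'))       # MailMatch
    (New-SampleUser 'Svc Account' '' 'svc@example.com' 'svc' @('SMTP:svc@example.com'))                                                       # Blank UPN
)

# Constructed run. Against a real domain use something like:
# Get-ADUser -Filter * -Properties mail, mailNickname, proxyAddresses, displayName | Test-IdFixErrors
$Sample | Test-IdFixErrors | Format-Table DistinguishedName, Attribute, Value, Error -AutoSize
```

Each finding carries the same four columns as the IdFix grid (object, attribute, value, error), so the output can be compared directly with what IdFix reports after Query. The script only reports; as with IdFix, the correction is still made on the AD object itself, and the Query should be repeated until the list is empty.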

We fixed the synchronization errors on the AD objects with IdFix, and we are good to go.

In the next step, we will install and configure Azure AD Connect.

Conclusion

You learned how to use IdFix, the directory synchronization error remediation tool. Run IdFix before installing Azure AD Connect and make sure that there are no errors. The list of errors and their descriptions explain why each error appears.

Did you enjoy this article? You may also like Exchange Server health check with PowerShell script. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 6 Comments

  1. Thank you, Ali, for the Exchange Hybrid article and associated links. Your website is extraordinary. Wonderfully put together with meticulous detail and a generous offering to the world at large. Quick observation on this page: on Windows 2008 R2 and above, IdFix should not be run on the domain controller. Could be helpful. Best.

  2. I run query using Idfix on AD. All my users come up with “TopLevelDomain” error. However the value column is showing their user accounts with internet routable domains and the recommended update is populated with the same user account names with their internet routable domains. When I click “Accept” and then “Apply” I get a fail. I am suspecting it might be due to the fact that the domain is in the format “username@xxx.group”. Any ideas?

  3. Great article, thanks!

    I had an installation error on server 2019 which can be solved like this:

    This issue occurs when SSL caching is disabled. The following registry change fixes the issue, it can be changed back immediately after installation:
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    “DisableCachingOfSSLPages”=dword:00000000

  4. Hi Ali,

    Getting this error message when loading IdFix. Please help.

    When trying to do a query, it is throwing the error "The following attributes are present in the schema but are not marked for replication to the globalcalalog and will not be analyzed for errors. Do you want to continue? IscritialSystemobject"

    I click Yes and nothing happens.

    Do we need to make any changes in AD schema and replicate the iscriticalsystemobject attribute?

  5. Do you know what filter to use to list only accounts belonging to a specific group?
    LDAP filters work in PS but not in the idfix.
