Microsoft small business knowledge base

Article ID: 2647098 - Last Review: July 9, 2014 - Revision: 33.0

PROBLEM

In Microsoft Office 365, an administrator receives the following email message warning when directory synchronization finishes:
From: MSOnlineServicesTeam@MicrosoftOnline.com
Subject: Directory Synchronization Error Report
The error report in the email message may contain one or more of the following error messages:
  • A synchronized object with the same proxy address already exists in your Microsoft Online Services directory.
  • Unable to update this object because the user ID is not found.
  • Unable to update this object in Microsoft Online Services because the following attributes associated with this object have values that may already be associated with another object in your local directory.

CAUSE

This issue may occur if user objects in the on-premises Active Directory Domain Services (AD DS) schema have duplicate or invalid alias values, and if these user objects are not synced from the AD DS schema to Office 365 correctly during directory synchronization.

All alias values in Office 365 must be unique for a given organization. Even if you have multiple unique suffixes after the at sign (@) in the Simple Mail Transfer Protocol (SMTP) address, all alias values must be unique.

In an on-premises environment, you can have alias values that are the same as long as they are unique based on the suffixes after the at sign (@) in the SMTP address.

If you create objects that have duplicate alias values in the cloud for Office 365, to make the aliases unique, one alias has a unique number appended to it. (For example, if the duplicate alias values are "Albert," one of them becomes "Albert2" automatically. If "Albert2" is already being used, the alias becomes "Albert3," and so on.) However, if objects that have duplicate alias values are created in your on-premises AD DS, an object collision occurs when directory synchronization runs, and object synchronization fails.
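The alias rule described above can be checked offline before synchronization runs. The following is an added example, not part of the original article or of any Microsoft tool: it treats the part of each SMTP proxy address before the at sign (@) as the alias (an assumption), and the user names, addresses, and the Get-AliasCollision function name are constructed for illustration.

```powershell
# Constructed sample data: stand-ins for on-premises AD DS user objects and
# their proxyAddresses values. None of these values come from the article.
$users = @(
    [pscustomobject]@{ Name = 'Albert (Sales)'
                       ProxyAddresses = @('SMTP:Albert@contoso.com', 'smtp:asales@contoso.com') }
    [pscustomobject]@{ Name = 'Albert (Support)'
                       ProxyAddresses = @('SMTP:albert@service.contoso.com') }
    [pscustomobject]@{ Name = 'Dana'
                       ProxyAddresses = @('SMTP:dana@contoso.com', 'x500:/o=Example/cn=Recipients/cn=dana') }
)

# Hypothetical helper: reports aliases that are used by more than one object,
# even when the suffix after the at sign (@) differs.
function Get-AliasCollision {
    param([Parameter(Mandatory)] [object[]] $User)

    $rows = foreach ($u in $User) {
        foreach ($address in $u.ProxyAddresses) {
            # Only SMTP entries carry an alias; x500 and other types are skipped.
            # -match is case-insensitive, so it accepts both "SMTP:" and "smtp:".
            if ($address -match '^smtp:(?<alias>[^@]+)@(?<suffix>.+)$') {
                [pscustomobject]@{
                    Name      = $u.Name
                    Alias     = $Matches['alias'].ToLowerInvariant()
                    Suffix    = $Matches['suffix'].ToLowerInvariant()
                    # Uppercase "SMTP:" marks the primary address.
                    IsPrimary = $address -clike 'SMTP:*'
                }
            }
        }
    }

    # Two addresses on the same object are not a collision; two objects are.
    $rows | Group-Object Alias | Where-Object {
        @($_.Group.Name | Sort-Object -Unique).Count -gt 1
    } | ForEach-Object {
        [pscustomobject]@{
            Alias     = $_.Name
            Objects   = @($_.Group.Name | Sort-Object -Unique)
            Addresses = @($_.Group | ForEach-Object { '{0}@{1}' -f $_.Alias, $_.Suffix })
        }
    }
}

Get-AliasCollision -User $users | Format-List
```

With the sample data, the two "Albert" objects are reported because they share an alias under different suffixes, which is valid on-premises but collides in Office 365.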

SOLUTION

To resolve this issue, determine duplicate values and values that conflict with other AD DS objects. To do this, you can use the IdFix DirSync Error Remediation Tool or the Microsoft Online Services Diagnostics and Logging (MOSDAL) Support Toolkit.

Method 1: Use the IdFix DirSync Error Remediation Tool

Use the IdFix DirSync Error Remediation Tool to identify duplicate or invalid attributes. To resolve duplicate attributes by using the IdFix Tool, see the following Microsoft Knowledge Base article:
2857385  (http://support.microsoft.com/kb/2857385/ ) "Duplicate" is displayed in the ERROR column for two or more objects after you run the IdFix tool
For more information about the IdFix tool, go to IdFix DirSync Error Remediation Tool (http://www.microsoft.com/en-ca/download/details.aspx?id=36832).

Method 2: Use the MOSDAL Support Toolkit

To obtain information about invalid attributes by using the MOSDAL Support Toolkit, follow these steps:
  1. Download and install the MOSDAL Support Toolkit from the following Microsoft website:
    http://www.microsoft.com/download/en/details.aspx?id=626
  2. Run the MOSDAL Support Toolkit, select Single Sign On (SSO) from the list of Office 365 services, and then click Next.
  3. When you're prompted to enter your credentials, enter your user ID, and then click Next. Your password isn't saved and is used only to simulate an authentication attempt and log the results.
  4. On the Reproduce Problem screen, click Next.
  5. When the report is finished, locate the MOSDALREPORT.zip file in the Documents\MOSDAL library. The report files that contain information about invalid attributes are located in the MOSDALREPORT\Admin_Applications\Directory_Synchronization_Tool\DirSyncObjects.xml file.

Determine attribute conflicts that are caused by objects that weren't created in Microsoft Azure AD through directory synchronization

To determine attribute conflicts that are caused by user objects that were created by using Office 365 management tools (and that weren't created in Azure AD through directory synchronization), follow these steps:
  1. Determine the unique attributes of the on-premises AD DS user account. To do this, on a computer that has Windows Support Tools installed, follow these steps:
    1. Click Start, click Run, type ldp.exe, and then click OK.
    2. Click Connection, click Connect, type the computer name of an AD DS domain controller, and then click OK.
    3. Click Connection, click Bind, and then click OK.
    4. Click View, click Tree View, select the AD DS domain in the BaseDN drop-down list, and then click OK.
    5. In the navigation pane, locate and then double-click the object that isn't syncing correctly. The Details pane on the right side of the window lists all object attributes. The following example shows the object attributes:

      Screen shot of the object that isn't syncing correctly, showing all object attributes
    6. Record the values of the userPrincipalName attribute and each SMTP address in the multivalue proxyAddresses attribute. You will need these values later.
      Attribute name: proxyAddresses
      Example: proxyAddresses (3): x500:/o=Exchange/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=1ae75fca0d3a4303802cea9ca50fcd4f-7628376; smtp:7628376@service.contoso.com; SMTP:7628376@contoso.com;
      Notes:
      • The number that's displayed in parentheses next to the attribute label indicates the number of proxy address values in the multivalue attribute.
      • Each distinct proxy address value is indicated by a semicolon (;).
      • The primary SMTP proxy address value is indicated by uppercase "SMTP:"

      Attribute name: userPrincipalName
      Example: 7628376@contoso.com
      Note Ldp.exe is included in Windows Server 2008 and in the Windows Server 2003 Support Tools. The Windows Server 2003 Support Tools are included in the Windows Server 2003 installation media. Or, to obtain the tool, go to the following Microsoft website:
      http://go.microsoft.com/fwlink/?LinkId=100114
  2. Connect to Office 365 by using the Azure Active Directory Module for Windows PowerShell. To do this, follow these steps: 
    1. Click Start, click All Programs, click Windows Azure Active Directory, and then click Windows Azure Active Directory Module for Windows PowerShell.
    2. Type the following commands in the order in which they are presented, and press Enter after each command:
      • $cred = get-credential
        Note When you are prompted, enter your Office 365 administrator credentials.
      • Connect-MSOLService -Credential $cred
      Leave the console window open. You will need to use it in the next step.
  3. Check for the duplicate userPrincipalName attributes in Office 365.

    In the console connection that you opened in step 2, type the following commands in the order in which they are presented, and press Enter after each command:
    • $userUPN = "<search UPN>"
      Note In this command, the placeholder "<search UPN>" represents the UserPrincipalName attribute that you recorded in step 1f.
    • get-MSOLUser -UserPrincipalName $userUPN | where {$_.LastDirSyncTime -eq $null}
    Leave the console window open. You will use it again in the next step.
  4. Check for duplicate proxyAddresses attributes. In the console connection that you opened in step 2, type the following commands in the order in which they are presented, and press Enter after each command:
    • $SessionExO = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Cred -Authentication Basic -AllowRedirection
    • Import-PSSession $sessionExO -prefix:Cloud
  5. For each proxy address entry that you recorded in step 1f, type the following commands in the order in which they are presented, and press Enter after each command:
    • $proxyAddress = "<search proxyAddress>"

      Note In this command, the placeholder "<search proxyAddress>" represents the value of a proxyAddresses attribute that you recorded in step 1f.
    • Get-CloudMailbox | where {[string] $str = ($_.EmailAddresses); $str.tolower().Contains($proxyAddress.tolower()) -eq $true} | foreach {get-MSOLUser -UserPrincipalName $_.MicrosoftOnlineServicesID | where {($_.LastDirSyncTime -eq $null)}}
Items that are returned after you run the commands in steps 3 and 4 represent user objects that weren't created through directory synchronization and that have attributes that conflict with the object that is not syncing correctly.

After you determine conflicting or invalid attribute values, troubleshoot the issue by following the steps in the following Microsoft Knowledge Base article:
2643629  (http://support.microsoft.com/kb/2643629/ )   One or more objects don't sync when using the Azure Active Directory Sync tool

MORE INFORMATION

The Windows PowerShell commands in this article require the Azure Active Directory Module for Windows PowerShell. For more information about Azure Active Directory Module for Windows PowerShell, go to the following Microsoft website:
Still need help? Go to the Office 365 Community (http://community.office365.com/) website.

Applies to
  • Office 365 Identity Management