Initial Directory Sync not working as desired

  • Question

  • I started with an Office 365 account, then merged my user list with Azure Active Directory.  I have now set up a new (first time) domain controller, as I now wish to apply some group policies to Office 365/Azure users.

    I have a verified domain in Azure (we'll call it abcd.com), as well as a default abcd.onmicrosoft.com domain.  In my local Active Directory I have a domain of corp.abcd.com and added an additional domain of abcd.com. I have changed a few users to [username]@abcd.com, and put their e-mail address in the "Mail" field in the General tab in AD.

    In my Azure AD - all users have the UPN format of [username]@abcd.com.  I am trying to keep existing users and user names in AzureAD, and sync them with my local AD. 

    When I try to run AADSync, I get the following error (actual domain replaced with abcd.com below):

    Unable to update this
    object because the following attributes associated with this object have values
    that may already be associated with another object in your local directory
    services: [ProxyAddresses SMTP:ABossio@abcd.com;UserPrincipalName abossio@abcd.com;]. Correct or remove
    the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098
    for more information on identifying objects with duplicate attribute values.

    What is the best and easiest way that I can synchronize my Azure AD users with a local domain - for what it's worth, I have nothing important in my local AD or domain controller.

    Tuesday, May 12, 2015 4:19 PM

Answers

  • Hi Kevin,

    If I understand you correctly, you've started with an O365 tenant and have now set up an entirely new AD domain that you want to "merge/synchronize" with your O365/AAD tenant in order to manage the identities on premises?

    In order to "Merge" two accounts, you either need to "Soft match" them using the proxyAddresses attribute (SMTP address), which is considered to be unique, or "hard match" them by constructing what we call an immutableId/SourceAnchor which will be the link between the local AD Account and the cloud identity.

    I suggest you look into the link below, which actually gives you a script that synchronizes/merges the AAD to your local AD (and even creates the users if you want).

    http://365lab.net/2014/04/18/office-365-migrate-from-cloud-identities-to-dirsync/

    Read more about soft matching/smtp matching here:

    https://support.microsoft.com/en-us/kb/2641663

    Hope the above helps, let us know if you need further assistance!

    /Johan


    Microsoft Certified Trainer
    MCSE: Desktop, Server, Private Cloud, Messaging
    Blog: http://365lab.net

    • Marked as answer by Kevin Z Tuesday, May 12, 2015 8:48 PM
    Tuesday, May 12, 2015 4:34 PM
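To make the two matching routes Johan describes concrete, here is an added example (not from the thread and not 365lab's script): it scans a constructed set of local AD records for the duplicate ProxyAddresses/UserPrincipalName values behind the error in the question, shows which cloud object a soft match on the primary SMTP address would land on, and derives the base64-encoded objectGUID that serves as the ImmutableId/SourceAnchor for a hard match. The record field names and all sample data are assumptions.

```python
import base64
import uuid
from collections import defaultdict

# Constructed sample records (not from the thread). Field names are assumptions
# modelled on the AD / Azure AD attributes the error message names.
LOCAL_AD = [
    {"sam": "abossio", "upn": "abossio@abcd.com",
     "objectGUID": "12345678-9abc-def0-1234-56789abcdef0",
     "proxyAddresses": ["SMTP:ABossio@abcd.com"]},
    {"sam": "abossio2", "upn": "ABossio@abcd.com",          # same UPN, different case
     "objectGUID": "a1b2c3d4-e5f6-4789-8abc-def012345678",
     "proxyAddresses": ["SMTP:ABossio@abcd.com"]},          # same primary SMTP address
    {"sam": "jdoe", "upn": "jdoe@abcd.com",
     "objectGUID": "0f0e0d0c-0b0a-0908-0706-050403020100",
     "proxyAddresses": ["SMTP:jdoe@abcd.com", "smtp:john.doe@abcd.com"]},
]
AZURE_AD = [
    {"upn": "abossio@abcd.com", "proxyAddresses": ["SMTP:abossio@abcd.com"]},
    {"upn": "jdoe@abcd.com", "proxyAddresses": ["SMTP:jdoe@abcd.com"]},
]

def immutable_id(object_guid: str) -> str:
    """Hard-match anchor: base64 of objectGUID in .NET Guid.ToByteArray() order,
    which is Python's bytes_le (first three GUID fields little-endian)."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")

def find_duplicates(local_users):
    """Values of UserPrincipalName / ProxyAddresses held by more than one local object.
    Comparison is case-insensitive because the directory treats them that way."""
    owners = defaultdict(list)
    for u in local_users:
        owners[("UserPrincipalName", u["upn"].lower())].append(u["sam"])
        for addr in u["proxyAddresses"]:
            owners[("ProxyAddresses", addr.lower())].append(u["sam"])
    return {k: v for k, v in owners.items() if len(v) > 1}

def plan_match(local_users, cloud_users):
    """For each local user: the cloud UPN a soft match on the primary SMTP address
    would land on (None if no cloud object shares it) and the ImmutableId to stamp
    on the cloud object for a hard match."""
    by_smtp = {a.split(":", 1)[1].lower(): c["upn"]
               for c in cloud_users for a in c["proxyAddresses"]}
    plan = {}
    for u in local_users:
        primary = next((a for a in u["proxyAddresses"] if a.startswith("SMTP:")), None)
        target = by_smtp.get(primary.split(":", 1)[1].lower()) if primary else None
        plan[u["sam"]] = {"soft_match": target, "immutable_id": immutable_id(u["objectGUID"])}
    return plan
```

With the sample data both abossio objects resolve to the same cloud user, which is exactly the collision the sync engine refuses; clear the duplicates first, then either let the SMTP soft match run or stamp the computed value onto the cloud object (with the MSOnline module that is Set-MsolUser -ImmutableId).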
  • I tried the following script, and at first it didn't work, I was getting vague errors on the dir matching, but then I deleted the users, recreated them manually, re-ran the script from the site below, and it did the trick!  Thank you Johan!

    In order to "Merge" two accounts, you either need to "Soft match" them using the proxyAddresses attribute (SMTP address), which is considered to be unique, or "hard match" them by constructing what we call an immutableId/SourceAnchor which will be the link between the local AD Account and the cloud identity.

    I suggest you look in to the link below which actually gives you a script that synchronizes/merges the AAD to your Local AD (and even creates the users if you want).

    http://365lab.net/2014/04/18/office-365-migrate-from-cloud-identities-to-dirsync/


    • Marked as answer by Kevin Z Wednesday, May 20, 2015 2:08 AM
    Tuesday, May 12, 2015 8:51 PM

All replies

  • Or perhaps to put my desire more concisely.

    I have existing Azure AD/Office 365 users that I want to create locally to be synchronized.  Other than the problems described above, what's the best way to do this?

    We're also using Azure AD Premium.

    Tuesday, May 12, 2015 4:45 PM
  • Good, Kevin - then the above link (regarding "migrating from cloud identities") should give you the needed guidance. If not - let us know.

    Microsoft Certified Trainer
    MCSE: Desktop, Server, Private Cloud, Messaging
    Blog: http://365lab.net

    Tuesday, May 12, 2015 4:48 PM
  • I have tried the SMTP matching, but it didn't work.

    I had been looking for something like the hard find, thank you, I will give this a try!

    • Edited by Kevin Z Tuesday, May 12, 2015 6:05 PM being more specific
    Tuesday, May 12, 2015 6:01 PM