AD Connect User Syncing Error

Question

We installed AD Connect and connected to our Office365 tenant, but users will not sync. I see all of them have duplicate attribute errors. I added the appropriate UPNs to my users so they are using a routable domain (.com instead of .local). I tried added proxy addresses for a couple of users, but they error out with UPN and proxy addresses. I try to use the troubleshooter in AD Connect Health, but the fixes fail to apply. Do I need to change the mS-DS-ConsistencyGuid attribute on my local users before syncing, and if so, to which value should I set it?

Answer 1

I think I have found the issue... AD Connect is trying to use ObjectGUID instead of mS-DS-ConsistencyGuid. It says I cannot change the source anchor because attribute mS-DS-ConsistencyGuid is already being using in my active directory. So, I am uninstalling and re-installing AD Connect to set the source anchor as mS-DS-ConsistencyGuid.

Answer 2

Hi @BBR IT ,
Have you tried using the IdFix Directory Synchronization Error Remediation Tool from Microsoft?

https://www.microsoft.com/en-us/download/details.aspx?id=36832

Please mark as "Accept the answer" if the above steps helps you. Others with similar issues can also follow the solution as per your suggestion

Regards,

Manu

Answer 3

Hi! I have tried it, but when I click query, no results show up. I tried adding in my .com domain, but it fails because the domain can't be found (probably because only .local exists and .com is an added UPN).

Answer 4

I see 2 different errors when running the troubleshooter. (email addresses have been changed to a generic email for privacy)

This example comes from a user whose account is trying to sync via proxy address:
Unable to update this object because the ProxyAddresses value SMTP:user1@Company portal .com associated with this object may already be associated with another object in your local directory services. To resolve this conflict, first determine which object should be using the conflicting value. Then, update or remove the conflicting value from the other object(s).

This example comes from a user whose account is trying to sync via UPN:
We detected that an object with UserPrincipalName “user2@Company portal .onmicrosoft.com” cannot be synchronized because another object already has the same value of “user2@Company portal .com” as its UserPrincipalName. To resolve the conflict you need to determine which of these two objects should be using this UserPrincipalName. The next step is to update the other object to change or remove the conflicting value.

In either case, I get the errors above when running the troubleshooter in AD Connect Health page and try to run the fix. It asks me "are both of these accounts for the same user" and I select "yes", then it suggests the fix, which fails.

My AD DS is not being used for anything yet, so I can remove/recreate those users as needed. I created each user in a synced OU, added their email address in the email field (which is same as UPN), made to to select .com for UPN instead of .local, and for a couple users (to test it out), I also added their email to the attribute "proxy address" and told AD Connect to include that attribute.

I feel like I am so close, but am missing something.