Posey's Tips & Tricks
Preparing Your Active Directory for Office 365
Microsoft's free tool lets IT keep an eye on the overall health of an on-premises Active Directory environment through Office 365.
Organizations that choose to adopt Office 365 very often have an on-premises environment that is already in place. In such cases, Office 365 acts as an extension to the organization's on-premises environment. From a logistical standpoint, this means extending an existing Active Directory environment to the Office 365 cloud through directory synchronization. Although this tends to be a relatively straightforward process, directory synchronization can go horribly wrong if the existing Active Directory environment is not in a healthy state. Fortunately, Microsoft provides a free tool that can be used to assess the health of your Active Directory environment, and if necessary, fix problems that may exist.
The tool is called the IdFix DirSync Error Remediation Tool. If you think that Microsoft has given this tool an excessively long name, then you aren't alone. Most of the people that I have talked with about this particular tool simply refer to it as IdFix. You can download IdFix from Microsoft here.
It is worth noting that IdFix is an older tool. Officially, it is only supported to work with Windows 7 and Windows Server 2008 R2. The tool can also work with Exchange Server, but Exchange Server is not required. The only supported version of Exchange Server is Exchange Server 2003.
In spite of the IdFix tool's lack of support for modern software, the tool is designed in such a way as to allow it to work with modern systems. Active Directory queries are performed using native LDAP, which should be universally compatible with Windows domain controllers. Likewise, the Exchange Server messaging attributes that are examined by the tool should be version independent. I can't guarantee that the IdFix tool will work with software that is not officially supported. I can tell you, however, that while writing this blog post, I ran the IdFix tool on a Windows Server 2012 R2 domain controller.
Using the IdFix tool is relatively easy. Just download the tool, extract the executable file from the ZIP file that you downloaded, and then run the executable file. There are no setup wizards to work through, and there isn't any prep work required beyond making sure that you have the appropriate Active Directory permissions, and verifying that the computer from which IdFix will run has version 4.0 of the .NET Framework installed. Upon executing IdFix, you will see the screen shown in Figure 1.
Before you test your Active Directory environment's health, I recommend checking out the tool's Settings screen, which you can see in Figure 2. Depending on how your organization is set up, most of the default settings will probably be OK, but there are a couple of settings that are worth reviewing.
The first thing that you should pay attention to is the Rules section. The rules seem to default to a multi-tenant environment, so if you have a dedicated Active Directory, then you will definitely want to select the Dedicated option.
It's also a good idea to make sure that the Directory section lists the correct domain. If necessary, you can use the Add button to add more domains to the list. Also, if you are using an emulated Active Directory environment, then you will want to change the directory type to LDAP.
Finally, check out the Credentials section. The tool defaults to using the current credentials, but depending on how you are logged in, you may end up needing to supply an alternate set of credentials.
Once the settings are in place, using the tool couldn't be easier. Just click the Query button, and let IdFix do its thing. The bottom left corner of the window shows you the query count and the number of errors that have been detected. Hopefully, your error count will be 0, like the environment shown in Figure 3, but if not, then you can use the tool's other controls to fix any errors that might have been reported.
Microsoft does not actually require you to run IdFix prior to performing a directory synchronization, but doing so is a good idea. Cleaning up any Active Directory health issues up front can help the synchronization process to go more smoothly later on.
Brien Posey is a 16-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.