Sep 25 2018
- last edited on
Jul 27 2020
We set up AAD a few weeks back and created an OU called ActiveSyncUsers. We set it up such that if we add a user to that group, they will be sync'd. So far so good. We created some new users, and they sync fine. Some of our existing users also worked fine.
However, today we started running into some of our OLDER existing users that are getting the following:
Hello firstname.lastname@example.org, You can troubleshoot this issue by running the Directory Synchronization troubleshooter on the server that has Azure Active Directory identity synchronization tools installed.
The Identity synchronization tool batch run was completed on Tuesday, 25 September 2018 20:30:20 GMT for directory IMS [.onmicrosoft.com]. The following errors occurred during synchronization:
Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [UserPrincipalName email@example.com;]. Correct or remove the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.
I am a little perplexed as to what this is actually telling me. So the user does exist in the AD, and he does have a cloud account. It APPEARS that dirsync sees this as a collision, and isn't MERGING the accounts?
Sep 26 2018 02:06 AM
Have you identified which object has the duplicate value? It can be someone having the same value in email address or proxyAddresses attributes.
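One way to answer that question on the on-premises side, as an added example that is not part of this thread: the script below (assumes the RSAT ActiveDirectory module and read access to the domain; the function name is my own) lists every user, group or contact whose UserPrincipalName, mail or smtp proxyAddresses value is also carried by another object, including tombstoned and disabled objects, which is what the sync error and KB 2647098 are pointing at.

```powershell
Import-Module ActiveDirectory

function Find-DuplicateSyncAttributes {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [switch]$IncludeDeleted   # tombstoned objects can still carry the address
    )
    $params = @{
        LDAPFilter = '(|(objectClass=user)(objectClass=group)(objectClass=contact))'
        SearchBase = $SearchBase
        Properties = 'userPrincipalName','mail','proxyAddresses','userAccountControl','isDeleted'
    }
    if ($IncludeDeleted) { $params['IncludeDeletedObjects'] = $true }

    # address (lower-cased) -> objects that carry it in UPN, mail or proxyAddresses
    $index = @{}
    foreach ($obj in Get-ADObject @params) {
        $addresses = @()
        if ($obj.userPrincipalName) { $addresses += $obj.userPrincipalName }
        if ($obj.mail)              { $addresses += $obj.mail }
        foreach ($pa in $obj.proxyAddresses) {
            # "SMTP:" (primary) and "smtp:" (secondary) both count; x500 etc. are skipped
            if ($pa -match '^smtp:(.+)$') { $addresses += $Matches[1] }
        }
        # one entry per object, so a user's own UPN == mail is not a false positive
        foreach ($a in ($addresses | ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique)) {
            if (-not $index.ContainsKey($a)) { $index[$a] = @() }
            $index[$a] += $obj
        }
    }
    foreach ($a in $index.Keys) {
        if ($index[$a].Count -lt 2) { continue }
        foreach ($o in $index[$a]) {
            [pscustomobject]@{
                Address  = $a
                Object   = $o.DistinguishedName
                Class    = $o.ObjectClass
                Deleted  = [bool]$o.isDeleted
                Disabled = ($o.ObjectClass -eq 'user') -and (($o.userAccountControl -band 2) -ne 0)
            }
        }
    }
}

Find-DuplicateSyncAttributes -IncludeDeleted | Sort-Object Address | Format-Table -AutoSize
```

Run it on the AAD Connect server or any domain-joined machine with RSAT; an address that appears twice in the output is the value the sync engine is refusing to bind to a second cloud object.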
Sep 26 2018 04:10 AM
Sep 26 2018 09:26 AM
Also, if I run IDFIX, nothing comes up as erroneous. I expected to see DUPLICATE show up in light of this warning, but nothing comes up.
Sep 28 2018 05:18 PM
The steps here will depend on few factors, such as the status of the Duplicate Attribute Resiliency feature. In other words, follow the instructions in this article: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-syncservice-duplicate-...
Sep 29 2018 05:40 AM
In addition to the article Duplicate or invalid attributes prevent directory synchronization in Office 365
You need to review your AD Sync configuration and make sure that you don't have any other object that is used for this user; for example, it can be an object that is using ObjectGUID as the anchor attribute and not the email address.
Also, make sure that you don't have a secondary value for another object, such as a deleted object, a disabled object, or even an smtp address for a secondary object.