Azure AD Connect
160 Topics

Azure AD Connect is not synchronizing Computer objects
Hi, I installed and configured Azure AD Connect like a few times before but now Computer objects are not synchronizing. They are included in filtering but there is no export to Azure AD, no error or warning, nothing. Azure AD Connect Troubleshooter just saying "Object is not available in AAD Connector Space" (everything else is green/ok). I just reinstalled it but without success. Any ideas?

Kind regards
Patrick

Solved. 96K Views, 0 likes, 15 Comments

AD Connect Multiple Tenants Single AD
Hi, Wonder if this is possible? We have a client that wants to keep his two domains separate and in different tenants and then sync on prem AD to the two tenants. The on prem AD would have both domains' UPN suffixes added to their accounts in on prem AD as the users in both tenants would be the same.

Thanks

65K Views, 0 likes, 6 Comments

Exchange Online and Azure AD Connect
Hi everyone,

We are planning to implement Azure AD Connect in a Password Hash Synchronization with Seamless Sign On scenario, hosted on Azure B1ms Windows Server 2016 AD DC connect to on-prem AD via S2S VPN. My company of around 100 users have had O365 for several years and the on-prem and AAD environments are totally separate for now.

One thing that has come up in my research is with Azure AD Connect in place, on-prem AD must be the source of all objects, attributes, and changes - makes sense. Where there is confusion is Exchange Online attributes. Several older threads on Tech Community and other forums state you cannot change EXO attributes, in an AAD Connect environment, without on-prem Exchange installed or at least its schema changes.

On review, the only EXO attributes we would change that aren't in the default AD schema are mailbox delegation (SendAs, AccessRights, etc) and email addresses (multiple SMTP addresses). Other attributes that show in EXO such as Job Title, Address, and Tel Numbers are all available in the default schema via AD Users & Computers, so my presumption is they're not of concern.

Can anyone shed some light on this and confirm how we'd manage things like multiple SMTP addresses without the Exchange schema in our on-prem AD? Does this differ depending on where the object is managed (cloud only vs hybrid) or user mailbox vs shared?

Thank you,
Ruairidh

56K Views, 1 like, 30 Comments

Error event logs from ADSync - How to troubleshoot
First we are using the latest ADSync as of this post, 1.4.38.0. As far as we can tell nothing is broken. The only purpose of this tool is to allow Office 365 to be assigned to our domain users and verify licencing / entitlements. We are not doing anything else in the cloud and our Exchange, Skype for business is on prem at this point. We are getting these logs from our server called ADFS1 which had the ADSync tool installed. I'm not sure what to do with them because it seems everything is working fine. I would like to know if there's a way to silence these alerts without filtering them out of our EventSentry log management system. We are just tired of seeing these alerts to our email. Below is a sample of what we see multiple times a day, about once every hour. Any ideas?

EVENT # 5182516
EVENT LOG Application
EVENT TYPE Error
OPCODE Info
SOURCE ADSync
CATEGORY Server
EVENT ID 6311
DATE / TIME 2/21/2020 10:42:46 AM
COMPUTERNAME ADFS1
MESSAGE The server encountered an unexpected error while performing a callback operation. "ERR_: MMS(6640): ..\ma.cpp(4898): Completing apply rules step has failed. Azure AD Sync 1.4.38.0"

EVENT # 5182517
EVENT LOG Application
EVENT TYPE Error
OPCODE Info
SOURCE ADSync
CATEGORY Server
EVENT ID 6401
DATE / TIME 2/21/2020 10:42:46 AM
COMPUTERNAME ADFS1
MESSAGE The management agent controller encountered an unexpected error. "ERR_: MMS(6640): ..\crcntrl.cpp(336): Completing synchronization run step has failed. Azure AD Sync 1.4.38.0"

EVENT # 5182518
EVENT LOG Application
EVENT TYPE Warning
OPCODE Info
SOURCE ADSync
CATEGORY Management Agent Run Profile
EVENT ID 6100
DATE / TIME 2/21/2020 10:42:46 AM
COMPUTERNAME ADFS1
MESSAGE The management agent "domain.com" step execution completed on run profile "Delta Synchronization" with errors.
Additional Information
Discovery Errors : "0"
Synchronization Errors : "1"
Metaverse Retry Errors : "0"
Export Errors : "0"
Warnings : "0"
User Action View the management agent run history for details.

55K Views, 0 likes, 1 Comment

Password Expiration notification
I have a number of users who have recently transitioned to Azure joined devices and are authenticating directly through AAD, though their accounts were originated in On-prem AD. When their passwords expire, they aren't getting notification but finding out when certain on-prem services aren't connecting. We are using AD Sync and it's going both ways AAD to OP and OP to AAD. I guess my question is 2 fold:

Is it possible that AD is still expiring the password and if not, where can I find where it is expiring?
Is there any way to turn on expiration notification for Azure AD users?

Thanks,

32K Views, 0 likes, 2 Comments

Local Network Share with Azure AD Users
We're a small business of about 15 people, and have just moved to Microsoft 365 for email, and with it has come AAD user management which makes my life simple. We have some simple file shares that are managed with local accounts. I'd like to move to on-prem AD with AAD Connect, and then assign these AAD users ("email accounts") to the various folders to handle permissions. My current understanding is that AAD can't do user write back to on-prem, at all, and doing password and group writeback to on-prem requires the 'premium' tier of AAD, at $8/user/mo? This seems both very convoluted (I am doing up a PS script to pull users back from AAD) and also incredibly expensive to simply have AAD users assigned to on-prem file shares. I'm hoping Occam's razor applies here, and I've missed something simple?

30K Views, 0 likes, 4 Comments

Azure AD Connect -- Attribute Value Must Be Unique
-- Updating from my previous message --

I managed to get syncing attempts happening by removing the group filter. As my test group, I made a special OU for the test user and am applying the sync only to this OU. I am now a bit further, but stumped again. Both AD accounts and AAD accounts are pre-existing:

AD Account: j.smith@domain.com (actually a .local account, but UPN added to AD)
AAD Account: john.smith@domain.com

When the sync happens, I am getting "Error: Attribute Value Must Be Unique". Looking deeper at the error, it is mentioning the error is in relation to the ProxyAddress. I have already defined the following in AD for the j.smith user:

email (General Tab): john.smith@domain.com
Proxy Address (Attribute Editor): SMTP:john.smith@domain.com

This does not seem to help though. I have tested also by removing Proxy Address and still no go. Any thoughts?

27K Views, 1 like, 2 Comments

Azure AD Connect service critical alert reported: dn-attributes-failure
[I sent an email to askaadconnecthealth@microsoft.com with the below content a few days ago but haven't heard back so decided to start a conversation here]

As per the below synchronization errors email I have been receiving, there are three cloud-only Office 365 users with “Sign in blocked” that were previously synched using Azure AD Connect. The accounts were previously moved out of the sync OU and when they appeared as deleted users in Office 365, were restored to keep their data intact. The AD users have since been deleted and cannot be restored.

https://aad.portal.azure.com/#blade/Microsoft_Azure_ADHybridHealth/AadHealthMenuBlade/SyncErros

There are no further error details other than the type: dn-attributes-failure

There are no other sync errors and Azure AD Connect is showing success on all connector operations. I do not want to delete these accounts from Office 365. Could anyone please advise me to know which steps to take to resolve the issue causing these three accounts to be included in the report for synchronization errors? They are cloud-only and do not need to be synched with AD. Is it necessary to re-create the AD users in the sync OU and set their Office 365 account ImmutableID to sync and match their AD account (source anchor is objectGUID) so they do not get reported as sync errors?

-----
From: Microsoft Azure [mailto:azure-noreply@microsoft.com]
Sent: 02 September 2019 11:10
Subject: We detected synchronization errors in your directory

There are synchronization errors in your directory.

Azure AD Connect Sync errors detected

You’re receiving this email because we have detected a critical alert on your Azure AD Connect service for errors that occurred while data was while synchronizing between your on-premises active directory and your Azure Active Directory.

Title: Sync errors detected on your Azure AD Connect service
Last export time: August 13, 2019 15:25 UTC
Error count: 3 sync errors
Service: [tenant].onmicrosoft.com
Tenant: John Hanson School
Report: To get more details, see Sync Error Report.

To learn how to fix sync errors, see https://azure.microsoft.com/email/?destination=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconnect%2Factive-directory-aadconnect-troubleshoot-sync-errors&p=bT0zMTQ2MjExOS1hZjlmLTQ0NzEtODljOC04YzZjNmJlOTAyN2EmdT1hZW8mbD1kb2NzJTNBdHJvdWJsZXNob290LXN5bmMtZXJyb3Jz.

If you have any feedback, please post it to the https://azure.microsoft.com/email/?destination=http%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3FLinkId%3D519357&p=bT0zMTQ2MjExOS1hZjlmLTQ0NzEtODljOC04YzZjNmJlOTAyN2EmdT1hZW8mbD1md2xpbms%3D or askaadconnecthealth@microsoft.com for any questions.

https://azure.microsoft.com/email/?destination=https%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3FLinkId%3D521839&p=bT0zMTQ2MjExOS1hZjlmLTQ0NzEtODljOC04YzZjNmJlOTAyN2EmdT1hZW8mbD1wcml2YWN5LXN0YXRlbWVudA%3D%3D

Microsoft Corporation, One Microsoft Way, Redmond, WA 98052

18K Views, 0 likes, 1 Comment