Prepare for directory synchronization by using the Office 365 IdFix tool
Applies to: Office 365
Topic Last Modified: 2014-06-30
Summary: Introduces topics for the IdFix tool, which prepares and cleans up the content in your on-premises directory before synchronization to Office 365.
The Office 365 IdFix tool, or IdFix, searches your directory and identifies most of the errors you will encounter before you synchronize to Office 365. IdFix helps you fix these errors and reduces the time it takes to on-board to Office 365. IdFix is simple enough to use so that you can fix Active Directory errors and synchronize your directory without relying on subject matter experts.
IdFix does not fix all errors, but it does find and allow you to fix the majority of errors; for example, over half of all synchronization errors are the result of duplicate or badly formed
userPrincipalName attributes in Active Directory. By fixing these errors, you will be able to successfully synchronize users, contacts, and groups from your on-premises Active Directory to Office 365.
IdFix may identify errors beyond those that are necessary to successfully complete synchronization to Office 365. For example, compliance with RFC 2822 for SMTP addresses. Directory synchronization allows you to synchronize invalid attribute values to the cloud but the best practice recommendation is that you correct these errors at the source before you synchronize.
The short answer is that using IdFix saves money and time, even if your on-premises directory is running fine. Even a small number of failures can result in a large number of errors that you need to manually correct. This can really delay a deployment and significantly increase the expense of your project.
The IdFix tool checks for values that may cause issues with cloud services in Office 365 that may not cause problems in your on-premises environment. The clean-up effort is focused on directory synchronization errors that IdFix discovers even if your on-premises environment is working smoothly.
In short, when you run IdFix, you connect, or authenticate, to your directory and search for users and groups that won’t synchronize correctly to Office 365. More technically, IdFix queries all domains in the currently authenticated forest. If you don’t know what domain, forest, or authenticate means, that’s OK, you can still use the tool to fix errors.
Once you connect and have your search results, there are a couple of ways that you can fix the errors: by using the graphical user interface (GUI) or by exporting the data to a CSV or LDF file, manually fixing the errors, and then importing the file back into IdFix. For less experienced administrators or for environments with smaller deployments, we recommend using the IdFix GUI. The following topics describe using the GUI in more detail and provide reference information.
Install and run the Office 365 IdFix tool. This topic describes where to download the tool and how to install it. If you read nothing else, read this. If you are an AD DS novice or have a small directory, there is enough information in here to help you clean up your directory for synchronization. For more experienced administrators, read this topic to learn where to get the tool and how to run it.
Prepare directory attributes for synchronization with Office 365 by using the IdFix tool. This topic provides much more detailed instructions for running the tool, common errors you will encounter, suggested fixes, examples, and best practices for what to do when you have a large number of errors.
IdFix is intended for Active Directory Domain Services (AD DS) administrators who are responsible for supporting Office 365 in your business. The administrator using the tool should understand the implications of modifying directory objects and attributes. However, anyone who needs to deploy Office 365 and is responsible for moving users and groups to Office 365 can use the tool and effectively fix errors. There is a set of instructions available for those in a hurry or who don’t have much AD DS experience. If you don’t know what objects and attributes are, that’s OK. You can follow the instructions in Install and run the Office 365 IdFix tool. The other topics in this section provide more detail about the tool than you can probably use and are intended for more advanced AD DS administrators.
In some environments, the directory is not the ultimate source of authority for its own data, for example, you may have an HR system that overwrites the names of your employees in the directory. If your directory is not its own ultimate source of authority, you will need to ensure that any errors identified by IdFix that are coming from somewhere other than the directory are fixed at the source. Otherwise, you might fix the attribute using IdFix only to have the other identity management system overwrite your change in the directory.
We don’t blame you. Touching the directory is always a little scary. IdFix doesn’t modify all directory objects and attributes. It excludes some from its search on purpose since editing some could cause harm to your environment, for example, critical system objects. These objects are excluded from the IdFix GUI. For a list of these exclusions, see Reference: Office 365 IdFix excluded and supported objects and attributes.