Skill 4.1: Prepare on-premises Active Directory for Azure AD Connect

  • 11/7/2017

Cleaning up existing Active Directory objects

Before you deploy Azure AD Connect, it is prudent to ensure that your on-premises Active Directory environment is healthy. You should also have an excellent understanding of the current state of the Active Directory environment. This should include performing an audit to determine the following:

  • Do any Active Directory objects use invalid characters?

  • Do any Active Directory objects have incorrect User Principal Names (UPNs)?

  • What are the current domain and forest functional levels?

  • Are any schema extensions or custom attributes in use?

Prior to deploying Azure AD Connect, you should ensure that you have performed the following tasks:

  • Remove any duplicate proxyAddresses values (the same address must not appear on more than one user, group, or contact)

  • Remove any duplicate userPrincipalName values

  • Ensure that every user has a userPrincipalName, and that any blank or invalid value has been replaced with a valid UPN

  • Ensure that for user accounts, the cn and sAMAccountName attributes have been assigned values

  • Ensure that for group accounts with a valid mail or proxyAddresses value, the member, alias (mailNickname), and displayName attributes are populated

  • Ensure that the following attributes do not contain invalid characters:

    • givenName

    • sn

    • sAMAccountName

    • displayName

    • mail

    • proxyAddresses

    • mailNickname

The part of a UPN before the @ that is used with Office 365 can only contain the following characters:

  • Letters

  • Numbers

  • Periods

  • Dashes

  • Underscores

The part after the @ must be a domain that has been verified in the Office 365 tenant; a UPN with an unverified suffix is rewritten to the tenant's default .onmicrosoft.com domain when the account synchronizes.
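The checks above can be scripted before you reach for a remediation tool. The following is an added example, not part of the original text and not a Microsoft tool: a read-only audit written for the ActiveDirectory PowerShell module (RSAT). It assumes you run it as an account that can read the whole domain, and that the output file name ad-sync-audit.csv is acceptable; both are assumptions. The permitted UPN prefix characters are taken from the list above, and the sAMAccountName character rule is the one Active Directory itself enforces; the whitespace checks on the remaining attributes are a conservative policy, not a complete reproduction of IdFix's rules.

```powershell
<#
Added example (not from the original text): read-only audit of the user and group
attributes listed above, using the ActiveDirectory module. Nothing is modified; it
returns a list of findings to review before running IdFix or a remediation script.
#>
Import-Module ActiveDirectory

# Characters permitted in the part of a UPN before the @, per the list above.
$UpnPrefixPattern = '^[A-Za-z0-9._-]+$'
# Characters Active Directory itself does not accept in sAMAccountName.
$SamInvalidPattern = '["/\\\[\]:;|=,+*?<>]'

$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding([string]$Dn, [string]$Attribute, [string]$Problem, $Value) {
    $findings.Add([pscustomobject]@{
        Object = $Dn; Attribute = $Attribute; Problem = $Problem; Value = "$Value"
    })
}

$userProps = 'userPrincipalName','sAMAccountName','cn','givenName','sn',
             'displayName','mail','proxyAddresses','mailNickname'
$users = Get-ADUser -Filter * -Properties $userProps

foreach ($u in $users) {
    $dn  = $u.DistinguishedName
    $upn = $u.userPrincipalName
    if ([string]::IsNullOrWhiteSpace($upn)) {
        Add-Finding $dn 'userPrincipalName' 'blank' $upn
    } else {
        # Exactly one @, a prefix made only of permitted characters, and a non-empty suffix.
        $parts = $upn.Split('@')
        if ($parts.Count -ne 2 -or $parts[0] -notmatch $UpnPrefixPattern -or -not $parts[1]) {
            Add-Finding $dn 'userPrincipalName' 'invalid format' $upn
        }
    }
    if ([string]::IsNullOrWhiteSpace($u.cn))             { Add-Finding $dn 'cn' 'missing' $null }
    if ([string]::IsNullOrWhiteSpace($u.sAMAccountName)) { Add-Finding $dn 'sAMAccountName' 'missing' $null }
    elseif ($u.sAMAccountName -match $SamInvalidPattern) { Add-Finding $dn 'sAMAccountName' 'invalid characters' $u.sAMAccountName }

    # Leading or trailing whitespace is one of the most common problems IdFix reports.
    foreach ($attr in 'givenName','sn','displayName','mail','mailNickname') {
        $v = $u.$attr
        if ($v -and $v -ne $v.Trim()) { Add-Finding $dn $attr 'leading/trailing whitespace' $v }
    }
    if ($u.proxyAddresses) {
        foreach ($addr in $u.proxyAddresses) {
            if ($addr -ne $addr.Trim()) { Add-Finding $dn 'proxyAddresses' 'leading/trailing whitespace' $addr }
        }
    }
}

# Duplicate UPNs, compared case-insensitively.
$users | Where-Object userPrincipalName |
    Group-Object { $_.userPrincipalName.ToLowerInvariant() } | Where-Object Count -gt 1 |
    ForEach-Object { foreach ($o in $_.Group) { Add-Finding $o.DistinguishedName 'userPrincipalName' 'duplicate' $_.Name } }

# Duplicate proxyAddresses across users, groups, and contacts (any object carrying the attribute).
Get-ADObject -LDAPFilter '(proxyAddresses=*)' -Properties proxyAddresses |
    ForEach-Object {
        $o = $_
        foreach ($a in $o.proxyAddresses) { [pscustomobject]@{ Address = $a.ToLowerInvariant(); Dn = $o.DistinguishedName } }
    } | Group-Object Address | Where-Object Count -gt 1 |
    ForEach-Object { foreach ($e in $_.Group) { Add-Finding $e.Dn 'proxyAddresses' 'duplicate' $_.Name } }

# Mail-enabled groups must carry displayName, an alias (mailNickname), and members.
$groups = Get-ADGroup -LDAPFilter '(|(mail=*)(proxyAddresses=*))' -Properties displayName, mailNickname, member
foreach ($g in $groups) {
    if (-not $g.displayName)                         { Add-Finding $g.DistinguishedName 'displayName' 'missing' $null }
    if (-not $g.mailNickname)                        { Add-Finding $g.DistinguishedName 'mailNickname' 'missing' $null }
    if (($g.member | Measure-Object).Count -eq 0)    { Add-Finding $g.DistinguishedName 'member' 'empty' $null }
}

$findings | Sort-Object Problem, Attribute | Format-Table -AutoSize
$findings | Export-Csv -Path .\ad-sync-audit.csv -NoTypeInformation   # assumed output path
```

Review the CSV before fixing anything: a duplicate proxyAddresses value is often a stale contact or a disabled mailbox that should be deleted rather than renamed, and that decision is not one a script should make for you.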

Rather than finding and fixing these problems by hand, you can use tools that Microsoft provides to detect, and in some cases automatically remediate, attribute problems before you deploy Azure AD Connect.


The IdFix tool, which you can download from Microsoft's website, scans an Active Directory instance to determine whether any user accounts, group accounts, or contacts have problems that will prevent them from synchronizing between the on-premises instance of Active Directory and the Office 365 instance of Azure Active Directory. IdFix can also repair objects that would otherwise be unable to sync. IdFix runs in the security context of the currently signed-in user, so the account you use to run it must have permission to modify any objects you want it to repair. The IdFix tool is shown in Figure 4-2 displaying an account detected with an incorrectly configured userPrincipalName.


FIGURE 4-2 IdFix finds user with a problematic UPN.


ADModify.NET is a tool that allows you to change specific attributes on multiple objects at once. With ADSIEdit, or the Attribute Editor tab of the Active Directory Users and Computers console (available when Advanced Features is enabled), you can only modify the attributes of one object at a time. For example, Figure 4-3 shows ADModify.NET being used to rewrite the userPrincipalName attribute for a number of user accounts so that it conforms to a specific format.



You can also use ADModify.NET for other systems administration tasks, such as forcing a large number of users to change their password at next logon, or disabling multiple accounts at once.
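The bulk UPN change shown in Figure 4-3 can also be done with the ActiveDirectory PowerShell module when you want the change reviewed and version-controlled. The script below is an added example; it is not ADModify.NET's code and is not from the original text. It rewrites userPrincipalName for every enabled user in one OU to the form givenName.sn@suffix, keeping only the characters Office 365 permits in the prefix. The OU path OU=Staff,DC=contoso,DC=com and the suffix contoso.com are assumptions; use a suffix that is registered as a UPN suffix in your forest and verified in your tenant. It supports -WhatIf, so the first run changes nothing.

```powershell
<#
Added example (not ADModify.NET's own code, not from the original text): scripted bulk
UPN normalization with collision checks. The OU and suffix defaults are assumptions.
Usage:  .\Set-UpnFormat.ps1 -WhatIf          (plan only)
        .\Set-UpnFormat.ps1                  (apply)
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'OU=Staff,DC=contoso,DC=com',   # assumed OU
    [string]$UpnSuffix  = 'contoso.com'                  # assumed verified UPN suffix
)
Import-Module ActiveDirectory

# Build a prefix from givenName.sn using only letters, digits, period, dash and underscore.
function ConvertTo-UpnPrefix([string]$Given, [string]$Surname) {
    $raw = ('{0}.{1}' -f $Given.Trim(), $Surname.Trim()).ToLowerInvariant()
    # Fold diacritics ("Müller" -> "muller") by decomposing and dropping combining marks.
    $chars = $raw.Normalize([Text.NormalizationForm]::FormD).ToCharArray() |
        Where-Object { [Globalization.CharUnicodeInfo]::GetUnicodeCategory($_) -ne [Globalization.UnicodeCategory]::NonSpacingMark }
    $ascii = -join $chars
    # Remove anything still outside the permitted set (spaces, apostrophes, ...),
    # collapse repeated periods, and never start or end with a period.
    return ((($ascii -replace '[^a-z0-9._-]', '') -replace '\.{2,}', '.').Trim('.'))
}

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties givenName, sn, userPrincipalName

# Plan every change first so collisions are found before any write happens.
$plan = foreach ($u in $users) {
    if (-not $u.givenName -or -not $u.sn) {
        Write-Warning "Skipping $($u.DistinguishedName): givenName or sn is empty"
        continue
    }
    $prefix = ConvertTo-UpnPrefix $u.givenName $u.sn
    if (-not $prefix) { Write-Warning "Skipping $($u.DistinguishedName): no usable characters in name"; continue }
    [pscustomobject]@{ User = $u; NewUpn = '{0}@{1}' -f $prefix, $UpnSuffix }
}

# Two users in scope who would receive the same UPN (two John Smiths) must be resolved by hand.
$collisions = $plan | Group-Object { $_.NewUpn.ToLowerInvariant() } | Where-Object Count -gt 1
foreach ($c in $collisions) {
    Write-Warning ("UPN {0} would be assigned to {1} users; all of them are skipped" -f $c.Name, $c.Count)
}
$skip = @($collisions | ForEach-Object { $_.Group.User.DistinguishedName })

foreach ($p in $plan) {
    $dn = $p.User.DistinguishedName
    if ($dn -in $skip) { continue }
    if ($p.User.userPrincipalName -ieq $p.NewUpn) { continue }            # already in the target format

    # The planned value may already belong to a user outside the OU; that is a duplicate, not a fix.
    $taken = Get-ADUser -Filter "userPrincipalName -eq '$($p.NewUpn)'" |
        Where-Object DistinguishedName -ne $dn
    if ($taken) {
        Write-Warning ("{0} is already used by {1}; skipping {2}" -f $p.NewUpn, $taken.DistinguishedName, $dn)
        continue
    }
    if ($PSCmdlet.ShouldProcess($dn, "Set userPrincipalName '$($p.User.userPrincipalName)' -> '$($p.NewUpn)'")) {
        Set-ADUser -Identity $p.User -UserPrincipalName $p.NewUpn
    }
}
```

Changing a UPN changes the name users sign in with, so communicate the new format before applying the change, and run the audit again afterwards to confirm no duplicates were introduced.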