Hi, I have inherited a .local domain which I am going to run in hybrid mode with Exchange Online.
Posted 3 years ago (archived)
The MS IDfix tool complains that every mail enabled account has a .local (secondary) email address in proxyaddresses. I have changed all user accounts to have an internet routable UPN instead of a .local one.
Now, the Recipient policy in Exchange generates the .local SMTP address. I've done a lot of reading and there seem to be two trains of thought on what to do.
What is the correct answer to this / current best practice recommendation and the implications? : )
Thanks.
Posted 1 year ago (archived)
Hi. I hope this is a good place to post this.
I am studying for the MS 70-346 exam and have created a test environment to mess around with.
My verified domain with O365 is xxxx.ltd which is a legit internet-routable domain. However, IDFix doesn't seem to think so and neither does AAD Connect. IDFix gives the topleveldomain error and in AAD Connect at the Azure AD Sign-in section only my on-premises xxxx.local domain shows. If I temporarily change a user's UPN to end with .com or .co.uk IDFix doesn't report any errors.
Any ideas?
Thanks
One of the first steps in preparing for an Office 365 migration is running a tool we provide called IDFix. The goal of this tool is to help minimize identity issues when migrating to the cloud. Most identity issues come down to two issues:
The first issue is pretty easy to deal with: IDFix will identify objects with offending characters and the attributes where they exist, and will even make some recommendations. The second issue, however, is trickier. Let's say you have a report that you have two or three objects that have overlapping properties:
The mail-enabled user is a security principal and is frequently used to grant access to an external vendor while allowing them to appear in the Global Address List (GAL). Or, you may have had a situation where your organization had been in a long-term partnership with another organization and had MEUs or MECs representing the partner organization in your directory, and now your organizations are merging. In either case, you need to consolidate objects. At many customers I've encountered, external vendors have been configured with on-premises mailboxes with an address like [email protected] and a contact in the GAL with [email protected], sometimes with duplicate SMTP or UPN values scattered between the two.
The biggest challenge you face is not one of difficulty, but one of repetition and boredom. You may be tempted to just delete the offending contact, but what will happen if you do? More than likely, your users will report that they're suddenly getting Non-Delivery Reports (NDRs) for things that previously worked: Outlook's autocomplete cache holds the X500 address (the legacyExchangeDN) of the deleted GAL object, and now you're stuck.
You’ll probably have to merge SMTP proxy addresses for these objects.
I developed a script to help my customers deal with these problems. By taking the distinguishedNames of the identified error objects, we can import the proxy addresses of one type of object into another, configure forwarding (if appropriate) and get the directory in tip-top shape. The script has some rules on what to do if it finds a mailbox and either a MEU or MEC (such as whether or not to configure the MEU/MEC's external address as a forwarding SMTP address for the mailbox) and whether or not you want to force or skip AD replication. AD replication matters here because we're adding proxy addresses back into an object, and Exchange will return an error if it thinks the proxy address is still in use elsewhere.
I originally developed this tool using the Quest ActiveRoles cmdlets and haven’t gotten around to re-writing it with native AD/Exchange cmdlets, so in order to use it, you’ll need to download those. Fortunately, they’re free (as in beer).
From the help file:
To download and experiment with the tool, head on over to the TechNet gallery.
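The merge the article describes, written here as an added example with native AD and Exchange cmdlets rather than the author's Quest-based script. It assumes the Exchange Management Shell with the ActiveDirectory module available; $MailboxDN and $ContactDN are placeholders for the two distinguishedNames IdFix reported as overlapping.

```powershell
# Added example (not the author's script): fold a mail contact's or mail-enabled user's
# addresses into the mailbox that should survive, then optionally forward to its external address.
param(
    [Parameter(Mandatory = $true)][string]$MailboxDN,   # distinguishedName of the surviving mailbox
    [Parameter(Mandatory = $true)][string]$ContactDN,   # distinguishedName of the MEC/MEU to retire
    [switch]$SetForwarding,     # forward the mailbox to the MEU/MEC's external (target) address
    [switch]$ForceReplication   # push AD replication before re-adding the addresses
)
Import-Module ActiveDirectory

$stale   = Get-ADObject -Identity $ContactDN -Properties proxyAddresses, legacyExchangeDN, targetAddress
$mailbox = Get-Mailbox -Identity $MailboxDN

# Everything Outlook's autocomplete cache may hold for the old object: its SMTP proxies plus its
# legacyExchangeDN, re-added as an X500 address so cached entries keep resolving (no NDRs).
$existing = @($mailbox.EmailAddresses | ForEach-Object { "$_".ToLower() })
$toAdd = @($stale.proxyAddresses |
    Where-Object { $_ -match '^smtp:' -and $existing -notcontains "$_".ToLower() } |
    ForEach-Object { $_ -replace '^SMTP:', 'smtp:' })   # add as secondary; keep the mailbox's primary
if ($stale.legacyExchangeDN) { $toAdd += "X500:$($stale.legacyExchangeDN)" }
$external = "$($stale.targetAddress)" -replace '^smtp:', ''

# Retire the old object first: Exchange refuses a proxy address another object still holds.
if ($stale.ObjectClass -eq 'contact') {
    Remove-ADObject -Identity $ContactDN -Confirm:$false      # plain GAL contact: delete it
} else {
    Disable-MailUser -Identity $ContactDN -Confirm:$false     # MEU is a security principal: keep the
}                                                             # account, strip only its mail attributes
if ($ForceReplication) { repadmin /syncall /AdeP | Out-Null } # otherwise wait for replication yourself

if ($toAdd.Count -gt 0) {
    Set-Mailbox -Identity $MailboxDN -EmailAddresses @{Add = $toAdd}
}
if ($SetForwarding -and $external) {
    Set-Mailbox -Identity $MailboxDN -ForwardingSmtpAddress $external -DeliverToMailboxAndForward $true
}
Get-Mailbox -Identity $MailboxDN | Select-Object Name, ForwardingSmtpAddress, EmailAddresses
```

Run it once per overlapping pair from the IdFix output; the final Get-Mailbox shows the merged address list so you can confirm the X500 entry landed.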
Recently I worked with one of our customers who was looking for OU-level filtering to import selected users from on-premises Active Directory to Office 365.
I thought of writing up the step-by-step process, which might be helpful for some of you.
Note:
a. You can install ADFS and DirSync on the same box, but it is not recommended by Microsoft.
b. You can't install DirSync on a domain controller.
Installing and activating DirSync for your Office 365 tenant.
1. Log in to your Office 365 portal with tenant admin credentials (the username and password you provided when you provisioned your Office 365 tenant).
2. On the Admin page, in the left pane, under Management, click Users, and then click Set up next to Active Directory® synchronization.
3. Scroll down to steps 3 and 4, as shown in the screen capture below.
i. Activate DirSync for your Office 365 tenant from step 3 (this might take a while to become active).
ii. Download DirSync 64-bit from step 4.
4. Run the downloaded DirSync.exe.
5. Click Next on the welcome screen.
6. Accept the license terms and click Next.
7. Click Next on the "Select Installation Folder" page if you don't want to change the location.
8. This installs DirSync on your local machine.
9. Click Next to start the DirSync Configuration Wizard.
a. Ensure "Start Configuration Wizard now" is checked.
10. Click Next on the Configuration Wizard welcome page.
11. Enter your Office 365 tenant admin account and password and click Next.
12. Enter a local Active Directory account that is a member of the Enterprise Admins group.
13. If you have Exchange Server on-premises and plan to implement a hybrid configuration, select "Enable rich coexistence" and click Next.
i. Nothing to worry about if it is greyed out for you; that means you don't have Exchange deployed on-premises.
14. Uncheck "Synchronize directories now" in the DirSync Finish window and click Next, so that the OU filter below is in place before the first sync runs.
Configure OU level filtering for Office365 directory synchronization.
1. Log in to your domain controller.
2. Create an OU (Organizational Unit) in your AD (Active Directory).
a. In my case I named it "DirSync".
3. Move all the users you want to sync into that DirSync OU.
4. On your DirSync server, navigate to <Drive>:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell
6. This opens a console similar to the screen capture below.
7. In Identity Manager, click Management Agents, and then double-click SourceAD.
8. Click Configure Directory Partitions, and then click Containers, as shown in the screen capture below.
9. When prompted, enter your domain credentials for the on-premises Active Directory forest.
10. In the Select Containers dialog box, clear the OUs that you want to skip from syncing to Office 365, and then click OK, similar to the screen capture below.
11. Click OK on the SourceAD Properties page.
12. Perform a full sync: on the Management Agents tab, right-click SourceAD, click Run, click Full Import Full Sync, and then click OK.
If you would like to know more about DirSync filtering, refer to the TechNet article here.
13. You can also force a DirSync run using PowerShell:
i. On your DirSync server, open a PowerShell console as Administrator.
ii. Navigate to "C:\Program Files\Microsoft Online Directory Sync".
iii. Run .\DirSyncConfigShell.psc1
iv. Now execute the Start-OnlineCoexistenceSync cmdlet.
14. To confirm the sync job, open the event log and look for Event IDs 1 and 2.
v. Event ID 1 indicates the configuration import has started.
vi. Event ID 2 indicates the configuration import has completed.
15. To verify from the Office 365 portal:
vii. Log in to your Office 365 portal with tenant admin credentials (the username and password you provided when you provisioned your Office 365 tenant).
viii. On the Admin page, in the left pane, navigate to Users.
ix. You can verify the Last Synced status next to Active Directory® synchronization, as shown below.
16. Verify that only the filtered users are populated in Office 365 from the Office 365 user management page.
Note:
Filtering configurations applied to your directory synchronization instance aren't saved when you install or upgrade to a newer version. If you are upgrading to a newer version of directory synchronization, you must re-apply filtering configurations after you upgrade, but before you run the first synchronization cycle.
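Steps 13 to 16 and the note above, as one added script (not from the original post): it forces a sync cycle, waits for the Event ID 1/2 pair, and then checks that only users from the filtered OU reached the tenant, which is the symptom you would see if the filter had been lost on an upgrade. It assumes you run it inside DirSyncConfigShell.psc1 (so Start-OnlineCoexistenceSync is loaded) with the ActiveDirectory and MSOnline modules present and Connect-MsolService already done; the OU DN is a placeholder and the event source name 'Directory Synchronization' is an assumption.

```powershell
# Added example: force one DirSync cycle, confirm it completed, then verify the OU filter held.
param(
    [string]$SyncOU = 'OU=DirSync,DC=example,DC=local',   # placeholder: the only container left ticked
    [int]$TimeoutMinutes = 20
)
Import-Module ActiveDirectory

$since = Get-Date
Start-OnlineCoexistenceSync

# Poll the Application log for ID 1 (import started) and ID 2 (import completed).
$deadline = $since.AddMinutes($TimeoutMinutes)
$done = $null
do {
    Start-Sleep -Seconds 30
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Directory Synchronization'   # assumed source name
        Id = 1, 2; StartTime = $since }
    $done = $events | Where-Object { $_.Id -eq 2 }
} until ($done -or (Get-Date) -gt $deadline)
if (-not $done) { throw "No 'import completed' (ID 2) event within $TimeoutMinutes minutes" }

# Compare on the source anchor rather than the UPN: DirSync rewrites an unroutable UPN suffix
# in the cloud, but ImmutableId is always the base64 form of the on-premises objectGUID.
$expected = @{}
Get-ADUser -SearchBase $SyncOU -Filter * | ForEach-Object {
    $expected[[Convert]::ToBase64String($_.ObjectGUID.ToByteArray())] = $_.UserPrincipalName
}
$synced = @{}
Get-MsolUser -All | Where-Object { $_.LastDirSyncTime -and $_.ImmutableId } | ForEach-Object {
    $synced[$_.ImmutableId] = $_.UserPrincipalName
}

# A synced user whose anchor is not under the OU means the container filter is not in effect,
# e.g. it was dropped by an upgrade and the first cycle ran before it was re-applied.
[pscustomobject]@{
    SyncedCount   = $synced.Count
    OutsideFilter = @($synced.Keys   | Where-Object { -not $expected.ContainsKey($_) } | ForEach-Object { $synced[$_] })
    NotYetSynced  = @($expected.Keys | Where-Object { -not $synced.ContainsKey($_) }   | ForEach-Object { $expected[$_] })
}
```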
Technical Level: Basic
Summary
You've followed part #1 of this article series, or simply decided to clean your on-premises AD; now it's time to use the IdFix tool.
IdFix scans your local AD environment for possible issues:
Using this tool you can get an accurate overview of your AD, and even get suggestions for remediation.
Details
How to run IdFix
Downloading and running IdFix
IdFix does not require installation and can be downloaded directly from the readiness wizard (see part #1 of this series), as shown in figure #1, or downloaded directly here.
You can run the tool on domain-joined Windows 7 / Server 2008 R2 machines and later, as long as they have .NET 4 and LDAP access to the directory in order to run queries.
To run IdFix, simply extract the files and start IdFix.exe.
Figure #1 - Downloading IdFix from the readiness wizard.
IdFix Interface and operation
Running a query
IdFix is pretty simple and straightforward, with an easy-to-understand interface.
In the upper navigation pane you will find the operational buttons, with 'Query' and 'Apply' being the most important ones.
To the lower left you will see the query count and error count after you run a query (see figure #2).
Once you run a query, a list of issues interfering with directory synchronization is shown. It can be anything from missing or corrupted attributes to duplicates (two objects with the same unique identifier) and more.
In our case you can see that the user 'Patrik.Samuelsson' shows an error for 'top level domain', and the value shows why: his UPN suffix is 'Knowit.local', which cannot be synced to cloud platforms.
The other two errors are two different users with a duplicated 'mailNickname' (Exchange alias) of 'Sales'.
(See figure #2)
Figure #2 - IdFix interface, running a query and error overview
Error Remediation
To fix these issues we can either manually adjust the attributes using the Users and Computers MMC, or ADSI Edit for more advanced attributes.
However, IdFix offers a quick-fix solution directly from the tool's interface.
Notice the two columns: 'Value' represents the current value and 'Update' represents the new value.
In Patrik's case the issue is the top-level domain, so I opted to change his UPN to an acceptable domain (Knowit.local to 'o365lab.Knowit.se').
To save the changes, use the drop-down menu and select 'Edit', then click Apply (see figure #3).
The other two are users with a duplicate mailNickname (Exchange alias) of 'Sales'. In this case we should decide which gets to keep 'Sales' as its alias, and which gets a new alias.
Repeat this step for all errors until your IdFix dashboard is clean.
Figure #3 - Remediating errors
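The same three classes of finding (top-level domain, invalid characters, duplicate alias) as an added PowerShell scan that is not part of this article or of IdFix itself; it also flags the .local secondary SMTP proxy addresses raised in the first post above. The grid it returns mirrors IdFix's Value/Update columns. The OU DN and the verified-domain list are placeholders, the character rule is a simplified version of IdFix's, and only the UPN fix is applied automatically.

```powershell
# Added example: IdFix-style scan of one OU, with an optional -Apply for the UPN suffix fix.
param(
    [string]$SearchBase = 'OU=Users,DC=example,DC=local',   # placeholder: OU or domain to scan
    [string[]]$VerifiedDomains = @('example.com'),           # placeholder: domains verified in the tenant
    [switch]$Apply                                           # rewrite UPNs; alias and proxy fixes stay manual
)
Import-Module ActiveDirectory
$users  = Get-ADUser -SearchBase $SearchBase -Filter * -Properties mailNickname, proxyAddresses
$issues = New-Object System.Collections.Generic.List[object]
function Add-Issue($u, $attr, $err, $value, $update) {
    $issues.Add([pscustomobject]@{ DistinguishedName = $u.DistinguishedName; Attribute = $attr;
                                   Error = $err; Value = $value; Update = $update })
}
foreach ($u in $users) {
    # topleveldomain: a UPN suffix the tenant has not verified (.local is the usual one) cannot be a cloud sign-in name
    if ($u.UserPrincipalName) {
        $name, $suffix = $u.UserPrincipalName -split '@', 2
        if ($VerifiedDomains -notcontains "$suffix".ToLower()) {
            $fixed = "$name@$($VerifiedDomains[0])"
            Add-Issue $u 'userPrincipalName' 'topleveldomain' $u.UserPrincipalName $fixed
            if ($Apply) { Set-ADUser -Identity $u -UserPrincipalName $fixed }
        }
    }
    # proxyAddresses: SMTP addresses in an unverified domain, such as the .local secondary address an
    # on-premises recipient policy keeps generating; a primary (SMTP:) needs replacing, a secondary removing
    foreach ($addr in @($u.proxyAddresses | Where-Object { $_ -match '^smtp:' })) {
        $dom = ($addr -split '@')[-1].ToLower()
        if ($VerifiedDomains -notcontains $dom) {
            $fix = if ($addr -cmatch '^SMTP:') { '<set a verified primary>' } else { '<remove>' }
            Add-Issue $u 'proxyAddresses' 'topleveldomain' $addr $fix
        }
    }
    # character: an alias containing characters the sync rejects (simplified version of the IdFix rule)
    if ($u.mailNickname -and $u.mailNickname -match '[^A-Za-z0-9._-]') {
        Add-Issue $u 'mailNickname' 'character' $u.mailNickname ($u.mailNickname -replace '[^A-Za-z0-9._-]', '')
    }
}
# duplicate: objects sharing one mailNickname; every holder is reported and you decide who keeps it
$users | Where-Object { $_.mailNickname } | Group-Object { $_.mailNickname.ToLower() } |
    Where-Object { $_.Count -gt 1 } | ForEach-Object {
        foreach ($u in $_.Group) { Add-Issue $u 'mailNickname' 'duplicate' $u.mailNickname '<choose a unique alias>' }
    }
$issues | Sort-Object Error, DistinguishedName
```

Pipe the output to Format-Table -AutoSize for an on-screen grid or to Export-Csv to keep a record of what was changed before running with -Apply.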
Wrapping up
Once your IdFix dashboard is clean, you will have to complete the readiness wizard (click here to read chapter #1 in this series) in order to allow synchronization.
After completing the readiness wizard, or in case you already enabled synchronization, you can continue with installing the DirSync / AD Connect client (see chapter #3 of this article series: Installing AD Connect and running a first sync cycle).