The most common type of DirSync errors generated by the organization in Part 1 were objects with duplicate values. Using some of the error messages sent in the Directory Synchronization error report email, I will examine why these errors occurred and how we fixed them.

Duplicate Proxy Addresses

There was an EHernandez in East.Contoso.com and West.Contoso.com. Each domain has separate email address policies, all based on alias, that were updated with the tenant routing address of %[email protected] during the hybrid configuration. Normally, Exchange and AD will not allow duplicate SMTP addresses. One user will be [email protected] and the other will be [email protected]. However, this organization is geographically distributed and normal AD replication lag allows 2 accounts to be created with the same email address before the updates are replicated across the forest.

Resolution:

1. Remove [email protected] from [email protected]
2. Re-apply email address policy to user
3. A new tenant routing address of [email protected] is applied to the account
4. Dirsync will update the objects at the next synchronization cycle
5. For accounts that are common across all domains, like Helpdesk, you will have to repeat this process for each account. You will have to wait for or force AD replication before updating the next account or it will try to use [email protected] and generate a new error.

Duplicate User Principal Names

User accounts in each domain had their User Principal Name changed to match their Primary SMTP address. This was done just before migration of that domain to Office 365, so there was a transition phase where some domains were changed and others were not. In this case we had MSmith accounts in West.Contoso.com and South.Contoso.com. These UPN suffixes were not defined as accepted domains in Office 365 so both MSmith accounts were assigned the default domain of @contoso.onmicrosoft.com when the accounts were synchronized by Dirsync from the on-premise environment.

Resolution:

1. Change one or both MSmith account UPNs to match their primary SMTP address
2. Dirsync will update the objects at the next synchronization cycle

Duplicate On-Premise and Office 365 Accounts

This issue was a conflict between two synchronized users and a user created in Office 365.

David Banner was created directly in Office 365 even though a David Banner existed on-prem and would be synchronized. David, however, had not had his UPN changed to his email address so Office 365 was trying to assign him the [email protected] UPN during directory synchronization, which conflicted with the primary email address of the cloud account. The Don and David Banner on-premise accounts both had DBanner aliases so both were also given the [email protected] proxy address.

Resolution:

1. Delete DBanner Cloud user. The user was not licensed so it had no mailbox.
2. On-premise DBanner user will sync later and update the cloud Global Address List
3. Change UPN of the on-premise DBanner to match his email address
4. Remove tenant routing address and reapply Email Address Policy to update routing address as [email protected]
5. Dirsync will update the objects at the next synchronization cycle

User Principal Name and Email Address Conflict

Both SMTP Addresses and UPN must be unique. This domain had a policy where a departed employee’s email address would be given to their replacement or supervisor as an extra proxy address. The departed users were already migrated to Office 365 so their UPNs had been changed to match their email address. In this case, the UPN of one account was conflicting with an SMTP address of another account.

Resolution:

1. OldGuy had his primary SMTP address changed to [email protected]
2. Change OldGuy’s UPN to match his new GONE email address
3. Dirsync will update the objects at the next synchronization cycle

In Part 3, I will examine the next class of DirSync errors, Invalid User Principal Names.