While leading a migration to Office 365 at a large national client I had to resolve hundreds of directory synchronization errors. Almost all of these errors resulted from a few common issues repeated across a complex environment. In this series of posts I will break down the issues as identified in the Directory Synchronization Error Report email and the common root causes.

Our example environment is a single-forest, multiple-domain Active Directory deployment. The complexities of a geographically dispersed environment with multiple child domains led to some of these issues, so I will use this design as a reference:

The domain has a decentralized administrative model with the child domains being nearly autonomous. The Office 365 hybrid deployment infrastructure was deployed at the primary datacenter in the Contoso headquarters and root domain.

Each domain has its own email address policy and primary SMTP suffix. The Midwest.Contoso.com child domain has two primary SMTP suffixes, ContosoMW.com and ContosoOhio.com, because Ohio is not really part of the Midwest. The following email domains are validated in Office 365:

  • Contoso.com
  • ContosoEast.com
  • ContosoMW.com
  • ContosoOhio.com
  • ContosoSouth.com
  • ContosoWest.com

The tenant address of Contoso.OnMicrosoft.com is also configured as the Default domain on the company information page in the Office 365 tenant.

None of the child AD domains, such as South.Contoso.com, are defined as accepted domains in the Office 365 tenant.

The AD Domains are fully routed, although there is the standard replication delay across sites that affects the propagation of settings and account changes.

Each domain had the AD account User Principal Name changed to match the Primary SMTP Address prior to migration. This single configuration change resolved hundreds of the Directory Synchronization errors.

  • Accounts with invalid UPNs, such as spaces or invalid characters in the name, were resolved when the UPN was replaced by a properly formatted email address.
  • Accounts missing UPNs or UPN suffixes – typically a result of automated account provisioning systems or accounts generated by scripts – were corrected with their valid email address.
  • Accounts that get synchronized with duplicate UPNs were fixed when they were configured with their unique SMTP address.
  • Changing the UPN to match the email address did cause errors later in the project when an email address was reassigned to another user.
  • My process for updating the UPN only changes the accounts that have email addresses. Regular user accounts or service accounts are not updated and could still have invalid UPNs.
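The following is an added example of the UPN-alignment pass described above, not the author's own script. It uses the RSAT ActiveDirectory module to take each mail-enabled user in one child domain, derive the primary SMTP address from proxyAddresses (the entry with the upper-case SMTP: prefix), check that its suffix is one of the verified Office 365 domains listed above, refuse to create a duplicate UPN elsewhere in the forest, and otherwise set the UPN to the address. The domain names and verified-domain list come from the post; the function and variable names are assumptions.

```powershell
# Added example, not the author's script. Assumes the RSAT ActiveDirectory module
# and rights to write userPrincipalName in the target child domain.
Import-Module ActiveDirectory

# Verified Office 365 domains from the post. A UPN suffix outside this list
# (or the tenant's onmicrosoft.com address) will not synchronize cleanly.
$VerifiedDomains = @('contoso.com', 'contosoeast.com', 'contosomw.com',
                     'contosoohio.com', 'contososouth.com', 'contosowest.com')

function Get-PrimarySmtp {
    param([string[]]$ProxyAddresses)
    # The primary address is the one tagged with an upper-case "SMTP:" prefix;
    # -clike keeps the comparison case-sensitive so "smtp:" aliases are ignored.
    $primary = $ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1
    if ($primary) { return $primary.Substring(5) }
    return $null
}

function Sync-UpnToPrimarySmtp {
    param(
        [Parameter(Mandatory)][string]$Domain,   # child domain, e.g. South.Contoso.com
        [string]$GlobalCatalog = 'Contoso.com:3268',  # forest-wide duplicate check
        [switch]$WhatIf
    )
    # Only accounts that carry a primary SMTP address are touched; plain user
    # and service accounts without mail are left alone, as in the post.
    $users = Get-ADUser -Server $Domain -LDAPFilter '(proxyAddresses=SMTP:*)' `
                        -Properties proxyAddresses, userPrincipalName
    foreach ($u in $users) {
        $smtp = Get-PrimarySmtp $u.proxyAddresses
        if (-not $smtp) { Write-Warning "$($u.SamAccountName): no primary SMTP, skipped"; continue }
        $suffix = $smtp.Split('@')[-1].ToLower()
        if ($suffix -notin $VerifiedDomains) {
            Write-Warning "$($u.SamAccountName): '$suffix' is not a verified tenant domain, skipped"
            continue
        }
        if ($u.UserPrincipalName -eq $smtp) { continue }   # already aligned
        # Querying the global catalog catches the same UPN held by an account in another child domain.
        $clash = Get-ADUser -Server $GlobalCatalog -LDAPFilter "(userPrincipalName=$smtp)" |
                 Where-Object { $_.DistinguishedName -ne $u.DistinguishedName }
        if ($clash) {
            Write-Warning "$($u.SamAccountName): UPN $smtp already used by $($clash.SamAccountName), skipped"
            continue
        }
        Write-Output "$($u.SamAccountName): $($u.UserPrincipalName) -> $smtp"
        Set-ADUser -Identity $u -Server $Domain -UserPrincipalName $smtp -WhatIf:$WhatIf
    }
}

# Dry run first; drop -WhatIf once the reported changes look right.
Sync-UpnToPrimarySmtp -Domain 'South.Contoso.com' -WhatIf
```

Set-ADUser will write a UPN whose suffix is not yet registered in the forest, so add each verified domain to the forest UPN suffix list (Get-ADForest shows the current UPNSuffixes) before running it without -WhatIf.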

This example environment will be used in upcoming posts to help understand why certain DirSync errors occur. Some of these errors will only occur in a distributed, multiple-domain environment. In Part 2 I will cover the most common errors we experienced, which were caused by duplicate account properties.