As I help companies connect their on-premises Active Directory Domain Services (AD DS) to Azure AD in order to use Microsoft services like Office 365, I’ve found that a critical step is often overlooked. Skipping this step can potentially set your deployment back by weeks! Fortunately, Microsoft has provided a tool to help speed your way through this perquisite to a hybrid identity strategy.
Don’t forget the data
What is this critical step? You can summarize it as “Azure AD and Office 365 is ready for your company. But is your company ready for Azure AD and Office 365?” I’m talking about the shape your directory data is in.
When an Office 365 project comes along it falls to them to set up the plumbing: AD Connect to synchronize identities between AD DS and Azure AD and perhaps AD FS or another federation service to provide single sign on. This is the identity service; it’s not the identity data. Most AD DS administrators are focused on keeping the service itself healthy. They either don’t dwell on the quality of the data, or it’s explicitly not part of their job.
An important point that often gets missed in these projects is that directory data must meet certain standards, or the data that is synced to Azure AD will cause problems in Office 365 – if it makes it up there at all. If you don’t tackle the “clean data” issue early on, it can potentially derail your deployment as it can be a complicated project. Even though they may have the rights, the AD DS admin may not have authority to clean up the data. Further, AD DS may have its attributes sourced from other identity systems so the data must be cleaned up in other places.
But the first step in this process is determining what state your data is in. This is where the Microsoft IdFix tool comes in.
Introducing the IdFix tool
IdFix was created to help you quickly look at your directory data and highlight issues that will give you heartburn during an AD Connect deployment or in Office 365 later.
IdFix analyzes your directory data for a number of common issues, such as
- Illegal characters such as leading or trailing spaces
- Duplicate entries
- Invalid formatting (if the attribute has requirements, such as SMTP addresses)
- Non-routable domain names (e.g. contoso.local)
- Length errors
Figure 1 shows a example IdFix run. In its simplest form, you run a query against your Active Directory domain by selecting the Query menu item. IdFix returns a list of error that it finds. There are three possible actions you can take against an error: COMPLETE, EDIT, or REMOVE. COMPLETE means the suggested update that IdFix recommends is accurate, and you will let it execute this change. In this example, IdFix recommends removing the leading space from User3’s mail attribute.
The EDIT action allows you to make direct edits to the data to fix the error (in this example, fixing User2’s non-routable UPN suffix). Finally, REMOVE will delete the data from the directory (if IdFix detects duplicate data, for example). Choosing the Apply menu item will then write the updates to the directory, and write all transactions to a transaction log.
To run IdFix, the computer it’s running on (it doesn’t have to be a server) must be joined to the domain that will be synchronized with AD Connect. It needs to have at least 2 GB of free disk space; it also must have .NET 4.0 or greater installed (available in Programs and Features > Turn Windows Features On and Off).
IdFix has options to accommodate many different directory configurations, query scopes, directory types (it supports LDAP), multiple forests, etc. You can export the list of errors and recommended actions to review with a team offline; however, the tool is designed to fix the errors from the interface. Fixes can be done from an import file, but the IdFix developer has found that this actually introduces a greater chance of error than from the UI.
Somewhat unnervingly, IdFix requires write access to your directory even though it makes no changes until you specifically choose an action for an error. (You can also undo all changes made by this tool.) This write requirement is understandable when you’re prepared to make changes, but I’d prefer it to default to read-only mode. If this tool defaulted to a read-only mode, AD administrators would run it without hesitation so they could quickly evaluate how clean their data is. Defaulting to write mode means that a cautious AD administrator will want to try it out in their lab environment first – and given the short attention span of busy IT people today, in many cases the tool will simply not get run.
What it doesn’t do
IdFix isn’t a miracle cure. It can’t fix everything; it merely points out errors and makes best guesses based on data standards, what AD Connect and Azure AD will accept, and related data in your directory. It’s up to you to review the errors and make the final decisions.
If your AD DS isn’t authoritative for all of its attributes – in other words, it gets some of its data from other sources – IdFix will be of limited help. For example, it can’t reach upstream to your HR database to correct phone number formatting errors that are fed downstream into your AD. It will, however, point out errors that may have escaped notice so you can bring attention to them and get them fixed by the data owners.
It’s essential that you have clean directory data before you attempt to extend your on-premises identity store into Azure AD. IdFix is designed to make this very tedious but very important first step towards Azure Active Directory much, much easier.
You can download IdFix from the Microsoft Download Center.