Microsoft has introduced an impressive array of technologies and an awesome vision on Hybrid Identity:
Their vision entails seamless access to corporate resources, services and applications for people, no matter where these resources, services and apps are located (either on-premises or in the cloud) while in the mean time allowing for strong authentication and granular authorization.
While Microsofts Azure Active Directory Hybrid Identity Design Considerations document details a lot of pitfalls you might want to avoid while implementing Microsofts Hybrid Identity technologies in the areas of process and architecture, my projects, on the other hand, have shown technical customer configurations beyond belief.
In this series I’ll detail these configurations, how they ruin Hybrid Identity dreams and, of course, how to fix them.
So let’s start with the most obvious tool you should perform when implementing Hybrid Identity:
The IdFix DirSync Error Remediation Tool
While its name refers to the long gone DirSync era for synchronizing objects and attributes between on-premises Windows Server Active Directory Domain Services environments and Azure Active Directory, the IdFix DirSync Error Remediation Tool, or IdFix for short, should be one of the first tools to use in your Hybrid Identity implementation process.
No matter what synchronization tool you use, whether it’s DirSync, Azure AD Connect, Forefront Identity Manager, Microsoft Identity Manager, Novell IdM or any other 3rd party to synchronize objects and/or attributes between on-premises Windows Server Active Directory Domain Services environments and Azure Active Directory, run the IdFix DirSync Error Remediation Tool.
IdFix is used to perform discovery and remediation of identity objects and their attributes in an on-premises Active Directory Domain Services environment in preparation for implementing Hybrid Identity and migration to Office 365. IdFix is intended for the Active Directory administrators responsible for the synchronization between on-premises Windows Server Active Directory Domain Services environments and Azure Active Directory.
Using the IdFix DirSync Error Remediation Tool
The IdFix DirSync Error Remediation Tool can be downloaded here.
I recommend using the latest release of IdFix for any environment, since people like Bill Ashcraft update the tool with new features every now and then.
The download contains IdFix.exe and Office 365 IdFix Guide version 1.09.docx.
After extraction, you can run IdFix.exe directly on any domain-joined Windows installation, running at least Windows 7 or Windows Server 2008 R2 and equipped with .NET Framework 4.0 or up.
When run in the context of an Active Directory account with at least read rights in the Active Directory domain you’re inspecting, It will crawl through the Active Directory domain of your choice (when there is more than one Active Directory domain in the Active Directory Forest) when you use Query from the top ribbon.
Note:
IdFix comes with default exclusions that already influence the Query scope.
Errors
As you can see in the screenshot above, the IdFix DirSync Error Remediation Tool reports on the following errors per object and per attribute:
Character
This error is displayed when one or more of the attributes checked contain one or more values that are invalid. An example of this kind of error would be a space in the UserPrincipleName attribute for a user or a group object. Left unadressed, these kinds of values would result in an error “Invalid user name” as described in KB2439357. For your convenience, the error is always combined with the part of the value that is invalid (domainpart, localpart, topleveldomain).
Format
This error is displayed when the mail attribute of an object is blank and the UserPrincipleName is non-publicly routable. The error is also displayed when the SMTP addresses don’t comply with RFC 2822 or when the mailNickName attribute starts or ends with a period. This error, too, is always combined with the part of the value that is invalid (domainpart, localpart, topleveldomain).
TopLevelDomain
If the top level domain is not internet routable then this will be identified as an error. For example, an SMTP address ending in .local is not internet-routable and would cause this error.
DomainPart
This error applies to values subject to rfc2822 formatting. If the domain portion of the value is invalid beyond the top level domain routing error above this will be generated.
LocalPart
This, too, applies to values subject to rfc2822 formatting. If the local portion of the value is invalid this will be generated.
Length
This error is displayed when one or more of the attributes checked contain one or more values that are too long. This is most commonly encountered when the schema has been altered.
Duplicate
This error is displayed when one or more of the attributes checked contain one or more values has a duplicate within the scope of the query. All duplicate values will be displayed as errors.
Blank
This error is displayed when one or more of the attributes checked contain one or more values that violate the null restriction for these attributes. Only a few values must contain a value.
MailMatch
This error applies to Dedicated only. This error is displayed when one or more of the attributes checked contain a value that does not match the mail attribute. The suggested Update will be the mail attribute value prefixed by “SMTP:”.
Updates and Actions
The IdFix DirSync Error Remediation Tool is quite a remarkable tool, that for every object queried with errors, shows a best-effort action to remediate the solution.
For instance, for objects with Character errors, the Update column in IdFix would show an attribute with the invalid character removed. For objects with Length errors, the Update column in IdFix would have a truncated value for the invalid attribute. Duplicate attributes can be chosen to be edited or removed in the Action column and for Blank errors, you’d find a value that is generated based on other attributes that might be of your liking in the Update column.
By default, all Actions for objects are empty. Only when you select an Action for an object, press Apply in the upper ribbon, and run IdFix with an account that has privileges to make the changes, will any changes be made.
Export
I use the Export function in IdFix extensively. While the DistinguishedName column requires some attention when converting the .csv data to columns in Excel, it is my favorite part of IdFix.
Using these export files in Microsoft Excel, allows me to quickly and precisely assess the work (and thus time) needed to remediate the Active Directory Domain Services environment from this tool:
Concluding
I use the IdFix DirSync Error Remediation Tool as a first step in each and every Hybrid Identity implementation.
Generally, using the Exported file, I’m able to write a concise first advice to my customer on the changes required for a successful implementation of Hybrid Identity in a way that both project managers and systems administrators appreciate.
I’m also performing other checks, but more on that in the second part of this series. 
Related blogposts
Exporting from the IdFix Eror Remediation Tool like a pro
Ten things you should know about Azure AD Connect and Azure AD Sync
Further reading
Install and run the Office 365 IdFix tool
Prepare directory attributes for synchronization with Office 365 by using the IdFix tool
Office 365 – IdFix DirSync Error Remediation Tool
Office 365 – Clean up your AD with IdFix before Migrating
IdFix DirSync Error Remediation Tool v1.08
IdFix – discovery and remediation of Active Directory objects
I am preparing our AD for directory synchronization using Azure AD Connect. I am using idfix to check for errors, which I have corrected. However, we have four customer contacts in our directory that have *.team email addresses. This is a valid domain but idfix throws an error. Am I safe to ignore this and will Azure AD Connect handle it. Thanks in advance.
Hi Andy,
If you can verify the DNS domain name as a custom domain name in Azure AD, than it'll work.