Azure AD Connect: Error 8344 Permission Issue Insufficient Access Rights to Perform the Operation

If your sync service completed with error and the error code is shown below;

Error 8344: Permission Issue Insufficient Access Rights to Perform the Operation

It means that the service account that you used to add the domain during the wizard setup does not have the correct/necessary permissions.

In the wizard, is this part

Capture

Capture

Note:

Please do take note that this is only for Password Synchronization and Password Writeback, for further extend permission please review the references below.

Step by step;

  1. Provide the necessary permission to the service account
    • Add the service account into the Administrators Group (Built-in OU)
    • At the forest level > Properties > Security > Add > service account
      • Next, select the service account, scroll to the permission and check “Replicate Directory Changes All” and “Replicate Directory Change
      • Due to password writeback will be turn on too, another permission you have to give to this service account is the “Change Password” and “Reset Password” under the Advanced
        • Select the service account > Advanced > Select Add > Select Principal > Service account > Descendent User Objects > Check the box for “Change Password” and “Reset Password”
    • Save your changes
    • Refresh
  2. Head to your AADC server and rerun the synchronization
  3. Check the Sync status whether it is completed without error
  4. The End

 

References:

  1. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions
  2. https://mstechtalk.com/step-by-step-azure-ad-sync-installation-guide-part-1/

 

Appendix:

  1. ADUC – Active Directory Users and Computers
  2. ADS – Active Directory Sync
  3. OU – Organization Unit
  4. AADC – Azure Active Directory Connect

OneDrive and Active Directory: Error Code 0x8004de40

First time experience such error and behaviour, so the situation is that this user has problem getting her OneDrive to work on her desktop, it was her first time setting it up and she receive the above error code after she sign in and authenticate her account.

Capture

Well from Azure AD, it will shows that her login activity for OneDrive is successful, but Azure AD doesn’t shows that her setup was failed. At first I suspect it could be network issue, tested another account it went through the setup successfully. Hence, running PowerShell (Msol), to query the user account information and perform comparison and everything was showing in good condition.

Another thing is that she can successfully use the web based on SharePoint Online and OneDrive online.

As I went through to the Exchange Admin center and notice her email addresses missing a type, that is the SPO. This type of email address is generated once the user is assigned with the Office 365 license with Sharepoint Online and OneDrive online features.

The only resolution to this is to recreate the account. 

  1. Backup mailboxes to PST and files to a local drive or external drive
    • There are many ways to backup
  2. Unassign the user license
  3. Go to Active Directory and disable the account and move it to a unsync Organization Unit
  4. Go to Azure AD Connect Server and perform the sync
  5. Go to Office 365 make sure that the account has been move to deleted users, well you could use PowerShell to query -ReturnDeletedUsers.
    • Get-MsolUser -UserPrincipalName <username>@domain.com.my -ReturnDeletedUsers
    • Once it is found, then run the remove command, you can use GUI to remove them at the Azure portal “portal.azure.com”
      • Get-MsolUser -UserPrincipalName <username>@domain.com.my -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin -Force
  6. Go back to your Active Directory and recreate the user account, and make sure it is in the sync OU
  7. Run another sync at your Azure AD Connect Server
  8. Go to Office 365 > Active Users > Search for the user and assign the license

 

There are few reasons why this happen, for my case was the old Azure AD Connect server died or corrupted and had to re-provision a new one. Users are some still on Exchange on-premise and some are in cloud, due to budget. Sometime things happen.

Anyway, hope this helps! 

 

Azure Active Directory: Troubleshoot Immutable ID Matching Error “AttributeMustBeUnique”.

Nowadays there are becoming lots of tools to convert objectGUID to immutable ID. However, one of my friend was facing a problem “AttributeMustBeUnique” in the Azure AD Connect (AADC). Mostly the articles that talk about this error “AttributeMustBeUnique“, is asking people to look at the “Deleted User” or Query the duplicate account from Recycle Bin.

For this case, is slight different.

To understand what is he facing,

  1. A user account was created at cloud first.
  2. A user account status is “in cloud” in Office 365 > Active Users
  3. There is no duplicated account in the Recycle Bin
  4. My friend he empty the Immutable ID and replace it with a new Immutable ID that is covert from objectGUID, to match the account in cloud with its account in on-premise
  5. He used a tool to convert the objectGUID to Immutable ID.
  6. Replace the empty Immutable ID with the converted ones and run a full sync from AADC server. However, he was still getting the error.

After checking upon it was the objectGUID that he copied wrongly. Thus, converted the Immutable ID value wasn’t matching the ones that Azure AD detected.

Azure AD Sync error detection able to detect, identify and provide the suppose correct value of Source Anchor (Immutable ID). Every deployment of Azure AD Connect will match the account via source anchor.

04

What is source anchor? In layman term is the Unique ID from cloud.

References:

  1. http://guid-convert.appspot.com/
  2. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts

Identify Azure Active Directory Connect in the Environment (Sync Service)

Ever encounter in an environment where IT does not have visibility of the previous IT actions? Frustrating and irritating right? They were unsure whether is sync service running or not or exist or not.

At first, you will go to portal.office.com to find the DirSync Status, but this is where the funny part, there is a DirSync Management and it has resulted or hint that this Office 365 had Synchronization Service. As you can see below, there is no service account and no last directory sync.

aadc01

Next, I went into their Domain controller > Active Directory Users and Computers > Users OU. I was able to locate 2 Synchronize’s Service accounts, that are not disabled. To locate their location (server), double click on the account to launch the properties. At the description attribute or value, you can identify the location (server name).

  • 1 Service account with no indication of this sync service’s server location in the Description Information
    • Able to locate it, it was inside a Window Server 2008 R2
  • 1 Service account with an indication of its location (inside one of the Domain controller, Windows Server 2012 R2)

I access both of these servers, able to capture

  • Sync tool exist
  • Sync service is running (inside the services.msc)
  • No Operation of sync
  • No connectors in the sync service to be found
  • Windows Server 2008 R2 running Microsoft Online Services Directory Synchronize Service version 2013 year
  • Window Server 2012 R2 running Windows Azure Active Directory Service tool version 2014 year

New version Sync tool naming is “Azure Active Directory Sync Service”.

Another round to proof your findings is to run the PowerShell command to get all attributes of the user list in Active Directory on-premises and Azure Active Directory user list. (If you prefer to filter only a few attributes, then it is up to you.)

For Active Directory

#Run this command in domain controller's windows PowerShell

Get-ADUser -Properties * -Filter * | Export-Csv "filename.csv"

Get one of the oldest (before the year of 2013) and an active employee’s objectGUID.

For Azure Active Directory

Requirements:

  1. .NET Framework installed (latest)
  2. Microsoft  Azure Active Directory Module or PowerShell
  3. Windows PowerShell
#Connect to Azure AD service

Connect-MsolService

#Key in your Global admin credential

#Run this get command to get all user list with its attribute

Get-MsolUser | Export-Csv "filename.csv"

Next, you find the same oldest employee’s immutable id value, if there is value means this environment had sync service running before. You could compare the value that is valid and convert the objectGUID to an immutable ID or the other way around, using this converter.

After locating all this, now you can plan your clean up and recommendations. This may take a longer process, due to you need matching and creation.

 

 

How to know what Azure AD Connect version I’m running?

Control Panel

Just open up the Control Panel > Uninstall Programs and features > Programs and features > Find Microsoft Azure AD Connect. From there you could identify the version.

aadc.png
Control Panel

Locate Azure AD Connect file

You could locate the Azure AD Connect Synchronize file and right click properties to locate the version. (Please refer to reference for further explanation)

Example below;

 

AADConnectVersion
File Location

 

Help Panel

You could even open up your Azure AD Connect Synchronize services Manager console and click on the help button on the taskbar.

 

helppanel.PNG
Help Panel

 

 

References:

  1. http://www.johnliew.net/2016/03/determine-azure-ad-connect-installation.html

In-Place Upgrade: Azure AD Connect stuck at upgrading

inplaceupgrade

*If you have an environment where Java is a common problem then make sure they are enable

*If you have an environment where IE Security Configuration is always on then make sure they are off

*If you are stuck at “Connect to AD” section and where your sign in got block by IE Security then this blog is for you.

If you’re doing an in-place upgrade then there are few requirements that you may need to take precaution before rolling out.

These are the few precautions;

  1. Make sure your IE > Internet option > Security tab > Custom level > Scroll down >  Java applet is turn on and restart your IE
  2. Make sure that your IE Security Configuration from Server Manager is turn off.

server_manager.jpg

If you have run the Azure AD Connect installer and you face the stuck issue then you have to cancel the upgrade progress. Go and check the precaution requirements are met first then try to repair your Azure AD Connect upgrade using the installer.

Error may pop-up when you cancel your half way of your upgrade progress. Rerun the Azure AD Connect installer and select repair will finish up where you last left.

*Note

Impact:

  1. Synchronization is stopped while you are upgrading or repairing
  2. New User creation will not get sync immediately while you are upgrading or repairing
  3. If you have larger amount of users and devices (example 2000 and above) then you will have longer upgrading time. Estimated 10 to 15 minutes

 

References:

  1. https://www.microsoft.com/en-us/download/details.aspx?id=47594
  2. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-upgrade-previous-version

 

 

Office 365: How to handle resign user mailbox with litigation hold enabled?

Litigation hold is a feature that allows you to keep your mailbox with specific period or unlimited period. However, this is only the high level definition of litigation hold. Through out my deep and many research of Microsoft articles, especially technet it only state high level of definition of litigation hold but nothing about notices.

Few weeks ago I’ve encounter one of my user reported to me, saying that they have a user account that is disable (in Active Directory)blocked sign in and unlicensed but the mailbox still in active state and able to send (etc inbox forwarding rules) and receive mails and also able to login if with full access. After few research, I found a Microsoft article (support article “https://support.office.com/en-us/article/manage-inactive-mailboxes-in-office-365-296a02bd-ebde-4022-900e-547acf38ddd7“) , about how to handle inactive mailboxes. However, it still didn’t state why it happens or how this mechanism works.

We call this as deprecated account but active mailbox. I really hope that Microsoft could do something about this as it seems to me it is pretty troublesome to go extra further step to handle this, and also hope that they could elaborate more about litigation hold pro and cons or how this mechanism works.

*Note:

Please take note if you have mailboxes with unlimited litigation hold enabled, and user account in Active Directory is disable but in a sync Organization Unit, please move them to a unsync organization unit IMMEDIATELY or else it will full up the mailbox storage. 

To check whether which Organization unit is unsync;

  1. Just go to your Azure Active Directory Server
  2. Windows Start button
  3. open MIISCLIENT or Synchronize Services
  4. On top select “Connection”
  5. double on your local domain
  6. select Configure Directory Partition
  7. at the bottom right button
  8. select “Containers”
  9. enter Azure Active Directory credential
  10. you will able to view unchecked boxes means they are the unsync organization unit.

 

References:

  1. https://support.office.com/en-us/article/manage-inactive-mailboxes-in-office-365-296a02bd-ebde-4022-900e-547acf38ddd7
  2. https://technet.microsoft.com/en-us/library/ff637980(v=exchg.160).aspx#lithold
  3. https://technet.microsoft.com/library/dn743673(v=exchg.150).aspx
  4. https://technet.microsoft.com/en-us/library/dn790612.aspx

 

Office 365 & AD & Exchange Hybrid: How to create remote mailbox in Exchange Hybrid for existing user, in Active Directory and Office 365?

When you have existing user active directory record and you’ve accidentally had provision the mailbox at Office 365. Thus, result you unable to add the user into any distribution group and etc. because it doesn’t have record in Exchange Hybrid. Besides, user’s primary email address wasn’t correct, such as “xxxx@domain.onmicrosoft.com” instead of “xxxx@domain.com”.

Here are the steps to resolve your problems;

Implication: None (for me)

*Note: You have to be familiar with PowerShell. Best to try it on a test user account first.

  1. Go to Exchange Hybrid server
  2. Open Exchange Powershell Management
  3. Type the following commands;

    Enable-remotemailbox “userDisplayName” -RemoteRoutingAddress “xxxx@domain.mail.onmicrosoft.com”

  4. Go to Azure AD Server
  5. Open Windows Powershell

    Start-ADSyncSyncCycle -PolicyType Delta

  6. You will than review that particular user’s the mailbox in Office 365, has more email addresses shown in the email address category itself. And also the Primary email address has change to the right one.

 

*Note: This may take half an hour for the overall settings to be propagated at the user side. Because at the user side they will still view their primary smtp as the incorrect one, even though the modification has done.

Azure AD Connect (AADC): How to resolve Stopped-extension-dll-exception?

Usually this error will not have any effect to Office 365 Dirsync, but it is indeed annoying to see error in our Azure AD Connect Sync Client Interface. Is best to resolve this error.

There are only 4 possible causes;

  1. AADC is OUTDATED ()
    • Check for AADC version
    • If it is outdated than update it, run the sync again
    • Reference: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-upgrade-previous-version
  2. AADC’s schema crashes
    • Run the AADC application and restart the schema
    • Reference: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-installation-wizard
  3. Azure AD account Sync password is not set to “Password Never Expired”
    • *Note: By default, when you setup AADC this is already turn on
    • If you had turn this feature off,you have to update the password and enable the feature back on.
    • Run Azure PowerShell Module command
      • Connect-MsolService
      • #Set new password
        Set-MsolUserPassword
        -UserPrincipalName “XXXXXXX” -NewPassword “pa$$word
      • Set-MsolUser -UserPrincipalName "XXXXXXXXX" -PasswordNeverExpires $true
      • Restart the AADC service
      • #After restart runs finish, type this command
        Start-ADSyncSyncCycle -PolicyType Initial
  4. Server itself is having problem
    • Restart the server
  5. Permission missing
    • If you enable single sign-on, remember its minimum requirement of the permission rights for service account is domain admin
  6. DNS routing issue
    • If you notice that you are having trouble resolving “login.windows.net” this is due to your DNS settings in your DNS server/AADC server network settings
    • Most likely is DNS server settings, is configure wrongly
    • Try to run nslookup to identify the return result
    • If there is a forwarder in place, remove it.

The above causes are also the steps-by-steps investigation, and to resolve this error it is best to follow the above category and resolving them.

*Note: This error may occurs after few hours and it is best to monitor for 24 hours or 48 hours.

AD & Office 365: Soft-matching Distribution List from AD to Office 365

Want to manage your cloud Distribution List with on-premise? You could do soft-matching to get Distribution list match and synchronized back  to Office 365.

Yes, to perform this you could either manually or powershell. Manually means that you will configure using the GUI of AD. For powershell is for a large amount of Distribution List.

The 3 major attributes needed to fulfill in AD for having a successful soft-matching are;

  1. displayName
  2. mail
  3. proxyAddresses

*Note: 3 of these attributes above must have the same value with the Distribution list in Office 365.

softmatch.PNG

Next, after finishing fulfilling the values of these 3 attributes, you can go ahead to your Azure AD server (AADC) and run the sync.

  1. Open Windows Powershell or open Microsoft Azure Powershell Module
  2. Type this command
    1. Start-ADSyncSyncCycle -PolicyType Delta

      • *Note: This only sync changes
    2. Check your Azure Sync Client Interface for sync progress
  3. Once sync progress is finish, go to your Office 365 portal
  4. At the admin center > Groups > Search for your Distribution list

References:

  1. https://gallery.technet.microsoft.com/Soft-Match-Cloud-b2652fee