Insights Troubleshooting Directory Synchronization Errors Caused by Duplicate Proxy Addresses or User Principal Names in Office 365

Troubleshooting Directory Synchronization Errors Caused by Duplicate Proxy Addresses or User Principal Names in Office 365

The Office 365 Directory Synchronization tool is typically very simple to install and configure, and in most environments once it is up and running you rarely need to touch it again.  However, if there is an issue with incorrectly configured AD objects in your environment you will find yourself receiving an email every few hours when the Directory Synchronization tool runs.  Typical errors are related to objects with duplicate userPrincipalName or duplicate proxyAddresses values in Active Directory.  These objects won’t be synced because Office 365 requires that each synchronized object be unique for these two values.  The error email typically looks like this:

 1.  Duplicate User Principal Names When two objects share a UserPrincipalName Active Directory value then synchronization will fail.  Unfortunately the error report email generated by Office 365 doesn’t give any details on what two AD objects have the offending UPN, it only reports what the UPN value actually is.  So, we will have to use PowerShell to find out which objects are sharing values.  In order to use the following steps you must have a domain controller running Windows Server 2008 R2 or Windows Server 2012.  Log into your domain controller and open PowerShell.  Enter these commands in order:

Change to whatever the duplicate UPN in your environment is.  The output will look like this: 

Obviously the UPN of the second account in the output of this example should be changed.  I will show you how to use ADSIEdit to change userPrincipalName values in step 3 below.   2.  Duplicate Proxy Addresses (Email Addresses) Finding which AD objects have duplicate Proxy Addresses is quite a bit more difficult than finding duplicate User Principal Names.  The Get-ADUser cmdlet doesn’t give us access to every AD attribute of a User, just the ones visible in the screenshot above.  The proxyAddresses value is not among those exposed in the ActiveDirectory PowerShell module.  Luckily, we can create a PowerShell script that can do the job for us using a different method:

# Find all users with email addresses.

$Searcher = [adsisearcher]”(&(objectCategory=person)(objectClass=user)(proxyAddresses=*))”

Please note that I am not the author of this script.  This script was written by Richard Mueller in the TechNet forums ( Save the script as whatever you choose; I saved mine as Get-DuplicateProxies.  Copy the script to your domain controller, open a PowerShell window, and run it.  The output will give you a list of all the AD objects in your environment that share the same proxyAddress value.

3.  Fix Duplicate AD Values The easiest way to fix duplicate values in AD is probably to use ADSIEdit.  ADSIEdit is a low level editor for Active Directory, so be EXTREMELY careful when using it.  Do not delete or change anything without being very certain about what you are doing.  Follow these steps to make changes to userPrincipalName and proxyAddresses values:

  • Open ADSIEdit.  ADSIEdit is installed on any machine with remote management tools, including all Domain Controllers
  • If you haven’t used ADSIEdit before you need to right click on ADSI Edit in the left pane and choose Connect to.

Choose Default Naming Context and click OK

Use the left pane to navigate to the OU in Active Directory where your offending User objects are.  In the middle pane right click the User object and choose properties

In the Properties window locate the value that needs to be changed.  If the proxyAddresses value is the one with a duplicate then highlight it and click Edit

Click Remove to delete the duplicate value.  You can type in a new, unique value in the Value to add box and then click the Add button

When creating proxyAddresses values be aware of using a capitalized or lowercase SMTP.  A capitalized SMTP is the primary SMTP address for a user.  There should only be one capitalized address.  All other smtp addresses should have the smtp part in lowercase letters, like smtp:whatever2@concurrency-com:

User Principal Name values are a little more simple since there can only be one UPN at a time.  Locate the userPrincipalName value for each object with matching values, click Edit, and then make sure the value is changed to be unique for each.

After making these changes your AD objects should successfully synchronize with Office 365 and you will no longer receive error emails from Windows Azure Active Directory.