May 22, 2023
Preparing for identity synchronization by using IdFix – Implementing and Managing Identity Synchronization with Azure AD

IdFix is Microsoft’s tool for detecting common issues with on-premises AD identity data. While it doesn’t fix all errors, it is able to identify and remediate data formatting errors so that objects have valid data to synchronize.
IdFix supports the following features:
• Transaction rollback
• Verbose logging
• Exporting data to the CSV and LDF formats for offline review and editing
To get started with the tool, follow these steps:

  1. Navigate to https://aka.ms/idfix.
  2. Scroll to the bottom of the page and click Next.
  3. Review the prerequisites for the tool. Scroll to the bottom of the page and click Next.
  4. Click setup.exe to download the file and start the installation.
  5. After the installation wizard starts, click Install.
  6. Acknowledge the IdFix privacy statement by clicking OK.
  7. IdFix, by default, targets the entire directory. You can select Settings (the gear icon) to change the options for IdFix. You can edit the filter to scope to certain object types. You can also select the search base to specify a starting point for IdFix to begin its query. After modifying any settings, click OK.

Figure 4.1 – The IdFix settings

  8. Click Query to connect to AD and begin the analysis.
    SCHEMA WARNING
    If you receive a schema warning, such as the one in Figure 4.2, you can click Yes to proceed or click No to return to the IdFix tool. The schema warning is generally presented when attributes are present in the AD schema but have not been marked for replication (usually because Exchange Server has not been installed or replication hasn’t completed successfully in your organization for an extended period of time). If you receive this error, you should check to ensure that you have at least run the Exchange Server setup with the /PrepareSchema and /PrepareAD switches and have validated that AD replication is working correctly.

Figure 4.2 – The IdFix schema warning
After IdFix has analyzed the environment, results are returned to the data grid, shown in Figure 4.3. The DISTINGUISHEDNAME column shows the full path to the object in question, while the ATTRIBUTE column shows the attribute or property impacted. The ERROR column shows what type of error was encountered (such as an invalid character or duplicate object value). The VALUE column shows the existing value and the UPDATE column shows any suggested value.

Figure 4.3 – The IdFix data grid
After you have investigated an object, you can choose to accept the suggested value in the UPDATE column (if one exists). You can also choose to either enter or edit a new value in the UPDATE column.
Once you’re done investigating or updating an object, you can use the dropdown in the ACTION column to mark an object:
• Selecting EDIT indicates that you want to configure the object attribute with the value in the UPDATE column
• Selecting COMPLETE indicates that you want to leave the object as is
• Selecting REMOVE instructs IdFix to clear the offending attribute
In addition, you can select Accept to accept any suggested values in the UPDATE column. Choosing this option will configure all objects with a value in the UPDATE column to EDIT, indicating that the changes are ready to be processed.
Once you have configured an action for each object, select Apply to instruct IdFix to make the changes.

  9. IdFix will process the changes. Transactions are written to a log that can be imported and used to roll back any mistakes.
  10. Once you have ensured that your on-premises directory data is ready to synchronize to Azure AD, you can deploy and configure one of the Azure AD Connect synchronization products.
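As an added example (not part of the original post and not IdFix's own code), the following Python script triages an offline export shaped like the data grid described above and applies the EDIT / COMPLETE / REMOVE and Accept semantics just described, producing both the planned changes and the rollback entries the transaction log makes possible. The column layout, error labels and sample rows are constructed assumptions; IdFix's real CSV export may differ.

```python
import csv
import io
from collections import Counter

# Constructed sample export. Column names follow the data grid described in the
# text; the real IdFix CSV layout and error labels may differ (assumption).
SAMPLE_CSV = """DISTINGUISHEDNAME,ATTRIBUTE,ERROR,VALUE,UPDATE,ACTION
"CN=Ann Lee,OU=Staff,DC=corp,DC=example",userPrincipalName,character,ann lee@corp.example,annlee@corp.example,
"CN=Bob Ray,OU=Staff,DC=corp,DC=example",proxyAddresses,duplicate,SMTP:sales@corp.example,,
"CN=Sales Box,OU=Shared,DC=corp,DC=example",proxyAddresses,duplicate,SMTP:sales@corp.example,,
"CN=Old Svc,OU=Service,DC=corp,DC=example",mail,character,svc#1@corp.example,,REMOVE
"""


def load_rows(text):
    """Parse the export into one dict per grid row."""
    return list(csv.DictReader(io.StringIO(text)))


def accept_suggestions(rows):
    """Mirror the Accept button: every unmarked row with a suggested UPDATE becomes EDIT."""
    for row in rows:
        if row["UPDATE"] and not row["ACTION"]:
            row["ACTION"] = "EDIT"
    return rows


def plan_changes(rows):
    """Translate ACTION markers into (dn, attribute, old, new) changes, a rollback
    list that restores the old value, and the DNs still awaiting a decision."""
    changes, rollback, pending = [], [], []
    for row in rows:
        dn, attr, old = row["DISTINGUISHEDNAME"], row["ATTRIBUTE"], row["VALUE"]
        action = row["ACTION"]
        if action == "EDIT":
            new = row["UPDATE"]      # write the reviewed value
        elif action == "REMOVE":
            new = ""                 # clear the offending attribute
        elif action == "COMPLETE":
            continue                 # leave the object as is
        else:
            pending.append(dn)       # no action chosen yet: needs a human decision
            continue
        changes.append((dn, attr, old, new))
        rollback.append((dn, attr, new, old))
    return changes, rollback, pending


def duplicate_values(rows):
    """Attribute values flagged as duplicates that are shared by more than one object."""
    counts = Counter((r["ATTRIBUTE"], r["VALUE"]) for r in rows if r["ERROR"] == "duplicate")
    return {key for key, n in counts.items() if n > 1}
```

Duplicate values cannot be resolved by a suggested UPDATE alone, because an administrator has to decide which object keeps the address; that is why those rows stay in the pending list until marked.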