DirSync in one of my O365 test labs started to complain that there were some issues with objects syncing to Windows Azure Active Directory (WAAD). EventID 0 was being logged in the application event log, and stated: "The Management Agent 'Active Directory Connector' reported errors on execution".
This is an Exchange 2010 SP3 RU 7 based hybrid solution. Exchange 2013 is not present. DirSync is build 6765. The installed components on the DirSync server are shown below:
Opening the MIISClient.exe application from "C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell" showed that there were errors reported from the Active Directory Connector when it was performing an export. As we can see in the below screenshot the object with the issue was Userfirstname.lastname@example.org. This is a hybrid configuration where the user object exists in AD, and the mailbox was moved to Office 365.
The reported error is "cd-error".
Clicking on the error in the bottom right pane showed some additional information. This has failed 228 times, with the data source error of "The parameter is incorrect". So something is going wrong when we try to update this user object.
Since it is the export portion of the workflow that is reporting the error, let's look at the "Export In Progress" tab. To make it easier to see what is happening, I have clicked onto the changes button to sort the column. This is highlighted in the red box. We can now see that we are trying to add the msExchUserHold attribute to the on-premises user object.
In the above error, we can see that DirSync is trying to write an attribute to the on-premises user object. This is part of the write-back attributes that are listed on the TechNet Wiki.
|msExchArchiveStatus||Online Archive: Enables customers to archive mail.|
|msExchUCVoiceMailSettings||Enable Unified Messaging (UM) – Online voice mail: This new attribute is used only for UM-Microsoft Lync Server 2010 integration to indicate to Lync Server 2010 on-premises that the user has voice mail in online services.|
|msExchUserHoldPolicies||Litigation Hold: Enables cloud services to determine which users are under Litigation Hold.|
|ProxyAddresses||(LegacyExchangeDN <online LegacyDn> as X500) Enable Mailbox: Offboards an online mailbox back to on-premises Exchange.|
|PublicDelegates||Cross-premises Public Delegation: Enables users to specify delegates for their mailbox.|
|Filtering: Writes back on-premises filtering and online safe and blocked sender data from clients.|
The msExchUserHoldPolicies attribute was not present in Exchange 2010 or Wave 14 of Office 365; it was added with Exchange 2013.
If we look at how DirSync maps the Office 365 object attributes to the AD object, we can see how the attributes flow. The below screenshot is again from the Active Directory Connector. Note that we are looking at the "Configure Attribute Flow" portion, and the red box at the top highlights the 7 write-back attributes. The focus is placed on the msExchUserHoldPolicies attribute.
Looking at an Exchange 2010 mailbox in an Exchange 2010 organisation, we can use the attributes editor tab in recent versions of DSA.msc to see the attributes. If the attributes editor tab is missing, then select advanced features on the view menu.
The user object on the left (user-1) is the user object we were looking at above. Note that there is no msExchUserHoldPolicies attribute. The user on the right (2010-2) is an Exchange 2010 mailbox which exists in an organisation that has also deployed Exchange 2013. Thus the AD schema was extended for Exchange 2013, and the msExchUserHoldPolicies attribute was added to the schema.
Upgrading the schema so that the Exchange 2013 attributes are present would make this go away, but do I really have to do that if there are no immediate plans to deploy Exchange 2013?
Note that way back at the start I mentioned that DirSync 6765 was installed. TechNet wiki lists the different DirSync builds, and we can see that this is an outdated version. There are currently 4 newer builds available since 6765 was released on the 18th of April 2014. 7020 was released on the 31st July 2014.
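The same schema comparison can be done from PowerShell instead of the DSA.msc attribute editor. This is an added example, not part of the original post; it assumes PowerShell 3.0 or later, the ActiveDirectory module (RSAT) and read access to the schema partition, and it checks only the write-back attribute names that appear in the table above.

```powershell
# Added example: report which write-back attributes exist in this forest's AD schema.
Import-Module ActiveDirectory

# Attribute names taken from the write-back table on this page.
$writeBack = 'msExchArchiveStatus', 'msExchUCVoiceMailSettings',
             'msExchUserHoldPolicies', 'proxyAddresses', 'publicDelegates'

# The schema naming context holds one attributeSchema object per attribute.
$schemaNC = (Get-ADRootDSE).schemaNamingContext

$report = foreach ($name in $writeBack) {
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
        -Properties whenCreated
    [pscustomobject]@{
        Attribute   = $name
        InSchema    = [bool]$attr
        WhenCreated = if ($attr) { $attr.whenCreated } else { $null }
    }
}
$report | Format-Table -AutoSize

# The Exchange schema level is stored in rangeUpper of this schema object.
$ver = Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,$schemaNC" -Properties rangeUpper
"Exchange schema rangeUpper: $($ver.rangeUpper)"

# Any attribute DirSync tries to write back that is absent from the schema
# cannot be exported to the on-premises object.
$missing = $report | Where-Object { -not $_.InSchema }
if ($missing) {
    Write-Warning ("Not in schema: " + (($missing | ForEach-Object { $_.Attribute }) -join ', '))
}
```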
Once DirSync has been updated, let's see what happens…
DirSync Updated To Build 7020
After running a Full Sync
We note that User-1 has been updated.
The Attribute flow is shown here:
Not listed as a prereq to Hybrid Deployment – http://technet.microsoft.com/en-us/library/hh534377(v=exchg.150).aspx
The following article lists the issues that you might encounter if you disable RichCoexistence: http://support.microsoft.com/kb/2406830
The updated build now reviews the version of Exchange and the tenant to make the appropriate rules as shown below: