Friday, December 30, 2016

Dirsync export job in Synchronization Service Manager displays “InvalidSoftMatch” in the Export Errors

Problem

You’ve noticed that a newly created user account in your on premise Active Directory is not showing up in your Office 365 Admin center so you review the Operations menu in the Synchronization Service Manager and notice that the export job displays the error InvalidSoftMatch in the Export Errors window pane:

image

Opening the InvalidSoftMatch entry brings up the following Connector Space Object Properties Pending Export tab with information confirming that this is the missing user account:

image

Continuing to click on the Export Error tab displays the following information with a Detail button:

image

Clicking on the Detail button will display the following Error Information:

Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses SMTP:crussell@Contoso.com,smtp:crussell@ContosoReAG.mail.onmicrosoft.com,Mail crussell@Contoso.com;].  Correct or remove the duplicate values in your local directory.  Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.

Tracking Id: 466344fe-a7c5-403e-8b0a-8621752ac178

image

You attempt to use the following PowerShell cmdlets via the WAAD (Windows Azure Active Directory) console to determine whether there is another account with the same smtp address:

Connect-MsolService

Get-MsolUser -all | Select DisplayName,ProxyAddresses | where-object {$_.ProxyAddresses -like "*crussell*"} | Format-Table -Wrap -Autosize

image

… but no results are returned.

Going through the steps outlined the in the KB:

Duplicate or invalid attributes prevent directory synchronization in Office 365
https://support.microsoft.com/en-us/kb/2647098

… and using the IdFix DirSync Error Remediation Tool (https://www.microsoft.com/en-ca/download/details.aspx?id=36832) does not list any references to the problematic account.

Solution

After trying all of the above without having any luck, I reread the contents in the following KB:

Duplicate or invalid attributes prevent directory synchronization in Office 365
https://support.microsoft.com/en-us/kb/2647098

… and noticed this:

All alias values in Office 365 must be unique for a given organization. Even if you have multiple unique suffixes after the at sign (@) in the Simple Mail Transfer Protocol (SMTP) address, all alias values must be unique.

Knowing that the user of the user account in question also had a pre-existing contact with an external SMTP email address, I began reviewing the properties of the existing contact in the Admin center:

image

Proceeded to click on the Edit Exchange settings link:

image

Which brought me to the Office 365 Exchange console of the contact object and it immediately became obvious that the problem was caused by the Alias of the exist contact (also configured as crussell):

image

Attempting to change the Alias would fail with:

image

error

The action ‘Set-MailContact’, ‘Alias,EmailAddresses’, can’t be performed on the object ‘Craig Russell’ because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.

image

Attempting to delete the mail contact would throw the following error:

error

The action ‘Remove-MailContact’, ‘Identity’, can’t be performed on the object ‘Craig Russell’ because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.

image

Having no luck with the GUI, I proceeded to review the Remove-MsolContact cmdlet:

https://docs.microsoft.com/en-us/powershell/msonline/v1/remove-msolcontact

Used the following Get-MsolContact cmdlet to export contact objects and their respective properties.  Used the find feature to locate the Craig Russell contact’s ObjectID:

image

Then proceeded to use the Remove-MsolContact cmdlet to delete the contact from the directory:

image

With the contact deleted, re-running the export job in the Synchronization Service Manager no longer displayed the InvalidSoftMatch in the Export Errors window pane:

image

Logging back onto the Office 365 Admin center console now displayed the user object.

No comments: