- Windows doesn’t start: Recover partitions, copy files, and reset password with SystemRescue - Tue, Mar 28 2023
- ManageEngine OpManager: Comprehensive monitoring for on-prem, cloud, and containers - Thu, Mar 23 2023
- Install K3s, a lightweight, production-grade Kubernetes distro - Mon, Mar 20 2023
Synchronizing on-premises AD DS environments is accomplished using Microsoft Azure Active Directory Connect. It allows quickly onboarding on-premises AD DS objects into Azure Active Directory, so you have a common identity for accessing both cloud and on-premises directory resources.
Purpose of the IdFix utility
Over years of Active Directory use, administration, and configuration in production environments, attributes may be changed or altered in ways that may cause issues when synchronizing users to Azure Active Directory.
The Microsoft IdFix utility is designed to identify and "fix" these AD DS objects so that they can be successfully synchronized with Azure Active Directory.
Installing the Microsoft IdFix utility
You can download the Microsoft IdFix utility from the official Microsoft GitHub page. The installer is an MSI file that allows you to quickly and easily install the tool in a "next, next, finish" wizard.
Launching and running Microsoft IdFix
When you launch IdFix, you will see the IdFix Privacy Statement displayed. This dialog box states that IdFix collects and stores information from Active Directory and may extract information into a CSV or LDF file, depending on the options chosen by the administrator.
The app is very basic and simplistic in its operation. Note you will need to run it from a domain-joined workstation so it can query Active Directory, or you can import users from CSV.
IdFix utility launches and is ready to query Active Directory Domain Services
IdFix will warn about attributes that are not replicated in Active Directory, as these are not scanned for errors.
IdFix warning about nonreplicated attributes
IdFix will display the errors it finds in Active Directory. For a detailed explanation of the errors supported by the IdFix utility, see the official documentation here.
Viewing errors found by IdFix
There is a variety of options to remediate the errors, including:
- Edit—The Update field contains the value that you want to apply to the object. Admins can change the contents of the Update field.
- Complete—With duplicate items, you can use this action. You can mark the record as Complete and set the action to Remove for the duplicated object.
- Remove—Remove means you are removing the value of the field, not the object itself.
If you agree with all the changes proposed by the IdFix utility, click the Accept button. This automatically marks the Action column with the Edit directive. Then, click the Apply button to apply your changes under the Action column.
Viewing actions for correcting issues in the Active Directory environment
You will receive a warning if you click Accept to accept all changes proposed by the IdFix utility. Once you click the Accept button, you will then need to Apply the changes. You will receive another warning regarding applying the changes.
Apply pending changes warning
Undoing changes made to Active Directory with IdFix
What if you apply changes only to realize that you have mistakenly changed values incorrectly? IdFix has an Undo function. Using the IdFix Undo function, we can load the automatically saved LDF backup to roll back any changes.
Note: IdFix only keeps one level of change. If you update Active Directory using IdFix multiple times, you will have only the last rollback file to revert. Make single calculated sets of changes and test the results to ensure no undesirable outcomes.
Undo changes to Active Directory
When you click the Undo button, IdFix opens the file browser pointed to c:\windows\system32 (the default location where LDF backups are saved). Next, choose the LDF backup file, and click Open. Once the Undo file is loaded, click Accept, verify the Undo operation, and click Apply.
Accept and apply the Undo operation
Wrapping up
IdFix allows admins to resolve issues with attributes in on-premises Active Directory Domain Services before these objects are synchronized with Azure Active Directory using Azure AD Connect.
The utility is straightforward to use. The Undo feature is also great if breaking changes are introduced using the tool.
Subscribe to 4sysops newsletter!
Overall, IdFix helps make synchronizing your on-premises Active Directory with Azure Active Directory much smoother, as it helps to find issues beforehand and correct them ahead of time.
