Many organizations are migrating their on-premises email to Microsoft 365. One of the necessary steps is synchronizing your local directory with Azure Active Directory. The IdFix tool from Microsoft is meant to help correct issues before synchronizing your directory.

Synchronizing on-premises AD DS environments is accomplished using Microsoft Azure Active Directory Connect. It allows quickly onboarding on-premises AD DS objects into Azure Active Directory, so you have a common identity for accessing both cloud and on-premises directory resources.

Purpose of the IdFix utility

Over years of Active Directory use, administration, and configuration in production environments, attributes may be changed or altered in ways that may cause issues when synchronizing users to Azure Active Directory.

The Microsoft IdFix utility is designed to identify and "fix" these AD DS objects so that they can be successfully synchronized with Azure Active Directory.

Installing the Microsoft IdFix utility

You can download the Microsoft IdFix utility from the official Microsoft GitHub page. The installer is an MSI file that allows you to quickly and easily install the tool in a "next, next, finish" wizard.

Launching and running Microsoft IdFix

When you launch IdFix, you will see the IdFix Privacy Statement displayed. This dialog box states that IdFix collects and stores information from Active Directory and may extract information into a CSV or LDF file, depending on the options chosen by the administrator.

The app is very basic and simplistic in its operation. Note that you will need to run it from a domain-joined workstation so it can query Active Directory; alternatively, you can import users from a CSV file.

IdFix utility launches and is ready to query Active Directory Domain Services


IdFix will warn about attributes that are not replicated in Active Directory, as these are not scanned for errors.

IdFix warning about nonreplicated attributes


IdFix will display the errors it finds in Active Directory. For a detailed explanation of the errors supported by the IdFix utility, see the official Microsoft documentation.

Viewing errors found by IdFix


There are several options to remediate the errors, including:

  • Edit—The Update field contains the value that you want to apply to the object. Admins can change the contents of the Update field.
  • Complete—With duplicate items, you can use this action. You can mark the record as Complete and set the action to Remove for the duplicated object.
  • Remove—Remove means you are removing the value of the field, not the object itself.

If you agree with all the changes proposed by the IdFix utility, click the Accept button. This automatically marks the Action column with the Edit directive. Then, click the Apply button to apply your changes under the Action column.

Viewing actions for correcting issues in the Active Directory environment


You will receive a warning if you click Accept to accept all changes proposed by the IdFix utility. Once you click the Accept button, you will then need to Apply the changes. You will receive another warning regarding applying the changes.

Apply pending changes warning


Undoing changes made to Active Directory with IdFix

What if you apply changes only to realize that you have changed values incorrectly? IdFix has an Undo function: it loads the automatically saved LDF backup to roll back the changes.

Note: IdFix only keeps one level of change. If you update Active Directory using IdFix multiple times, you will have only the last rollback file to revert. Make single calculated sets of changes and test the results to ensure no undesirable outcomes.

Undo changes to Active Directory


When you click the Undo button, IdFix opens the file browser pointed to c:\windows\system32 (the default location where LDF backups are saved). Next, choose the LDF backup file, and click Open. Once the Undo file is loaded, click Accept, verify the Undo operation, and click Apply.
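Because IdFix keeps only the most recent LDF rollback file, it is worth copying that file to a timestamped archive before each new Apply. The following PowerShell script is an added example, not part of the article or of IdFix itself; it assumes the LDF backups live in C:\Windows\System32 with a .ldf extension (the article gives the folder; the extension is an assumption) and uses an archive folder of our choosing.

```powershell
# Added example (not from the article or IdFix): archive IdFix's LDF rollback
# file with a timestamp and a SHA-256 hash before the next Apply overwrites it.
# Assumptions: IdFix writes its LDF backups to C:\Windows\System32 (per the
# article) with a .ldf extension; the archive folder is our own choice.
param(
    [string]$IdFixBackupDir = 'C:\Windows\System32',
    [string]$ArchiveDir     = 'C:\IdFixArchive'
)

function Get-LdfChangeCount {
    # LDF files are LDIF text; each changed object begins with a "dn:" line,
    # so counting them tells you how many objects the rollback covers.
    param([string]$Path)
    @(Select-String -Path $Path -Pattern '^dn:').Count
}

function Archive-IdFixBackups {
    param([string]$Source, [string]$Destination)
    if (-not (Test-Path $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }
    $stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
    $archived = @()
    foreach ($ldf in Get-ChildItem -Path $Source -Filter '*.ldf' -File) {
        # Prefix the copy with the timestamp so successive runs never collide.
        $target = Join-Path $Destination ("{0}-{1}" -f $stamp, $ldf.Name)
        Copy-Item -Path $ldf.FullName -Destination $target
        # Record object count and hash so the archive can be verified later
        # before it is handed back to IdFix's Undo function.
        $archived += [pscustomobject]@{
            File    = $target
            Objects = Get-LdfChangeCount -Path $target
            SHA256  = (Get-FileHash -Path $target -Algorithm SHA256).Hash
        }
    }
    return $archived
}

Archive-IdFixBackups -Source $IdFixBackupDir -Destination $ArchiveDir |
    Format-Table -AutoSize
```

Run it on the domain-joined workstation after each Apply; to roll back an older change set, point the Undo file browser at the archived copy instead of the file in C:\Windows\System32.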

Accept and apply the Undo operation


Wrapping up

IdFix allows admins to resolve issues with attributes in on-premises Active Directory Domain Services before these objects are synchronized with Azure Active Directory using Azure AD Connect.

The utility is straightforward to use. The Undo feature is also great if breaking changes are introduced using the tool.


Overall, IdFix helps make synchronizing your on-premises Active Directory with Azure Active Directory much smoother, as it helps to find issues beforehand and correct them ahead of time.




© 4sysops 2006 - 2023

