Tech Hub

@ Solution Architecture Works

Implement a Hybrid Identity with Windows Server

Prepare the On-Premises Active Directory for Directory Synchronization


Before Contoso’s IT team deploys Microsoft Entra Connect, it is essential that they check the on-premises Active Directory (AD DS) and related technologies for potential issues, and that any identified problems are corrected. This is particularly important if directory synchronization is implemented as an identity service for Microsoft 365.

Pre-Deployment Checks

The pre-deployment checks should include:

  • Scanning the on-premises environment for invalid characters in AD DS object attributes, as well as incorrect user principal names (UPNs).
  • Discovering domain email addresses and counting users.
  • Identifying domain functional levels, schema extensions, and custom attributes in use.
  • Identifying proxy servers used for Microsoft Exchange or Skype for Business, if Microsoft Entra Connect is deployed as part of a Microsoft 365 deployment.
  • Identifying Microsoft SharePoint domains, if Microsoft Entra Connect is deployed as part of a Microsoft 365 deployment.
  • Assessing client readiness for single sign-on (SSO).
  • Recording the use of network ports and DNS records related to Office 365, if Microsoft Entra Connect is deployed in this context.

Key Remediation Tasks After Checks

  • Removing duplicate proxyAddress and userPrincipalName attributes.
  • Updating empty or invalid userPrincipalName attributes by replacing them with valid values.
  • Removing invalid characters from the following attributes: givenName, surname (sn), sAMAccountName, displayName, mail, proxyAddresses, mailNickname, and userPrincipalName.

UPNs used for SSO can contain letters, numbers, periods, hyphens, and underscores; no other character types are allowed.

If you are deploying Microsoft 365 and your deployment includes SSO, you must ensure that UPNs meet this requirement before deploying SSO. Domains used for SSO and directory synchronization must be routable, which means you cannot use local domain names such as Contoso.local.
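The pre-deployment checks and remediation items above can be turned into a read-only readiness scan. The following PowerShell script is an added example for this page, not Microsoft's IdFix tool or code from the original article. It assumes the ActiveDirectory RSAT module, read access to the domain, and that `contoso.com` is the routable suffix verified in the tenant (a placeholder to replace). The invalid-character check for non-UPN attributes is a deliberately conservative subset (leading or trailing whitespace and control characters); IdFix applies Microsoft's full per-attribute rules.

```powershell
# Added example (not part of the original article): read-only scan of on-premises
# AD DS for the sync-blocking issues listed above. Nothing is modified.
Import-Module ActiveDirectory

# Characters permitted in the UPN prefix for SSO: letters, digits, '.', '-', '_'
$upnPrefixPattern = '^[A-Za-z0-9._-]+$'

# Assumption: routable UPN suffixes verified in Microsoft 365 (placeholder value).
$routableSuffixes = @('contoso.com')

# Attributes the article lists as needing invalid-character cleanup.
$attributesToCheck = 'givenName','sn','sAMAccountName','displayName','mail',
                     'proxyAddresses','mailNickname','userPrincipalName'

$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties $attributesToCheck

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($User, $Issue, $Value) {
    $findings.Add([pscustomobject]@{
        DistinguishedName = $User.DistinguishedName
        Issue             = $Issue
        Value             = $Value
    })
}

foreach ($u in $users) {
    $upn = $u.userPrincipalName
    if ([string]::IsNullOrWhiteSpace($upn)) { Add-Finding $u 'EmptyUPN' ''; continue }

    $parts = $upn.Split('@')
    if ($parts.Count -ne 2) { Add-Finding $u 'MalformedUPN' $upn; continue }

    if ($parts[0] -notmatch $upnPrefixPattern) { Add-Finding $u 'InvalidUPNCharacters' $upn }

    # Non-routable suffix such as contoso.local cannot be used for SSO or sync.
    if ($routableSuffixes -notcontains $parts[1]) { Add-Finding $u 'NonRoutableUPNSuffix' $upn }

    # Simplified character check: surrounding whitespace or control characters.
    foreach ($attr in $attributesToCheck) {
        foreach ($val in @($u.$attr)) {
            if ($null -ne $val -and ($val -ne $val.Trim() -or $val -match '[\x00-\x1F]')) {
                Add-Finding $u "InvalidCharacters:$attr" $val
            }
        }
    }
}

# Duplicate UPNs (case-insensitive comparison).
$users | Where-Object userPrincipalName |
    Group-Object { $_.userPrincipalName.ToLowerInvariant() } |
    Where-Object Count -gt 1 | ForEach-Object {
        foreach ($dup in $_.Group) { Add-Finding $dup 'DuplicateUPN' $_.Name }
    }

# Duplicate proxyAddresses: the same address (primary or secondary) on more than one object.
$addressOwners = @{}
foreach ($u in $users) {
    foreach ($pa in @($u.proxyAddresses)) {
        $key = $pa.ToLowerInvariant()
        if (-not $addressOwners.ContainsKey($key)) { $addressOwners[$key] = @() }
        $addressOwners[$key] += $u
    }
}
foreach ($entry in $addressOwners.GetEnumerator()) {
    if ($entry.Value.Count -gt 1) {
        foreach ($owner in $entry.Value) { Add-Finding $owner 'DuplicateProxyAddress' $entry.Key }
    }
}

$findings | Sort-Object Issue, DistinguishedName | Format-Table -AutoSize
$findings | Export-Csv -Path .\AD-SyncReadiness.csv -NoTypeInformation
```

Run it from a domain-joined administration workstation before installing Microsoft Entra Connect and keep the CSV as the baseline; re-run after remediation and expect an empty report.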

Active Directory Health Check Tools

For directory synchronization to work properly, you must ensure that the on-premises Active Directory is well-prepared and error-free. You can use the following tools to identify and fix issues:

IdFix Tool

The Microsoft 365 IdFix tool helps identify and correct most object synchronization errors in Active Directory, including common issues such as duplicate or malformed proxyAddresses or userPrincipalName attributes.

You can select the organizational units (OUs) you want IdFix to check and correct common errors directly in the tool. Frequent errors include invalid characters introduced during automated imports into attributes like proxyAddresses and mailNickname.

For distinguished names (DNs) containing format errors or duplicates, IdFix cannot always suggest an automatic fix. These errors can be corrected manually in IdFix or outside the tool.

ADModify.NET Tool

For format errors, you can modify object attributes one by one using ADSIEdit or Advanced Mode in Active Directory Users and Computers. However, to modify attributes for multiple objects, ADModify.NET is more suitable. Its batch mode is useful for changing attributes such as UPNs across multiple OUs or domains.
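A batch UPN suffix change of the kind described above can also be scripted. The following PowerShell script is an added example for this page; it is neither ADModify.NET nor code from the original article. It assumes the old suffix is `contoso.local`, the new routable suffix `contoso.com` has already been verified in the tenant and added as an alternative UPN suffix in Active Directory Domains and Trusts, and that the OU paths are placeholders. It performs a dry run (`-WhatIf`) unless `-Commit` is passed, and it refuses to create a duplicate UPN.

```powershell
# Added example (not part of the original article and not ADModify.NET):
# rewrite the UPN suffix for every user under the given OUs.
# Dry run by default; pass -Commit to apply the change.
param(
    [string[]] $SearchBase = @('OU=Staff,DC=contoso,DC=local',      # placeholder OUs
                               'OU=Contractors,DC=contoso,DC=local'),
    [string]   $OldSuffix  = 'contoso.local',                       # assumed non-routable suffix
    [string]   $NewSuffix  = 'contoso.com',                         # assumed verified routable suffix
    [switch]   $Commit
)
Import-Module ActiveDirectory

$log = [System.Collections.Generic.List[object]]::new()
function Write-Entry($User, $Action, $Reason) {
    $log.Add([pscustomobject]@{ User = $User.SamAccountName; Action = $Action; Reason = $Reason })
}

foreach ($ou in $SearchBase) {
    $users = Get-ADUser -SearchBase $ou -SearchScope Subtree `
                        -Filter "userPrincipalName -like '*@$OldSuffix'" `
                        -Properties userPrincipalName

    foreach ($u in $users) {
        $prefix = $u.userPrincipalName.Split('@')[0]
        $newUpn = "$prefix@$NewSuffix"

        # The prefix must satisfy the SSO character rule before it is carried over.
        # This check also guarantees the prefix is safe to embed in the LDAP filter below.
        if ($prefix -notmatch '^[A-Za-z0-9._-]+$') {
            Write-Entry $u 'Skipped' "invalid characters in prefix '$prefix'"
            continue
        }

        # Never introduce a duplicate UPN: skip if another object already holds it.
        $clash = Get-ADUser -Filter "userPrincipalName -eq '$newUpn'" -ErrorAction SilentlyContinue
        if ($clash) {
            Write-Entry $u 'Skipped' "$newUpn already used by $($clash.SamAccountName)"
            continue
        }

        if ($Commit) {
            Set-ADUser -Identity $u -UserPrincipalName $newUpn
            Write-Entry $u 'Changed' "$($u.userPrincipalName) -> $newUpn"
        } else {
            Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
            Write-Entry $u 'WouldChange' "$($u.userPrincipalName) -> $newUpn"
        }
    }
}

$log | Format-Table -AutoSize
$log | Export-Csv -Path .\UPN-SuffixChange.csv -NoTypeInformation
```

Review the dry-run CSV, in particular every `Skipped` row, before running with `-Commit`; skipped users need their prefix or the conflicting object fixed first, otherwise they will fail the UPN checks again when Microsoft Entra Connect synchronizes them.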

📘 Further Reading

For more information, see the following document:
Prerequisites for Microsoft Entra Connect

📍 Next Unit: Install and Configure Directory Synchronization with Microsoft Entra Connect
