Skip to main content

When you are planning to synchronize your local Active Directory with Azure AD, then it’s important to first run the IdFix tool from Microsoft. This tool will help you to find and resolve problems in your Active Directory.

The IdFix Tool will identify any potential issues that will prevent the synchronization of your local Active Directory with Azure AD, like:

  • Duplicate objects
  • Invalid symbols in object names
  • Invalid SMTP addresses (proxyAddresses)
  • Attribute values that are to long or contain invalid values

In this article, we are going to take a look at how to install and use the IdFix tool.

Install IdFix Tool

The first step is to install the IdFix tool. You can install the tool on any domain joined computer or server. But to use the tool your will need ofcourse to have read and write access to the Active Directory.

You can download IdFix here from Microsoft’s GitHub Repostory. You will find the download link under ClickOnce. You can also use this direct link to the download the file.

Click Install to start the installation and click Ok to accept the Privacy Statement

Fix IdFix Setup Error

When you try to install the IdFix tool on Windows server 2016 or 2022, you might get an error when you start the installation:

We get this error because SSL caching is disabled on the server. With a small PowerShell script we can temporary enable it for the installation:

1.  Set-ItemProperty -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name "DisableCachingOfSSLPages" -Value 0

After you have completed the installation you can change the settings back with:

1.  Set-ItemProperty -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name "DisableCachingOfSSLPages" -Value 1

Using the IdFix Tool

When you open the IdFix tool you will see a blank screen without any information on it. To check if your Active Directory objects contain any errors we will need to query the AD.

Click on Query into blue toolbar to start the IdFix tool:

Start IdFix Tool

You might get a warning that some attributes are not marked for replication, just click Yes to continue.

Depending on the size of your Active Directory it can take a couple of minutes until IdFix is completed. You can see the status in the lower-left corner of the tool. Once the query is completed any errors are listed in the tool

In this case, IdFix has found three errors:

  • An error in the local part of the userprincipalname
  • An error in the domain part of the userprincipalname
  • A blank display name

Resolved any errors

The tool will suggest a fix for the issue in the Update column. The suggestion is on best effort, so make sure you check the suggested value in the update field.

For each error you can choose an action:

  • Edit – The value in the update field will be used to update the object. You can change the contents of the update field if you want.
  • Complete – This one is mostly used with duplicate items. Mark the record that you want as Complete and set the action on the other record to Remove
  • Remove – The value of the field will be removed (not the complete object!)

If all the suggested values in the update field look good you can click on Accept. This will set the action on all rows to Edit automatically. Otherwise, select the appropriate action for each row.

When done click on Apply to update the object in your Active Directory. If no errors occurred then the action of each row will change to Complete:

It’s always a good idea to run the query once more to make sure that all errors are now really resolved. You should see a clear grid with the status “Cleared Grid” in the lower-left corner.

Undo Changes made with IdFix

All changes that you make with the IdFix tool are logged in a transaction log. This way you can always undo the changes that are made with the tool. Good to know is that you can only go back one step. So make your changes in small steps and make sure that they don’t have any unwanted impact.

To undo changes:

  1. Click on Undo in the menubar
  2. Select the .ldf file and click Open
  3. The records that were changed in the last update are listed. Click on Accept and Apply to revert the change

Change Search Scope of IdFix

If you have a lot of objects in your Active Directory or when you are only going to sync a part of your AD users to Azure AD. Then you probably want to query a portion of your Active Directory. This is possible with IdFix.

  1. Click on the grey gear icon in the top-right corner
  2. Enable Search Base
  3. Enter the distinguishedName of the OU
IdFix Search Base

Click Ok and press query to start the search.

Run IdFix with alternative credentials

You can install and run IdFix on your own computer, you don’t need to install it on the Domain Controller for example. But by default, the tool will run under the account that you are logged in with. To read and change Active Directory objects you will need to have the appropriate permissions.

It’s possible to change the user account that IdFix users for the connection with AD:

  1. Click on the grey gear icon in the top-right corner to open the settings
  2. Under Credentials, select Other
  3. Enter the global administrator credentials (or another appropriate account)
  4. Click Ok to save the settings

You can now query the AD for any errors.

Wrapping Up

IdFix is a great tool to easily find any Active Directory object errors before you start the synchronization to Azure AD. If you are only going to sync a part of your Active Directory then make sure that you apply the Search Base filter.

If you have fixed all the errors you can start with installing and configuring Azure AD connect. If you have any questions, just drop a comment below.