One of the first steps in preparing for an Office 365 migration is running a tool we provide called IDFix. The goal of this tool is to help minimize identity issues when migrating to the cloud. Most identity issues come down to two issues:
- Invalid characters in key attributes
- User objects with duplicate values in indexed attributes (duplicate objects)
The first issue is pretty easy to deal with–IDFix will identify objects with offending characters and the attributes where they exist, and will even make some recommendations. The second issue, however, is most tricky. Let’s say you have a report that you have two or three objects that have overlapping properties:
- Mail-enabled Contact (MEC) with an SMTP address of email@example.com
- Mail-enabled User (MEU) with a UPN of firstname.lastname@example.org
- Mailbox-enabled User
The mail-enabled user is a security principal and frequently may be used to grant access to an external vendor while allowing them to appear in the Global Address List (GAL). Or, you may have had a situation where your organization had been in a long-term partnership with another organization and had MEUs or MEC’s representing the partner organization in your directory, and now your organizations are merging. In either case, you need to consolidate objects. In many customers that I’ve encountered, external vendors have been configured with on-premises mailboxes with an address like email@example.com and a contact in the GAL with firstname.lastname@example.org, sometimes with duplicate SMTP or UPN values scattered between the two.
The biggest challenge you face is not one of difficulty, but one of repetition and boredom. You may be tempted to just delete the offending contact, but what will happen if you do? More than likely, your users will report that they’re suddenly getting Non-Delivery Reports (NDR’s) for things that used to previously work. Outlook has cached the X500 address of the GAL objects, and now you’re stuck.
You’ll probably have to merge SMTP proxy addresses for these objects.
I developed a script to help my customers deal with these problems. By taking the distinguishedNames of the identified error objects, we can import the proxy addresses of one type of object into another, configure forwarding (if appropriate) and get the directory in tip-top shape. The script has some rules on what to do if it finds a mailbox and either a MEU or MEC (such as whether or not to configure the MEU/MEC’s external address as a forwarding SMTP address for the mailbox) and whether or not you want to force/skip AD replication. AD Replication is important in this instance, since we’re adding proxy addresses back into an object and Exchange will return an error if it thinks the proxy address is already in use.
I originally developed this tool using the Quest ActiveRoles cmdlets and haven’t gotten around to re-writing it with native AD/Exchange cmdlets, so in order to use it, you’ll need to download those. Fortunately, they’re free (as in beer).
From the help file:
.DESCRIPTION During Active Directory cleanup activities (such as migration to Office 365), it may be discovered that there are multiple objects containing certain duplicate attriutes (such as mail or proxy addresses). This script's pupose is to merge mail and proxy addresses and group membership of contact objects with the corresponding user object. If the user object is not currently mail-enabled or mailbox-enabled, it will be mail-enabled and set with the external address in the contact object. This will help alleviate errors discovered by a tool such as IDFix. This tool does require access to a server running Exchange, an identity that has been granted the Recipient Management role, and can execute Remote PowerShell against a domain controllers in the current site (to force AD replication) .PARAMETER Dn1 distinguishedName of the first object. .PARAMETER Dn2 distinguishedName of the second object. .PARAMETER ExchangeServer On-Premises Exchange Server. .PARAMETER SkipMailboxUserForwarding If one of the objects detected is a mailbox user, the default behavior of the script is to configure the external email address of the contact as a forwarding address for the mailbox, effectively making a user mailbox function as a mailuser. Use this switch to disable forwarding the mailbox to the external address of the contact. .PARAMETER SkipReplication Skip Active Directory replication for all servers in site. Depending on the Active Directory and Exchange topologies, other Exchange Servers or domain controllers may not be aware of the changes after disabling the contact object. Only enable this switch if you do not have access to run Invoke-Command against domain controllers or the domain controllers are not enabled for PSRemoting. This switch is not recommended.
To download and experiment with the tool, head on over the TechNet gallery.