Often when we have directory synchronization setup between the on premise AD and the Office 365 we find that at times some objects do not get replicated or synced no matter how many times we resync and we find them listed under filtered connectors. This article is about the troubleshooting such situations and especially focusing on distribution group or mail enabled groups unable to sync.
Why do my Group not sync ?
- Your group may have a sync conflict caused by a duplicate or invalid attribute. To identify this problem use KB 2643629. The technical contact for the tenant will likely have received an email with details about the offending attribute
- A member of the group having one of the above conflicts could also cause the group to not sync correctly
- The group is being filtered by the Directory Synchronization tool
Following is a screenshot from KB 2643629, about default sync scoping rules:
MailEnabledGroup Can be filtered if any of the following condition is true
- Group has over 15000 members
- Display name is empty in which case you can follow KB 2508722 to fix the issue
- The group has not SMTP or primary SMTP address defined
- Group is placed under a filtered OU, Yes you can specify OU’s whose objects will not be synced to 365, read here about filtered OU’s
If you already fixed the above four conditions and still your issue is not resolved (Highly Unlikely 🙂 ) than please keep reading.
It is quite likely that filtered connectors are causing the issue.To diagnose the issue with filtered connector follow the below steps
- Open the MIIS Client by navigating to “C:\Program Files\Windows Azure Active Directory Synchronization Service\SYNCBUS\Synchronization Service\UIShell\miisclient.exe” .
- Click the Metaverse Search tab
- Set up a search filter for the group by:
- Double clicking the cell under Attribute
- Selecting proxyAddresses as the attribute type, “contains” as the Operator, and the proxy address of the group in question as the value
- Search for the group in question
- When the object appears in the results pane, double click it to bring up its properties and navigate to the connectors tab
If the Active Directory Management Agent connector is present and the Windows Azure Active Directory MA connector is missing it is likely you have a filtered disconnector
Fixing a Filtered Disconnector
Once the group is filtered and missing its WAAD connector it will not reach Office365 until this connection is made. We build the connections between on premise and cloud using a process called SMTP soft matching, which only occurs during a full sync. This process can take a long time and cause problems with mailbox delegation. Fortunately we can make these connections happen manually. The instructions below can help you perform manual joins for the group with filtered disconnectors.
- Ensure the Distribution Group in question has a displayName in Active Directory (refer to KB)
- Return to the Directory Synchronization server, open the MIIS Client, and click the joiners tab
- Choose the WAAD Management Agent from the dropdown
- Set up the data columns to allow you to easily parse through objects
- Click column settings in the top right of the Disconnectors Pane
- Remove accountExpires and adminCount
- Add alias, displayName, and proxyAddresses
- Repeat these steps for the Metaverse Search Results pane
- Set up a search filter that will return all groups with a displayName:
- Click Configure Search Filters in the middle of the two panes
- Click Add in the next dialogue box
- Add a name for your filter (i.e. All Groups with displayName)
- Select group under Metaverse Object Type, displayName under Metaverse Attribute, and is present under Operator. Leave the other fields as their defaults and click Add
- Click OK twice to return to the main Joiners window
- Select your newly created filter from the Metaverse Search Filter dropdown
- Click Apply Filter. You will now see all groups with a displayName in the bottom pane
- Click Search in the top right of the Disconnectors pane to display all disconnectors in the TargetWebService MA
- Match the group in question from the bottom pane to its disconnector in the top pane by using the alias, displayName, or proxyAddress attribute
- Before proceeding to a manual join you MUST ensure the sourceAnchor value is identical for both objects
- If the disconnector and group have the same sourceAnchor ensure the proper object is selected in each pane and click Join
- A confirmation prompt will appear, if you have selected the correct objects to join click Yes
- Click search in the Disconnectors pane to re-run the search in the WAAD. The Disconnector corresponding to the group you just manually joined should no longer be present in the search results.
- Repeat this process for any groups that have been orphaned by a filtered disconnector.
After the complition of the above steps either wait for the next schedule sync to finish which happens every 3 hrs or force a sync with Start-OnlineCoexistenceSync cmdlet. The changes should replicate now, you can do the metaverse search step again to validate the new object has the proper connectors.
Latest posts by Shishir Chandrawat (see all)
- Exchange 2010 Std: Mailbox server has reached the maximum database limit of 5 Error RcrExceedDbLimitException - December 12, 2016
- Exchange 2010: Unable to add Mailbox Database copies on DAG member servers, Error: An error occurred while processing a request on server - December 12, 2016
- Unable to Mount Microsoft Exchange DAG Database, Error: Failed to determine the mount status of the active database copy - December 12, 2016