AD Connect migration error on Out sync rules


Why I write this article

Hi. In my last migration of AD Connect between servers I used the new preview feature that allows exporting the existing configuration, including:

  • Synchronization filters
  • Synchronization rules
  • Account settings
  • Sign-in settings
  • etc.

In some custom AD Connect implementations we have both Out and In synchronization rules. The import process on the new AD Connect server does not work for custom Out synchronization rules, but everything else does, so we still want to use it to cover 90 % of the settings. In this post I describe a workaround for this issue.

How to prepare AD Connect for migration

The whole process is described in the Microsoft docs under this link: Migrate settings from an existing server

Error when importing AD Connect settings with custom Out rules

Step 1: In the AD Connect installation process, choose Customize and select Import synchronization settings.

Step 2: Follow the steps in the installation wizard until it finishes with an error.

Step 3: The log shows which rule is causing the issue. Log files are located in the folder C:\ProgramData\AADConnect, or you can navigate to them from the AD Connect interface. The file name starts with: trace-

  • In the error we can verify that the issue is with this attribute: extension_87ce92dfb96b4ac689f8f53836bffaa6_extensionAttribute1
  • The error and attribute belong to this sync rule: AAD - User DirectoryExtension - Cloned - 10/14/2019 11:09:04 AM (0b0cfd4f-e8b8-47b2-8a15-b0557cef3949)
  • Rule ID connected to the error: 0b0cfd4f-e8b8-47b2-8a15-b0557cef3949

**Note**: The rule ID will be required to implement the workaround.

```
[19:54:05.912] [ 26] [ERROR] Out to AAD - User DirectoryExtension - Cloned - 10/14/2019 11:09:04 AM (0b0cfd4f-e8b8-47b2-8a15-b0557cef3949): AttributeFlowMapping's specified target attribute 'extension_87ce92dfb96b4ac689f8f53836bffaa6_extensionAttribute1' is not a defined attribute type. Microsoft.IdentityManagement.PowerShell.Cmdlet.AddADSyncRuleCmdlet

Exception Data (Raw): Microsoft.Online.Deployment.PowerShell.PowerShellInvocationException: Out to AAD - User DirectoryExtension - Cloned - 10/14/2019 11:09:04 AM (0b0cfd4f-e8b8-47b2-8a15-b0557cef3949): AttributeFlowMapping's specified target attribute 'extension_87ce92dfb96b4ac689f8f53836bffaa6_extensionAttribute1' is not a defined attribute type. Microsoft.IdentityManagement.PowerShell.Cmdlet.AddADSyncRuleCmdlet
```


Step 4: Verify that the attribute exists in Azure Active Directory. For this we will use PowerShell.

```powershell
# Connect to Azure Active Directory
Connect-AzureAD
```

```
Account                                Environment TenantId                             TenantDomain          AccountType
-------                                ----------- --------                             ------------          -----------
admin.xxxxxxxxx@zzzzz.onmicrosoft.com AzureCloud  aaaaaa-bbbb-ffff-ccccc-gggggggggggggg zzzzz.onmicrosoft.com User
```

Step 5: Check on an existing user that the attribute exists in Azure Active Directory.

```powershell
# Select the UserPrincipalName of one of the users synchronized from the local Active Directory
$AADUser = Get-AzureADUser -ObjectId UserPrincipalName
# Verify the attribute
$AADUser | Select -ExpandProperty ExtensionProperty
```

```
Key                                                             Value
---                                                             -----
odata.metadata                                                  https://graph.windows.net/aaaaaaaaaa-b25b-456f-b283-cf...
odata.type                                                      Microsoft.DirectoryServices.User
createdDateTime                                                 19.10.2020 08:49:15
employeeId
onPremisesDistinguishedName                                     CN=aaaaaa,OU=bbbbbb,OU=bbb,OU=yyyy,OU=zzzz...
userIdentities                                                  []
extension_87ce92dfb96b4ac689f8f53836bffaa6_extensionAttribute1  ttttttttttttttttttttttttttttttttttttt
```

Workaround for the import error

Step 1: Uninstall AD Connect. You don't have to remove all components, just the Sync Engine.
Step 2: On the local drive of the new AD Connect server, navigate to the folder with the exported configuration.
Step 3: In the exported configuration folder, navigate to the sub-folder: SynchronizationRules
Step 4: In the folder SynchronizationRules, find the rule with the ID from the error.

Step 5: Move the file with the rule ID from the error to a different folder.
Step 6: Re-run the Import synchronization settings process.
Step 7: On the last step, unselect "Start the synchronization process"; we still need to add the Out rules.

**Note**: We need to manually add the rules that were skipped because of the error. To add them, use the **Synchronization Rules Editor** on the AD Connect server.
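The same steps as a script, added here as an example and not part of the original post or of Microsoft's tooling: it parses the trace log for the AddADSyncRuleCmdlet error line shown above, optionally checks the reported attribute on a synchronized user (Step 4/5), and moves the matching exported rule files out of the SynchronizationRules folder before the import is re-run. The export and hold folder paths are placeholders, and it assumes the exported rule files contain the rule ID as text (the original post locates the file by that ID).

```powershell
# Added example (not from the original post). Run on the new AD Connect server
# after a failed "Import synchronization settings" attempt, before re-running it.
param(
    [string]$TraceFolder  = 'C:\ProgramData\AADConnect',
    [string]$ExportFolder = 'C:\AADConnectExport\SynchronizationRules',  # placeholder
    [string]$HoldFolder   = 'C:\AADConnectExport\SkippedOutRules',       # placeholder
    [string]$VerifyUpn    = ''   # optional: UPN of a synced user to check the attribute on
)

# Matches the error line quoted in the post; group 1 = rule ID, group 2 = attribute.
# The quote characters are matched loosely because the log may use ' or curly quotes.
$pattern = "\(([0-9a-fA-F\-]{36})\):\s+AttributeFlowMapping.s specified target attribute .([^\s'‘’]+). is not a defined attribute type"

$failed = Get-ChildItem -Path $TraceFolder -Filter 'trace-*' -File |
    Select-String -Pattern $pattern |
    ForEach-Object {
        [pscustomobject]@{
            RuleId    = $_.Matches[0].Groups[1].Value
            Attribute = $_.Matches[0].Groups[2].Value
        }
    } | Sort-Object RuleId -Unique

if (-not $failed) { Write-Host "No failing Out rules found in $TraceFolder"; return }

if ($VerifyUpn) {
    # Same check as Step 5 of the post: is the attribute present on a synced user?
    $user = Get-AzureADUser -ObjectId $VerifyUpn
    foreach ($f in $failed) {
        $present = $user.ExtensionProperty.ContainsKey($f.Attribute)
        Write-Host "Attribute $($f.Attribute) present on $VerifyUpn : $present"
    }
}

if (-not (Test-Path $HoldFolder)) { New-Item -ItemType Directory -Path $HoldFolder | Out-Null }

foreach ($f in $failed) {
    Write-Host "Rule $($f.RuleId) fails on attribute $($f.Attribute)"
    # Locate the exported rule file by content, since the file name may not carry the ID
    $files = Get-ChildItem -Path $ExportFolder -File |
        Where-Object { Select-String -Path $_.FullName -Pattern $f.RuleId -SimpleMatch -Quiet }
    foreach ($file in $files) {
        Move-Item -Path $file.FullName -Destination $HoldFolder
        Write-Host "  moved $($file.Name) to $HoldFolder; re-add this rule in the Synchronization Rules Editor after import"
    }
}
```

Re-run the import afterwards; the moved files stay in the hold folder as the list of Out rules to recreate manually.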

Summary

We now have 90 % of the settings migrated to the new AD Connect server.
