DirSync generates 10,000 email alerts

While DirSync is a nice canned version of FIM, I have found it can run in a wild loop. By Default the DirSync tool runs every 3 hours. If there are any errors, it generates an email to the technical contact’s email within the tenant configuration.

I was able to make it generate about 2 or 3 email conflict reports per second. That equates to 10,000+ emails in an hour.What caused this? Having an active directory forest with multiple domains. To understand let’s say there are two bob jones. One with a default UPN of bjones@chicago.domain.com and bjones@madison.domain.com, and let’s say for clarity these are also represented by the names chicago\bjones and madison\bjones, as in domain\samaccountname. Technically there is no conflict. The UPNs are unique across the forest and the samaccountnames are unique within each respective domain.

Using a powershell command I can set the UPN suffix to @domain.com for both accounts. It should be noted that the ADUC utility will prevent conflicts from occurring, thus allow changing the first one to @domain.com, but then prevent the second one from being changed to @domain.com

After there became two bjones@domain.com UPNs, DirSync found itself in a loop. When it generates a sync report to the technical contact on the office 365 tenant, it did so at a rate of 2 to 3 per second. This would not stop until I made one account different, such as bjones2@domain.com

I changed it to make every account the same as their email. What I didn’t expect what that bob jones in chicago, his logon account might have been chicago\bjones, but his configured email was bob.jones@domain.com. The administrator ran into a conflict while creating the email account in the Exchange management console (EMC) and unchecked “Use Policy” and gave bob in chicago a non standard email address.

Lessons learned: Set the UPN prefix to the prefix the the default email address, and then set the suffix to @domain.com.

Besides, I have run into places where you may logon as bj9874 and your email is bob.jones@domain.com. I would think you really want everyone logging in using their email address on office 365 portal, rather then their userid.

It’s worth noting that the prefix of the upn is, by default, is the same as the samaccount name when you setup the account in ADUC or EMC.

 

Advertisements

About Mike

owner of blog
This entry was posted in Azure, Office 365, PowerShell and tagged , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s