If you administer DirSync for your organization, you likely have seen emails like this, indicating some of your users didn’t sync.
It can be a frustrating email, since the “error description” is for some reason blank and the “On-premises object ID” column is not something that’s easy to correlate to a user account within your Active Directory. There are also application event log entries (FIMSynchronizationService #6111 and Directory Synchronization #0), but again these aren’t exactly rich with detail.
Many of you know that DirSync is actually a customized installation of FIM 2010 R2’s Synchronization Service. Within the miisclient.exe console, you can look at your most recent “Export” job and examine the errors one at a time.
(By the way, this is actually the place to go if you wanted to configure filtering for directory synchronization.)
Using this console certainly works, but it’s not an efficient way to resolve errors. Microsoft seems to acknowledge this, but falls short of a fix with that email, in my opinion. Instead of wearing out your mouse, I propose you use the PowerShell script I have written below. Within, I leverage the free FimSyncPowerShellModule which you’ll need to download and copy to:
…\System32\WindowsPowerShell\v1.0\Modules\FimSyncPowerShellModule\FimSyncPowerShellModule.psm1
Once you’ve copied the module, you’re ready to run the report, which can be downloaded here.
Here is a sample output, followed by the code itself.
<#
Description: This script generates a list of users who are failing to export to Azure AD.
This script makes use of the FimSyncPowerShellModule https://fimpowershellmodule.codeplex.com/
(Download and copy to C:\Windows\System32\WindowsPowerShell\v1.0\Modules\FimSyncPowerShellModule\FimSyncPowerShellModule.psm1)
October 18 2013
Mike Crowley
http://mikecrowley.us
#>

#Import the FimSyncPowerShellModule Module
Import-Module FimSyncPowerShellModule

#Get the last export run
$LastExportRun = (Get-MIIS_RunHistory -MaName 'Windows Azure Active Directory Connector' -RunProfile 'Export')[0]

#Get error objects from last export run (user errors only)
$UserErrorObjects = $LastExportRun | Get-RunHistoryDetailErrors | Where-Object {$_.dn -ne $null}

$ErrorFile = @()

#Build the custom Output Object
$UserErrorObjects | ForEach-Object {
    #Pull the connector-space object so we can read the pending (unapplied) export hologram
    $TmpCSObject = Get-MIIS_CSObject -ManagementAgent 'Windows Azure Active Directory Connector' -DN $_.DN
    [xml]$UserXML = $TmpCSObject.UnappliedExportHologram
    $MyObject = New-Object PSObject -Property @{
        EmailAddress = (Select-Xml -Xml $UserXML -XPath "/entry/attr" | Select-Object -ExpandProperty node | Where-Object {$_.name -eq 'mail'}).value
        UPN = (Select-Xml -Xml $UserXML -XPath "/entry/attr" | Select-Object -ExpandProperty node | Where-Object {$_.name -eq 'userPrincipalName'}).value
        ErrorType = $_.ErrorType
        DN = $_.DN
    }
    $ErrorFile += $MyObject
}

#Write the report to a timestamped CSV in the user's TEMP folder
$FileName = "$env:TMP\ErrorList-{0:yyyyMMdd-HHmm}" -f (Get-Date) + ".CSV"
$ErrorFile | Select-Object UPN, EmailAddress, ErrorType, DN | Export-Csv $FileName -NoTypeInformation

#Output to the screen
$ErrorFile | Select-Object UPN, EmailAddress, ErrorType, DN
Write-Host
Write-Host $ErrorFile.count "users with errors. See here for a list:" -ForegroundColor Yellow
Write-Host $FileName -ForegroundColor Yellow
Write-Host
If you like this post, you may like my others on DirSync: https://mikecrowley.wordpress.com/tag/dirsync/
NOTE: I have found this report does not work until at least two export jobs exist. I may update the script, but in the meantime, just run another sync.
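As an added example (not the post's own script), the following variant of the report's setup looks the connector name up at run time and checks the run history before indexing into it, which is what produces the "cannot index into a null array" failure on a fresh install or a renamed connector. It assumes the MIIS_ManagementAgent WMI class exposes the connector's Name, and that the connector's name matches the pattern in $MaNamePattern.

```powershell
# Added example, not from the original post: resolve the Azure AD connector's
# management-agent name dynamically and guard the run-history lookup.
Import-Module FimSyncPowerShellModule

# Assumption: the connector's display name contains this text. The name differs
# between DirSync builds, so adjust the pattern if nothing matches.
$MaNamePattern = '*Azure Active Directory*'

# MIIS_ManagementAgent in the sync engine's WMI namespace lists every connector.
$AllMas = @(Get-WmiObject -Namespace 'root\MicrosoftIdentityIntegrationServer' `
                          -Class MIIS_ManagementAgent)
$Candidates = @($AllMas | Where-Object { $_.Name -like $MaNamePattern })

if ($Candidates.Count -ne 1) {
    $Names = ($AllMas | ForEach-Object { $_.Name }) -join "', '"
    throw "Expected one connector matching '$MaNamePattern', found $($Candidates.Count). Connectors present: '$Names'. Copy the right name from the Connectors tab in miisclient.exe into `$MaNamePattern."
}
$MaName = $Candidates[0].Name

# @() guarantees an array even when zero or one run is returned, so .Count and
# [0] behave the same on every PowerShell version.
$ExportRuns = @(Get-MIIS_RunHistory -MaName $MaName -RunProfile 'Export')
if ($ExportRuns.Count -eq 0) {
    throw "No Export run recorded for '$MaName' yet. Run a sync, then try again."
}
$LastExportRun = $ExportRuns[0]

# From here the report proceeds as in the original script, keyed on $MaName
# instead of a hard-coded connector name.
$UserErrorObjects = @($LastExportRun | Get-RunHistoryDetailErrors |
                      Where-Object { $null -ne $_.DN })

foreach ($Err in $UserErrorObjects) {
    $CsObject = Get-MIIS_CSObject -ManagementAgent $MaName -DN $Err.DN
    [xml]$UserXml = $CsObject.UnappliedExportHologram
    $Attrs = Select-Xml -Xml $UserXml -XPath '/entry/attr' |
             Select-Object -ExpandProperty Node
    New-Object PSObject -Property @{
        UPN       = ($Attrs | Where-Object { $_.name -eq 'userPrincipalName' }).value
        ErrorType = $Err.ErrorType
        DN        = $Err.DN
    }
}
```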
I expanded your script a little. It helped me a lot. I was having to do this stuff via type, cut, and paste for a while. Now it is much more automated thanks to knowing how to get some of the info out of FIM due to your post.
#Accumulates the remediation commands built below ($ErrorFile comes from the report script above)
$OtherErrorFile = ""

ForEach ($thing in $ErrorFile)
{
    #This is a known error we can fix with resetting the UPN and resync.
    if ($thing.ErrorType -eq "DataValidationFailed")
    {
        Write-Host "The DataValidationFailed."
        if ($thing.UPN -like "*@sub1.domain.com")
        {
            #coax out the data we need.
            #Just a temp variable.
            $a = ""
            #sAMAccountName
            $SAN = ""
            $EMailAddy = ""
            $Domain = "sub1.domain.com"
            $a = $thing.UPN
            $SAN = $a -replace "@sub1.domain.com", ""
            $EMailAddy = $thing.EmailAddress
            Write-Host $SAN
            Write-Host $Domain
            #I wrote these out to a file because I am paranoid about not seeing the output
            #and just running it the first couple times.
            Write-Host "Set-MsolUserPrincipalName -UserPrincipalName $EMailAddy -NewUserPrincipalName $SAN@contoso.onmicrosoft.com"
            $OtherErrorFile += "Set-MsolUserPrincipalName -UserPrincipalName $EMailAddy -NewUserPrincipalName $SAN@contoso.onmicrosoft.com`n"
        }
        elseif ($thing.UPN -like "*@sub2.domain.com")
        {
            #coax out the data we need.
            #Just a temp variable.
            $b = ""
            #sAMAccountName
            $SAN = ""
            $EMailAddy = ""
            $Domain = "sub2.domain.com"
            $b = $thing.UPN
            $SAN = $b -replace "@sub2.domain.com", ""
            $EMailAddy = $thing.EmailAddress
            Write-Host $SAN
            Write-Host $Domain
            #I wrote these out to a file because I am paranoid about not seeing the output
            #and just running it the first couple times.
            Write-Host "Set-MsolUserPrincipalName -UserPrincipalName $EMailAddy -NewUserPrincipalName $SAN@contoso.onmicrosoft.com"
            $OtherErrorFile += "Set-MsolUserPrincipalName -UserPrincipalName $EMailAddy -NewUserPrincipalName $SAN@contoso.onmicrosoft.com`n"
        }
        else
        {
            #IF the UPN contains something besides my two sub domains...
            Write-Host "You have serious issues here!"
        }
    }
    else
    {
        #These errors may become "known" to me at some point. For right now I look
        #at them on a case-by-case basis. Maybe later I can expand this section.
        Write-Host "Something besides DataValidationFailed."
    }
}
Cannot index into a null array when I try to execute the script
When running this with the latest Azure AD Connect, I get the “cannot index into a null array” error. To resolve, I had to open MIISClient and view the Connectors tab, properties of the Windows Azure Active Directory connector, and copy/paste the Name into two places in your script (line 18 and line 28) to replace the value for MaName and ManagementAgent parameters.
Hi Mike,
Sorry to bring up an old post. Within the script, is it possible to include the output of the “connected data source error”? This is the detailed information about the sync issue, for example, “Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses smtp:first.last@domain.com;]. Correct or remove the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values”.
I’m not sure of the exact syntax to use, but expect it to be somewhere within the $MyObject.
Thanks in advance.
Mark.
Hi Mike/All,
Could anyone kindly assist me with including the detailed error information within the script? Is this possible?
Thanks,
Mark.