Troubleshooting Errors during synchronization

Errors could occur when identity data is synchronized from Windows Server Active Directory (AD DS) to Azure Active Directory (Azure AD). This article provides an overview of the different types of sync errors, some of the possible scenarios that cause those errors, and potential ways to fix them. It covers the common error types and may not cover all possible errors.

This article assumes the reader is familiar with the underlying design concepts of Azure AD and Azure AD Connect.

Starting September 1, 2016, the Azure Active Directory Duplicate Attribute Resiliency feature will be enabled by default for all new Azure Active Directory tenants. The feature will be automatically enabled for existing tenants in the upcoming months.

Azure AD Connect performs three types of operations on the directories it keeps in sync: Import, Synchronization, and Export. Errors can take place in all of these operations. This article mainly focuses on errors during Export to Azure AD.

Errors during Export to Azure AD

The following section describes the different types of synchronization errors that can occur during the export operation to Azure AD using the Azure AD connector. This connector can be identified by its name, which has the format "contoso.partner.onmschina.cn". Errors during Export to Azure AD indicate that the operation (add, update, delete, etc.) attempted by Azure AD Connect (Sync Engine) on Azure Active Directory failed.

Overview of export errors

Data Mismatch Errors

InvalidSoftMatch

Description

  • When Azure AD Connect (sync engine) instructs Azure Active Directory to add or update objects, Azure AD matches the incoming object's sourceAnchor attribute against the immutableId attribute of objects in Azure AD. This match is called a Hard Match.
  • When Azure AD does not find any object whose immutableId attribute matches the sourceAnchor attribute of the incoming object, it falls back to the ProxyAddresses and UserPrincipalName attributes to find a match before provisioning a new object. This match is called a Soft Match. The Soft Match is designed to match objects already present in Azure AD (that are sourced in Azure AD) with the new objects being added/updated during synchronization that represent the same entity (users, groups) on premises.
  • An InvalidSoftMatch error occurs when the hard match does not find any matching object AND the soft match finds a matching object, but that object has a different value of immutableId than the incoming object's SourceAnchor, which suggests that the matching object was synchronized with another object from on-premises Active Directory.

In other words, for a soft match to work, the object to be soft-matched with should not have any value for immutableId. If an object that has immutableId set fails the hard match but satisfies the soft-match criteria, the operation results in an InvalidSoftMatch synchronization error.

The Azure Active Directory schema does not allow two or more objects to have the same value for the following attributes. (This is not an exhaustive list.)

  • ProxyAddresses
  • UserPrincipalName
  • onPremisesSecurityIdentifier
  • ObjectId

Note

The Azure AD Duplicate Attribute Resiliency feature is also being rolled out as the default behavior of Azure Active Directory. It reduces the number of synchronization errors seen by Azure AD Connect (as well as other sync clients) by making Azure AD more resilient in the way it handles duplicated ProxyAddresses and UserPrincipalName attributes present in on-premises AD environments. This feature does not fix the duplication errors, so the data still needs to be fixed. It does, however, allow provisioning of new objects that would otherwise be blocked due to duplicated values in Azure AD, and it reduces the number of synchronization errors returned to the synchronization client. If this feature is enabled for your tenant, you will not see the InvalidSoftMatch synchronization errors seen during provisioning of new objects.

Example Scenarios for InvalidSoftMatch

  1. Two or more objects with the same value for the ProxyAddresses attribute exist in on-premises Active Directory. Only one is getting provisioned in Azure AD.
  2. Two or more objects with the same value for the userPrincipalName attribute exist in on-premises Active Directory. Only one is getting provisioned in Azure AD.
  3. An object was added in on-premises Active Directory with the same value of the ProxyAddresses attribute as that of an existing object in Azure Active Directory. The object added on premises is not getting provisioned in Azure Active Directory.
  4. An object was added in on-premises Active Directory with the same value of the userPrincipalName attribute as that of an account in Azure Active Directory. The object is not getting provisioned in Azure Active Directory.
  5. A synced account was moved from Forest A to Forest B. Azure AD Connect (sync engine) was using the ObjectGUID attribute to compute the SourceAnchor. After the forest move, the value of the SourceAnchor is different. The new object (from Forest B) fails to sync with the existing object in Azure AD.
  6. A synced object got accidentally deleted from on-premises Active Directory and a new object was created in Active Directory for the same entity (such as a user) without deleting the account in Azure Active Directory. The new account fails to sync with the existing Azure AD object.
  7. Azure AD Connect was uninstalled and reinstalled. During the reinstallation, a different attribute was chosen as the SourceAnchor. All the objects that had previously synced stopped syncing with an InvalidSoftMatch error.

Example case:

  1. Bob Smith is a synced user in Azure Active Directory from the on-premises Active Directory of contoso.com.
  2. Bob Smith's UserPrincipalName is set as bobs@contoso.com.
  3. "abcdefghijklmnopqrstuv==" is the SourceAnchor calculated by Azure AD Connect using Bob Smith's objectGUID from on-premises Active Directory, which is the immutableId for Bob Smith in Azure Active Directory.
  4. Bob also has the following values for the proxyAddresses attribute:
    • smtp: bobs@contoso.com
    • smtp: bob.smith@contoso.com
    • smtp: bob@contoso.com
  5. A new user, Bob Taylor, is added to the on-premises Active Directory.
  6. Bob Taylor's UserPrincipalName is set as bobt@contoso.com.
  7. "abcdefghijkl0123456789==" is the sourceAnchor calculated by Azure AD Connect using Bob Taylor's objectGUID from on-premises Active Directory. Bob Taylor's object has NOT synced to Azure Active Directory yet.
  8. Bob Taylor has the following values for the proxyAddresses attribute:
    • smtp: bobt@contoso.com
    • smtp: bob.taylor@contoso.com
    • smtp: bob@contoso.com
  9. During sync, Azure AD Connect recognizes the addition of Bob Taylor in on-premises Active Directory and asks Azure AD to make the same change.
  10. Azure AD first performs a hard match. That is, it searches for any object with immutableId equal to "abcdefghijkl0123456789==". The hard match fails, as no other object in Azure AD has that immutableId.
  11. Azure AD then attempts to soft-match Bob Taylor. That is, it searches for any object with proxyAddresses equal to the three values above, including smtp: bob@contoso.com.
  12. Azure AD finds that Bob Smith's object matches the soft-match criteria. But this object has immutableId = "abcdefghijklmnopqrstuv==", which indicates that it was synced from another object in on-premises Active Directory. Thus, Azure AD cannot soft-match these objects, and the result is an InvalidSoftMatch sync error.

How to fix InvalidSoftMatch error

The most common reason for the InvalidSoftMatch error is that two objects with different SourceAnchor (immutableId) values have the same value for the ProxyAddresses and/or UserPrincipalName attributes, which are used during the soft-match process in Azure AD. To fix the Invalid Soft Match:

  1. Identify the duplicated proxyAddresses, userPrincipalName, or other attribute value that's causing the error. Also identify which two (or more) objects are involved in the conflict.
  2. Identify which object should continue to have the duplicated value and which object should not.
  3. Remove the duplicated value from the object that should NOT have that value. You should make the change in the directory where the object is sourced from. In some cases, you may need to delete one of the objects in conflict.
  4. If you made the change in the on-premises AD, let Azure AD Connect sync the change.

Note

ImmutableId, by definition, should not change in the lifetime of the object. If Azure AD Connect was not configured with some of the scenarios from the list above in mind, you can end up in a situation where Azure AD Connect calculates a different SourceAnchor value for the AD object that represents the same entity (same user/group/contact, etc.) as an existing Azure AD object that you wish to continue using.

ObjectTypeMismatch

Description

When Azure AD attempts to soft match two objects, it is possible that two objects of different "object type" (such as User, Group, Contact, etc.) have the same values for the attributes used to perform the soft match. As duplication of these attributes is not permitted in Azure AD, the operation can result in an "ObjectTypeMismatch" synchronization error.

Example Scenarios for ObjectTypeMismatch error

  • A mail-enabled security group is created in Office 365. An admin adds a new user or contact in on-premises AD (that's not synchronized to Azure AD yet) with the same value for the ProxyAddresses attribute as that of the Office 365 group.

Example case

  1. An admin creates a new mail-enabled security group in Office 365 for the Tax department and provides the email address tax@contoso.com. This group is assigned the ProxyAddresses attribute value smtp: tax@contoso.com.
  2. A new user joins Contoso.com and an account is created for the user on premises with the proxyAddress smtp: tax@contoso.com.
  3. When Azure AD Connect syncs the new user account, it gets the "ObjectTypeMismatch" error.

How to fix ObjectTypeMismatch error

The most common reason for the ObjectTypeMismatch error is that two objects of different type (User, Group, Contact, etc.) have the same value for the ProxyAddresses attribute. To fix the ObjectTypeMismatch:

  1. Identify the duplicated proxyAddresses (or other attribute) value that's causing the error. Also identify which two (or more) objects are involved in the conflict.
  2. Identify which object should continue to have the duplicated value and which object should not.
  3. Remove the duplicated value from the object that should NOT have that value. Note that you should make the change in the directory where the object is sourced from. In some cases, you may need to delete one of the objects in conflict.
  4. If you made the change in the on-premises AD, let Azure AD Connect sync the change.

Duplicate Attributes

AttributeValueMustBeUnique

Description

The Azure Active Directory schema does not allow two or more objects to have the same value for the following attributes. That is, each object in Azure AD is forced to have a unique value for these attributes at any given instant.

  • ProxyAddresses
  • UserPrincipalName

If Azure AD Connect attempts to add a new object or update an existing object with a value for the above attributes that is already assigned to another object in Azure Active Directory, the operation results in the "AttributeValueMustBeUnique" sync error.

Possible Scenarios:

  1. A duplicate value is assigned to an already synced object, which conflicts with another synced object.

Example case:

  1. Bob Smith is a synced user in Azure Active Directory from the on-premises Active Directory of contoso.com.
  2. Bob Smith's UserPrincipalName on premises is set as bobs@contoso.com.
  3. Bob also has the following values for the proxyAddresses attribute:
    • smtp: bobs@contoso.com
    • smtp: bob.smith@contoso.com
    • smtp: bob@contoso.com
  4. A new user, Bob Taylor, is added to the on-premises Active Directory.
  5. Bob Taylor's UserPrincipalName is set as bobt@contoso.com.
  6. Bob Taylor has the following values for the ProxyAddresses attribute:
    • smtp: bobt@contoso.com
    • smtp: bob.taylor@contoso.com
  7. Bob Taylor's object is synchronized with Azure AD successfully.
  8. The admin decides to update Bob Taylor's ProxyAddresses attribute with the following value:
    • smtp: bob@contoso.com
  9. Azure AD attempts to update Bob Taylor's object in Azure AD with the above value, but the operation fails because that ProxyAddresses value is already assigned to Bob Smith, resulting in an "AttributeValueMustBeUnique" error.

How to fix AttributeValueMustBeUnique error

The most common reason for the AttributeValueMustBeUnique error is that two objects with different SourceAnchor (immutableId) values have the same value for the ProxyAddresses and/or UserPrincipalName attributes. To fix the AttributeValueMustBeUnique error:

  1. Identify the duplicated proxyAddresses, userPrincipalName, or other attribute value that's causing the error. Also identify which two (or more) objects are involved in the conflict.
  2. Identify which object should continue to have the duplicated value and which object should not.
  3. Remove the duplicated value from the object that should NOT have that value. Note that you should make the change in the directory where the object is sourced from. In some cases, you may need to delete one of the objects in conflict.
  4. If you made the change in the on-premises AD, let Azure AD Connect sync the change for the error to get fixed.

Related: Duplicate or invalid attributes prevent directory synchronization in Office 365

Data Validation Failures

IdentityDataValidationFailed

Description

Azure Active Directory enforces various restrictions on the data itself before allowing that data to be written into the directory. These restrictions ensure that end users get the best possible experience while using the applications that depend on this data.

Scenarios

  a. The UserPrincipalName attribute value has invalid/unsupported characters.
  b. The UserPrincipalName attribute does not follow the required format.

How to fix IdentityDataValidationFailed error

  a. Ensure that the userPrincipalName attribute has supported characters and the required format.

FederatedDomainChangeError

Description

This case results in a "FederatedDomainChangeError" sync error when the suffix of a user's UserPrincipalName is changed from one federated domain to another federated domain.

Scenarios

For a synchronized user, the UserPrincipalName suffix was changed from one federated domain to another federated domain on premises. For example, UserPrincipalName = bob@contoso.com was changed to UserPrincipalName = bob@fabrikam.com.

Example

  1. Bob Smith, an account for Contoso.com, gets added as a new user in Active Directory with the UserPrincipalName bob@contoso.com.
  2. Bob moves to a different division of Contoso.com called Fabrikam.com and their UserPrincipalName is changed to bob@fabrikam.com.
  3. Both contoso.com and fabrikam.com are federated domains with Azure Active Directory.
  4. Bob's userPrincipalName does not get updated and results in a "FederatedDomainChangeError" sync error.

How to fix

If a user's UserPrincipalName suffix was updated from bob@contoso.com to bob@fabrikam.com, where both contoso.com and fabrikam.com are federated domains, follow these steps to fix the sync error:

  1. Update the user's UserPrincipalName in Azure AD from bob@contoso.com to bob@contoso.partner.onmschina.cn. You can use the following PowerShell command with the Azure AD PowerShell Module: Set-MsolUserPrincipalName -UserPrincipalName bob@contoso.com -NewUserPrincipalName bob@contoso.partner.onmschina.cn
  2. Allow the next sync cycle to attempt synchronization. This time synchronization will be successful and it will update Bob's UserPrincipalName to bob@fabrikam.com as expected.

LargeObject

Description

When an attribute exceeds the allowed size limit, length limit, or count limit set by the Azure Active Directory schema, the synchronization operation results in the LargeObject or ExceededAllowedLength sync error. Typically this error occurs for the following attributes:

  • userCertificate
  • userSMIMECertificate
  • thumbnailPhoto
  • proxyAddresses

Possible Scenarios

  1. Bob's userCertificate attribute is storing too many certificates assigned to Bob. These may include older, expired certificates. The hard limit is 15 certificates. For more information on how to handle LargeObject errors with the userCertificate attribute, see the article Handling LargeObject errors caused by userCertificate attribute.
  2. Bob's userSMIMECertificate attribute is storing too many certificates assigned to Bob. These may include older, expired certificates. The hard limit is 15 certificates.
  3. Bob's thumbnailPhoto set in Active Directory is too large to be synced to Azure AD.
  4. During automatic population of the ProxyAddresses attribute in Active Directory, an object has too many ProxyAddresses assigned.

How to fix

  1. Ensure that the attribute causing the error is within the allowed limit.

Existing Admin Role Conflict

Description

An Existing Admin Role Conflict occurs on a user object during synchronization when that user object has:

  • administrative permissions and
  • the same UserPrincipalName as an existing Azure AD object

Azure AD Connect is not allowed to soft match a user object from on-premises AD with a user object in Azure AD that has an administrative role assigned to it. For more information, see Azure AD UserPrincipalName population.

Existing admin

How to fix

To resolve this issue, do one of the following:

  • Change the UserPrincipalName to a value that does not match that of an Admin user in Azure AD, which creates a new user in Azure AD with the matching UserPrincipalName.
  • Remove the administrative role from the Admin user in Azure AD, which enables the soft match between the on-premises user object and the existing Azure AD user object.

Note

You can assign the administrative role to the existing user object again after the soft match between the on-premises user object and the Azure AD user object has completed.
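The hard-match / soft-match decision behind the InvalidSoftMatch, ObjectTypeMismatch, AttributeValueMustBeUnique and Existing Admin Role Conflict sections above, as an added Python model that is not Azure AD Connect's or Azure AD's own code: it replays the page's example cases on constructed objects and includes the duplicate-value search that step 1 of each fix procedure calls for. Field names follow the page; objectType, isAdmin and displayName are assumed fields, and the outcome strings are the page's error names.

```python
# Added example (not Azure AD Connect's or Azure AD's code): a model of the
# hard-match / soft-match decision this page describes, run over constructed
# objects. objectType, isAdmin and displayName are assumed fields.

def _addrs(obj):
    """proxyAddresses, compared case-insensitively."""
    return {a.lower() for a in obj.get("proxyAddresses", [])}

def _upn(obj):
    return obj.get("userPrincipalName", "").lower()

def _collides(a, b):
    """True when a and b share a UserPrincipalName or a proxy address."""
    return (_upn(a) != "" and _upn(a) == _upn(b)) or bool(_addrs(a) & _addrs(b))

def export_object(tenant, incoming):
    """Export one on-premises object to the tenant (a list of dicts). Returns
    (outcome, object); outcome is a page error name or Provisioned/SoftMatched/Updated."""
    anchor = incoming["sourceAnchor"]
    # 1. Hard match: sourceAnchor against immutableId.
    for obj in tenant:
        if obj.get("immutableId") == anchor:
            # A hard-matched update must keep UPN / proxyAddresses unique tenant-wide.
            for other in tenant:
                if other is not obj and _collides(other, incoming):
                    return "AttributeValueMustBeUnique", other
            obj.update(incoming)
            return "Updated", obj
    # 2. Soft match: fall back to proxyAddresses / UserPrincipalName.
    for obj in tenant:
        if not _collides(obj, incoming):
            continue
        if obj.get("objectType") != incoming.get("objectType"):
            return "ObjectTypeMismatch", obj
        if obj.get("immutableId") is not None:   # already synced from another AD object
            return "InvalidSoftMatch", obj
        if obj.get("isAdmin"):                   # admins may not be soft-matched
            return "ExistingAdminRoleConflict", obj
        obj.update(incoming, immutableId=anchor) # cloud-sourced object is taken over
        return "SoftMatched", obj
    # 3. No match at all: provision a new object.
    new = dict(incoming, immutableId=anchor)
    tenant.append(new)
    return "Provisioned", new

def find_duplicates(objects):
    """Step 1 of each fix procedure: values shared by two or more objects, with their owners."""
    owners = {}
    for obj in objects:
        keys = {("proxyAddresses", a) for a in _addrs(obj)}
        if _upn(obj):
            keys.add(("userPrincipalName", _upn(obj)))
        for key in sorted(keys):
            owners.setdefault(key, []).append(obj["displayName"])
    return {k: v for k, v in owners.items() if len(v) > 1}

def replay_page_cases():
    """Reproduce the page's example cases on constructed data; returns outcomes."""
    smith = {"displayName": "Bob Smith", "objectType": "User",
             "immutableId": "abcdefghijklmnopqrstuv==", "userPrincipalName": "bobs@contoso.com",
             "proxyAddresses": ["smtp:bobs@contoso.com", "smtp:bob.smith@contoso.com",
                                "smtp:bob@contoso.com"]}
    taylor = {"displayName": "Bob Taylor", "objectType": "User",
              "sourceAnchor": "abcdefghijkl0123456789==", "userPrincipalName": "bobt@contoso.com",
              "proxyAddresses": ["smtp:bobt@contoso.com", "smtp:bob.taylor@contoso.com"]}
    # Taylor with smtp:bob@contoso.com added, the address Smith already owns.
    taylor_dup = dict(taylor, proxyAddresses=taylor["proxyAddresses"] + ["smtp:bob@contoso.com"])
    out = {"InvalidSoftMatch": export_object([dict(smith)], taylor_dup)[0]}
    tenant = [dict(smith)]                       # Taylor syncs cleanly, then gets the duplicate
    out["first_sync"] = export_object(tenant, taylor)[0]
    out["AttributeValueMustBeUnique"] = export_object(tenant, taylor_dup)[0]
    group = {"displayName": "Tax", "objectType": "Group", "proxyAddresses": ["smtp:tax@contoso.com"]}
    hire = {"displayName": "New Hire", "objectType": "User", "sourceAnchor": "anchor-0001",
            "userPrincipalName": "newhire@contoso.com", "proxyAddresses": ["smtp:tax@contoso.com"]}
    out["ObjectTypeMismatch"] = export_object([group], hire)[0]
    admin = {"displayName": "Cloud Admin", "objectType": "User", "isAdmin": True,
             "userPrincipalName": "newhire@contoso.com"}
    out["ExistingAdminRoleConflict"] = export_object([admin], hire)[0]
    out["duplicates"] = find_duplicates([smith, taylor_dup])
    return out
```

Running replay_page_cases() yields the four error names the page describes for these cases, and find_duplicates points at smtp:bob@contoso.com shared by Bob Smith and Bob Taylor, which is the value the fix procedures tell you to remove from one of them.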