question

Hi @BBRIT-1174 ,
Have you tried using the IdFix Directory Synchronization Error Remediation Tool from Microsoft?

https://www.microsoft.com/en-us/download/details.aspx?id=36832

Please mark as "Accept the answer" if the above steps helps you. Others with similar issues can also follow the solution as per your suggestion

Regards,

Manu

Hi! I have tried it, but when I click query, no results show up. I tried adding in my .com domain, but it fails because the domain can't be found (probably because only .local exists and .com is an added UPN).

I see 2 different errors when running the troubleshooter. (email addresses have been changed to a generic email for privacy)

This example comes from a user whose account is trying to sync via proxy address:
Unable to update this object because the ProxyAddresses value SMTP:user1@contoso.com associated with this object may already be associated with another object in your local directory services. To resolve this conflict, first determine which object should be using the conflicting value. Then, update or remove the conflicting value from the other object(s).

This example comes from a user whose account is trying to sync via UPN:
We detected that an object with UserPrincipalName “user2@contoso.onmicrosoft.com” cannot be synchronized because another object already has the same value of “user2@contoso.com” as its UserPrincipalName. To resolve the conflict you need to determine which of these two objects should be using this UserPrincipalName. The next step is to update the other object to change or remove the conflicting value.

In either case, I get the errors above when running the troubleshooter in AD Connect Health page and try to run the fix. It asks me "are both of these accounts for the same user" and I select "yes", then it suggests the fix, which fails.

My AD DS is not being used for anything yet, so I can remove/recreate those users as needed. I created each user in a synced OU, added their email address in the email field (which is same as UPN), made to to select .com for UPN instead of .local, and for a couple users (to test it out), I also added their email to the attribute "proxy address" and told AD Connect to include that attribute.

I feel like I am so close, but am missing something.

I think I have found the issue... AD Connect is trying to use ObjectGUID instead of mS-DS-ConsistencyGuid. It says I cannot change the source anchor because attribute mS-DS-ConsistencyGuid is already being using in my active directory. So, I am uninstalling and re-installing AD Connect to set the source anchor as mS-DS-ConsistencyGuid.