Extend Active Directory Schema: Exchange 2016 Attributes Not Synchronizing

In this post, I want to address a specific issue that arises after extending the Active Directory schema with the Exchange 2016 (or Exchange 2013) schema update: the newly added attributes do not synchronize to Office 365 until Azure AD Connect has been told about them.

One of the more common reasons for extending the schema is an existing Active Directory domain that is synchronized to Office 365 with Azure AD Connect, where users and groups are managed on-prem.  If you then try to, for example, hide a user or distribution group from the address list in Office 365, you get an error saying the object is being synchronized from your on-premises organization, so the change has to be made on-prem instead.

So you update the schema, select the msExchHideFromAddressLists attribute in Azure AD Connect, and run a sync, and the new attribute still does not arrive in Office 365.  There are a few additional steps you must take to make this work.

The How

  1. Update the AD Schema (run from the Exchange 2016 setup media, as a member of Schema Admins and Enterprise Admins, on a domain-joined server in the same AD site as the schema master):
    setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
  2. Refresh the schema in Azure AD Connect:
    1. Open Synchronization Service Manager, go to the Connectors tab, right-click your on-prem Active Directory connector and click “Refresh Schema”.  Until this is done the new msExch* attributes do not appear in the attribute list at all.

  3. Select the new attribute you wish to sync from AD to O365:
    1. Double-click your on-prem Active Directory connector to open its properties.
    2. Click “Select Attributes”.
    3. Check the new attributes you wish to sync, such as “msExchHideFromAddressLists”.  Then click OK.

  4. Add the new attribute in the “Synchronization Rules Editor”.
    1. Open the “Synchronization Rules Editor”.
    2. For users, edit “In from AD – User Common”.  Click “No” to continue editing the current rule if you get a pop-up message.
    3. For groups, edit “In from AD – Group Common”.  Click “No” to continue editing the current rule if you get a pop-up message.
       Caveat: answering “No” edits the default rule in place, and the default rules are replaced whenever Azure AD Connect is upgraded, so the transformation has to be re-added after each upgrade.  The supported alternative is a custom inbound rule (precedence below 100) that carries only the new attribute flows and survives upgrades.
    4. Click “Transformations”, then click “Add transformation”.
    5. For each new attribute you want to sync, select “Direct” as the FlowType, then select the matching “Target Attribute” and “Source” (for example, Target Attribute msExchHideFromAddressLists and Source msExchHideFromAddressLists).
    6. Then click Save.

  5. Perform a manual AD & O365 sync.  In PowerShell on the Azure AD Connect server, type:
    Start-ADSyncSyncCycle -PolicyType Initial
    An Initial cycle is a full import and full sync, which is needed once after a schema refresh and rule change; after that the regular Delta cycles carry the attribute.
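Before re-running the sync cycle, it is worth checking each link in the chain above from PowerShell, because a missed step (schema not extended, schema not refreshed, attribute not ticked, no transformation) produces a sync that simply arrives without the attribute and no error. The following script is an added example and not code from the original post. It assumes it is run in an elevated PowerShell on the Azure AD Connect server with the ADSync module and the ActiveDirectory RSAT module installed, and that the rule names are the default ones the post edits; the attribute list defaults to the post's msExchHideFromAddressLists and can be extended to other msExch* attributes.

```powershell
# Added example, not part of the original post. Verifies steps 1-4 of the
# procedure above and only starts the Initial sync cycle when nothing is missing.
# Assumptions: elevated PowerShell on the Azure AD Connect server, ADSync and
# ActiveDirectory modules available, default rule names from the post.
Import-Module ActiveDirectory -ErrorAction Stop
Import-Module ADSync -ErrorAction Stop

function Test-ExchangeAttributeFlow {
    param(
        [string[]]$Attribute = @('msExchHideFromAddressLists'),
        [hashtable]$RuleByObjectType = @{
            user  = 'In from AD - User Common'
            group = 'In from AD - Group Common'
        }
    )

    $problems = New-Object System.Collections.Generic.List[string]

    # Step 1: did /PrepareSchema land? Look each attribute up in the schema partition.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    foreach ($a in $Attribute) {
        $def = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$a)"
        if (-not $def) {
            $problems.Add("$a is not defined in the AD schema: run setup.exe /PrepareSchema")
        }
    }

    # Steps 2 and 3: the AD connector must know the attribute (Refresh Schema)
    # and have it ticked under Select Attributes (AttributeInclusionList).
    $adConnector = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' }
    foreach ($a in $Attribute) {
        if ($adConnector.AttributeInclusionList -notcontains $a) {
            $problems.Add("$a is not selected on connector '$($adConnector.Name)': Refresh Schema, then Select Attributes")
        }
    }

    # Step 4: the inbound rule for each object type must carry a flow whose
    # destination is the attribute (a Direct transformation in the editor).
    foreach ($objType in $RuleByObjectType.Keys) {
        $ruleName = $RuleByObjectType[$objType]
        $rule = Get-ADSyncRule | Where-Object { $_.Name -eq $ruleName -and $_.Direction -eq 'Inbound' }
        if (-not $rule) {
            $problems.Add("inbound rule '$ruleName' not found")
            continue
        }
        foreach ($a in $Attribute) {
            $flow = $rule.AttributeFlowMappings | Where-Object { $_.Destination -eq $a }
            if (-not $flow) {
                $problems.Add("rule '$ruleName' has no transformation for $a (Add transformation -> Direct)")
            }
        }
    }
    return $problems
}

$issues = Test-ExchangeAttributeFlow
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    # Initial = full import + full sync, needed once after a schema refresh.
    # Later changes to the attribute values ride the normal Delta cycles.
    Start-ADSyncSyncCycle -PolicyType Initial
    # Cloud-side check after the cycle completes, in Exchange Online PowerShell:
    #   Get-Recipient <name> | Select-Object HiddenFromAddressListsEnabled
}
```

The function returns a list of human-readable problems rather than writing them as it goes, so it can be dropped into a scheduled health check that alerts when an Azure AD Connect upgrade has silently reset the default rules.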

Special Notes:

authOrig Attribute

authOrig is a multi-valued attribute that holds the distinguished names of the senders allowed to mail a group or user (Exchange uses it for “Accept messages only from”).  If you synchronize the “authOrig” attribute, set its initial value with PowerShell after you perform the above steps.

For example, to allow one user to send to a group, type the following in PowerShell:

Set-ADGroup -Identity "TestGroup1" -Add @{authOrig='CN=John Smith,OU=Users,OU=Accounting,OU=BUILDING1,DC=domain,DC=local'}

After that, the value is visible on the Attribute Editor tab of the group’s (or user’s) properties in ADUC.
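Typing a distinguished name by hand, as in the one-liner above, is error-prone, and authOrig silently accepts any string in DN syntax. The following added example (not from the original post) resolves each allowed sender by sAMAccountName first, so a mistyped name fails at Get-ADUser rather than producing a value Exchange ignores, then reads the attribute back the way the Attribute Editor shows it. It assumes the ActiveDirectory RSAT module; the group and account names are placeholders.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# module; 'TestGroup1', 'jsmith' and 'mjones' are placeholder names.
Import-Module ActiveDirectory -ErrorAction Stop

function Set-AuthorizedSenders {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string[]]$SenderSamAccountName,
        [switch]$Replace   # overwrite the existing list instead of appending
    )

    # authOrig stores DNs, so resolve each account first; -ErrorAction Stop
    # makes an unknown account abort before anything is written.
    $dns = foreach ($sam in $SenderSamAccountName) {
        (Get-ADUser -Identity $sam -ErrorAction Stop).DistinguishedName
    }

    if ($Replace) {
        Set-ADGroup -Identity $Group -Replace @{ authOrig = $dns }
    } else {
        Set-ADGroup -Identity $Group -Add @{ authOrig = $dns }   # -Add appends to the multi-value
    }

    # Read it back; authOrig is not a default property, so -Properties is required.
    (Get-ADGroup -Identity $Group -Properties authOrig).authOrig
}

Set-AuthorizedSenders -Group 'TestGroup1' -SenderSamAccountName 'jsmith', 'mjones'
```

The returned list of DNs is what the “In from AD – Group Common” rule will pick up on the next sync once authOrig has a Direct transformation, as described above.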

8 Comments

  1. Hi Tim,
    Do you know if there is a way you can use an msDS-cloudExtensionAttribute in the on-prem AD to apply a specific address book policy to a user via a sync rule.

    eg I have a sync rule transformation for msDS-cloudExtensionAttribute1 to msExchHideFromAddressLists that works perfectly to hide users from the GAL.
    But I have no idea if there is an equivalent msExch…. attribute for ABP and if there is how to apply a specific ABP to a user.

    Thanks

  2. Hi Tim Great Article
    I am running Server 2012 R2 as AD01 for the domain, no On-Prem Exchange
    I have Azure AD Connect on another Server (2012 R2) LB01 (which is my Print Server as well) on the same domain.
    I installed Exchange PrepareSchema on my AD server which added the Exchange stuff to Attribute Editor. If I go into Azure Connect as per your article the extra Exchange stuff is not there. Do I need to install Exchange PrepareSchema on my second server LB01 which has AD Connect installed. Will this work?

    • No, you do not need to do that on LB01. Did you refresh the schema in AADC?

      • No, done now and all listed under Attributes. Thanks. One last question under Select Attributes all the msExch stuff is already ticked. Can I leave it or should I untick everything and just tick the stuff I want.

    • Hi Kelvyn,

      Can you please guide me on how you installed Exchange PrepareSchema, as I am a bit hesitant to install it from the wizard.

  3. Hi Tim,

    With your post I just fixed the issue which bugged me for a few days.
    You are really a genius!
    I just wonder why there is no useful information getting to the point on the Internet, it must be a common issue for a lot of people when they sync their local AD to office 365.

    Anyway your post really helped people, thanks.

  4. Hi Tim. This is an awesome post. I’m facing a very weird situation.
    – My On-Prem environment is Windows Server 2012 R2.
    – Functional and Domain levels are WS2012 R2 (both of them).
    – I don’t have (nor ever had) an On-Prem Exchange environment.
    – I’ve been syncing environments since a long time ago.
    – At least for the last year, I was able to set “msExchRequireAuthToSendTo” attribute to TRUE whenever I wanted to allow a DL to receive external e-mails. Now such attribute is missing from my On-Prem AD hence I’m not able to enable such feature for new DLs anymore.

    Will you please help me?

    Thank you!
