Extend Active Directory Schema Exchange 2016 Attributes not Synchronizing

In this post, I want to address a specific issue that arises after updating the Active Directory Schema with the Exchange 2016 (or Exchange 2013) schema update or extensions.

One of the more common reasons for doing this is having an existing Active Directory domain with AD to O365 synchronization in place, where users and groups are managed on-prem.  If you then want to, for example, hide a user or distribution group from the address list, you get an error saying the object is being synchronized from your on-premises organization.

So you go ahead and update the Schema, select the msExchHideFromAddressLists attribute and perform a sync, but the new attribute still doesn’t sync.  There are some additional steps you must take to make this work.

The How

  1. Update the AD Schema:
    setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
  2. Refresh the schema in Azure AD Connect:
    1. Right-click on your on-prem domain as pictured, click “Refresh Schema”.

  3. Select the new attribute you wish to sync from AD to O365:
    1. Double-click on your on-prem domain to open the properties.
    2. Click “Select Attributes”.
    3. Check-mark the new attributes you wish to sync, such as “msExchHideFromAddressLists”.  Then click OK.

  4. Add new attribute in the “Synchronization Rules Editor”.
    1. Open the “Synchronization Rules Editor”.
    2. For users, edit “In from AD – User Common”.  Click “No” to continue editing current rule if you get a pop-up message.
    3. For groups, edit “In from AD – Group Common”.  Click “No” to continue editing current rule if you get a pop-up message.
    4. Click “Transformations”, then click “Add transformation”.
    5. For each new attribute you want to sync, as pictured below, select “Direct”, then select the appropriate “Target Attribute” and “Source”.
    6. Then click Save.

  5. Perform a manual AD to O365 sync.  In PowerShell, type:
    Start-ADSyncSyncCycle -PolicyType Initial

Special Notes:

authOrig Attribute

If you synchronize the “authOrig” property, you must use PowerShell for the initial setting, after you perform the above steps.

For example, you must type the following in PowerShell:

Set-ADGroup -Identity "TestGroup1" -Add @{authOrig='CN=John Smith,OU=Users,OU=Accounting,OU=BUILDING1,DC=domain,DC=local'}

After that, you may view it in the user or group properties, Attribute Editor tab in ADUC.
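As an added example (not from the original post), the following PowerShell ties the steps above and the authOrig note together: it confirms the Exchange attributes actually exist in the schema before anything else, checks that the DN you are about to write into authOrig resolves to a real object, adds it only once, and then pushes the change with a delta sync.  It assumes the ActiveDirectory and ADSync modules are available on the Azure AD Connect server; the group name and DN are placeholders taken from the post.

```powershell
# Added example, not code from the original post. Assumes RSAT ActiveDirectory
# and the ADSync module are installed on the Azure AD Connect server.
Import-Module ActiveDirectory

$groupName = 'TestGroup1'   # placeholder group from the post
$senderDn  = 'CN=John Smith,OU=Users,OU=Accounting,OU=BUILDING1,DC=domain,DC=local'  # placeholder
$attrs     = @('msExchHideFromAddressLists', 'authOrig')

# 1. Confirm the Exchange schema extension is present; if /PrepareSchema
#    never ran, "Refresh Schema" in AAD Connect will not show these attributes.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
foreach ($a in $attrs) {
    $def = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$a)"
    if (-not $def) { throw "Schema attribute '$a' not found; run setup.exe /PrepareSchema first." }
}

# 2. authOrig stores a DN; AD does not validate it, so a typo would be written
#    silently and restrict senders to nobody. Resolve it before writing.
try {
    $null = Get-ADObject -Identity $senderDn
} catch {
    throw "authOrig target '$senderDn' does not resolve to an object."
}

# 3. Add the DN only if it is not already present, to avoid a duplicate-value error.
$group = Get-ADGroup -Identity $groupName -Properties authOrig
if ($group.authOrig -contains $senderDn) {
    Write-Host "authOrig on $groupName already contains $senderDn"
} else {
    Set-ADGroup -Identity $groupName -Add @{ authOrig = $senderDn }
}

# 4. Read the value back (same view as the Attribute Editor tab in ADUC).
(Get-ADGroup -Identity $groupName -Properties authOrig).authOrig

# 5. Push the change to O365. A delta cycle is enough once the Initial cycle
#    from step 5 of the post has completed after the rule change.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
```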
