After you set up Exchange federation for a hybrid deployment scenario, when you try to use the Windows Azure Active Directory Sync Tool to sync Windows Azure Active Directory (Windows Azure AD) with your on-premises Active Directory, the following issues may occur:
- Changes that are made to objects through the Office 365 portal aren't synced to the on-premises Active Directory installation.
- Exchange Server features that are expected to work together for the cloud and on-premises don't work as expected.
- You can't view or share online calendars with on-premises users or Exchange Online users.
- You don't receive the most current free/busy information between on-premises and cloud users.
- An error 8344 occurs in Microsoft Identity Integration Server (MIIS) that says, "Insufficient access rights to perform the operation."
These symptoms may occur if shared Exchange features aren't enabled and if the incorrect permissions are applied to Active Directory attributes.
To resolve this issue, follow these steps.
Step 1: Run the Windows Azure Active Directory Sync Tool Configuration Wizard
Mke sure that the latest Windows Azure Active Directory Sync Tool is installed and that you run the Windows Azure Active Directory Sync Tool Configuration Wizard. When you run the wizard, one screen prompts you to enable rich coexistence. Complete the wizard, and then start directory synchronization.
Alternatively, you can run the Enable-MSOnlineRichCoexistence
cmdlet after the Directory Sync Tool is installed to enable the write-back feature. This cmdlet must be run by using enterprise credentials or should be run by the enterprise admin.
Step 2: Confirm MSOL_AD_Sync_RichCoexistence permissions
If step 1 doesn't resolve the issue, check that the MSOL_AD_Sync user belongs to the MSOL_AD_Sync_RichCoexistence group and that the group has Allow permissions to the user who is experiencing the issue, where write-back is not working for the following attributes:
To do this, follow these steps:
- In Active Directory, make sure that the MSOL_AD_Sync_RichCoexistence group exists and that the MSOL_AD_Sync user is a member of the group.
- In the on-premises environment, use Active Directory Users and Computers to open the user properties for the user who is experiencing the issue.
- On the Security tab, click Advanced.
Note You must enable advanced features to complete step 3.
- Make sure that the MSOL_AD_Sync_RichCoexistence group is listed. If it's not listed, add the group, and then make sure that the group is granted Allow permissions to write to the attributes that are listed previously.
Step 2 may be required if the object does not inherit permissions from the parent. This issue may be resolved by making sure that the object inherits permissions from the parent object.
To run the Enable-MSOnlineRichCoexistence
cmdlet, follow these steps:
- At a command prompt, navigate to where the Directory Sync Tool is installed. By default, it's installed in the following location:
C:\Program Files\Windows Azure Active Directory Sync\DirSyncConfigShell.psc1
- Type the following command, and then press Enter:
- Type the following cmdlet, and then press Enter:
- When you're prompted for credentials, enter your enterprise admin credentials.
When you run the Enable-MSOnlineRichCoexistence
cmdlet, the cmdlet performs the following actions:
- Checks that directory synchronization is running. If directory synchronization is running, the following warning message is displayed:
- Sets Write permissions on all attributes for the MSOL_AD_SYNC account that directory synchronization created in the on-premises environment.
- Loads the Source MA and metaverse configurations for the write-back option that was selected. To do this, the Set-MSOnlineWriteBack cmdlet runs the Import-MIISServerConfig [-file path] cmdlet, where file path represents the location of the MA and metaverse config files that are included with the directory synchronization installation.
- Sets the AD MA credentials because the cmdlet has installed a “new” Source MA by using the following cmdlet:
Set-MIISADMAconfiguration [-forest] [-login] [-password] [-MA Name]
- Sets the Target MA credentials by using the following cmdlet.
Set-MIISExtMAConfiguration [-MOAC login] [-MOAC password] [-connection URL] [-MA Name]
- Sets the FullSyncNeeded registry value to indicate a full synchronization.
- Calls Start-OnlineCoexistenceSync to start directory synchronization by using the new configurations. The first sync is a full synchronization.
Still need help? Go to the Office 365 Community
Article ID: 2406830 - Last Review: May 31, 2013 - Revision: 24.0
- Microsoft Office 365 for enterprises (pre-upgrade)
- Microsoft Office 365 for education (pre-upgrade)
- Microsoft Exchange Online
- Windows Azure Active Directory
|o365 o365a o365e o365m o365022013 after upgrade o365062011 pre-upgrade hybrid KB2406830|