You can't enable the "Device writeback" option in Azure AD Connect
- Your Azure AD organization isn't enabled for device writeback.
- One or more of the domain controllers that hold an operations master role (also known as a flexible single master operations or FSMO role) in your environment aren't replicating.
Step 1: Troubleshoot FSMO role or replication issues
- Run the repadmin /showrepl command to display a report that shows replication status. To do this, follow these steps:
- Open a command prompt as an administrator.
- Run the following command:
repadmin /showrepl * /csv > replication.csv
- Examine the Replication.csv file, and then troubleshoot and correct any errors.
- Seize the FSMO role. In some instances, the server that holds an FMSO role may not be advertising itself correctly. Seizing itself may fix the issue.
To do this, follow these steps:
- On a domain controller or a computer that has the Remote Server Administration Tools Pack installed, open a command prompt as an administrator.
- Run the following command:
netdom query FSMO
- For each computer that's listed in the output, follow the steps in the "Seize FSMO roles" section of the following Microsoft Knowledge Base article:255504 Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
Step 2: Enable the organization for device writebackFollow these steps on the server on which Azure AD Connect is installed:
- Make sure that the Remote Server Administration Tools Pack is installed. For more information, see Installing or Removing the Remote Server Administration Tools Pack.
- Open Active Directory Module for Windows PowerShell as an administrator. For more information, see Active Directory Administration with Windows PowerShell.
- Go to %ProgramFiles%\Microsoft Azure Active Directory Connect\AdPrep, and then run the following commands:
Initialize-ADSyncDeviceWriteBack –domainname <domain.com>In this command, the placeholder <domain.com> represents your Active Directory domain. For example, run Initialize-ADSyncDeviceWriteBack –domainname contoso.com.
You may have to run this command for each domain in your Active Directory environment.
- When you're prompted, enter the enterprise administrator user name.
- Open the Azure AD Connect configuration wizard. You should now be able to enable device writeback.
You may see an error message that resembles the following:
ForestFqdn : <Forest_Name>
AdConnectorId : b3eeda3e-9a35-4cee-9fbe-a6fe1b0f8382
PropertiesToRetrieve : msDS-DeviceLocation,name,displayName,distinguishedName,objectClass
NamingContextType : Configuration
BaseDnType : Relative
AdConnectorUserName : <Domain>\MSOL_d95558f154ee
BaseDn : CN=Services
LdapFilter : (objectClass=msDS-DeviceRegistrationService)
SearchScope : Subtree
Exception Details :
System.Management.Automation.CmdletInvocationException: Error HRESULT E_FAIL has been returned from a call to a COM component. ---> System.Runtime.InteropServices.COMException: Error HRESULT E_FAIL has been returned from a call to a COM component. at MmsServerRCW.IMMSServer2.SearchADSyncDirectoryObjects(String forestFqdn, Guid& adConnectorGuid, String namingContextType, String baseDnType, String baseDn, String ldapFilter, String searchScope, String propertiesToLoad, String userName, String password, String& outputSerializedResult) at Microsoft.IdentityManagement.PowerShell.Cmdlet.AdSyncDirectorySearchResult.ProcessRecord()
Task Category: Replicaiton
This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.
Still need help? Go to the Office 365 Community website or the Azure Active Directory Forums website.
Article ID: 3085068 - Last Review: 08/28/2015 16:44:00 - Revision: 2.0
- o365022013 o365 o365e o365m o365a KB3085068