You can't enable the "Device writeback" option in Azure AD Connect

PROBLEM
When you run the Azure Active Directory (Azure AD) Connect configuration wizard, you can't enable the Device writeback option on the Customize synchronization options page. 
CAUSE
This issue can occur if one of the following conditions is true:
  • Your Azure AD organization isn't enabled for device writeback.
  • One or more of the domain controllers that hold an operations master role (also known as a flexible single master operations or FSMO role) in your environment aren't replicating.
SOLUTION

Step 1: Troubleshoot FSMO role or replication issues

  1. Run the repadmin /showrepl command to display a report that shows replication status. To do this, follow these steps:
    1. Open a command prompt as an administrator.
    2. Run the following command:
      repadmin /showrepl * /csv > replication.csv
    3. Examine the replication.csv file, and then troubleshoot and correct any errors.
  2. Seize the FSMO role. In some instances, the server that holds an FSMO role may not be advertising that role correctly, and seizing the role can fix the issue. Do this only after the replication errors from step 1 are corrected, and prefer a transfer over a seizure where the current holder is still reachable.

    To do this, follow these steps:
    1. On a domain controller or a computer that has the Remote Server Administration Tools Pack installed, open a command prompt as an administrator.
    2. Run the following command:
      netdom query FSMO
    3. For each computer that's listed in the output, follow the steps in the "Seize FSMO roles" section of the following Microsoft Knowledge Base article:
      255504 Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
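The following script is an added example for this troubleshooting step; it is not part of the Knowledge Base article. It runs the same repadmin report the article describes, filters it for links with failures instead of reading the CSV by eye, lists every FSMO role holder (the same information netdom query FSMO prints), and checks each holder's Directory Service log for event 2092. It assumes an elevated Active Directory PowerShell session on a domain controller or an RSAT host, and that the CSV column names are those repadmin emits ("Number of Failures", "Last Failure Status" and so on). The final Move-ADDirectoryServerOperationMasterRole line is commented out; it is the PowerShell equivalent of the ntdsutil seize procedure in KB 255504 (the -Force switch seizes instead of transfers), and DC01 is a placeholder target.

```powershell
# Added example (not from KB 3085068): replication and FSMO health check.
# Run in an elevated Active Directory PowerShell session on a DC or RSAT host.
Import-Module ActiveDirectory

# 1. Parse the repadmin CSV report and keep only links that report failures.
#    Column names are those emitted by "repadmin /showrepl * /csv".
$rows   = repadmin /showrepl * /csv | ConvertFrom-Csv
$failed = $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 }
if ($failed) {
    Write-Warning "Replication failures found:"
    $failed |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status' |
        Format-Table -AutoSize
} else {
    Write-Host "All replication links report zero failures."
}

# 2. Identify every FSMO role holder (same information as "netdom query FSMO").
$forest  = Get-ADForest
$holders = @{
    SchemaMaster       = $forest.SchemaMaster
    DomainNamingMaster = $forest.DomainNamingMaster
}
foreach ($d in $forest.Domains) {
    $dom = Get-ADDomain -Identity $d
    $holders["$d/PDCEmulator"]          = $dom.PDCEmulator
    $holders["$d/RIDMaster"]            = $dom.RIDMaster
    $holders["$d/InfrastructureMaster"] = $dom.InfrastructureMaster
}
$holders.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

# 3. On each role holder, look for event 2092: the DC owns a role but does not
#    consider it valid because its partition has not replicated since restart.
foreach ($dc in ($holders.Values | Sort-Object -Unique)) {
    $ev = Get-WinEvent -ComputerName $dc -MaxEvents 5 -ErrorAction SilentlyContinue `
              -FilterHashtable @{ LogName = 'Directory Service'; Id = 2092 }
    if ($ev) {
        Write-Warning "$dc logged event 2092; its FSMO role is not valid until replication succeeds."
        $ev | Select-Object TimeCreated, Message | Format-List
    }
}

# 4. Only after replication is healthy: if a role is still not advertised, move it.
#    Without -Force this cmdlet transfers the role; with -Force it seizes it
#    (the PowerShell equivalent of the ntdsutil procedure in KB 255504).
#    DC01 is a placeholder for the target domain controller.
# Move-ADDirectoryServerOperationMasterRole -Identity DC01 -OperationMasterRole PDCEmulator -Force
```

Run step 4 once per role that is not being advertised, and seize (rather than transfer) only when the current holder cannot be contacted; a seized role must never be brought back online on its previous holder.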

Step 2: Enable the organization for device writeback

Follow these steps on the server on which Azure AD Connect is installed:
  1. Make sure that the Remote Server Administration Tools Pack is installed. For more information, see Installing or Removing the Remote Server Administration Tools Pack.
  2. Open Active Directory Module for Windows PowerShell as an administrator. For more information, see Active Directory Administration with Windows PowerShell.
  3. Go to %ProgramFiles%\Microsoft Azure Active Directory Connect\AdPrep, and then run the following commands:
    1. Import-module .\AdSyncPrep.psm1
    2. Initialize-ADSyncDeviceWriteBack -DomainName <domain.com>
      In this command, the placeholder <domain.com> represents your Active Directory domain. For example, run Initialize-ADSyncDeviceWriteBack -DomainName contoso.com.

      You may have to run this command for each domain in your Active Directory environment.
  4. When you're prompted, enter the credentials of an account that is a member of the Enterprise Admins group.
  5. Open the Azure AD Connect configuration wizard. You should now be able to enable device writeback. 
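The following script is an added example for Step 2; it is not part of the Knowledge Base article. It imports AdSyncPrep.psm1 from the path given above, runs Initialize-ADSyncDeviceWriteBack once for every domain in the forest (the article notes the command may have to be run per domain), and then verifies the result by issuing the same LDAP query the wizard's trace log shows failing: a subtree search under CN=Services in the Configuration naming context for (objectClass=msDS-DeviceRegistrationService). It assumes an elevated Active Directory PowerShell session on the Azure AD Connect server with Enterprise Admin credentials available. The -AdConnectorAccount parameter mentioned in the comment is accepted by later builds of AdSyncPrep.psm1 and is not part of the command the article shows.

```powershell
# Added example (not from KB 3085068): enable device writeback for every domain
# in the forest, then verify the Device Registration Service object exists.
# Run in an elevated Active Directory PowerShell session on the Azure AD Connect server.
Import-Module ActiveDirectory

$adPrep = Join-Path $env:ProgramFiles 'Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1'
Import-Module $adPrep

# Article step 3, repeated once per domain. You are prompted for Enterprise Admin
# credentials. Later builds of AdSyncPrep.psm1 also take
# -AdConnectorAccount <Domain>\MSOL_xxxxxxxx (the connector account in the trace log).
foreach ($domain in (Get-ADForest).Domains) {
    Write-Host "Initializing device writeback for $domain"
    Initialize-ADSyncDeviceWriteBack -DomainName $domain
}

# Verification: repeat the query that the wizard trace log shows failing
# (BaseDn CN=Services, Configuration NC, subtree, msDS-DeviceRegistrationService).
$configNC = (Get-ADRootDSE).configurationNamingContext
$drs = Get-ADObject -SearchBase "CN=Services,$configNC" -SearchScope Subtree `
           -LDAPFilter '(objectClass=msDS-DeviceRegistrationService)' `
           -Properties 'msDS-DeviceLocation', displayName

if (-not $drs) {
    Write-Warning "No msDS-DeviceRegistrationService object under CN=Services,$configNC; device writeback is not enabled."
} else {
    $drs | Select-Object Name, DistinguishedName, displayName, 'msDS-DeviceLocation' | Format-List
}
```

If the object is present but the wizard still fails with the E_FAIL error shown below, the search itself is being rejected by the directory, which points back to the replication problem in Step 1 rather than to the writeback configuration.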
MORE INFORMATION
On the server on which Azure AD Connect is installed, review the logs in the following location:
C:\Users\<UserAccount which AAD Connect was installed>\AppData\Local\AADConnect\trace-<DateTime>.log

You may see an error message that resembles the following:
[13:15:30.864] [ 18] [ERROR] ADPowerShellQueyProvider:SearchAdSyncDirectoryObjects Failed to run the ldap search query. Parameter values passed to PowerShell:
ForestFqdn : <Forest_Name>
AdConnectorId : b3eeda3e-9a35-4cee-9fbe-a6fe1b0f8382
PropertiesToRetrieve : msDS-DeviceLocation,name,displayName,distinguishedName,objectClass
NamingContextType : Configuration
BaseDnType : Relative
AdConnectorUserName : <Domain>\MSOL_d95558f154ee
BaseDn : CN=Services
LdapFilter : (objectClass=msDS-DeviceRegistrationService)
SearchScope : Subtree
Exception Details :
System.Management.Automation.CmdletInvocationException: Error HRESULT E_FAIL has been returned from a call to a COM component. ---> System.Runtime.InteropServices.COMException: Error HRESULT E_FAIL has been returned from a call to a COM component. at MmsServerRCW.IMMSServer2.SearchADSyncDirectoryObjects(String forestFqdn, Guid& adConnectorGuid, String namingContextType, String baseDnType, String baseDn, String ldapFilter, String searchScope, String propertiesToLoad, String userName, String password, String& outputSerializedResult) at Microsoft.IdentityManagement.PowerShell.Cmdlet.AdSyncDirectorySearchResult.ProcessRecord()
You may also see the following event 2092 warning message logged in Event Viewer on the domain controller that's experiencing the issue:
Event ID: 2092
Task Category: Replication
Level: Warning
Description:
This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.

Properties

Article ID: 3085068 - Last Review: 08/28/2015 16:44:00 - Revision: 2.0

Microsoft Azure Cloud Services, Microsoft Azure Active Directory, Microsoft Office 365, Office 365 Identity Management, Microsoft Intune, CRM Online via Office 365 E Plans
