Azure AD Connect trying to sync SystemMailbox RRS feed

  • Question

  • Good Afternoon,

    As mentioned in a previous thread, I am migrating Exchange 2007 (2 NLB CAS/HUB, 2 MBX CCR) with a hybrid Exchange 2010 server to Exchange 2013. Since I am a glutton for punishment, and inherited an environment that also needed Active Directory and DirSync upgraded, I have taken care of those already; some 2012r2 DC's mixed with 2008r2's in a Forest Functional Level of 2008r2 and made the jump to Azure AD Connect this week.

    Last night, after prepping the Schema and AD's (2 sibling Domains in same forest) Azure AD Connect started alerting every 30 minutes about not being able to sync a SystemMailbox account from the Forest Root Domain. With a creation date of yesterday, I assume this was created during the AD Prep. My question is, after reading through the AAD Connect documentation, that this should not be happening at all - it should be skipping those mailboxes by default. I assume this is happening to me because I upgraded DirSync instead of a fresh install and maybe some rules weren't created correctly?

    I haven't seen proof yet, but I did find something from Microsoft that it can happen and that I should copy the mail attribute into the mailNickname attribute. Problem being, both are blank.

    So, has anyone seen this or able to point me to some documentation on a fix where I don't have to learn the gibberish in the AAD Connect rules? Another possible option, there is supposedly another rule in AAD Connect, that ignores mailNicknames beginning with SystemMailbox, so I could simply copy the samAccountName into that field and force an initial sync?

    Thoughts?

    Tuesday, April 18, 2017 8:57 PM

Answers

  • Event log doesn't elucidate any more info than I have already said. I think I have this fixed, however. It's been 2 sync cycles and no email alerts.

    The Microsoft documentation I mentioned above is: 

    https://support.microsoft.com/en-us/help/2804688/you-can-t-sync-the-systemmailbox-or-discoverymailboxsearch-accounts-by-using-the-azure-active-directory-sync-tool 

    Although it was specifically mentioning Exchange 2010, this seems to have fixed my issue; I assume the entries to mail and/or mailNickname finally caused the filter to catch the account. Thanks for any assistance all.

    • Marked as answer by SysAdmin_D Thursday, April 20, 2017 9:43 PM
    Thursday, April 20, 2017 9:43 PM

All replies

  • Update the AADConnect schema

    https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-installation-wizard

    Refresh directory schema

    This option is used if you have changed the schema in one of your on-premises AD DS forests. For example, you might have installed Exchange or upgraded to a Windows Server 2012 schema with device objects. In this case, you need to instruct Azure AD Connect to read the schema again from AD DS and update its cache. This action also regenerates the Sync Rules. If you add the Exchange schema, as an example, the Sync Rules for Exchange are added to the configuration.

    When you select this option, all the directories in your configuration are listed. You can keep the default setting and refresh all forests or unselect some of them.


    Tuesday, April 18, 2017 9:53 PM
    Moderator
  • I think I did it correctly, but still getting the email alerts from O365 every 30 minutes. It's mentioning Username not valid, if that makes a difference.
    Tuesday, April 18, 2017 11:37 PM
  • What's the name of the System Mailbox that is not syncing? You don't need to include your domain in that, just the part before the @
    Wednesday, April 19, 2017 11:10 AM
    Moderator
  • SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}
    Wednesday, April 19, 2017 3:54 PM
  • Please check the related event logs in Event Viewer and AAD Connect for further analysis.

    Best Regards,
    David Wang
    TechNet Community Support


    Thursday, April 20, 2017 2:05 AM
    Moderator
  • This looks to be an old topic, but I have this same issue with a customer now.

    In your original post you mentioned that you'd upgraded to Azure AD Connect from DirSync.

    Since both of your SystemMailbox attributes for mail and mailNickName were blank, I assume you went with Method 2 in the support article you linked.

    Method 2 involves running a PowerShell command for DirSync that isn't available with Azure AD Connect:

    Start-OnlineCoexistenceSync

    So I'm wondering if you ran Start-ADSyncSyncCycle -PolicyType Initial or Start-ADSyncSyncCycle -PolicyType Delta?

    Tuesday, November 6, 2018 2:10 AM
  • Method 2 in the article should be "Step 2", as it is not a complete solution in itself. In AD Connect the cmdlet is now:

    Start-ADSyncSyncCycle -PolicyType Delta

    The solution is to populate MailNickName with the SystemMailbox name attribute, so that the default exclusion rule applies in AD Connect/DirSync, and then these accounts won't be included in future syncs.

    Reference:

    https://support.microsoft.com/en-us/help/2804688/you-can-t-sync-the-systemmailbox-or-discoverymailboxsearch-accounts-by

    https://support.microsoft.com/en-us/help/2643629/one-or-more-objects-don-t-sync-when-the-azure-active-directory-sync-to

    Thursday, July 18, 2019 12:15 AM
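The fix described in the replies above, written out as an added example (not code from the thread or from Microsoft's KB article) that goes slightly beyond the single account discussed: it walks every domain in the forest, finds Exchange arbitration accounts (SystemMailbox and, per the KB title, DiscoverySearchMailbox) whose mailNickname is blank, fills that attribute so AAD Connect's default exclusion rule for values starting with SystemMailbox catches them, and then requests a delta sync. It assumes the RSAT ActiveDirectory module where the first part runs and the ADSync module on the Azure AD Connect server for the final cmdlet.

```powershell
# Added example, not code from the thread: populate mailNickname on Exchange
# arbitration accounts that have none, so AAD Connect's default exclusion for
# values starting with "SystemMailbox" applies, then request a delta sync.
# Assumes the RSAT ActiveDirectory module here and the ADSync module on the
# Azure AD Connect server. Run with -WhatIf first (kept below) and review the list.
Import-Module ActiveDirectory

# Exchange creates these in the forest root domain, but walking every domain in
# the forest also covers the two-sibling-domain layout described in the thread.
$candidates = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADUser -Server $domain `
        -LDAPFilter '(&(objectCategory=person)(|(name=SystemMailbox{*)(name=DiscoverySearchMailbox{*)))' `
        -Properties name, mail, mailNickname |
        ForEach-Object {
            [pscustomobject]@{
                Domain            = $domain
                DistinguishedName = $_.DistinguishedName
                Name              = $_.Name
                Mail              = $_.mail
                MailNickname      = $_.mailNickname
            }
        }
}

# Only accounts whose mailNickname is empty need fixing; populated ones are
# already skipped by the rule and are left alone.
$needsFix = $candidates | Where-Object { [string]::IsNullOrEmpty($_.MailNickname) }
$needsFix | Format-Table Domain, Name, Mail, MailNickname -AutoSize

foreach ($acct in $needsFix) {
    # KB2804688 copies mail into mailNickname; when mail is blank as well (the
    # original poster's case) the object's name carries the same SystemMailbox{...}
    # prefix, which is what the last reply in the thread suggests using.
    $value = if ($acct.Mail) { $acct.Mail.Split('@')[0] } else { $acct.Name }
    Set-ADUser -Server $acct.Domain -Identity $acct.DistinguishedName `
        -Replace @{ mailNickname = $value } -WhatIf   # remove -WhatIf to apply
}

# Then, on the Azure AD Connect server (the DirSync-era Start-OnlineCoexistenceSync
# cmdlet no longer exists there):
#   Import-Module ADSync
#   Start-ADSyncSyncCycle -PolicyType Delta
```

After the delta sync completes, the 30-minute alert for that account should stop; if it persists, re-run the first part and confirm the mailNickname value was actually written in the domain the account lives in.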