On Demand Migration Current - Active Directory Release Notes

Known Issues

The following is a list of issues, including those attributed to third-party products, known to exist at the time of this deployment.

Directory Sync known issues

Known Issue Issue ID
An attempt to install an older version of the agent software will fail if a newer version has already been successfully installed. If, for some reason, the older version is needed, first uninstall the newer version, then remove all registry references to the agent. 8060
The agent installer cannot accept a password with a first character of !. 8122
When discovery runs against an environment, it reads in the OU structure of all domains within the forest. The UI will show all domains and you can select them for use in all workflows. However, if a DC for that domain is not included, or the agent account does not have read access to the objects, they will not be read into the database. 8077
Cloud Only Security Groups are not read in when reading a cloud endpoint. 22453
User thumbnail photos do not sync to cloud environments. 8069
The PowerShell User Group should be added to the Tenant Group Filter as the Group Owner. A security group should not be used. 8070
An account with access to all domains within the forest is needed if you want to sync all domains within a single forest with a single agent. Using an enterprise admin account is the most efficient method for doing this. 8073
Mapping functions do not work with multivalued attributes. For example, results(proxyaddresses,"x500:") will not return true even if an X500 address is present. 8075
When a workflow for a cloud environment has been run once, but then has been idle for longer than 30 days, an error will be encountered when the job starts, and the job will fail and loop repeatedly until the retry count has been reached. 8079
In the German and Chinese Office 365 tenants, Directory Sync will always do full synchronizations because the delta sync functionality is not available in these local tenants. 8095
An "Object with ID xyz was not found" error may occur when reading recently created Azure guest users due to the longer length of time for guest users to propagate. 8101
Remote Mailboxes from the source are incorrectly created in the target as Users instead of MailUsers. 8102
Delta syncs are limited to 30 days. To avoid full synchronization, a read in should be performed for all cloud environments every 29 days or less. 8108
Password sync does not support AES hashes. 21796
A template configured to sync a binary attribute to a non-binary attribute will not sync correctly. For example, if syncing Binary (ThumbnailPhoto) to String(ExtensionAttribute), the target attribute will be synced as "System.Byte[]" instead of the expected binary value converted into a string. 15683
A security group cannot be used as a filter group. 8057
When using filter groups for Cloud environments you need to ensure that a group containing any newly created objects is present in the environment filter. This can be accomplished by having a source and target filter group with the same name so they will match and synchronize between the environments. If these objects are not read in after creation, they will not have any additional updates synchronized and they will not be matched. 8076
When synchronizing local AD groups to Office 365 as Office 365 groups (Unified Groups) any contact in the source group will record an error in the logs and the contact will not appear in the target group. 8081
Office 365 Group settings are not copied to the target Office 365 Group. 8104
Likes for Office 365 Group conversations are not migrated. 8122
Custom schema attributes can be added to template mappings but are not visible in the drop-down selection list. 8072
All domains within an Active Directory Forest are visible within an environment when adding a single domain even though the agent account credentials may not have access to all domains. 8074
The DS-Core-Propagation-Data attribute is not synchronized by Directory Sync. The DS-Core-Propagation-Data attribute is a system attribute which is used by the Active Directory service and cannot and should not be modified by anything other than the directory itself. 34400
The mapping does not update the mailnickname attribute of non mail-enabled security groups. 34481
Attribute filters cannot be applied to Security Groups. 14933
Cloud Environments that use Object Filter Exclusion options may see Unlicensed or Disabled Accounts read in when configured to Exclude Unlicensed or Disabled Accounts. This is because the AccountDisabled and SKUAssigned properties in Exchange Online Management are not always updated to reflect the true state of the object in Office 365. 35957, 36574
Updates of non mail-enabled Security groups in Cloud to Local syncs fail due to an empty samAccountName value. 37254
Custom schema attributes can be added to template mappings, but are not visible in the drop-down selection list. 52326
Directory Sync will attempt to add a Group object as Owner to Teams/M365 and Distribution Groups when the Group object shares a similar name with the Group Owner. For M365 Groups and Teams, an error will be logged for these groups as they cannot be added as an owner. 41463
Password sync will fail for objects with non-English characters in the sAMAccountName. 41570
A directory operation error occurs when running a cloud to local workflow. 42444

RC4 encryption (Rivest Cipher 4, or RC4-HMAC) is an element of Microsoft Kerberos authentication that Quest migration products require to sync Active Directory passwords between Source and Target environments. Disabling the use of RC4 makes password syncing between environments impossible.

Beginning on November 8, 2022, Microsoft recommended that an out-of-band (OOB) patch be employed to set AES as the default encryption type. Enabling or disabling the RC4 encryption protocol has potential impact beyond password syncing in Quest migration tooling and should be considered carefully. N/A
Comment fields that exceed the maximum length of 4000 characters will cause an error. 44556
When mail contacts are deleted from Exchange Online, the deletion is not reflected in the product. Workflows with 'Delete Objects' steps will not process contact deletes. 45392

Active Directory known issues

Known Issue Issue ID
The Server 2016 Rollback action may break a user's profile if the user is not a member of the BUILTIN\Administrators group on the target machine. 29544
The Cleanup job should not be used with bi-directional match/sync configurations as it may incorrectly remove target ACLs. 32588
On a Windows 10 or Windows 11 device, when performing the Entra Cutover action, the migrated user profiles may lose some of the installed Windows Store applications or other Provisioned AppX Packages. These packages will need to be reinstalled by the user after they log on to their target profile. 36079
A Microsoft Entra ID device cannot be ReACLed if there is no matching group in the mapping file. 36124
For Entra Device Cutover, Windows Hello for Business Setup cannot be completed when Source Account is a Direct Member of the Device BUILTIN\Administrators Group. 36627
The ODMAD Device Agent has not been designed to take special requirements of application servers, such as Exchange, SharePoint, Remote Desktop Services, IIS, etc. into consideration. Applications should be analyzed to determine if domain migration will be supported by each individual application and what remediation(s) may be required. Recreating/redeploying Application Servers in the target environment is recommended for best results. 43466
A group with a name of two or fewer characters cannot be assigned to a migration wave. 45514
Certificates are not migrated with Device Cutover. 46002
Rollback is not supported for Cloud to On-Prem and Cloud to Cloud Device Migration. 46422
When installing a provisioning package that has been renamed (filename is different from the package name in the package metadata), the cutover script will fail when trying to verify that installation was successful. 47517

Domain Move known issues

Known Issue Issue ID
Domain Move cannot move the domain if it is being used for Active Directory Federation Service (ADFS) between on-prem Active Directory and Microsoft Entra ID. 35529

Domain Rewrite known issues

Known Issue Issue ID
Signed and encrypted messages will not be rewritten by the email rewrite service (ERS). 8004
When ERS is disabled, external email addresses of MEUs are not removed. 40937
Cloud Rewrite workflows will not run when prepare jobs are queued for both hybrid and cloud-only target objects. 44319
Forwarding from mailbox cannot be removed if ERS was enabled using skip setting up forwarding. 47362

Release History

The following lists the new features and resolved issues by deployment.

20.12.15.16

Resolved issues

Resolved Issue Issue ID
Password Filter and Password Propagation Service not treating all time as UTC. 53085

20.12.15.15

Resolved issues

Resolved Issue Issue ID
Password Propagation Service unable to query for target domain DC due to the domain controller list exceeding the query string length. 52998

20.12.15.14

Resolved issues

Resolved Issue Issue ID
Password Sync settings in environment are removed unintentionally from another part of the UI. 52730

20.12.15.13

Resolved issues

Resolved Issue Issue ID
The workflow's HasReadyEndpoint flag was not set to true after endpoint discovery finishes. 52653

20.12.15.12

Enhancements

Enhancement Issue ID
The ability to create a local admin user during Entra ID Join has been added. 51929

Resolved issues

Resolved Issue Issue ID
The Domain Rewrite wizard is missing the discovery scope filter page when there are multiple source tenants. 50620
The Password Filter and DS Password Change Service installers only allow 44 characters in the passphrase dialog. 51523
The Password Change service does not work if the user login contains special characters. 52240
The sidebar items appear in Entra ID Express before initial setup is complete. 52296

20.12.15.11

Resolved issues

Resolved Issue Issue ID
Well-known groups are not included in mapping file. 52398
UI is not allowing the Target Environment to be saved if the Directory Sync Agent is not selected for Password Monitor Service. 52419

20.12.15.10

Enhancements

Enhancement Issue ID
Improved encrypted value logic for AD Agent PowerShell script execution. 49994
An option to allow selecting Enroll into Intune without selecting either cleanup option and an option to separate Autopilot cleanup from Intune cleanup have been added to Autopilot/Intune Cleanup and Intune Enrollment. 51266
The webpage title for Microsoft Entra ID for Device has been updated. 51672
A link to instructions for the provisioning package has been added. 51930

Resolved issues

Resolved Issue Issue ID
Workflow with Read, Stage Data, and Write with test mode enabled will not record LastPushUSN for read. 49860
Tenant Discovery should provide progress when discovering users. 51487
PowerShell User creation information appears on the Environment page for Entra ID Express. 51501
Unable to switch password copy option back to the legacy Password Monitor Service option. 51667
The Directory Sync installer does not accept special characters when saving info into the registry key. 51676
A user can save without selecting either the Legacy Password Monitor Service or Modern Password Monitor Service option. 52011
GetPwChangeTargets fails with child domains. 52170

20.12.15.9

Resolved issues

Resolved Issue Issue ID
On-Prem Directory Sync agent fails to log very long entries. 51957

20.12.15.8

Enhancements

Enhancement Issue ID
Changes to support UAE customers. 50964

Resolved issues

Resolved Issue Issue ID
The authentication cookie is too long with ODAzure Authentication 'Groups' claim. 50526
Sign out periodically fails with a redirect error. 51316
A client that is logged in as the wrong user account and presented with the Forbidden page cannot select the correct user account. 51560
Active Directory Migration displays a forbidden error if a license is not available instead of the "no License" screen indicating to contact sales. 51565

20.12.15.7

Enhancements

Enhancement Issue ID
The Password Propagation Service component of Directory Sync that allows password synchronization in environments without RC4 Encryption has been added. 43285
The Migration, Credentials, and Credential Cache Profile tabs have been removed from the Entra ID for Device module. 51017
The SQL Repermission download has been removed from the Entra ID for Device module. 51018

Resolved issues

Resolved Issue Issue ID
For cloud endpoints, some multi-value reference attributes are synced as value attributes. 50019
Failure to read the domain environment, for some reasons, shows up as exceptions when adding DCs to the database (Foreign Key constraint). 50326
For domain cutover pre check, the DirSync SID match stage compares only one SID per tenant, even if the tenant is linked to more than one AD. 50372
Intune Cleanup does not handle multiple enrollments. 51349
The ERS process stopped updating replicas due to a deadlock when adding or removing a tenant dictionary. 51507

20.12.15.6

Enhancements

Enhancement Issue ID
Support for Replace/Update Domains during import associated with Entra ID objects. 50223
The ability to stop ReACL Profiles if the machine contains a profile not part of the mapping has been added. 49714

Resolved issues

Resolved Issue Issue ID
Bulk Enrollment Path is missing for Microsoft Entra ID for Device SKU. 51226

20.12.15.5

Resolved issues

Resolved Issue Issue ID
Package verification fails at times. 50950

20.12.15.4

Enhancements

Enhancement Issue ID
The UI session timeout has been increased to 120 minutes. 50888

Resolved issues

Resolved Issue Issue ID
The UserPrincipalName will not be updated when the user has a manager that needs to be set. 50671
The Install-ProvisioningPackage -LogsDirectoryPath parameter has been removed. 50903

20.12.15.3

Resolved issues

Resolved Issue Issue ID
Selecting devices does not increment the Selected devices, and Actions to apply does not get enabled. 50571
Device selection throws a JavaScript error. 50574

20.12.15.2

Enhancements

Enhancement Issue ID
The Express wizard has been updated to support Entra ID Device migration setup. For Entra ID Device migration, wizard options not applicable are hidden or disabled. 48534
"Out of Scope" directory objects are now filtered out on the Environment Details page. 50097

Resolved issues

Resolved Issue Issue ID
Agent state file corrupted by invalid XML characters produced by job error messages. 46542
Matched Non-MailEnabled Security Groups displayed as not matched on Environment Details view. 47644
Domain Move pre-flight check not filtering out archived agents during Directory Sync validation. 49626
For Migration for Active Directory Express, the "Clear Existing Unregistered devices from the project" option is not working. 50038
The agent Auth Key is missing from the Device Agent page in some cases. 50057
For Migration for Active Directory Express, the Environment View Back button navigates to the Directory Overview with no license error. 50067
For Migration for Active Directory Express, the "Clear matching users from the project" option is not working properly. 50163

20.12.15.1

Enhancements

Enhancement Issue ID
The version number has been added to the left navigation menu. 34611
Device registration has been optimized. 37728
Windows Defender registry keys have been added to the default exclusion list. 49628
The ability to add/edit the Device ReACL Profile has been added to Migration for Active Directory Express. 49825

Resolved issues

Resolved Issue Issue ID
A profile in use error occurs when attempting to delete a credential cache. 49764
Cannot ReACL multiple fileshares in a search filter. 49783
The Workflow Run button is disabled for customers with only a Directory Sync license. 49895

Incident response management

Quest Operations and Quest Support have procedures in place to monitor the health of the system and ensure any degradation of the service is promptly identified and resolved. On Demand relies on Azure and AWS infrastructure and as such, is subject to the possible disruption of these services. You can view the following status pages:

System Requirements

The following web browsers are supported with On Demand:

  • Chrome or Firefox is recommended for the best cloud-based platform experience.
