[389-users] loss of group members in AD after initialization of sync

Jean-Noel.Chardron at dr15.cnrs.fr (jean-Noël Chardron) · Thu, 11 Jun 2009 12:38:10 +0200

hello,

When I initiate a first full synchronization of DS and AD I lost members 
in groups

error log shows :

[10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" 
(zebigbos:636): map_entry_dn_inbound: looking for local entry matching 
AD entry [CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr]
[10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" 
(zebigbos:636): map_entry_dn_inbound: looking for local entry by guid 
[c0e73a492ffbc04c9e85781a68f45023]
[10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" 
(zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1
[10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" 
(zebigbos:636): map_entry_dn_inbound: looking for local entry by uid [SFC]
[...]
[10/Jun/2009:15:00:11 +0200] - Windows sync entry: Adding new local 
entry dn: cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr
objectClass: top
objectClass: groupofuniquenames
objectClass: ntGroup
ntGroupDeleteGroup: true
cn: SFC
description: Service Financier et Comptable
uniqueMember: uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, 
dc=cnrs, dc=
 fr
uniqueMember:[...]
follow 10 members

[...]
[10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - received entry from 
dirsync: CN=MX,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr
[10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" 
(zebigbos:636): map_entry_dn_inbound: looking for local entry matching 
AD entry [CN=MX,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr]
[10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" 
(zebigbos:636): map_entry_dn_inbound: looking for local entry by guid 
[0cdf6e627d64684cb10c70b3b8753fda]
[10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" 
(zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1
[10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" 
(zebigbos:636): map_entry_dn_inbound: looking for local entry by uid [MX]
[10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" 
(zebigbos:636): map_entry_dn_inbound: problem looking for username: -1
[10/Jun/2009:15:00:24 +0200] - Windows sync entry: Adding new local 
entry dn: uid=MX,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetOrgPerson
objectClass: ntUser
ntUserDeleteAccount: true
uid: MX
sn: MX
givenName: Guillaume
cn: MX
ntUserCodePage: 0
ntUserAcctExpires: 0
ntUserDomainId: MX
mail: Guillaume.MX at dr15.cnrs.fr
ntUniqueId: 0cdf6e627d64684cb10c70b3b8753fda

[10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" 
(zebigbos:636): windows_process_total_entry: Looking 
dn="cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr" (ours)
[10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" 
(zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS 
dn="cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr" 
guid="c0e73a492ffbc04c9e85781a68f45023"
[10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" 
(zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS 
dn="cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr" username="SFC"
[10/Jun/2009:15:01:34 +0200] - Calling windows entry search request plugin
[10/Jun/2009:15:01:34 +0200] - windows_search_entry: recieved 2 
messages, 1 entries, 0 references
[10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" 
(zebigbos:636): map_entry_dn_outbound: found AD entry 
dn="CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr"
[10/Jun/2009:15:01:34 +0200] - Calling windows entry search request plugin
[10/Jun/2009:15:01:34 +0200] - windows_search_entry: recieved 2 
messages, 1 entries, 0 references
[10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - 
windows_generate_update_mods: 
CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr, description : 
values are equal
[10/Jun/2009:15:01:35 +0200] - map_dn_values: no local entry found for 
uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr
[10/Jun/2009:15:01:35 +0200] - map_dn_values: no local entry found for uid=

[follow 10 entries,]

[10/Jun/2009:15:01:35 +0200] - Calling windows entry search request plugin
[10/Jun/2009:15:01:35 +0200] - windows_search_entry: recieved 2 
messages, 1 entries, 0 references
[10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" 
(zebigbos:636): map_entry_dn_inbound: looking for local entry matching 
AD entry [CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr]
[10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" 
(zebigbos:636): map_entry_dn_inbound: looking for local entry by guid 
[72a7171ffaa0d84a9ca4ec2d90a4ab2b]
[10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" 
(zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1
[10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" 
(zebigbos:636): map_entry_dn_inbound: looking for local entry by uid 
[essaibug]
[10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" 
(zebigbos:636): map_entry_dn_inbound: problem looking for username: -1
[10/Jun/2009:15:01:35 +0200] - Calling windows entry search request plugin
[10/Jun/2009:15:01:35 +0200] - windows_search_entry: recieved 2 
messages, 1 entries, 0 references

[10/Jun/2009:15:01:38 +0200] NSMMReplicationPlugin - 
windows_generate_update_mods: 
CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr, sAMAccountName : 
values are equal
[10/Jun/2009:15:01:38 +0200] - smod - windows sync
[10/Jun/2009:15:01:38 +0200] - smod 0 - delete: member
[10/Jun/2009:15:01:38 +0200] - smod 0 - value: member: 
CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr
[10/Jun/2009:15:01:38 +0200] - smod 1 - delete: member
[10/Jun/2009:15:01:38 +0200] - smod 1 - value: member:

[follow the 10 entries]

[10/Jun/2009:15:01:39 +0200] NSMMReplicationPlugin - 
windows_update_remote_entry: modifying entry 
CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr
[10/Jun/2009:15:01:39 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" 
(zebigbos:636): Received result code 0 () for modify operation

[10/Jun/2009:15:01:55 +0200] - map_dn_values: no local entry found for 
uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr

[10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - received entry from 
dirsync: CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr
[10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" 
(zebigbos:636): map_entry_dn_inbound: looking for local entry matching 
AD entry [CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr]
[10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" 
(zebigbos:636): map_entry_dn_inbound: looking for local entry by guid 
[72a7171ffaa0d84a9ca4ec2d90a4ab2b]
[10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" 
(zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1
[10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" 
(zebigbos:636): map_entry_dn_inbound: looking for local entry by uid 
[essaibug]
[10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" 
(zebigbos:636): map_entry_dn_inbound: problem looking for username: -1
[10/Jun/2009:15:05:52 +0200] - Windows sync entry: Adding new local 
entry dn: uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetOrgPerson
objectClass: ntUser
ntUserDeleteAccount: true
uid: essaibug
sn: essaibug
cn: essaibug
ntUserCodePage: 0
ntUserAcctExpires: 9223372036854775807
ntUserDomainId: essaibug
ntUniqueId: 72a7171ffaa0d84a9ca4ec2d90a4ab2b

[10/Jun/2009:15:07:13 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" 
(zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS 
dn="uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr" 
guid="72a7171ffaa0d84a9ca4ec2d90a4ab2b"
[10/Jun/2009:15:07:13 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" 
(zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS 
dn="uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr" 
username="essaibug"
[10/Jun/2009:15:07:13 +0200] - Calling windows entry search request plugin
[10/Jun/2009:15:07:13 +0200] - windows_search_entry: recieved 2 
messages, 1 entries, 0 references
[10/Jun/2009:15:07:13 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" 
(zebigbos:636): map_entry_dn_outbound: found AD entry 
dn="CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr"

(following the translation of google)
I suppose that during the initialization of the replication, groups have 
lost members (group sfc) with the logs in order explicit removal of the 
member in the group, sent by the DS to AD. The most likely explanation 
and that the process is sequential but with a dispatch from AD to 
DS-anarchic, with a group can be created before members in DS users. 
these are leading to a later stage in a request for suppresssion AD DS 
to members of the group that did not exist before the creation of the 
group. This is "normal" since DS checks the consistency of information 
and therefore the group members. The solution to this problem is to 
create manually in the AD to add the lost members in the group or may be 
to initialize sync twice in a closed time.

The administrator of the Windows server and the AD insulted me as a 
result of this blunder
I asked him if he had a backup of the AD. he had not

-- 

Jean-Noel Chardron