John A. Sullivan III wrote:
> On Mon, 2010-07-19 at 04:26 -0400, John A. Sullivan III wrote:
>
>> On Mon, 2010-07-19 at 04:15 -0400, John A. Sullivan III wrote:
>>
>>> On Wed, 2010-07-14 at 15:40 -0600, Rich Megginson wrote:
>>>
>>>> --[ UxBoD ]-- wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> We are setting up a new Windows 2K3 AD server and attempting to synchronise the users from our LDAP server version 8.1.0.
>>>>>
>>>>> Performing the full sync fails after about 30 seconds with a message in the error log:
>>>>>
>>>>> [14/Jul/2010:07:46:10 -0400] - add value "^V" to attribute type "ARecord" in entry "DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com" failed: duplicate new value
>>>>> [14/Jul/2010:07:46:10 -0400] - add value "null or non-ASCII" to attribute type "dnsproperty" in entry "DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com" failed: duplicate new value
>>>>>
>>>>> and none of the users or groups are sent to AD. I am guessing it may be how our LDAP server schema is set up, as we use something like:
>>>>>
>>>>> dc=domain,dc=com
>>>>>   |_ o=Internal
>>>>>     |___o=a0000
>>>>>       |____ou=Desktops
>>>>>         |_____uid=fred
>>>>>
>>>>> We have set the Windows subtree to be dc=domain,dc=com and the replication subtree to be dc=domain,dc=com with a DS subtree of o=Internal,dc=domain,dc=com.
>>>>>
>>>>> Our understanding was that within AD Users & Groups GUI we should have seen a similar schema created.
>>>>>
>>>>> Though for some reason the replication is traversing the whole of the internal AD tree.
>>>>>
>>>> Because you set the AD subtree to be dc=domain,dc=com ?
>>>>
>>>>> Should we create a new Organisational Unit within AD called, for argument's sake, clients and set the Windows subtree to be ou=clients,dc=domain,dc=com so that it forces it to that branch ?
>>>>>
>>>>>
>>>> I think that's the way it was designed. Usually AD trees have a
>>>> CN=Users,DC=domain,DC=com where all of the user entries live, and
>>>> winsync is designed to work with that sort of structure.
>>>>
>>> <snip>
>>> Hmm . . . we've rooted AD in dc=myad,dc=domain,dc=com and synchronized
>>> at cn=users,dc=myad,dc=domain,dc=com but still have the exact same
>>> problem :(
>>>
>> <snip>
>> I also tried creating an ou in AD, e.g.,
>> ou=LDAPUSers,dc=myad,dc=domain,dc=com in case it did not like building
>> Organizations under CNs but that also failed - John
>>
> <snip>
> Hmm ... more inconsistent behavior. I thought it might be a schema
> violation to put an O under a CN or O.

No. Maybe some sort of naming violation, not a schema violation, but I don't think AD enforces those anyway, so it shouldn't matter.

> I tried creating it under DC;
> that did not work. I tried synching an OU instead of an O. That
> appeared to work but only transferred one of five users. I wonder if it
> is a 64 bit problem. The system where it is working is a 32 bit version
> of Windows
>

I doubt it is a 64-bit issue. Try turning on the replication log level
http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting

> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>