----- Original Message -----
> --[ UxBoD ]-- wrote:
> > ----- Original Message -----
> >
> >> On Mon, 2010-07-19 at 07:01 -0600, Rich Megginson wrote:
> >>
> >>> John A. Sullivan III wrote:
> >>>
> >>>> On Mon, 2010-07-19 at 04:15 -0400, John A. Sullivan III wrote:
> >>>>
> >>>>> On Wed, 2010-07-14 at 15:40 -0600, Rich Megginson wrote:
> >>>>>
> >>>>>> --[ UxBoD ]-- wrote:
> >>>>>>
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> We are setting up a new Windows 2K3 AD server and attempting to
> >>>>>>> synchronise the users from our LDAP server version 8.1.0.
> >>>>>>>
> >>>>>>> Performing the full sync fails after about 30 seconds with a
> >>>>>>> message in the error log:
> >>>>>>>
> >>>>>>> [14/Jul/2010:07:46:10 -0400] - add value "^V" to attribute type
> >>>>>>> "ARecord" in entry
> >>>>>>> "DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com"
> >>>>>>> failed: duplicate new value
> >>>>>>> [14/Jul/2010:07:46:10 -0400] - add value "null or non-ASCII" to
> >>>>>>> attribute type "dnsproperty" in entry
> >>>>>>> "DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com"
> >>>>>>> failed: duplicate new value
> >>>>>>>
> >>>>>>> and none of the users or groups are sent to AD. I am guessing it
> >>>>>>> may be how our LDAP server schema is set up, as we use something
> >>>>>>> like:
> >>>>>>>
> >>>>>>> dc=domain,dc=com
> >>>>>>> |_ o=Internal
> >>>>>>> |___o=a0000
> >>>>>>> |____ou=Desktops
> >>>>>>> |_____uid=fred
> >>>>>>>
> >>>>>>> We have set the Windows subtree to be dc=domain,dc=com and the
> >>>>>>> replication subtree to be dc=domain,dc=com with a DS subtree of
> >>>>>>> o=Internal,dc=domain,dc=com.
> >>>>>>>
> >>>>>>> Our understanding was that within the AD Users & Groups GUI we
> >>>>>>> should have seen a similar schema created.
> >>>>>>>
> >>>>>>> Though for some reason the replication is traversing the whole of
> >>>>>>> the internal AD tree.
> >>>>>>>
> >>>>>> Because you set the AD subtree to be dc=domain,dc=com ?
> >>>>>>
> >>>>>>> Should we create a new Organisational Unit within AD called, for
> >>>>>>> argument's sake, clients and set the Windows subtree to be
> >>>>>>> ou=clients,dc=domain,dc=com so that it forces it to that branch ?
> >>>>>>>
> >>>>>> I think that's the way it was designed. Usually AD trees have a
> >>>>>> CN=Users,DC=domain,DC=com where all of the user entries live, and
> >>>>>> winsync is designed to work with that sort of structure.
> >>>>>>
> >>>>> <snip>
> >>>>> Hmm . . . we've rooted AD in dc=myad,dc=domain,dc=com and
> >>>>> synchronized at cn=users,dc=myad,dc=domain,dc=com but still have the
> >>>>> exact same problem :(
> >>>>>
> >>>> <snip>
> >>>> I also tried creating an ou in AD, e.g.,
> >>>> ou=LDAPUSers,dc=myad,dc=domain,dc=com in case it did not like
> >>>> building Organizations under CNs but that also failed - John
> >>>>
> >>> Not sure what you mean by "building Organizations" - but it shouldn't
> >>> matter if it is under a CN or not.
> >>>
> >> <snip>
> >> We're running 8.1. Based upon some of the change logs I've seen for
> >> some of the more recent versions of 389, I wonder if this is just a
> >> problem between 8.1 and Windows Server 2008. We are downgrading a
> >> Domain Controller to 2003 to see if the problem goes away - John
> >>
> > The problem still exists on W2K3/32bit and we see the following
> > error:
> >
> > windows_tot_run: failed to obtain data to send to the consumer; LDAP
> > error - 1
> >
> Enable the replication log level -
> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>
> > The user we are binding with in AD is a member of Domain Admins; do we
> > need to add some other group or security membership ?
>
Hi Rich, that is what I did not get the error message.

Here is the complete output:

[20/Jul/2010:10:42:20 -0400] NSMMReplicationPlugin - agmt="cn=DomainAD" (adc01:636): Received result code 32 (0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=Users,DC=ad,DC=domain,DC=com' ) for add operation
[20/Jul/2010:10:42:20 -0400] NSMMReplicationPlugin - agmt="cn=DomainAD" (adc01:636): windows_replay_update: Cannot replay add operation.
[20/Jul/2010:10:42:20 -0400] NSMMReplicationPlugin - agmt="cn=DomainAD" (adc01:636): Beginning linger on the connection
[20/Jul/2010:10:42:20 -0400] NSMMReplicationPlugin - agmt="cn=DomainAD" (adc01:636): windows_tot_run: failed to obtain data to send to the consumer; LDAP error - 1
[20/Jul/2010:10:42:20 -0400] NSMMReplicationPlugin - agmt="cn=DomainAD" (adc01:636): No linger to cancel on the connection
[20/Jul/2010:10:42:20 -0400] NSMMReplicationPlugin - agmt="cn=DomainAD" (adc01:636): Disconnected from the consumer
[20/Jul/2010:10:42:20 -0400] NSMMReplicationPlugin - agmt="cn=DomainAD" (adc01:636): State: start -> ready_to_acquire_replica

--
Thanks, Phil
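The replication-level log Phil posted can be triaged mechanically. The following is an added example, not code from the thread or from 389 Directory Server: it parses NSMMReplicationPlugin lines from the errors log, extracts the agreement, the AD host, the LDAP result code and the best-match DN that AD returned, and reports why the total update aborted. The sample log text is constructed from Phil's message; nsds7WindowsReplicaSubtree is the winsync agreement attribute that holds the Windows subtree, named here only as the setting to compare against what exists in AD.

```python
import re

# Constructed sample: three of the NSMMReplicationPlugin lines from Phil's message above.
SAMPLE_LOG = """\
[20/Jul/2010:10:42:20 -0400] NSMMReplicationPlugin - agmt="cn=DomainAD" (adc01:636): Received result code 32 (0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=Users,DC=ad,DC=domain,DC=com' ) for add operation
[20/Jul/2010:10:42:20 -0400] NSMMReplicationPlugin - agmt="cn=DomainAD" (adc01:636): windows_replay_update: Cannot replay add operation.
[20/Jul/2010:10:42:20 -0400] NSMMReplicationPlugin - agmt="cn=DomainAD" (adc01:636): windows_tot_run: failed to obtain data to send to the consumer; LDAP error - 1
"""

# One errors-log line: timestamp, agreement RDN, consumer host:port, message text.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)" '
                     r'\((?P<host>[^:)]+):(?P<port>\d+)\): (?P<msg>.*)$')
# The result AD returned: LDAP result code, AD error code and the operation that was replayed.
RESULT_RE = re.compile(r'Received result code (?P<code>\d+) \((?P<ad_code>[0-9A-Fa-f]{8}):'
                       r'.*\) for (?P<op>\w+) operation')
PROBLEM_RE = re.compile(r'problem \d+ \((?P<name>[A-Z_]+)\)')  # e.g. NO_OBJECT
BEST_RE = re.compile(r"best match of: '(?P<best>[^']*)'")     # deepest DN that does exist in AD

def parse_winsync_log(text):
    """One dict per NSMMReplicationPlugin line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["port"] = int(ev["port"])
        ev["result"] = None
        r = RESULT_RE.search(ev["msg"])
        if r:
            prob, best = PROBLEM_RE.search(ev["msg"]), BEST_RE.search(ev["msg"])
            ev["result"] = {"code": int(r["code"]), "ad_code": r["ad_code"], "op": r["op"],
                            "problem": prob["name"] if prob else None,
                            "best_match": best["best"] if best else None}
        events.append(ev)
    return events

def diagnose(events):
    """Explain the pattern in the thread: noSuchObject on an add, then the total update aborts."""
    findings = []
    for ev in events:
        where, res = f'{ev["agmt"]} -> {ev["host"]}:{ev["port"]}', ev["result"]
        if res and res["code"] == 32:  # LDAP noSuchObject on an add: the parent DN is missing in AD
            findings.append(f"{where}: AD rejected the {res['op']} with noSuchObject ({res['problem']}); "
                            f"deepest existing ancestor is '{res['best_match']}', so compare the "
                            f"agreement's Windows subtree (nsds7WindowsReplicaSubtree) with AD")
        elif ev["msg"].startswith("windows_tot_run: failed to obtain data"):
            findings.append(f"{where}: total update aborted after the replay failure")
    return findings
```

Running `diagnose(parse_winsync_log(SAMPLE_LOG))` turns the seven raw lines into two findings: the add was refused because its parent container does not exist on the AD side, and the total update then aborted as a consequence.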