--[ UxBoD ]-- wrote:
> ----- Original Message -----
>
>> --[ UxBoD ]-- wrote:
>>
>>> ----- Original Message -----
>>>
>>>> On Mon, 2010-07-19 at 07:01 -0600, Rich Megginson wrote:
>>>>
>>>>> John A. Sullivan III wrote:
>>>>>
>>>>>> On Mon, 2010-07-19 at 04:15 -0400, John A. Sullivan III wrote:
>>>>>>
>>>>>>> On Wed, 2010-07-14 at 15:40 -0600, Rich Megginson wrote:
>>>>>>>
>>>>>>>> --[ UxBoD ]-- wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> We are setting up a new Windows 2K3 AD server and attempting to
>>>>>>>>> synchronise the users from our LDAP server version 8.1.0.
>>>>>>>>>
>>>>>>>>> Performing the full sync fails after about 30 seconds with a
>>>>>>>>> message in the error log:
>>>>>>>>>
>>>>>>>>> [14/Jul/2010:07:46:10 -0400] - add value "^V" to attribute type
>>>>>>>>> "ARecord" in entry
>>>>>>>>> "DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com"
>>>>>>>>> failed: duplicate new value
>>>>>>>>> [14/Jul/2010:07:46:10 -0400] - add value "null or non-ASCII" to
>>>>>>>>> attribute type "dnsproperty" in entry
>>>>>>>>> "DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com"
>>>>>>>>> failed: duplicate new value
>>>>>>>>>
>>>>>>>>> and none of the users or groups are sent to AD. I am guessing
>>>>>>>>> it may be how our LDAP server schema is set up as we use
>>>>>>>>> something like:
>>>>>>>>>
>>>>>>>>> dc=domain,dc=com
>>>>>>>>> |_ o=Internal
>>>>>>>>> |___o=a0000
>>>>>>>>> |____ou=Desktops
>>>>>>>>> |_____uid=fred
>>>>>>>>>
>>>>>>>>> We have set the Windows subtree to be dc=domain,dc=com and the
>>>>>>>>> replication subtree to be dc=domain,dc=com with a DS subtree of
>>>>>>>>> o=Internal,dc=domain,dc=com.
>>>>>>>>>
>>>>>>>>> Our understanding was that within AD Users & Groups GUI we
>>>>>>>>> should have seen a similar schema created.
>>>>>>>>>
>>>>>>>>> Though for some reason the replication is traversing the whole
>>>>>>>>> of the internal AD tree.
>>>>>>>>>
>>>>>>>> Because you set the AD subtree to be dc=domain,dc=com ?
>>>>>>>>
>>>>>>>>> Should we create a new Organisational Unit within AD called,
>>>>>>>>> for argument's sake, clients and set the Windows subtree to be
>>>>>>>>> ou=clients,dc=domain,dc=com so that it forces it to that
>>>>>>>>> branch ?
>>>>>>>>>
>>>>>>>> I think that's the way it was designed. Usually AD trees have a
>>>>>>>> CN=Users,DC=domain,DC=com where all of the user entries live, and
>>>>>>>> winsync is designed to work with that sort of structure.
>>>>>>>>
>>>>>>> <snip>
>>>>>>> Hmm . . . we've rooted AD in dc=myad,dc=domain,dc=com and
>>>>>>> synchronized at cn=users,dc=myad,dc=domain,dc=com but still have
>>>>>>> the exact same problem :(
>>>>>>>
>>>>>> <snip>
>>>>>> I also tried creating an ou in AD, e.g.,
>>>>>> ou=LDAPUSers,dc=myad,dc=domain,dc=com in case it did not like
>>>>>> building Organizations under CNs but that also failed - John
>>>>>>
>>>>> Not sure what you mean by "building Organizations" - but it
>>>>> shouldn't matter if it is under a CN or not.
>>>>>
>>>> <snip>
>>>> We're running 8.1. Based upon some of the change logs I've seen for
>>>> some of the more recent versions of 389, I wonder if this is just a
>>>> problem between 8.1 and Windows Server 2008. We are downgrading a
>>>> Domain Controller to 2003 to see if the problem goes away - John
>>>>
>>> The problem still exists on W2K3/32bit and we see the following
>>> error:
>>>
>>> windows_tot_run: failed to obtain data to send to the consumer; LDAP
>>> error - 1
>>>
>> Enable the replication log level -
>> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>>
>>> The user we bind with in AD is a member of Domain Admins; do we
>>> need to add some other group or security membership ?
>>>
>
> Hi Rich,
>
> that is what I did and I did not get the error message. Here is the complete output:
>
> [20/Jul/2010:10:42:20 -0400] NSMMReplicationPlugin - agmt="cn=DomainAD" (adc01:636): Received result code 32 (0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=Users,DC=ad,DC=domain,DC=com' ) for add operation
>
This is saying that the DN mapping is not working - are you trying to add an RHDS entry like uid=foo,ou=bar,ou=people,DC=domain,DC=com to AD, but AD doesn't have ou=bar,CN=Users,DC=ad,DC=domain,DC=com ? Note that winsync will not add sub-ou containers.
> [20/Jul/2010:10:42:20 -0400] NSMMReplicationPlugin - agmt="cn=DomainAD" (adc01:636): windows_replay_update: Cannot replay add operation.
> [20/Jul/2010:10:42:20 -0400] NSMMReplicationPlugin - agmt="cn=DomainAD" (adc01:636): Beginning linger on the connection
> [20/Jul/2010:10:42:20 -0400] NSMMReplicationPlugin - agmt="cn=DomainAD" (adc01:636): windows_tot_run: failed to obtain data to send to the consumer; LDAP error - 1
> [20/Jul/2010:10:42:20 -0400] NSMMReplicationPlugin - agmt="cn=DomainAD" (adc01:636): No linger to cancel on the connection
> [20/Jul/2010:10:42:20 -0400] NSMMReplicationPlugin - agmt="cn=DomainAD" (adc01:636): Disconnected from the consumer
> [20/Jul/2010:10:42:20 -0400] NSMMReplicationPlugin - agmt="cn=DomainAD" (adc01:636): State: start -> ready_to_acquire_replica
>
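The result-32 (NO_OBJECT) failure Rich points at comes from how the agreement maps DNs: the DS subtree suffix is swapped for the Windows subtree, any intermediate containers between the entry and the subtree (ou=bar here, or o=a0000/ou=Desktops in the original tree) are carried over, and AD rejects the add because that intermediate container does not exist and winsync will not create it. The script below is an added illustration of a pre-sync check for exactly that condition; it is not 389 Directory Server or winsync code, and the mapping rule it implements (suffix swap, intermediate RDNs kept, uid renamed to cn) is an assumption taken from Rich's description. The set of AD containers and the sample DS entries are constructed for the example; a real check would read the containers from AD over LDAP instead.

```python
"""Pre-sync check for winsync DN mapping (added example, not 389 DS code).

Assumed mapping rule, from Rich's reply in the thread: replace the DS subtree
with the Windows subtree, keep intermediate RDNs, rename the uid RDN to cn.
Entries whose mapped parent container does not exist in AD are reported, since
winsync does not create sub-ou containers on the AD side.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Subtrees from the DN pair Rich gives as an example in the thread.
DS_SUBTREE = "ou=people,dc=domain,dc=com"
AD_SUBTREE = "cn=users,dc=ad,dc=domain,dc=com"

# Constructed picture of the containers that exist in AD for this example.
AD_CONTAINERS: Set[str] = {
    "dc=ad,dc=domain,dc=com",
    "cn=users,dc=ad,dc=domain,dc=com",
}

_UNESCAPED_COMMA = re.compile(r"(?<!\\),")  # split on commas not preceded by a backslash


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, normalised to lowercase with surrounding spaces removed."""
    return [rdn.strip().lower() for rdn in _UNESCAPED_COMMA.split(dn)]


def join_dn(rdns: List[str]) -> str:
    return ",".join(rdns)


def map_to_ad(ds_dn: str, ds_subtree: str = DS_SUBTREE, ad_subtree: str = AD_SUBTREE) -> str:
    """Return the DN winsync would try to add in AD for a DS entry under ds_subtree."""
    rdns = split_dn(ds_dn)
    suffix = split_dn(ds_subtree)
    if len(rdns) <= len(suffix) or rdns[-len(suffix):] != suffix:
        raise ValueError(f"{ds_dn} is not below {ds_subtree}; it would not be synced at all")
    relative = rdns[: -len(suffix)]
    # DS users are usually named by uid; AD user objects are named by cn.
    leaf_type, _, leaf_value = relative[0].partition("=")
    if leaf_type == "uid":
        relative[0] = f"cn={leaf_value}"
    return join_dn(relative + split_dn(ad_subtree))


def best_match(dn: str, ad_containers: Set[str]) -> str:
    """Nearest existing ancestor of dn, like the 'best match of' in an LDAP result 32."""
    rdns = split_dn(dn)
    for i in range(1, len(rdns)):
        candidate = join_dn(rdns[i:])
        if candidate in ad_containers:
            return candidate
    return ""


def check_entries(ds_dns: Iterable[str], ad_containers: Set[str] = AD_CONTAINERS,
                  ds_subtree: str = DS_SUBTREE, ad_subtree: str = AD_SUBTREE) -> Dict[str, Tuple[str, str]]:
    """Return {ds_dn: (mapped_ad_dn, reason)} for every entry the sync would fail to add."""
    problems: Dict[str, Tuple[str, str]] = {}
    for ds_dn in ds_dns:
        try:
            ad_dn = map_to_ad(ds_dn, ds_subtree, ad_subtree)
        except ValueError as exc:
            problems[ds_dn] = ("", str(exc))
            continue
        parent = join_dn(split_dn(ad_dn)[1:])
        if parent not in ad_containers:
            problems[ds_dn] = (
                ad_dn,
                f"parent {parent} does not exist in AD and winsync will not create it "
                f"(expect result 32 NO_OBJECT, best match of: {best_match(ad_dn, ad_containers)})",
            )
    return problems


if __name__ == "__main__":
    # Constructed sample entries: one flat user, one under a sub-ou, one outside the subtree.
    sample = [
        "uid=alice,ou=people,dc=domain,dc=com",
        "uid=bob,ou=bar,ou=people,dc=domain,dc=com",
        "uid=carol,ou=other,dc=domain,dc=com",
    ]
    for dn, (ad_dn, reason) in check_entries(sample).items():
        print(f"{dn} -> {ad_dn or '(not mapped)'}: {reason}")
```

Running it on the constructed sample reports bob (his mapped parent ou=bar,cn=users,... is missing, with cn=users,... as the best match, the shape of the error in the log above) and carol (outside the DS subtree), while alice maps cleanly to cn=alice,cn=users,dc=ad,dc=domain,dc=com. The same function applied with the original poster's subtrees shows why that tree fails too: o=a0000 and ou=Desktops would need to exist under the Windows subtree before any uid beneath them could be added.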