Hello, all. I'm having grief trying to get DS 8.0 to synchronize with Active Directory on Windows 2003 Server R2.

I first tried to synchronize an existing branch of DS with ntuser ids to a fresh AD. That kept failing with sync total update aborted LDAP error operations error code 1 and messages about failing to replay creation in the errors log. I then deleted the agreement, created a new empty branch in DS, and set up a windows synchronization agreement. All the errors went away. I also verified communication with

/usr/lib64/mozldap/ldapsearch -Z -P ./cert8.db -h <hostname> -p 636 -D "cn=Synch Manager,cn=users,dc=some,dc=domain" -w - -s sub -b "cn=Users,dc=some,dc=domain" "cn=*"

However, when I create a new user in DS, it does not propagate to AD. I create the user, add the NT user option and set the uid as well as check the create new account and delete account boxes.

The DS is set up as a single master. We do not want entries from AD propagating to DS, just from DS to AD.

We initially created the synchronization user in AD as a member of domain admins. We also tried making it a member of enterprise and schema admins. Nothing seems to work.

We see nothing in the AD logs to indicate where the failure is. We see very little on DS:

[20/Apr/2009:21:41:21 -0400] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=TestWinSync" (timberline:636)".
[20/Apr/2009:21:41:22 -0400] - Entry "uid=Guest,o=a0000-0012,o=Internal, dc=ssiservices, dc=biz" missing attribute "sn" required by object class "person"
[20/Apr/2009:21:41:22 -0400] - Entry "uid=SUPPORT_388945a0,o=a0000-0012,o=Internal, dc=ssiservices, dc=biz" missing attribute "sn" required by object clas
[20/Apr/2009:21:41:22 -0400] - Entry "uid=Administrator,o=a0000-0012,o=Internal, dc=ssiservices, dc=biz" missing attribute "sn" required by object class "
[20/Apr/2009:21:41:22 -0400] - Entry "uid=krbtgt,o=a0000-0012,o=Internal, dc=ssiservices, dc=biz" missing attribute "sn" required by object class "person"
[20/Apr/2009:21:41:22 -0400] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=TestWinSync" (timberline:636)". Sent 18 entries.
[20/Apr/2009:21:43:07 -0400] NSMMReplicationPlugin - agmt="cn=TestWinSync" (timberline:636): windows_replay_update: Cannot replay add operation.
[20/Apr/2009:21:43:07 -0400] NSMMReplicationPlugin - agmt="cn=TestWinSync" (timberline:636): Simple bind resumed
[20/Apr/2009:21:48:06 -0400] NSMMReplicationPlugin - agmt="cn=TestWinSync" (timberline:636): Simple bind resumed
[20/Apr/2009:21:55:58 -0400] NSMMReplicationPlugin - agmt="cn=TestWinSync" (timberline:636): windows_replay_update: Cannot replay add operation.
[20/Apr/2009:21:55:58 -0400] NSMMReplicationPlugin - agmt="cn=TestWinSync" (timberline:636): Simple bind resumed
[20/Apr/2009:22:00:59 -0400] NSMMReplicationPlugin - agmt="cn=TestWinSync" (timberline:636): Simple bind resumed

I was surprised to see the entries for the Windows based users propagating. They do not show up in DS. I'm assuming the replay add operation failures are the attempts to add the user defined in DS. The user was most minimal with only SN, givenname, cn, uid, password and the above mentioned nt attributes set.

Not being very versed in AD, I'm sure I must be making some dumb mistake but I don't see what it is. Any suggestions on where to look? Thanks - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users