Re: [389-users] Windows Replication Agreement Help

On Mon, 2010-07-19 at 07:01 -0600, Rich Megginson wrote:
> John A. Sullivan III wrote:
> > On Mon, 2010-07-19 at 04:15 -0400, John A. Sullivan III wrote:
> >   
> >> On Wed, 2010-07-14 at 15:40 -0600, Rich Megginson wrote:
> >>     
> >>> --[ UxBoD ]-- wrote:
> >>>       
> >>>> Hi,
> >>>>
> >>>> We are setting up a new Windows 2K3 AD server and attempting to synchronise the users from our LDAP server version 8.1.0.
> >>>>
> >>>> Performing the full sync fails after about 30 seconds with a message in the error log:
> >>>>
> >>>> [14/Jul/2010:07:46:10 -0400] - add value "^V" to attribute type "ARecord" in entry "DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com" failed: duplicate new value
> >>>> [14/Jul/2010:07:46:10 -0400] - add value "null or non-ASCII" to attribute type "dnsproperty" in entry "DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com" failed: duplicate new value
> >>>>
> >>>> and none of the users or groups are sent to AD.  I am guessing it may be how our LDAP server schema is set up as we use something like:
> >>>>
> >>>> dc=domain,dc=com
> >>>> |_ o=Internal
> >>>> |___o=a0000
> >>>> |____ou=Desktops
> >>>> |_____uid=fred
> >>>>
> >>>> We have set the Windows subtree to be dc=domain,dc=com and the replication subtree to be dc=domain,dc=com with a DS subtree of o=Internal,dc=domain,dc=com.
> >>>>
> >>>> Our understanding was that within AD Users & Groups GUI we should have seen a similar schema created.
> >>>>
> >>>> Though for some reason the replication is traversing the whole of the internal AD tree.
> >>>>         
> >>> Because you set the AD subtree to be dc=domain,dc=com ?
> >>>       
> >>>> Should we create a new Organisational Unit within AD called, for argument's sake, clients and set the Windows subtree to be ou=clients,dc=domain,dc=com so that it forces it to that branch?
> >>>>   
> >>>>         
> >>> I think that's the way it was designed.  Usually AD trees have a 
> >>> CN=Users,DC=domain,DC=com where all of the user entries live, and 
> >>> winsync is designed to work with that sort of structure.
> >>>       
> >> <snip>
> >> Hmm . . . we've rooted AD in dc=myad,dc=domain,dc=com and synchronized
> >> at cn=users,dc=myad,dc=domain,dc=com but still have the exact same
> >> problem :(
> >>     
> > <snip>
> > I also tried creating an ou in AD, e.g.,
> > ou=LDAPUSers,dc=myad,dc=domain,dc=com in case it did not like building
> > Organizations under CNs but that also failed - John
> >   
> Not sure what you mean by "building Organizations" - but it shouldn't 
> matter if it is under a CN or not.
<snip>
We're running 8.1.  Based upon some of the change logs I've seen for
some of the more recent versions of 389, I wonder if this is just a
problem between 8.1 and Windows Server 2008.  We are downgrading a
Domain Controller to 2003 to see if the problem goes away - John

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
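
Added example, not part of the original thread or of 389 Directory Server: a small Python check that takes the two error-log lines quoted above and reports whether the entries they name fall under a given Windows subtree. The function names are hypothetical, and DN matching is simplified to a case-insensitive comparison of RDNs.

```python
import re

# The two error-log lines quoted in the thread, copied as posted.
SAMPLE_LOG = '''\
[14/Jul/2010:07:46:10 -0400] - add value "^V" to attribute type "ARecord" in entry "DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com" failed: duplicate new value
[14/Jul/2010:07:46:10 -0400] - add value "null or non-ASCII" to attribute type "dnsproperty" in entry "DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com" failed: duplicate new value
'''

ENTRY_RE = re.compile(r'in entry "([^"]+)" failed: (.+)$')


def rdns(dn):
    """Split a DN on unescaped commas into lower-cased (type, value) pairs."""
    parts = [p for p in re.split(r'(?<!\\),', dn) if p.strip()]
    return [tuple(x.strip().lower() for x in p.split('=', 1)) for p in parts]


def is_under(dn, base):
    """True if dn equals base or sits below it in the tree."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def failed_entries(log_text):
    """Return (entry DN, reason) for every failed-update line in the log."""
    hits = (ENTRY_RE.search(line) for line in log_text.splitlines())
    return [(m.group(1), m.group(2).strip()) for m in hits if m]


def scope_report(log_text, windows_subtree):
    """Partition the failing entry DNs by whether the subtree covers them."""
    inside, outside = [], []
    for dn, _reason in failed_entries(log_text):
        (inside if is_under(dn, windows_subtree) else outside).append(dn)
    return inside, outside


if __name__ == "__main__":
    for subtree in ("dc=domain,dc=com", "ou=clients,dc=domain,dc=com"):
        inside, outside = scope_report(SAMPLE_LOG, subtree)
        print(f"{subtree}: {len(inside)} in scope, {len(outside)} out of scope")
```

With dc=domain,dc=com as the Windows subtree both failing entries, which sit under CN=MicrosoftDNS,CN=System, are covered by the agreement; with ou=clients,dc=domain,dc=com neither is.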

