----- Original Message -----
> On Mon, 2010-07-19 at 07:01 -0600, Rich Megginson wrote:
> > John A. Sullivan III wrote:
> > > On Mon, 2010-07-19 at 04:15 -0400, John A. Sullivan III wrote:
> > >
> > >> On Wed, 2010-07-14 at 15:40 -0600, Rich Megginson wrote:
> > >>
> > >>> --[ UxBoD ]-- wrote:
> > >>>
> > >>>> Hi,
> > >>>>
> > >>>> We are setting up a new Windows 2K3 AD server and attempting to
> > >>>> synchronise the users from our LDAP server version 8.1.0.
> > >>>>
> > >>>> Performing the full sync fails after about 30 seconds with a
> > >>>> message in the error log:
> > >>>>
> > >>>> [14/Jul/2010:07:46:10 -0400] - add value "^V" to attribute type
> > >>>> "ARecord" in entry
> > >>>> "DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com"
> > >>>> failed: duplicate new value
> > >>>> [14/Jul/2010:07:46:10 -0400] - add value "null or non-ASCII" to
> > >>>> attribute type "dnsproperty" in entry
> > >>>> "DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com"
> > >>>> failed: duplicate new value
> > >>>>
> > >>>> and none of the users or groups are sent to AD. I am guessing
> > >>>> it may be how our LDAP server schema is set up, as we use
> > >>>> something like:
> > >>>>
> > >>>> dc=domain,dc=com
> > >>>> |_ o=Internal
> > >>>> |___o=a0000
> > >>>> |____ou=Desktops
> > >>>> |_____uid=fred
> > >>>>
> > >>>> We have set the Windows subtree to be dc=domain,dc=com and the
> > >>>> replication subtree to be dc=domain,dc=com with a DS subtree of
> > >>>> o=Internal,dc=domain,dc=com.
> > >>>>
> > >>>> Our understanding was that within the AD Users & Groups GUI we
> > >>>> should have seen a similar schema created.
> > >>>>
> > >>>> Though for some reason the replication is traversing the whole
> > >>>> of the internal AD tree.
> > >>>>
> > >>> Because you set the AD subtree to be dc=domain,dc=com?
> > >>>
> > >>>> Should we create a new Organisational Unit within AD called,
> > >>>> for argument's sake, clients and set the Windows subtree to be
> > >>>> ou=clients,dc=domain,dc=com so that it forces it to that branch?
> > >>>>
> > >>> I think that's the way it was designed. Usually AD trees have a
> > >>> CN=Users,DC=domain,DC=com where all of the user entries live, and
> > >>> winsync is designed to work with that sort of structure.
> > >>>
> > >> <snip>
> > >> Hmm . . . we've rooted AD in dc=myad,dc=domain,dc=com and synchronized
> > >> at cn=users,dc=myad,dc=domain,dc=com but still have the exact same
> > >> problem :(
> > >>
> > > <snip>
> > > I also tried creating an ou in AD, e.g.,
> > > ou=LDAPUSers,dc=myad,dc=domain,dc=com in case it did not like building
> > > Organizations under CNs, but that also failed - John
> > >
> > Not sure what you mean by "building Organizations" - but it shouldn't
> > matter if it is under a CN or not.
> <snip>
> We're running 8.1. Based upon some of the change logs I've seen for
> some of the more recent versions of 389, I wonder if this is just a
> problem between 8.1 and Windows Server 2008. We are downgrading a
> Domain Controller to 2003 to see if the problem goes away - John
>
The problem still exists on W2K3/32bit and we see the following error:

windows_tot_run: failed to obtain data to send to the consumer; LDAP error - 1

The user we bind with in AD is a member of Domain Admins; do we need to add some other group or security membership?

-- 
Thanks, Phil
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
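Rich's question about the Windows subtree is really a scope question: with the agreement rooted at dc=domain,dc=com, every AD entry beneath it, the DNS records under CN=MicrosoftDNS,CN=System included, is walked by the total update. The Python below is an added example, not code from this thread or from 389 DS; it parses error-log lines of the shape quoted above and reports which failing entries would lie outside a proposed Windows subtree, so an administrator can see what a narrower subtree would exclude before changing the agreement. The first two sample lines are copied from the thread, the third is constructed.

```python
import re

# Constructed sample: the first two lines are the ones quoted in the thread,
# the third is an invented entry that does live under CN=Users.
SAMPLE_LOG = """\
[14/Jul/2010:07:46:10 -0400] - add value "^V" to attribute type "ARecord" in entry "DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com" failed: duplicate new value
[14/Jul/2010:07:46:10 -0400] - add value "null or non-ASCII" to attribute type "dnsproperty" in entry "DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com" failed: duplicate new value
[14/Jul/2010:07:46:11 -0400] - add value "x" to attribute type "description" in entry "CN=fred,CN=Users,DC=domain,DC=com" failed: duplicate new value
"""

# Shape of the 389 DS error-log line shown in the thread.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] - add value "(?P<value>.*?)" to attribute type '
    r'"(?P<attr>[^"]+)" in entry "(?P<dn>[^"]+)" failed: (?P<reason>.+)$')


def split_dn(dn):
    """Split a DN into RDN strings on unescaped commas, lower-cased and
    stripped because LDAP/AD DN comparison is case-insensitive."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:               # character after a backslash is literal
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip().lower())
    return parts


def dn_under(dn, base):
    """True if dn equals base or sits anywhere beneath it."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def parse_errors(log_text):
    """One dict (ts, value, attr, dn, reason) per 'add value ... failed' line."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def out_of_scope(log_text, windows_subtree):
    """Failing entries that an agreement rooted at windows_subtree would never walk."""
    return [e for e in parse_errors(log_text) if not dn_under(e["dn"], windows_subtree)]
```

Running `out_of_scope(SAMPLE_LOG, "CN=Users,DC=domain,DC=com")` lists only the two CN=MicrosoftDNS entries; with `DC=domain,DC=com` as the subtree, as in the original agreement, nothing is excluded, which is the situation the thread describes.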