--[ UxBoD ]-- wrote:
> ----- Original Message -----
>
>> On Mon, 2010-07-19 at 07:01 -0600, Rich Megginson wrote:
>>
>>> John A. Sullivan III wrote:
>>>
>>>> On Mon, 2010-07-19 at 04:15 -0400, John A. Sullivan III wrote:
>>>>
>>>>> On Wed, 2010-07-14 at 15:40 -0600, Rich Megginson wrote:
>>>>>
>>>>>> --[ UxBoD ]-- wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> We are setting up a new Windows 2K3 AD server and attempting to
>>>>>>> synchronise the users from our LDAP server version 8.1.0.
>>>>>>>
>>>>>>> Performing the full sync fails after about 30 seconds with a
>>>>>>> message in the error log:
>>>>>>>
>>>>>>> [14/Jul/2010:07:46:10 -0400] - add value "^V" to attribute type "ARecord" in entry "DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com" failed: duplicate new value
>>>>>>> [14/Jul/2010:07:46:10 -0400] - add value "null or non-ASCII" to attribute type "dnsproperty" in entry "DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com" failed: duplicate new value
>>>>>>>
>>>>>>> and none of the users or groups are sent to AD. I am guessing
>>>>>>> it may be how our LDAP server schema is set up, as we use
>>>>>>> something like:
>>>>>>>
>>>>>>> dc=domain,dc=com
>>>>>>> |_ o=Internal
>>>>>>> |___o=a0000
>>>>>>> |____ou=Desktops
>>>>>>> |_____uid=fred
>>>>>>>
>>>>>>> We have set the Windows subtree to be dc=domain,dc=com and the
>>>>>>> replication subtree to be dc=domain,dc=com with a DS subtree of
>>>>>>> o=Internal,dc=domain,dc=com.
>>>>>>>
>>>>>>> Our understanding was that within the AD Users & Groups GUI we
>>>>>>> should have seen a similar schema created.
>>>>>>>
>>>>>>> Though for some reason the replication is traversing the whole
>>>>>>> of the internal AD tree.
>>>>>>>
>>>>>> Because you set the AD subtree to be dc=domain,dc=com?
>>>>>>
>>>>>>> Should we create a new Organisational Unit within AD called,
>>>>>>> for argument's sake, clients and set the Windows subtree to be
>>>>>>> ou=clients,dc=domain,dc=com so that it forces it to that branch?
>>>>>>>
>>>>>> I think that's the way it was designed. Usually AD trees have a
>>>>>> CN=Users,DC=domain,DC=com where all of the user entries live, and
>>>>>> winsync is designed to work with that sort of structure.
>>>>>>
>>>>> <snip>
>>>>> Hmm . . . we've rooted AD in dc=myad,dc=domain,dc=com and
>>>>> synchronized at cn=users,dc=myad,dc=domain,dc=com but still have
>>>>> the exact same problem :(
>>>>>
>>>> <snip>
>>>> I also tried creating an ou in AD, e.g.,
>>>> ou=LDAPUSers,dc=myad,dc=domain,dc=com in case it did not like
>>>> building Organizations under CNs but that also failed - John
>>>>
>>> Not sure what you mean by "building Organizations" - but it
>>> shouldn't matter if it is under a CN or not.
>>>
>> <snip>
>> We're running 8.1. Based upon some of the change logs I've seen for
>> some of the more recent versions of 389, I wonder if this is just a
>> problem between 8.1 and Windows Server 2008. We are downgrading a
>> Domain Controller to 2003 to see if the problem goes away - John
>>
>
> The problem still exists on W2K3/32bit and we see the following error:
>
> windows_tot_run: failed to obtain data to send to the consumer; LDAP error - 1
Enable the replication log level - http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
> The user we bind with in AD is a member of Domain Admins; do we need to add some other group or security membership?
> --
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
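The thread turns on one point: with the AD subtree set to dc=domain,dc=com, winsync walks everything under that suffix, including the DNS zone entries under CN=System that show up in the errors log. The following is an added example, not code from the thread or from 389 DS: it parses the errors-log lines quoted above (the timestamp on the windows_tot_run line is constructed, the thread gives none), pulls the entry DN out of each "add value ... in entry" failure, and reports which of those entries fall under the configured AD subtree versus a narrower one such as CN=Users,DC=domain,DC=com. The DN handling is deliberately simple (case-folded RDNs, split on unescaped commas) and is an assumption of the example, not a full RFC 4514 parser.

```python
"""Triage 389 DS errors-log lines from a winsync total update.

Added example; not from the original thread or the 389 DS project.
The first two SAMPLE_LOG lines are the ones quoted in the thread, the
third is constructed around the windows_tot_run message it reports.
"""
import re
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+-\s+(?P<msg>.*)$")
ENTRY_RE = re.compile(r'in entry "(?P<dn>[^"]+)"')

SAMPLE_LOG = (
    '[14/Jul/2010:07:46:10 -0400] - add value "^V" to attribute type "ARecord" '
    'in entry "DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com" '
    "failed: duplicate new value\n"
    '[14/Jul/2010:07:46:10 -0400] - add value "null or non-ASCII" to attribute type '
    '"dnsproperty" in entry "DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com" '
    "failed: duplicate new value\n"
    # constructed timestamp; the thread quotes only the message text
    "[19/Jul/2010:09:02:33 -0400] - windows_tot_run: failed to obtain data to send "
    "to the consumer; LDAP error - 1\n"
)


def split_rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas and normalise each RDN (case, whitespace)."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]


def is_under(dn: str, base: str) -> bool:
    """True if `dn` is `base` itself or lies anywhere below it."""
    d, b = split_rdns(dn), split_rdns(base)
    return len(d) >= len(b) and d[-len(b):] == b


def parse_line(line: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Return (timestamp, message, entry DN or None) for one errors-log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = ENTRY_RE.search(m["msg"])
    return m["ts"], m["msg"], entry["dn"] if entry else None


def triage(log_text: str, configured_subtree: str, proposed_subtree: str) -> Dict[str, List[str]]:
    """Sort failing entries by whether the configured or proposed AD subtree covers them.

    Keys: 'configured' (DNs the current subtree pulls in), 'proposed' (DNs a
    narrower subtree would still pull in), 'other' (error lines with no entry DN,
    e.g. the windows_tot_run failure, which need the replication log level).
    """
    out: Dict[str, List[str]] = {"configured": [], "proposed": [], "other": []}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _ts, msg, dn = parsed
        if dn is None:
            out["other"].append(msg)
            continue
        if is_under(dn, configured_subtree):
            out["configured"].append(dn)
        if is_under(dn, proposed_subtree):
            out["proposed"].append(dn)
    return out


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, "dc=domain,dc=com", "CN=Users,DC=domain,DC=com")
    for key, items in report.items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```

Run against the quoted log, both DNS entries land in `configured` (the suffix covers the whole forest) and none in `proposed`, which is the case for narrowing the AD subtree to the container that actually holds the users; the windows_tot_run line carries no DN and ends up in `other`, where the thread's advice to raise the replication log level applies.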