Just figured it out.  I had written a script that finds people with the same username (which is uniformly how we&#39;ve done it) in both active directory and 389ds.  If they had the same username in both (I manually verified these were correct matches) I added the ntUser class and set their username in 389ds.<div>

<br></div><div>I didn&#39;t have a prob on the initial init because I hadn&#39;t run my script yet and only had a couple i added by hand.  I then ran my script which ended up pulling in people that were deleted in the AD side but on a blind search they show up from the deleted user&#39;s OU (or something like that).  Once I figured that out I also found a couple of people that were active accounts but were not in the subtree I had setup the windows sync for which also caused the problem.</div>

<div><br></div><div>So I wrote a new script to remove the ntUser objectClass for people not in the substree I was planning on syncing and did a new initialization of the consumer and it worked.</div><div><br></div><div><br>

<br><div class="gmail_quote">On Fri, Apr 30, 2010 at 1:41 PM, Rich Megginson <span dir="ltr">&lt;<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">

<div class="im">Aaron Hagopian wrote:<br>
&gt; I had everything setup to sync to my domain controller and things were<br>
&gt; working fine.  Recently I saw this message in the logs:<br>
&gt;<br>
&gt; [30/Apr/2010:11:59:10 -0500] NSMMReplicationPlugin -<br>
&gt; agmt=&quot;cn=toto.hra.local&quot; (10:636): windows_replay_update: Cannot<br>
&gt; replay add operation.<br>
&gt;<br>
&gt; So I thought maybe I would try to remove the agreement and re-add it<br>
&gt; and re-initalize.  After doing this now I get this message again along<br>
&gt; with the every 5 seconds.<br>
&gt;<br>
&gt; [30/Apr/2010:12:01:31 -0500] NSMMReplicationPlugin -<br>
&gt; agmt=&quot;cn=toto.hra.local&quot; (10:636): Replica has no update vector. It<br>
&gt; has never been initialized.<br>
</div>This happens sometimes.  Not sure why, but sometimes you have to re-init<br>
a few times before it actually starts working.<br>
<div class="im">&gt;<br>
&gt; This is on 389-ds 1.2.5 running on x86_64 RHEL 5.4<br>
&gt;<br>
&gt; I think this all started when I added an ipHost entry to an OU that<br>
&gt; should not even be looked at for syncing purposes.<br>
</div>Does it have any user/person related or group related object classes?<br>
<div class="im">&gt; Any ideas on how to clear this up so I can sync with windows again?<br>
&gt;  I&#39;m not using the create new users or groups, just trying to sync<br>
&gt; passwords.<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
</div>&gt; ------------------------------------------------------------------------<br>
&gt;<br>
&gt; --<br>
&gt; 389 users mailing list<br>
&gt; <a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a><br>
&gt; <a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br>
<font color="#888888"><br>
--<br>
389 users mailing list<br>
<a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br>
</font></blockquote></div><br></div>