[389-users] Windows Replication Agreement Help
Rich Megginson
rmeggins at redhat.com
Mon Jul 19 13:03:28 UTC 2010
John A. Sullivan III wrote:
> On Mon, 2010-07-19 at 04:26 -0400, John A. Sullivan III wrote:
>
>> On Mon, 2010-07-19 at 04:15 -0400, John A. Sullivan III wrote:
>>
>>> On Wed, 2010-07-14 at 15:40 -0600, Rich Megginson wrote:
>>>
>>>> --[ UxBoD ]-- wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> We are setting up a new Windows 2K3 AD server and attempting to synchronise the users from our LDAP server version 8.1.0.
>>>>>
>>>>> Performing the full sync fails after about 30 seconds with a message in the error log:
>>>>>
>>>>> [14/Jul/2010:07:46:10 -0400] - add value "^V" to attribute type "ARecord" in entry "DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com" failed: duplicate new value
>>>>> [14/Jul/2010:07:46:10 -0400] - add value "null or non-ASCII" to attribute type "dnsproperty" in entry "DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com" failed: duplicate new value
>>>>>
>>>>> and none of the users or groups are sent to AD. I am guessing it may be how our LDAP server schema is set up as we use something like:
>>>>>
>>>>> dc=domain,dc=com
>>>>> |_ o=Internal
>>>>> |___o=a0000
>>>>> |____ou=Desktops
>>>>> |_____uid=fred
>>>>>
>>>>> We have set the Windows subtree to be dc=domain,dc=com and the replication subtree to be dc=domain,dc=com with a DS subtree of o=Internal,dc=domain,dc=com.
>>>>>
>>>>> Our understanding was that within AD Users & Groups GUI we should have seen a similar schema created.
>>>>>
>>>>> Though for some reason the replication is traversing the whole of the internal AD tree.
>>>>>
>>>> Because you set the AD subtree to be dc=domain,dc=com ?
>>>>
>>>>> Should we create a new Organisational Unit within AD called, for argument's sake, clients and set the Windows subtree to be ou=clients,dc=domain,dc=com so that it forces it to that branch ?
>>>>>
>>>>>
>>>> I think that's the way it was designed. Usually AD trees have a
>>>> CN=Users,DC=domain,DC=com where all of the user entries live, and
>>>> winsync is designed to work with that sort of structure.
>>>>
>>> <snip>
>>> Hmm . . . we've rooted AD in dc=myad,dc=domain,dc=com and synchronized
>>> at cn=users,dc=myad,dc=domain,dc=com but still have the exact same
>>> problem :(
>>>
>> <snip>
>> I also tried creating an ou in AD, e.g.,
>> ou=LDAPUSers,dc=myad,dc=domain,dc=com in case it did not like building
>> Organizations under CNs but that also failed - John
>>
> <snip>
> Hmm ... more inconsistent behavior. I thought it might be a schema
> violation to put an O under a CN or O.
No. Maybe some sort of naming violation, not a schema violation, but I
don't think AD enforces those anyway, so it shouldn't matter.
> I tried creating it under DC;
> that did not work. I tried synching an OU instead of an O. That
> appeared to work but only transferred one of five users. I wonder if it
> is a 64 bit problem. The system where it is working is a 32 bit version
> of Windows
>
I doubt it is a 64-bit issue. Try turning on the replication log level
http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>