[389-users] Windows Replication Agreement Help

--[ UxBoD ]-- uxbod at splatnix.net
Tue Jul 20 15:22:12 UTC 2010


----- Original Message -----
> --[ UxBoD ]-- wrote:
> > ----- Original Message -----
> >
> >> On Mon, 2010-07-19 at 07:01 -0600, Rich Megginson wrote:
> >>
> >>> John A. Sullivan III wrote:
> >>>
> >>>> On Mon, 2010-07-19 at 04:15 -0400, John A. Sullivan III wrote:
> >>>>
> >>>>
> >>>>> On Wed, 2010-07-14 at 15:40 -0600, Rich Megginson wrote:
> >>>>>
> >>>>>
> >>>>>> --[ UxBoD ]-- wrote:
> >>>>>>
> >>>>>>
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> We are setting up a new Windows 2K3 AD server and attempting
> >>>>>>> to
> >>>>>>> synchronise the users from our LDAP server version 8.1.0.
> >>>>>>>
> >>>>>>> Performing the full sync fails after about 30 seconds with a
> >>>>>>> message in the error log:
> >>>>>>>
> >>>>>>> [14/Jul/2010:07:46:10 -0400] - add value "^V" to attribute
> >>>>>>> type
> >>>>>>> "ARecord" in entry
> >>>>>>> "DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com"
> >>>>>>> failed: duplicate new value
> >>>>>>> [14/Jul/2010:07:46:10 -0400] - add value "null or non-ASCII"
> >>>>>>> to
> >>>>>>> attribute type "dnsproperty" in entry
> >>>>>>> "DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com"
> >>>>>>> failed: duplicate new value
> >>>>>>>
> >>>>>>> and none of the users or groups are sent to AD. I am guessing
> >>>>>>> it may be how our LDAP server schema is setup as we use
> >>>>>>> something like:
> >>>>>>>
> >>>>>>> dc=domain,dc=com
> >>>>>>> |_ o=Internal
> >>>>>>> |___o=a0000
> >>>>>>> |____ou=Desktops
> >>>>>>> |_____uid=fred
> >>>>>>>
> >>>>>>> We have set the Windows subtree to be dc=domain,dc=com and the
> >>>>>>> replication subtree to be dc=domain,dc=com with a DS subtree
> >>>>>>> of
> >>>>>>> o=Internal,dc=domain,dc=com.
> >>>>>>>
> >>>>>>> Our understanding was that within AD Users & Groups GUI we
> >>>>>>> should have seen a similar schema created.
> >>>>>>>
> >>>>>>> Though for some reason the replication is traversing the whole
> >>>>>>> of the internal AD tree.
> >>>>>>>
> >>>>>>>
> >>>>>> Because you set the AD subtree to be dc=domain,dc=com ?
> >>>>>>
> >>>>>>
> >>>>>>> Should we create a new Organisational Unit within AD called,
> >>>>>>> for arguments sake, clients and set the Windows subtree to be
> >>>>>>> ou=clients,dc=domain,dc=com so that it forces it to that
> >>>>>>> branch
> >>>>>>> ?
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>> I think that's the way it was designed. Usually AD trees have a
> >>>>>> CN=Users,DC=domain,DC=com where all of the user entries live,
> >>>>>> and
> >>>>>> winsync is designed to work with that sort of structure.
> >>>>>>
> >>>>>>
> >>>>> <snip>
> >>>>> Hmm . . . we've rooted AD in dc=myad,dc=domain,dc=com and
> >>>>> synchronized
> >>>>> at cn=users,dc=myad,dc=domain,dc=com but still have the exact
> >>>>> same
> >>>>> problem :(
> >>>>>
> >>>>>
> >>>> <snip>
> >>>> I also tried creating an ou in AD, e.g.,
> >>>> ou=LDAPUSers,dc=myad,dc=domain,dc=com in case it did not like
> >>>> building
> >>>> Organizations under CNs but that also failed - John
> >>>>
> >>>>
> >>> Not sure what you mean by "building Organizations" - but it
> >>> shouldn't
> >>> matter if it is under a CN or not.
> >>>
> >> <snip>
> >> We're running 8.1. Based upon some of the change logs I've seen for
> >> some of the more recent versions of 389, I wonder if this is just a
> >> problem between 8.1 and Windows Server 2008. We are downgrading a
> >> Domain Controller to 2003 to see if the problem goes away - John
> >>
> >>
> >
> > The problem still exists on W2K3/32bit and we see the following
> > error:
> >
> > windows_tot_run: failed to obtain data to send to the consumer; LDAP
> > error - 1
> >
> Enable the replication log level -
> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
> > The user we are binding with in AD is a member of Domain Admins; do we
> > need to add some other group or security membership ?
> >

Hi Rich,

that is what I did not get the error message.  Here is the complete output:

[20/Jul/2010:10:42:20 -0400] NSMMReplicationPlugin - agmt="cn=DomainAD" (adc01:636): Received result code 32 (0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:      'CN=Users,DC=ad,DC=domain,DC=com' ) for add operation
[20/Jul/2010:10:42:20 -0400] NSMMReplicationPlugin - agmt="cn=DomainAD" (adc01:636): windows_replay_update: Cannot replay add operation.
[20/Jul/2010:10:42:20 -0400] NSMMReplicationPlugin - agmt="cn=DomainAD" (adc01:636): Beginning linger on the connection
[20/Jul/2010:10:42:20 -0400] NSMMReplicationPlugin - agmt="cn=DomainAD" (adc01:636): windows_tot_run: failed to obtain data to send to the consumer; LDAP error - 1
[20/Jul/2010:10:42:20 -0400] NSMMReplicationPlugin - agmt="cn=DomainAD" (adc01:636): No linger to cancel on the connection
[20/Jul/2010:10:42:20 -0400] NSMMReplicationPlugin - agmt="cn=DomainAD" (adc01:636): Disconnected from the consumer
[20/Jul/2010:10:42:20 -0400] NSMMReplicationPlugin - agmt="cn=DomainAD" (adc01:636): State: start -> ready_to_acquire_replica

-- 
Thanks, Phil
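
An added example, not part of the original post or of 389 Directory Server: a small parser that pulls the rejected operation, the LDAP result code and AD's "best match" DN out of NSMMReplicationPlugin lines like those above. The two sample lines are copied from the post; the function name and field names are this example's own.

```python
import re

# LDAP result codes (RFC 4511) likely to matter when AD rejects a replayed operation.
LDAP_RESULT = {32: "noSuchObject", 50: "insufficientAccessRights", 68: "entryAlreadyExists"}

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - '
                  r'agmt="(?P<agmt>[^"]+)" \((?P<consumer>[^)]+)\): (?P<msg>.*)$')
RESULT = re.compile(r'Received result code (?P<code>\d+) \((?P<detail>.*)\) '
                    r'for (?P<op>\w+) operation')
AD_PROBLEM = re.compile(r'problem \d+ \((?P<name>\w+)\)')
BEST_MATCH = re.compile(r"best match of:\s*'(?P<dn>[^']*)'")

# Two lines copied from the post above.
SAMPLE = '''\
[20/Jul/2010:10:42:20 -0400] NSMMReplicationPlugin - agmt="cn=DomainAD" (adc01:636): Received result code 32 (0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:      'CN=Users,DC=ad,DC=domain,DC=com' ) for add operation
[20/Jul/2010:10:42:20 -0400] NSMMReplicationPlugin - agmt="cn=DomainAD" (adc01:636): windows_tot_run: failed to obtain data to send to the consumer; LDAP error - 1
'''

def rejected_operations(log_text):
    """Return one dict per operation the Windows consumer rejected."""
    findings = []
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        res = RESULT.search(line["msg"]) if line else None
        if not res:
            continue  # not a plugin line, or no result code on it
        code = int(res["code"])
        problem = AD_PROBLEM.search(res["detail"])
        best = BEST_MATCH.search(res["detail"])
        findings.append({
            "time": line["ts"], "agreement": line["agmt"], "consumer": line["consumer"],
            "operation": res["op"], "code": code,
            "code_name": LDAP_RESULT.get(code, "unknown"),
            "ad_problem": problem["name"] if problem else None,
            # matched DN: the deepest entry AD could resolve on the way to the target
            "best_match": best["dn"] if best else None,
        })
    return findings

if __name__ == "__main__":
    for finding in rejected_operations(SAMPLE):
        print(finding)
```

For an add, result code 32 means the new entry's parent does not exist on the consumer, and the best-match DN shows how far down the tree AD was able to resolve.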


