Error Active Directory Target Reconciliation
Hi,
I am trying to run target reconciliation for AD.
I reconciled 8000 users successfully, but I have 22 users with errors.
I want to know if the problem is with the AD user attributes or with the OIM.
I'm getting the following exception:
INFO,15 Apr 2011 11:22:53,229,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ActiveDirectoryReconTask : setTaskSchedulerObjectName : Starting Active Directory Target Reconciliation
ERROR,15 Apr 2011 11:22:53,687,[OIMCP.ADCS],====================================================
ERROR,15 Apr 2011 11:22:53,687,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ActiveDirectoryReconTask : processUserChange : null
ERROR,15 Apr 2011 11:22:53,687,[OIMCP.ADCS],====================================================
ERROR,15 Apr 2011 11:22:53,688,[OIMCP.ADCS],================= Start Stack Trace =======================
ERROR,15 Apr 2011 11:22:53,688,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ActiveDirectoryReconTask : processUserChange
ERROR,15 Apr 2011 11:22:53,688,[OIMCP.ADCS],
ERROR,15 Apr 2011 11:22:53,689,[OIMCP.ADCS],Description : null
ERROR,15 Apr 2011 11:22:53,689,[OIMCP.ADCS],Thor.API.Exceptions.IllegalInputException
at Thor.API.Operations.tcReconciliationOperationsClient.ignoreEvent(Unknown Source)
at sun.reflect.GeneratedMethodAccessor287.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at Thor.API.Base.SecurityInvocationHandler$1.run(Unknown Source)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
at weblogic.security.Security.runAs(Security.java:41)
at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(Unknown Source)
at Thor.API.Base.SecurityInvocationHandler.invoke(Unknown Source)
at $Proxy73.ignoreEvent(Unknown Source)
at com.thortech.xl.schedule.tasks.ActiveDirectoryReconTask.processUserChange(Unknown Source)
at com.thortech.xl.schedule.tasks.ActiveDirectoryReconTask.processBatch(Unknown Source)
at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.searchResultPageEnum(Unknown Source)
at com.thortech.xl.schedule.tasks.ActiveDirectoryReconTask.performReconciliation(Unknown Source)
at com.thortech.xl.schedule.tasks.ActiveDirectoryReconTask.execute(Unknown Source)
at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.run(Unknown Source)
at com.thortech.xl.scheduler.core.quartz.QuartzWrapper$TaskExecutionAction.run(Unknown Source)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
at weblogic.security.Security.runAs(Security.java:41)
at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(Unknown Source)
at com.thortech.xl.scheduler.core.quartz.QuartzWrapper.execute(Unknown Source)
at org.quartz.core.JobRunShell.run(JobRunShell.java:178)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:477)
ERROR,15 Apr 2011 11:22:53,689,[OIMCP.ADCS],================= End Stack Trace =======================
INFO,15 Apr 2011 11:22:53,781,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ActiveDirectoryReconTask : execute : End of Active Directory Reconciliation....
Thanks,
Ariel
"Thor.API.Exceptions.IllegalInputException" , this exception tells me that the data which you are reconciling has unsupported characters.
Validate the data.
Thanks
Suren
Similar Messages
-
This issue is driving us nuts - there are no issues with Domain Controllers or AD in this environment. The server it is citing in the error has been retired - it was gracefully dcpromo'ed down and removed from the environment. DNS has no record of it, nor is it located anywhere else. We are not able to log into Outlook Web App either with authentication failed errors - and I can't help but expect these 2 issues are related? I tried hard coding the Configuration Domain Controller at the org level, as well as using the -staticdomaincontrollers and -staticglobalcatalogservers with the "Set-ExchangeServer" powershell command - no luck.... System settings of the exchange 2010 servers show they are pointing to the correct DCs - but I still get this error accompanied with long delays in rendering windows in EMC. Extremely frustrating..... I have an issue logged with MS now, but they aren't looking at them until Nov 9. Has anyone seen this issue at all? More info on the OWA config - using Form based auth, and I'm not able to perform a simple test-owaconnectivity -mailboxcredential (get-credential\username) -allowuntrustedcertificate -allowinsecurelogon - please help
Create a "global catalog" on the 2nd domain controller; this will fix this problem.
To create a new global catalog:
On the domain controller where you want the new global catalog, start the Active Directory Sites and Services snap-in. To start the snap-in, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
In the console tree, double-click Sites, and then double-click sitename.
Double-click Servers, click your domain controller, right-click NTDS Settings, and then click Properties.
On the General tab, click to select the Global catalog check box to assign the role of global catalog to this server.
Restart the domain controller. -
An Active Directory error 0x51 occurred when trying to check the suitability of server
We have several exchange administrators and two exchange 2010 servers and one exchange 2007 server. I am getting the following error message
when opening up Exchange Management Console on one of the exchange 2010 server.
"An Active Directory error 0x51 occurred when trying to check the suitability of server 'dc101.domain.local'. Error: 'Active directory
response: The LDAP server is unavailable.'
dc101 does not exist anymore. I tried changing the Configuration Domain Controller by manually specifying a domain controller but get the exact
same error message and also get an empty list when selecting the domain. Other administrators who log in to the same server do not get this error message.
If I open the exchange management console on another exchange server, it works without problem. Is there a setting somewhere I need to change
to point it to the correct domain controller using power shell?
I fixed it for myself.
Organization Configuration->Modify Configuration Domain Controller->select Use a default domain controller
-
Hi,
I am trying to install certificate services on a windows 2008 server (R2 ENT SP1) with a PCIe nCipher HSM module installed on it. The version of nCipher SW is = 11.30. It is a RootCA, and I am trying to use a key that is already stored in the HSM (I
have done this before with a PCI HSM (older HW version)). I select “Use existing private key” and “Select an existing private key on this computer” on the wizard, then I change the CSP to nCipher and click on "search" the key I am looking for
appears and I select that one. I repeat, I have done this before and it works with a PCI HSM module.
The installation is finished before being prompted to insert the operator cards, and it ends with two errors:
<Error>: Active Directory Certificate Services setup failed with the following error: Overlapped I/O operation is in progress. 0x800703e5 (WIN32: 997)
And:
<Error>: Active Directory Certificate Services setup failed with the following error: The group or resource is not in the correct state to perform the requested operation.
0x8007139f (WIN32: 5023)
The servermanager.log says:
1856: 2014-07-23 18:27:48.195 [CAManager] Sync: Validity period units: Years
1856: 2014-07-23 18:27:48.928 [Provider] Error (Id=0) System.Runtime.InteropServices.COMException (0x800703E5): CCertSrvSetup::Install: Overlapped I/O operation is in progress. 0x800703e5 (WIN32: 997)
at Microsoft.CertificateServices.Setup.Interop.CCertSrvSetupClass.Install()
at Microsoft.Windows.ServerManager.CertificateServer.CertificateServerRoleProvider.Configure(InstallableFeatureInformation featureInfo, DiscoveryResult discoveryResult, ChangeTracker changeTracker)
1856: 2014-07-23 18:27:48.928 [Provider] CAErrorID: 0, CAErrorString: 'Active Directory Certificate Services setup failed with the following error: Overlapped I/O operation is in progress.
0x800703e5 (WIN32: 997)'
1856: 2014-07-23 18:27:48.928 [Provider] Adding error message.
1856: 2014-07-23 18:27:48.928 [Provider] [STAT] For 'Certification Authority':
And:
1856: 2014-07-23 18:27:49.053 [CAWebProxyManager] Sync: Initializing defaults
1856: 2014-07-23 18:27:49.162 [Provider] Error (Id=0) System.Runtime.InteropServices.COMException (0x8007139F): CCertSrvSetup::Install: The group or resource is not in the correct state to perform the requested operation. 0x8007139f (WIN32: 5023)
at Microsoft.CertificateServices.Setup.Interop.CCertSrvSetupClass.Install()
at Microsoft.Windows.ServerManager.CertificateServer.CertificateServerRoleProvider.Configure(InstallableFeatureInformation featureInfo, DiscoveryResult discoveryResult, ChangeTracker changeTracker)
1856: 2014-07-23 18:27:49.162 [Provider] CAErrorID: 0, CAErrorString: 'Active Directory Certificate Services setup failed with the following error: The group or resource is not in the correct
state to perform the requested operation. 0x8007139f (WIN32: 5023)'
1856: 2014-07-23 18:27:49.162 [Provider] Adding error message.
Has anyone experienced this before? Am I missing something here?
Any help will be very appreciated
Thanks in advance
Best regards
Alejandro Lozano Villanueva
Hi, thanks for your support.
I have been playing around a bit with some ncipher commands and found this:
C:\Program Files (x86)\nCipher\nfast\bin>cspcheck.exe
cspcheck: fatal error: File key_mscapi_container-1c44b9424a23f6cddc91e8a065241a0
9aa719e4f (key #1): 0 modules contain the counter (NVRAM file ID 021c44b9424a23f
6cddc91)
cspcheck: information: 2 containers and 2 keys found.
cspcheck: fatal error occurred.
If I perform the same command on the original server (the server with the original kmdata folder and with the running RootCA services):
E:\nfast\bin>cspcheck.exe
cspcheck: information: 2 containers and 2 keys found.
cspcheck: everything seems to be in order.
Strange?
Moreover, when I do a csptest.exe command (also on both servers), I find this:
On the new server:
C:\Program Files (x86)\nCipher\nfast\bin>csptest.exe
nCipher CSP test software
=========================
Found the nCipher domestic CSP named 'nCipher Enhanced Cryptographic Provider'
Provider name: nCipher Enhanced Cryptographic Provider
Version number: 1.48
User key containers:
Container 'csptest.exe' has no stored keys.
Container 'Administrator' has no stored keys.
Machine key containers:
Container '352dd28a-17cb-4c6f-b6e4-bf39bcf75db5' has a 2048-bit signature key.
Container 'ROOTCA' has no stored keys.
Container 'csptest.exe' has no stored keys.
While in the old server:
E:\nfast\bin>csptest.exe
nCipher CSP test software
=========================
Found the nCipher domestic CSP named 'nCipher Enhanced Cryptographic Provider'
Provider name: nCipher Enhanced Cryptographic Provider
Version number: 1.40
User key containers:
Container 'csptest.exe' has no stored keys.
Machine key containers:
Container '352dd28a-17cb-4c6f-b6e4-bf39bcf75db5' has a 2048-bit signature key.
Container 'ROOTCA' has a 2048-bit signature key.
Container 'csptest.exe' has no stored keys.
As you can see, the container called ROOTCA, which is the one that I use during the installation, says it has no stored keys. While on the old server, it says it contains a key. Why is this happening? I don't know, I am copying the complete
key management folder from one server to another and initialize the security world with that folder as I always do, and I don't have any errors during this procedure.
Do you know what could be the cause of this? Or how can I fix this? Thanks a lot, best regards.
Alejandro Lozano Villanueva -
Problems using native query in Active Directory connector v 9.1
Hello,
Has anyone run into a problem when trying to do a query with a not operator?
I want to import all users, but not computers.. so I tried the query (&(objectClass=user)(!objectclass=computer))
I tried this query directly in the active directory and it worked.
The problem is when I apply it to OIM it gives out the following error:
DEBUG,29 Oct 2008 19:48:06,337,[OIMCP.ADCS],ActiveDirectoryRecon::performReconciliation() Enter
DEBUG,29 Oct 2008 19:48:06,337,[OIMCP.ADCS],ActiveDirectoryRecon::setTaskSchedulerObjectName() Enter
INFO,29 Oct 2008 19:48:06,337,[OIMCP.ADCS],Starting Active Directory Trusted Reconciliation
DEBUG,29 Oct 2008 19:48:06,337,[OIMCP.ADCS],ActiveDirectoryRecon::setTaskSchedulerObjectName() Exit
DEBUG,29 Oct 2008 19:48:06,337,[OIMCP.ADCS],ADLookupMaps::getADFieldsArray() Enter
DEBUG,29 Oct 2008 19:48:06,337,[OIMCP.ADCS],ADLookupMaps::getADFieldsArray() Exit
DEBUG,29 Oct 2008 19:48:06,337,[OIMCP.ADCS],tcUtilAttributeNameMap::getLookupDecodeValue() Enter
DEBUG,29 Oct 2008 19:48:06,350,[OIMCP.ADCS],tcUtilAttributeNameMap::getLookupDecodeValue() Exit
DEBUG,29 Oct 2008 19:48:06,350,[OIMCP.ADCS],tcUtilAttributeNameMap::getLookupDecodeValue() Enter
DEBUG,29 Oct 2008 19:48:06,363,[OIMCP.ADCS],tcUtilAttributeNameMap::getLookupDecodeValue() Exit
DEBUG,29 Oct 2008 19:48:06,363,[OIMCP.ADCS],tcUtilAttributeNameMap::getLookupDecodeValue() Enter
DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],tcUtilAttributeNameMap::getLookupDecodeValue() Exit
DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],ADReconTaskAttrs::parseAndSetMultiValAttrs() Enter
DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],ADReconTaskAttrs::parseAndSetMultiValAttrs() Exit
DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],ActiveDirectoryRecon/performReconciliation :query (&(&(objectClass=user)(!objectclass=computer))(whenChanged>=19000101000000.0Z))
DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],tcADUtilLDAPController::searchResultPageEnum() Enter
DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],tcADUtilLDAPController::connectToAvailableAD() Enter
DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],tcADUtilLDAPController::hashTableEnvForDirContext() Enter
DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],tcADUtilLDAPController::hashTableEnvForDirContext() Exit
DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],tcADUtilLDAPController::hashTableEnvForLDAPContext() Enter
DEBUG,29 Oct 2008 19:48:06,375,[OIMCP.ADCS],tcADUtilLDAPController::hashTableEnvForLDAPContext() Exit
DEBUG,29 Oct 2008 19:48:06,375,[OIMCP.ADCS],tcADUtilLDAPController::validateCertificates() Enter
DEBUG,29 Oct 2008 19:48:06,375,[OIMCP.ADCS],tcADUtilLDAPController::validateCertificates() Exit
DEBUG,29 Oct 2008 19:48:06,375,[OIMCP.ADCS],Critical Extensions Supported
DEBUG,29 Oct 2008 19:48:06,375,[OIMCP.ADCS],tcADUtilLDAPController::invalidateSSLSession() Enter
DEBUG,29 Oct 2008 19:48:06,549,[OIMCP.ADCS],tcADUtilLDAPController::invalidateSSLSession() Exit
DEBUG,29 Oct 2008 19:48:06,989,[OIMCP.ADCS],tcADUtilLDAPController::connectToAvailableAD() Exit
ERROR,29 Oct 2008 19:48:06,989,[OIMCP.ADCS],The error occured in tcADUtilLDAPController::searchResultPageEnum():Unbalanced parenthesis
DEBUG,29 Oct 2008 19:48:06,989,[OIMCP.ADCS],tcADUtilLDAPController::disconnect() Enter
DEBUG,29 Oct 2008 19:48:06,990,[OIMCP.ADCS],tcADUtilLDAPController::disconnect() Exit
DEBUG,29 Oct 2008 19:48:06,990,[OIMCP.ADCS],tcADUtilLDAPController::searchResultPageEnum() Exit
DEBUG,29 Oct 2008 19:48:06,990,[OIMCP.ADCS],ActiveDirectoryRecon::performReconciliation() Exit
INFO,29 Oct 2008 19:48:06,990,[OIMCP.ADCS],End of Active Directory Reconciliation....
DEBUG,29 Oct 2008 19:48:06,990,[OIMCP.ADCS],ActiveDirectoryReconTask/execute End
Thanks in advance,
Tomic
Hi,
Try this and it will work. I am using it.
(&(objectClass=user)(!(objectClass=computer)))
Regards
Nitesh -
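The corrected filter in the reply follows the RFC 4515 grammar, in which `!` takes one complete parenthesised filter. As an added example (not part of the original thread and not the connector's code), this Python checker applies that structure to the filters quoted above; `wrap_with_timestamp` is a hypothetical helper modelled on the query string in the DEBUG log.

```python
# Added example: structural check of an LDAP search filter per RFC 4515.
# Only the parenthesis/operator structure is validated; attribute names and
# values are not checked against any schema.

class FilterSyntaxError(ValueError):
    """Carries the offset at which the filter stops being well formed."""


def _parse_filter(s, i):
    """Parse one '(' filtercomp ')' starting at s[i]; return the index after it."""
    if i >= len(s) or s[i] != "(":
        raise FilterSyntaxError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise FilterSyntaxError("filter ends right after '('")
    if s[i] in "&|":
        # and / or: the operator is followed by one or more complete filters.
        op = s[i]
        i += 1
        count = 0
        while i < len(s) and s[i] == "(":
            i = _parse_filter(s, i)
            count += 1
        if count == 0:
            raise FilterSyntaxError(f"'{op}' needs a '(' filter at offset {i}")
    elif s[i] == "!":
        # not: the operator is followed by exactly one parenthesised filter.
        i += 1
        if i >= len(s) or s[i] != "(":
            raise FilterSyntaxError(f"'!' must be followed by '(' at offset {i}")
        i = _parse_filter(s, i)
    else:
        # item: attribute, comparison, value; raw parentheses end the item.
        start = i
        while i < len(s) and s[i] not in "()":
            i += 1
        item = s[start:i]
        attr, sep, _value = item.partition("=")
        if not sep or not attr:
            raise FilterSyntaxError(f"item {item!r} is not attr=value")
    if i >= len(s) or s[i] != ")":
        raise FilterSyntaxError(f"expected ')' at offset {i}")
    return i + 1


def check_filter(text):
    """Return (True, 'ok') or (False, reason) for a complete filter string."""
    try:
        end = _parse_filter(text, 0)
        if end != len(text):
            raise FilterSyntaxError(f"unexpected text at offset {end}")
    except FilterSyntaxError as exc:
        return False, str(exc)
    return True, "ok"


def wrap_with_timestamp(native_query, when_changed):
    """Combine a native query with a whenChanged clause.

    Assumption: modelled on the query string in the thread's DEBUG log line,
    which shows the native query nested inside an outer '&'.
    """
    return f"(&{native_query}(whenChanged>={when_changed}))"


if __name__ == "__main__":
    # Filters quoted in the thread: the rejected one and the suggested fix.
    for native in ("(&(objectClass=user)(!objectclass=computer))",
                   "(&(objectClass=user)(!(objectClass=computer)))"):
        combined = wrap_with_timestamp(native, "19000101000000.0Z")
        print(combined, "->", check_filter(combined))
```

Running a native query through `check_filter` before saving it in the scheduled task shows the offset of the first structural error without needing a reconciliation run.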
Active Directory server is not available
i have just setup and started testing a new exchange 2007 on my network. we did not have a exchange before, so this is a new install.
my domain, xxx.com is a windows 2000 native AD. the exchange 2007 is a win 2003 sp1 x64, it is also a DC and has all roles assigned to it
in my network i have
dc01 win2000 sp4 dc (gc)
dc02 win2000 sp4 dc (gc)
exch01 win 2003 sp1 dc, rid, pdc, fmso, gc, infrastructure and naming
the install went well, and i have been testing it for the past 2 weeks this dummy accounts. test smtp connectors, etc. all was working fine. to the point that i have started planning the migration of the users
today i did some mods to IIS for a owa free SSL from startcom (as well as the root CAs). i have removed it since.
i now get the following errors when i start the console, or shell. :
Active Directory server exch01.xxx.com is not available. Error message: A local error occurred.
It was running command 'get-ExchangeAdministrator'.
The following error(s) were reported while loading topology information:
get-ExchangeServer
Failed
Error:
Active Directory server exch01.xxx.com is not available. Error message: A local error occurred.
A local error occurred.
get-UMServer
Failed
Error:
Active Directory server exch01.xxx.com is not available. Error message: A local error occurred.
A local error occurred.
HELP.. i have no idea what it does not like.
exbpa does not report anything, i even get it to connect to the exch01 for it AD access.
Any ideas??
Thanks
Paul Gartner
(over all i like what i have been seeing in ex2007)
i think that you might be confusing "AD user account" and "profile". you DO NOT delete administrator from your AD Users and Computers. you only delete the Profile (\documents and settings\administrator folder). you can NOT do this while you are logged on using the administrator account.
be sure to backup any data in your my documents and any favorites
create another user that is in the domain admin group of your active directory, log on with that account and verify that the exchange tools works. then follow this to remove the profile.
>1). Logon the Exchange server by using another admin account.
>2). Open Control Panel, select System.
>3). Select Advanced tab and click the Settings button of User Profile.
>4). Delete the Profile of user which encounters this issue.
>5). Click OK.
>6). Restart the server and logon it by using Administrator account.
>
once this is done, logon with your administrator account and try the tools again, they should work.tn
Paul Gartner -
Windows Server 2013; Exchange Server 2013 with Cumulative Update 1
Cannot install Cumulative Update 3 for Exchange Server 2013. It fails with
[xxx] [0] [ERROR] Setup encountered a problem while validating the state of Active Directory: Active Directory operation failed on . The supplied credential for 'XXX\Xxx' is invalid. See the Exchange setup log for more information on this error.
[xxx] [0] [ERROR] Active Directory operation failed on . The supplied credential for 'XXX\Xxx' is invalid.
[xxx] [0] [ERROR] The supplied credential is invalid.
(Crosses - XXX - replace original values.)
I have found that a few others have experienced the same problem but found no solution, nor could come up with anything myself. If it is any hint, Event 40961 was logged in the Event Viewer around the same time on almost all installation attempts to be purely
coincidental:
The Security System could not establish a secured connection with the server
ldap/xxx.xxx/[email protected] No authentication protocol was available.
Both Windows Server and Exchange Server otherwise work OK, and do not recall any issues with Cumulative Update 1 installation.
Hi vhr1,
Based on my knowledge, the Event ID 40961 is a warning message.
This behavior occurs when we restart the server that was promoted to a DC. The Windows Time service tries to authenticate before Directory Services has started.
Found some resources for your reference even if the Exchange Version is mismatched:
http://blogs.technet.com/b/jhoward/archive/2005/04/20/403946.aspx
http://support.microsoft.com/kb/823712/en-us
About the error message, "Setup encountered a problem while validating the state of Active Directory: Active Directory operation failed on . The supplied credential for 'XXX\Xxx' is invalid."
The error message InvalidCredentials means: the wrong password was supplied or the SASL credentials cannot be processed.
Found a similar thread for your reference, hope it is helpful:
http://social.technet.microsoft.com/Forums/en-US/98e26ad6-8e43-4ef5-8ff9-e9fee6e76bda/bind-operation-is-invalid?forum=exchangesvrdeploylegacy
Feel free to contact me if there is any problem.
Thanks
Mavis
Mavis Huang
TechNet Community Support -
I have 2 domain controllers running 2003 server, server1 and server2. I ran dcpromo on server1 and removed AD and removed him from the domain and disconnected from network. I then added a 2012 server
with the same name and IP address server1 with no problem. Replication from sites and services work fine on both controllers.
The new 2012 server1 is GC. I transferred all FSMO roles to server1. Again no problem and replicating using sites and services. AD on server1 is populated correctly.
Now what I had intended on doing was a dcpromo to remove server2 from the domain so I can then add another 2012 server. That is when I get the: "The box indicating that this domain controller is the last controller for the domain
is unchecked. However, no other Active Directory domain controllers for that domain can be contacted.
I have DNS installed on both servers and both look good with replicating there. Strange thing is when on the 2012 server within DNS if I right click and connect to another DNS server I can add server2 just fine but from server2 adding server1 it tells me it
is not available.
Help please!
Hi,
As there is server 2012 DC (SERVER1) DC is operational in a domain then "This domain controller is the last controller for the domain" should be remain unchecked when you demote SERVER2 DC.
If you are getting error "Active Directory domain controllers for that domain can be contacted" while demoting SERVER2 DC then check the DNS pointing on both as per below article, disable windows firewall on all DC, less possibilities but worth to check if both
are different site then check the ports are open on firewall.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/
http://technet.microsoft.com/en-us/library/cc766337(v=ws.10).aspx
http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx
run “ipconfig /flushdns & ipconfig /registerdns“, restart DNS server and NETLOGON service on each DC and try to demote server2 DC.
If issue reoccurs, post dcdiag /q result.
NOTE: If initial replication was completed between both DC (new 2012 and old DC) then you may remove the server2 DC from Active Directory forcefully (DCPROMO /FORCEREMOVAL) and perform metadata cleanup.
Active Directory Metadata Cleanup
http://abhijitw.wordpress.com/2012/03/03/active-directory-metadata-cleanup/
Best regards,
Abhijit Waikar.
MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
Blog: http://abhijitw.wordpress.com
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights. -
Hi All,
I have just added my first 2010 exchange server to our organisation.
Upon trying to enter the product key, i get the following:
Error:
Active Directory operation failed on DC01.myorg.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150A48, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
The user has insufficient access rights.
Click here for help...
http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.1.218.11&t=exchgf1&e=ms.exch.err.Ex6AE46B
Exchange Management Shell command attempted:
set-exchangeserver -Identity 'CAS01' -ProductKey 'xxxxx-xxxxx-xxxxx-xxxxx-xxxxx'
I get a similar error when trying to run the cmdlet New-ClientAccessArray.
It would appear there is an inheritance of permissions issue somewhere but where. Most other references to this error are on mailbox moved where the error is with the mailbox being moved. Where is it here?
Any thoughts? This is driving me mad :(
Hi,
After much research on the forums I found this solution that worked for me:
Technet
Article
Thanks,
Arthur. -
Active Directory service discovery failed
Hi forum user,
I have integrated my SGD with AD.
I saw the following error in jserver log file:
# more jserver2698_error.log
2007/07/24 15:25:22.626 (pid 2698) server/ldap/error #1185261922626
Sun Secure Global Desktop Software (4.31) ERROR:
Active Directory service discovery failed: Failed to find any valid Site objects.
Looking up Global Catalog DNS name: gc.tcp.telbru.com.bn. - HIT
Looking for GC on server: Active Directory:ts1.telbru.com.bn:/172.25.11.96:3268:Up - HIT
Checking for CN=Configuration: DC=telbru,DC=com,DC=bn - MISS
Checking for CN=Configuration: CN=Configuration,DC=telbru,DC=com,DC=bn - HIT
Looking up domain root context: DC=telbru,DC=com,DC=bn - HIT
Looking up site context: CN=Sites,CN=Configuration
Searching for sites: (&(objectClass=site)(siteObjectBL=*)) - HIT
Looking up addresses for peer DNS: portal.telbru.com.bn - HIT
Failed to discover Active Directory Site, Domain and server data.
This might mean LDAP users cannot log in.
Make sure the DNS server contains the Active Directory service
records for the forest. Make sure a Global Catalog server is available.
Why the error occurred ?
What is the resolution to this error ?
Appreciate any help. Thanks.
This error message is telling you that SGD failed to find any site objects in your AD tree. This should not stop users from logging in, it will just mean that SGD will not be able to work out which AD site is local to the SGD server.
If you are not using sites in your AD setup, then you do not need to worry about this.
Hope this helps,
DD -
Active Directory Discovery fails to bind to OU
I am continuously receiving the following error:
Active Directory System Discovery Agent failed to bind to container
LDAP://OU=DOMAIN CONTROLLERS,DC=MYDOMAIN,DC=COM. Error: The specified directory service attribute or value does not exist.
Not sure what to check at this point. I have checked permissions on the OU, Server has read permissions. Here is screenshot of properties:
Have you tried discovery of the entire forest, not just a single OU? If that works then it has to be permissions to that OU. If it fails, then it would be no permissions to the forest.
I'd also consider using a user account (just as a test). Personally I've always used the site server computer account, but you could also try a user account for this to ensure that it's not something else.
Wally Mead -
Error running Organization Lookup Recon in OIM 11g R2 with Active Directory
Hi all,
I have an implementation of OIM 11g R2, with an Active Directory 11.1.1.5.0 connecting to an instance of Active Directory on Windows Server 2008. I am trying to run the "Active Directory Organization Lookup Reconciliation" scheduled task, but the job fails with this error:
oracle.iam.connectors.icfcommon.exceptions.IntegrationException: Connector ConnectorKey( bundleName=ActiveDirectory.Connector bundleVersion=1.1.0.6380 connectorName=Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector ) not found
This is the full stack trace from the oim_domain.log file:
oracle.iam.connectors.icfcommon.exceptions.IntegrationException: Connector ConnectorKey( bundleName=ActiveDirectory.Connector bundleVersion=1.1.0.6380 connectorName=Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector ) not found
at oracle.iam.connectors.icfcommon.ConnectorFactory.createConnectorFacade(ConnectorFactory.java:176)
at oracle.iam.connectors.icfcommon.recon.AbstractReconTask.init(AbstractReconTask.java:115)
at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.execute(SchedulerBaseTask.java:382)
at oracle.iam.scheduler.vo.TaskSupport$1.processWithoutResult(TaskSupport.java:135)
at oracle.iam.platform.tx.OIMTransactionCallbackWithoutResult.process(OIMTransactionCallbackWithoutResult.java:9)
at oracle.iam.platform.tx.OIMTransactionCallback.doInTransaction(OIMTransactionCallback.java:13)
at oracle.iam.platform.tx.OIMTransactionCallback.doInTransaction(OIMTransactionCallback.java:6)
at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:128)
at oracle.iam.platform.tx.OIMTransactionManager.execute(OIMTransactionManager.java:22)
at oracle.iam.scheduler.vo.TaskSupport.executeJob(TaskSupport.java:116)
at sun.reflect.GeneratedMethodAccessor739.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at oracle.iam.scheduler.impl.quartz.QuartzJob$TaskExecutionAction.run(QuartzJob.java:266)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.security.Security.runAs(Security.java:41)
at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(weblogicLoginSession.java:52)
at oracle.iam.scheduler.impl.quartz.QuartzJob.execute(QuartzJob.java:75)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)
The Connector Server is installed on the AD instance, and the key has been set, and used appropriately in the Active Directory Connector Server IT Resource in OIM.
Any advice on how to resolve this error or on any possible causes would be much appreciated, thank you.
From the installation media, copy and extract contents of the bundle/ActiveDirectory.Connector-1.1.0.6380.zip file to the CONNECTOR_SERVER_HOME directory
Refer http://docs.oracle.com/cd/E22999_01/doc.111/e20347/deploy.htm#CHDDJGIG -
Error while trying to provision OIM user to Active Directory using SSL
Hi All,
I am able to see the users through LDAP browser using SSL but am getting the following error while trying to provision OIM users to AD using SSL.
I am using Microsoft Active Directory connector type 9.11.
Response: Connection Error encountered
Response Description: Error encountered while connecting to target system
I did some testing using "Diagnostic Dashboard" and the following are the results.
Test Name: Target System SSL Trust Verification: Passed
Test Name: Test Basic Connectivity: Failed
Exceptions:
ITResource information values are not correct. Enter the correct values.
java.lang.reflect.InvocationTargetException
javax.naming.CommunicationException: simple bind failed:
unable to find valid certification path to requested target.
Test Name: Test Provisioning: Failed
Note: Without SSL all the above tests got Passed.
Can anybody help me out from this issue.
Thanks in advance.
Pradeep Kumar.
I am able to connect to AD using 636 port number from LDAP browser and as the following test got Passed I think that my certificate should be correct.
Test Name: Target System SSL Trust Verification.
Input Parameters
Target System: idm.orademo.com
Port: 636
Certificate Store Location: /usr/java/jdk1.6.0_14/jre/lib/security/cacerts
Result : Passed
ITResource Values:
ADAM LockoutThreshold Value
ADGroup LookUp Definition Lookup.ADReconciliation.GroupLookup
Admin FQDN cn=Administrator,cn=Users,dc=orademo,dc=com
Admin Password *******
Allow Password Provisioning yes
AtMap ADGroup AtMap.ADGroup
AtMap ADUser AtMap.AD
Invert Display Name no
Port Number 636
Remote Manager Prov Lookup AtMap.AD.RemoteScriptlookUp
Remote Manager Prov Script Path
Root Context dc=orademo,dc=com
Server Address idm.orademo.com
Target Locale: TimeZone GMT
UPN Domain orademo.com
Use SSL yes
isADAM no
isLookupDN no
isUserDeleteLeafNode no
Thanks & Regards,
Pradeep Kumar. -
Issue with Active Directory User Target Recon
Hi ,
I am facing an issue with Active Directory User Target Recon
My environment is OIM 11g R2 with BP03 patch applied
AD Connector is activedirectory-11.1.1.5 with bundle patch 14190610 applied
In my target there are around 28000 users, out of which 14000 have an AD account (includes Provisioned, Revoked, Disabled accounts).
When I run Active Directory User Target Recon, I do not set any filter; I cleared the batch start and batch size parameters and ran the recon job. The job ran successfully, but it stopped after processing only around 3000 users.
I retried the job two or three times, but every time it stops after processing some users and does not process all the users.
I checked the log files (oimdiagnostic logs and Connector Server logs) and cannot see any errors in them.
I checked the user profiles of the users processed and can see the AD account provisioned for them.
My query is why this job is not processing all the users. Please point out if I am missing something.
Thanks in advance.
Check the connector server load when you are running the recon. Last time I checked the connector, the way it was written is that it loads all the users from AD into the connector server memory and then sends them to OIM. So if the number was huge, then the connector server errored out and did not send data to OIM. We then did recon based on OUs to load/link all the users into OIM. Check the connector server system logs and check for memory usage etc.
-Bikash -
What am I trying to do?
I have tried installing Microsoft Exchange Server 2013 Cumulative Update 7 on a fresh install of Windows Server 2012 R2, but it gets stuck when running the setup exe on Step 8 of 14 “Mailbox Transport Service”. I have included full error logs at the bottom of the page, but the basic errors it throws, in order, and which loop around, are:
[01/20/2015 17:13:20.0084] [2] Beginning processing Set-SharedConfigDC
[01/20/2015 17:13:20.0178] [2] The call to Microsoft Exchange Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)' returned an error. Error details No Minimal Required Number of Suitable Directory Servers
Found in Forest mydomain.com Site Default-First-Site and connected Sites..
[01/20/2015 17:13:20.0178] [2] No Minimal Required Number of Suitable Directory Servers Found in Forest mydomain.com Site Default-First-Site and connected Sites.
Exchange is currently running in the environment on 2010 SP3. I am installing 2013 CU7 fresh so I can migrate the databases over.
What am I running?
2 X DC on domain and forest functional level 2008R2 both writable
1 X fresh install of Windows 2012 R2 which is domain joined
What have I tried?
Checked Ipv6 is enabled on all DC NICS and Existing Exchange Servers
Rebooted every server
Run setup as Administrator
My account is part of the domain Enterprise Admin group
Tried adding "Exchange Server" or "Exchange Enterprise Servers" to the group policy and doing the relevant gpupdate /force and reboot:
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Manage auditing and security log
Turned off firewall on DC and Exchange Server even stopped the service
Turned off all AV on the DC and Exchange Server
Checked I could telnet to global catalog servers on port 3268 which I can
Checked the global catalog records existed in DNS which they all do
Done the obvious ping tests all round which confirms connectivity
Schema has been prepared using appropriate commands before running the setup exe
setup.exe /PrepareSchema /IacceptExchangeServerLicenseTerms
Making sure the following path has full permissions:
EXCHANGE14:\Current\Release\Shared\Datacenter\Setup
Restarted Microsoft Exchange Active Directory Topology service
DcDiag all looks good
What have I noticed that is suspicious?
Microsoft Exchange Transport service will not start even though both of the services it depends on have started:
Microsoft Filtering Management Service
Microsoft Exchange Active Directory Topology Service
It will eventually error with
“Windows could not start the Microsoft Exchange Transport Service on local computer
Error 1053: This Service did not respond to the start of control request in a timely fashion”
This error is from the GUI wizard itself:
Error:
The following error was generated when "$error.Clear();
$maxWait = New-TimeSpan -Minutes 8
$timeout = Get-Date;
$timeout = $timeout.Add($maxWait);
$currTime = Get-Date;
$successfullySetConfigDC = $false;
while($currTime -le $timeout)
{
  $setSharedCDCErrors = @();
  try
  {
    Set-SharedConfigDC -DomainController $RoleDomainController -ErrorVariable setSharedCDCErrors -ErrorAction SilentlyContinue;
    $successfullySetConfigDC = ($setSharedCDCErrors.Count -eq 0);
    if($successfullySetConfigDC)
    {
      break;
    }
    Write-ExchangeSetupLog -Info ("An error ocurred while setting shared config DC. Error: " + $setSharedCDCErrors[0]);
  }
  catch
  {
    Write-ExchangeSetupLog -Info ("An exception ocurred while setting shared config DC. Exception: " + $_.Exception.Message);
  }
  Write-ExchangeSetupLog -Info ("Waiting 30 seconds before attempting again.");
  Start-Sleep -Seconds 30;
  $currTime = Get-Date;
}
if( -not $successfullySetConfigDC)
{
  Write-ExchangeSetupLog -Error "Unable to set shared config DC.";
}
" was run: "System.Exception: Unable to set shared config DC.
at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target, Boolean reThrow, String helpUrl)
at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
at Microsoft.Exchange.Management.Deployment.WriteExchangeSetupLog.InternalProcessRecord()
at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".
Exchange logs which have been written:
The error will loop around for 8 minutes trying to run Set-SharedConfigDC (whatever this is trying to do?):
[01/20/2015 17:13:20.0084] [2] Active Directory session settings for 'Set-SharedConfigDC' are: View Entire Forest: 'True', Configuration Domain Controller:mydomain.com', Preferred Global Catalog: 'mydomain.com', Preferred Domain Controllers:
'{ mydomain.com}'
[01/20/2015 17:13:20.0084] [2] User specified parameters:
-DomainController:mydomain.com' -ErrorVariable:'setSharedCDCErrors' -ErrorAction:'SilentlyContinue'
[01/20/2015 17:13:20.0084] [2] Beginning processing Set-SharedConfigDC
[01/20/2015 17:13:20.0178] [2] The call to Microsoft Exchange Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)' returned an error. Error details No Minimal Required Number of Suitable Directory Servers
Found in Forest mydomain.com Site Default-First-Site and connected Sites..
[01/20/2015 17:13:20.0178] [2] No Minimal Required Number of Suitable Directory Servers Found in Forest mydomain.com Site Default-First-Site and connected Sites.
[01/20/2015 17:13:20.0178] [2] The call to Microsoft Exchange Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)' returned an error. Error details No Minimal Required Number of Suitable Directory Servers
Found in Forest mydomain.com Site Default-First-Site and connected Sites..
[01/20/2015 17:13:20.0178] [2] No Minimal Required Number of Suitable Directory Servers Found in Forest mydomain.com Site Default-First-Site and connected Sites.
[01/20/2015 17:13:20.0178] [2] Ending processing Set-SharedConfigDC
[01/20/2015 17:13:20.0193] [2] Beginning processing Write-ExchangeSetupLog
[01/20/2015 17:13:20.0193] [2] An error ocurred while setting shared config DC. Error: The call to Microsoft Exchange Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)' returned an error. Error details
No Minimal Required Number of Suitable Directory Servers Found in Forest mydomain.com Site Default-First-Site and connected Sites..
[01/20/2015 17:13:20.0193] [2] Ending processing Write-ExchangeSetupLog
[01/20/2015 17:13:20.0193] [2] Beginning processing Write-ExchangeSetupLog
[01/20/2015 17:13:20.0193] [2] Waiting 30 seconds before attempting again.
[01/20/2015 17:13:20.0193] [2] Ending processing Write-ExchangeSetupLog
[01/20/2015 17:13:50.0195] [2] Beginning processing Write-ExchangeSetupLog
[01/20/2015 17:13:50.0273] [2] [ERROR] Unable to set shared config DC.
[01/20/2015 17:13:50.0273] [2] [ERROR] Unable to set shared config DC.
[01/20/2015 17:13:50.0288] [2] Ending processing Write-ExchangeSetupLog
[01/20/2015 17:13:50.0288] [1] The following 1 error(s) occurred during task execution:
[01/20/2015 17:13:50.0288] [1] 0. ErrorRecord: Unable to set shared config DC.
[01/20/2015 17:13:50.0288] [1] 0. ErrorRecord: System.Exception: Unable to set shared config DC.
at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target, Boolean reThrow, String helpUrl)
at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
at Microsoft.Exchange.Management.Deployment.WriteExchangeSetupLog.InternalProcessRecord()
at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)
[01/20/2015 17:13:50.0288] [1] [ERROR] The following error was generated when "$error.Clear();
$maxWait = New-TimeSpan -Minutes 8
$timeout = Get-Date;
$timeout = $timeout.Add($maxWait);
$currTime = Get-Date;
$successfullySetConfigDC = $false;
while($currTime -le $timeout)
{
  $setSharedCDCErrors = @();
  try
  {
    Set-SharedConfigDC -DomainController $RoleDomainController -ErrorVariable setSharedCDCErrors -ErrorAction SilentlyContinue;
    $successfullySetConfigDC = ($setSharedCDCErrors.Count -eq 0);
    if($successfullySetConfigDC)
    {
      break;
    }
    Write-ExchangeSetupLog -Info ("An error ocurred while setting shared config DC. Error: " + $setSharedCDCErrors[0]);
  }
  catch
  {
    Write-ExchangeSetupLog -Info ("An exception ocurred while setting shared config DC. Exception: " + $_.Exception.Message);
  }
  Write-ExchangeSetupLog -Info ("Waiting 30 seconds before attempting again.");
  Start-Sleep -Seconds 30;
  $currTime = Get-Date;
}
if( -not $successfullySetConfigDC)
{
  Write-ExchangeSetupLog -Error "Unable to set shared config DC.";
}
" was run: "System.Exception: Unable to set shared config DC.
at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target, Boolean reThrow, String helpUrl)
at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
at Microsoft.Exchange.Management.Deployment.WriteExchangeSetupLog.InternalProcessRecord()
at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".
[01/20/2015 17:13:50.0288] [1] [ERROR] Unable to set shared config DC.
[01/20/2015 17:13:50.0288] [1] [ERROR-REFERENCE] Id=AllADRolesCommonServiceControl___ee47ab1c06fb47919398e2e95ed99c6c Component=EXCHANGE14:\Current\Release\Shared\Datacenter\Setup
[01/20/2015 17:13:50.0288] [1] Setup is stopping now because of one or more critical errors.
[01/20/2015 17:13:50.0288] [1] Finished executing component tasks.
[01/20/2015 17:13:50.0304] [1] Ending processing Install-BridgeheadRole
Windows Event Viewer:
Process Microsoft.Exchange.Directory.TopologyService.exe (PID=5276) Forest mydomain.com. Exchange Active Directory Provider couldn't find minimal required number of suitable Global Catalog servers in either the local site 'Default-First-Site' or the following sites:
Hi apl228,
1. Please make sure the IPv6 is enabled.
2. Please make sure the account that installs Exchange server has Administrator permission.
3. Please make sure DNS has been configured correctly.
Thanks
Mavis Huang
TechNet Community Support
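The retry loop visible in the setup log quoted in the question can be summarised mechanically: which cmdlet failed, how often, with what reason, and how far apart the attempts were. The Python below is an added example, not part of the original thread or of Exchange setup; the sample lines are constructed in the quoted log's layout, and `parse` and `summarize` are hypothetical helper names.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the quoted log's layout: "[MM/dd/yyyy HH:mm:ss.ffff] [depth] message".
# A line without that prefix continues the previous entry (wrapped message or stack frame).
CALL = ("The call to Microsoft Exchange Active Directory Topology service on "
        "server 'TopologyClientTcpEndpoint (localhost)' returned an error. "
        "Error details No Minimal Required Number of Suitable Directory Servers\n"
        "Found in Forest mydomain.com Site Default-First-Site and connected Sites..")
SAMPLE = "\n".join([
    "[01/20/2015 17:13:20.0084] [2] Beginning processing Set-SharedConfigDC",
    "[01/20/2015 17:13:20.0178] [2] " + CALL,
    "[01/20/2015 17:13:20.0178] [2] Ending processing Set-SharedConfigDC",
    "[01/20/2015 17:13:50.0195] [2] Beginning processing Set-SharedConfigDC",
    "[01/20/2015 17:13:50.0260] [2] " + CALL,
    "[01/20/2015 17:13:50.0265] [2] Ending processing Set-SharedConfigDC",
    "[01/20/2015 17:13:50.0273] [1] [ERROR] Unable to set shared config DC.",
])
ENTRY = re.compile(r"^\[(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{4})\] \[(\d+)\] (.*)$")
FMT = "%m/%d/%Y %H:%M:%S.%f"

def parse(text):
    """Return [timestamp, depth, message] entries, folding continuation lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append([datetime.strptime(m.group(1), FMT), int(m.group(2)), m.group(3)])
        elif entries and line.strip():
            entries[-1][2] += " " + line.strip()
    return entries

def summarize(entries):
    """Count failures per cmdlet and measure the gap between its attempts."""
    errors, starts, current = Counter(), {}, None
    for ts, _depth, msg in entries:
        if msg.startswith("Beginning processing "):
            current = msg.split()[2]
            starts.setdefault(current, []).append(ts)
        elif msg.startswith("Ending processing "):
            current = None
        elif current and "Error details " in msg:
            errors[(current, msg.split("Error details ", 1)[1].rstrip("."))] += 1
        elif msg.startswith("[ERROR] "):
            errors[(current or "setup", msg[len("[ERROR] "):])] += 1
    gaps = {c: [(b - a).total_seconds() for a, b in zip(t, t[1:])] for c, t in starts.items()}
    return errors, gaps

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```

A single repeated reason across every attempt, as in the sample, points at the environment (here, directory server discovery) rather than at a transient failure of the cmdlet itself.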