OIM 11gR2 Active Directory integration issue
Hi,
I am trying to install the AD connector on OIM 11gR2 and have successfully performed all the necessary and relevant steps according to the deployment guide.
When I try to test the connector, though, by running the "Active Directory Organization Lookup Recon" scheduled job, I get the following error:
Exception Message oracle.iam.connectors.icfcommon.exceptions.IntegrationException: The value for a key [Host] is not defined in the provided map.
Kindly help me out with this.
Best Regards,
Varun
Hi,
I hope you are using the new AD connector (i.e. ICF based) and your connector server key is not set properly. In most cases this arises because of connector parameters. So verify the connector parameters, and also, have you put the AD connector jars on the connector server side?
_Saurabh
Similar Messages
-
Cisco CSC SSM to Active directory integration issue
Hi,
I have configured ASA CSC SSM module for AD integration for user based access control. The domain controller Agent has been installed in AD server. But the Agent is not able to communicate to CSC module. There are errors getting generated in AD and CSC.
There are no network layer issues between the AD server and CSC. All the firewalls have been turned off. I suspect some configuration changes need to be done on AD or with the Agent installation file. I have followed the configuration steps recommended by Cisco in configuring the AD server and CSC module. I have attached the log files.
Please suggest solution for this issue. Thank you.
With Regards,
Madhan kumar G.
Hi,
Below are the suggestions from TAC engineer, which rectified issue in my case. Hope this helps your scenario.
Verify the following:
1. The client machines should be part of the Windows domain.
2. File Sharing should be enabled on the client machine.
3. "Remote Registry" service should be enabled.
4. On the Windows firewall, select "Windows Management Instrumentation (WMI)" as exception program to allow inbound WMI calls. Also, make sure the "File and Printer Sharing" is part of the exception list.
5. The client is able to ping the Agent and the Domain Controllers.
ISE and MS Active Directory Integration Issue
It appears that our ISE 1.2 solution is having issues with nested MS AD Groups. The first login attempt always fails, the second occasionally works and the third always works. Has anyone else experienced these login issues with ISE 1.2 and MS AD?
Sent from Cisco Technical Support iPhone App
Rick,
I am a little lost in the screenshots you posted. In the AD groups that you have pulled I don't see an authorization policy mapped to the first group. In the authentication report it looks like authentication is successful.
I have seen that ISE will only display a few of the groups now in ISE 1.2. Can you build a policy based on the group you want it to show and then try your authentication again? That is when ISE will show the specific group, as opposed to ISE pre 1.2 where it would show more groups.
Thanks,
Tarik Admani
*Please rate helpful posts*
Issue with Reset Password from Active Directory Integration Pack
I seem to be having some issues with a subscription in the Reset Password activity from the Active Directory Integration Pack. The "User Password" field refuses to take a value from a subscription provided earlier in a Generate Random Text activity. As you will see in the screenshot below, when the Reset Password activity runs, the User Password value is blank.
Any idea why this might be happening? It looks like a possible bug with the Active Directory Integration Pack.
Hi John,
I think this is not a bug, this should be by design because the password is a secure string. If you look for the Published data for Reset User Password activity at
http://technet.microsoft.com/en-us/library/hh553463.aspx it is not listed there as well.
If you need the string (e.g. to send it via email) use the data from the "Generate Random Text" activity.
Regards,
Stefan
www.sc-orchestrator.eu
Problem in provisioning user from oim to active directory using ssl
Hi,
Problem in provisioning user from OIM to Active Directory using SSL. I am getting the following error while provisioning a user to AD.
15:18:12,984 ERROR [ADCS] Communication Errorsimple bind failed: 172.16.30.35:636
15:18:12,984 ERROR [ADCS] The error occured in tcADUtilLDAPController::connectToAvailableAD():simple bind failed: 172.16.30.35:636
15:18:13,015 ERROR [SERVER] Class/Method: tcProperties/tcProperties encounter some problems: Must set a query before executing
com.thortech.xl.dataaccess.tcDataSetException: Must set a query before executing
at com.thortech.xl.dataaccess.tcDataSet.checkExecute(Unknown Source)
at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
at com.thortech.xl.dataobj.util.tcProperties.<init>(Unknown Source)
at com.thortech.xl.dataobj.util.tcProperties.initialize(Unknown Source)
at Thor.API.tcUtilityFactory.getLocalUtility(Unknown Source)
at Thor.API.tcUtilityFactory.getUtility(Unknown Source)
at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.connectToAvailableNextAD(Unknown Source)
at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.searchResultPageEnum(Unknown Source)
at com.thortech.xl.schedule.tasks.ADLookupRecon.performReconciliation(Unknown Source)
at com.thortech.xl.schedule.tasks.ADLookupReconTask.execute(Unknown Source)
at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.run(Unknown Source)
at com.thortech.xl.scheduler.core.quartz.QuartzWrapper$TaskExecutionAction.run(Unknown Source)
at Thor.API.Security.LoginHandler.jbossLoginSession.runAs(Unknown Source
at com.thortech.xl.scheduler.core.quartz.QuartzWrapper.execute(Unknown Source)
at org.quartz.core.JobRunShell.run(JobRunShell.java:203)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:520)
Can anyone help?
Thanks and Regards,
praveen,
Are you able to connect to AD over SSL through some LDAP browser?
Check the validity of the certificate?
Does your certificate appear in the list?
Help with Active Directory Integration and kerberos
Hello,
I'm encountering a bug preventing me from using Active Directory integration with Kerberos:
Our domain name is CORP.DOMAIN.COM.
When we request the GC in this domain :
bash-3.00# nslookup -query=any gc.tcp.corp.domain.com
Server: 1.2.1.6
Address: 1.2.1.6#53
** server can't find gc.tcp.corp.domain.com: NXDOMAIN
there is no answer.
But when we request without corp, we find the servers :
bash-3.00# nslookup -query=any gc.tcp.domain.com | grep sis
gc.tcp.domain.com service = 0 100 3268 serveur02.corp.domain.com.
gc.tcp.domain.com service = 0 100 3268 serveur01.corp.domain.com.
bash-3.00#
Is it possible to add the possibility to enter the domain name where the gc.tcp resides?
Thank you.
Hello
The domain.com domain exists, but it's not our domain.
So, when I put domain.com, it searches with no result (nothing appends).
our kdc.conf :
[kdcdefaults]
    kdc_ports = 88,750
[realms]
    CORP.DOMAIN.COM = {
        profile = /etc/krb5/krb5.conf
        database_name = /var/krb5/principal
        admin_keytab = /etc/krb5/kadm5.keytab
        acl_file = /etc/krb5/kadm5.acl
        kadmind_port = 749
        max_life = 8h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        default_principal_flags = +preauth
    }
krb.conf
[libdefaults]
    default_realm = CORP.DOMAIN.COM
    default_checksum = rsa-md5
[realms]
    CORP.DOMAIN.COM = {
        kdc = dc01.corp.domain.com
        kdc = dc02.corp.domain.com
    }
[domain_realm]
    .corp.domain.com = CORP.DOMAIN.COM
    corp.domain.com = CORP.DOMAIN.COM
In every domain, I think the GC are in corp.domain.com, but in my company, it's in domain.com...
Thank you,
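Added example (not part of the original post and not taken from any Kerberos distribution): a small Python check for krb5.conf-style files like the fragment posted above. It reports unclosed realm stanzas, a default realm with no KDC, domain_realm entries that point at undefined realms, and an unkeyed checksum type in default_checksum. The function names and the sample text are assumptions made for this illustration.

```python
import re

# Constructed sample modelled on the krb.conf fragment in the post above; the
# realm stanza is deliberately left unclosed so the structural check fires.
SAMPLE = """\
[libdefaults]
default_realm = CORP.DOMAIN.COM
default_checksum = rsa-md5
[realms]
CORP.DOMAIN.COM = {
kdc = dc01.corp.domain.com
kdc = dc02.corp.domain.com
[domain_realm]
.corp.domain.com = CORP.DOMAIN.COM
corp.domain.com = CORP.DOMAIN.COM
"""

# Unkeyed checksum types defined in RFC 3961: anyone who can alter the
# message can recompute them, so they provide no integrity protection.
UNKEYED_CHECKSUMS = {"crc32", "rsa-md4", "rsa-md5"}


def parse_krb5(text):
    """Return ({section: {key: [values] or {stanza}}}, [structural problems])."""
    sections, problems = {}, []
    current = None   # name of the [section] being read
    stanza = None    # (name, line number) of an open "NAME = {" block
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            if stanza:
                problems.append(
                    f"line {lineno}: stanza '{stanza[0]}' opened on line "
                    f"{stanza[1]} is not closed before [{header.group(1)}]")
                stanza = None
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if line == "}":
            if stanza is None:
                problems.append(f"line {lineno}: '}}' with no open stanza")
            stanza = None
            continue
        if current is None or "=" not in line:
            problems.append(f"line {lineno}: cannot parse {line!r}")
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "{":
            stanza = (key, lineno)
            sections[current][key] = {}
            continue
        target = sections[current][stanza[0]] if stanza else sections[current]
        target.setdefault(key, []).append(value)
    if stanza:
        problems.append(
            f"end of file: stanza '{stanza[0]}' opened on line {stanza[1]} is not closed")
    return sections, problems


def lint_krb5(text):
    """Structural problems plus a few semantic checks on realms and checksums."""
    sections, problems = parse_krb5(text)
    lib = sections.get("libdefaults", {})
    realms = sections.get("realms", {})
    default_realm = (lib.get("default_realm") or [None])[-1]
    if default_realm is None:
        problems.append("libdefaults: default_realm is not set")
    elif not isinstance(realms.get(default_realm), dict):
        problems.append(f"realms: no stanza for default realm {default_realm}")
    elif not realms[default_realm].get("kdc"):
        problems.append(f"realms: {default_realm} lists no kdc")
    for value in lib.get("default_checksum", []):
        if value.lower() in UNKEYED_CHECKSUMS:
            problems.append(
                f"libdefaults: default_checksum = {value} is an unkeyed checksum")
    for host, mapped in sections.get("domain_realm", {}).items():
        for realm in mapped:
            if realm not in realms:
                problems.append(f"domain_realm: {host} maps to undefined realm {realm}")
    return problems


if __name__ == "__main__":
    for problem in lint_krb5(SAMPLE):
        print(problem)
```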
Active Directory integration: Invalid Token Error in Verification Service
I'm having problems with Active Directory integration. I'm able to browse users in the task routing slip in JDeveloper. But I'm unable to login to the worklist application.
Getting an "Invalid Token Error in Verification Service" error. Any pointers?
<2007-06-12 21:40:36,843> <ERROR> <default.collaxa.cube.services> <PCException::<init>> Identity Service Configuration error.
<2007-06-12 21:40:36,843> <ERROR> <default.collaxa.cube.services> <PCException::<init>> Identity Service Configuration file has error.
<2007-06-12 21:40:36,859> <ERROR> <default.collaxa.cube.services> <PCRuntimeException::<init>> Identity Service Configuration error.
<2007-06-12 21:40:36,859> <ERROR> <default.collaxa.cube.services> <PCRuntimeException::<init>> Identity Service Configuration file has error.
<2007-06-12 21:40:36,859> <ERROR> <default.collaxa.cube.services> <::> WorkflowService:: VerificationService.destroyContext: invalid token: c9pHcmBFtc4q7/EY3xGAv/6hhfa6Hf5tllCb8ZYKtdSA/8/y0exRcwpjy0vWiWGgBPzuIh5Ur+l+ZHDNe0PKb9KiFScsKAG3JK1y+nIJtC827Rljhn8E+/BoF+ZIN6GFYn/iyo/6Mrlmz02Pg4QtetftO7eHJ01rEV5MmZFTXsg8iV6LQPnkAPjqmmsq+5bVYGGfSFpHX7FXk/0FrSabClKy6DKiwt/1Kp2Ldbj2RY8=
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> ORABPEL-30503
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::>
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> Invalid Token Error in Verification Service.
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> Invalid Token Error in Verification Service. Received invalid token c9pHcmBFtc4q7/EY3xGAv/6hhfa6Hf5tllCb8ZYKtdSA/8/y0exRcwpjy0vWiWGgBPzuIh5Ur+l+ZHDNe0PKb9KiFScsKAG3JK1y+nIJtC827Rljhn8E+/BoF+ZIN6GFYn/iyo/6Mrlmz02Pg4QtetftO7eHJ01rEV5MmZFTXsg8iV6LQPnkAPjqmmsq+5bVYGGfSFpHX7FXk/0FrSabClKy6DKiwt/1Kp2Ldbj2RY8= in destroyContext
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> Check the underlying exception and correct the error. Contact oracle support if error is not fixable.
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::>
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at oracle.bpel.services.workflow.verification.impl.VerificationService.destroyContext(VerificationService.java:667)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at oracle.bpel.services.workflow.query.impl.TaskQueryService.destroyWorkflowContext(TaskQueryService.java:161)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at worklistapp.servlets.Logout.handleRequest(Logout.java:66)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at worklistapp.servlets.BaseServlet.doGet(BaseServlet.java:142)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at javax.servlet.http.HttpServlet.service(HttpServlet.java:743)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:64)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at oracle.security.jazn.oc4j.JAZNFilter$1.run(JAZNFilter.java:396)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at java.security.AccessController.doPrivileged(Native Method)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at oracle.security.jazn.oc4j.JAZNFilter.doFilter(JAZNFilter.java:410)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:621)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:368)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:866)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:448)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at com.evermind.server.http.HttpRequestHandler.serveOneRequest(HttpRequestHandler.java:216)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:117)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:110)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at java.lang.Thread.run(Thread.java:595)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> Caused by: BPEL-10555
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::>
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> Identity Service Configuration error.
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> Identity Service Configuration file has error.
Hi Adina,
thank you for your answer (questions)!
We use 10.1.3.1 SOA Suite and the default jazn.com Security Provider, and what we set at the java.naming.security.principal property is oc4jadmin.
It is interesting, we deployed our EAR again and now it works again! There is no Invalid Token Error exception, but we didn't change almost anything...
Can we debug it somehow?
Where does this bug come from?
Thanks!
ric
Tutorial: Azure Active Directory integration with Igloo Software
Click reply and tell us what you think:
Tutorial: Azure Active Directory integration with Igloo Software
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
Hello
Can you be a little clearer about what you have tested with Airwatch MDM cloud? Which scenarios?
1) Device Enrollment?
2) Access to Airwatch console?
3) Access to Airwatch self service portal?
By following the steps we do not get it working at all. By the way, some of the steps in this tutorial are unclear and outdated.
I finally personally figured out how things should look, and made it work, but only with Device Enrollment scenarios from the mobile devices themselves, not from the PC and browsers or from the Access panel.
Active directory Integration with OBIEE
Hi all,
Can any one send me a link for active directory integration with OBIEE.
I have imported the users successfully and I was able to log in to analytics as an AD user.
But SSO is not possible. Kindly help me over this.
Thanks,
Haree.
Thanks for the reply, veeravalli.
I too followed the same link and successfully imported all the users from AD into OBIEE, and logging in is also possible.
But my requirement is to have Single Sign On, i.e., users may log on to their Windows PCs and access Oracle BI EE via a standard web browser with no further authentication required on their part.
Thanks,
Haree
Can Microsoft active directory integrated with Oracle Applications
Hi,
Can anyone provide me any document on Microsoft Active Directory Integration with Oracle Applications(12.0.6)
Manish
Hi,
It is possible, please refer to the following documents for details.
Note: 376811.1 - Integrating Oracle E-Business Suite Release 12 with Oracle Internet Directory and Oracle Single Sign-On
Note: 415007.1 - Oracle Application Server with Oracle E-Business Suite Release 12 FAQ
Regards,
Hussein -
Active Directory integration with call manager
Hi,
I am facing issues while Integrating the CCM to my Active Directory using AD Plug-in.
SITE SETUP:
1. Windows 2003 Parent Domain Controller located remotely with GC.
2. Windows 2003 Child Domain for the Parent DC located Locally with GC.
3. Cisco CallManager 4.1.3 sr3b
My Requirement is to integrate CCM with my Windows 2003 AD.
My Questions are:
1. Do I need to Provide the Parent Domain name or the Child Domain name while performing the AD Plug-in Setup?
2. Does my Call Manager need to have the Forest access of the Active Directory (i.e., Does it perform some modifications in the Parent Domain)?
3. Does the user account (which is used for Directory Integration) need to have direct members of Schema Admins or thru some other domain admin groups (i.e., Admin user -> Child Domain Admins Groups -> Parent Domain and Schema Admin Groups)?
Can anyone help me on this?
Thanks,
V.Kumar
1. Do I need to Provide the Parent Domain name or the Child Domain name while performing the AD Plug-in Setup?
Use the root domain, in this case the Parent domain.
Cisco does not recommend having a Cisco Unified CallManager cluster service users in different domains because response times while user data is being retrieved might be less than optimal if domain controllers for all included domains are not local.
2. Does my Call Manager need to have the Forest access of the Active Directory (i.e., Does it perform some modifications in the Parent Domain)?
Yes, actually all domains in the forest share the same Schema, which will be modified after running the AD plugin.
3. Does the user account (which is used for Directory Integration) need to have direct members of Schema Admins or thru some other domain admin groups (i.e., Admin user -> Child Domain Admins Groups -> Parent Domain and Schema Admin Groups)?
Account should be a member of the Schema Admins group in Active Directory, try the one in parent domain.
Correct permissions for CCMAdministration and similar example for your setup:
http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_implementation_design_guide_chapter09186a00806e8c04.html#wp1043057
HTH
11gr2 Active Directory User Target Delete Recon Search Root
Hi All,
Latest AD connector with the patch.
I have a situation where I need to change the root or base search for the delete recon. By default it seems to want to search at the domain level, but that won't work for us. I checked the doc and can't seem to find any way to change this for the delete recon.
Thanx in advance
Fred
Hi,
The issue is still pending. I am specifying the following parameters for the scheduled job :
Batch Size : 100
Object Type : User
Batch Start : 1
Resource Object Name : AD User
Filter : startsWith('samAccountName','c')
Scheduled Task Name : Active Directory User Target Recon
Incremental Recon Attribute : uSNChanged
Search Base : <blank>
IT Resource Name : Active Directory
Search Scope : subtree
Latest Token : <blank>
Sort By : samAccountName
Number of Batches : All
Sort Direction : asc
The job runs successfully but no records are reconciled into UD_ADUSER table and the job reports the following error in the logs :
[2012-10-25T02:32:04.785-07:00] [oim_server1] [ERROR] [] [org.quartz.impl.jdbcjobstore.JobStoreCMT] [tid: QuartzScheduler_OIMQuartzScheduler-iamoimdev-v1.capgroup.com1351057898397_MisfireHandler] [userId: oiminternal] [ecid: 80eeb34d89d5ed80:-343bffe9:13a9150ba30:-8000-0000000000000005,1:24567] [APP: oim#11.1.2.0.0] MisfireHandler: Error handling misfires: Unexpected runtime exception: null[[
org.quartz.JobPersistenceException: Unexpected runtime exception: null [See nested exception: java.lang.NullPointerException]
at org.quartz.impl.jdbcjobstore.JobStoreSupport.doRecoverMisfires(JobStoreSupport.java:3042)
at org.quartz.impl.jdbcjobstore.JobStoreSupport$MisfireHandler.manage(JobStoreSupport.java:3789)
at org.quartz.impl.jdbcjobstore.JobStoreSupport$MisfireHandler.run(JobStoreSupport.java:3809)
Caused by: java.lang.NullPointerException
at org.quartz.SimpleTrigger.computeNumTimesFiredBetween(SimpleTrigger.java:800)
at org.quartz.SimpleTrigger.updateAfterMisfire(SimpleTrigger.java:514)
at org.quartz.impl.jdbcjobstore.JobStoreSupport.doUpdateOfMisfiredTrigger(JobStoreSupport.java:944)
at org.quartz.impl.jdbcjobstore.JobStoreSupport.recoverMisfiredJobs(JobStoreSupport.java:898)
at org.quartz.impl.jdbcjobstore.JobStoreSupport.doRecoverMisfires(JobStoreSupport.java:3029)
Edited by: IDM_newbie on Oct 25, 2012 2:38 AM -
Active Directory integration problem, Bind AC and OD
Hi.
I'm trying to set an Open Directory as "connect to a Directory System" because I have a Windows 2000 server with Active Directory. But I have a problem when I click on "open directory Access": Access Directory appears and I select Active Directory.
xxx.yyy is the server with Active Directory, with its admin and its password, but I can't bind it and an error always appears.
Can you help me?
What's "active directory domain"? Is it xxx.yyy?
And what's "computer ID"?
Are there other parameters to set, for example in DNS or other?
help help help
What are you trying to achieve by doing this?
Go to http://www.afp548.com/ and search for AD-OD integration.
http://www.afp548.com/article.php?story=20051202151540574
Failover agents who work with active directory integration
Hi Guys,
I have implemented 'Active Directory' failover in SCOM. But what I see is that it doesn't work.
The agents are assigned by AD, but the first (RMS Role) management server has got all the agents and is too busy and has got many problems handling all the load. Even in this case nothing is failing over.
A few I could fail over by hand, but most I cannot because 'Change primary management server' is grayed out, even with the agents turned back from manual to automatic (blog Kevin Holman).
1. Has anybody got any idea of getting the AD failover to work automatically?
2. Has anybody got a workaround to do this manually, by PowerShell (SCOM 2012 R2 cmdlets), bypassing the grayed out 'Change primary management server'?
3. In my failover screen I see the management servers + the internet DMZ gateway server. I don't want to fail over to the internet DMZ Gateway server. Can I delete this?
Please have a look at my specific question. I did read many blogs which are based on PowerShell without AD integration, or AD integration without explaining how the automatic failover works.
Kind regards,
André
Hi,
SCOM Windows agents automatic failover does not require AD integration or PowerShell scripting or Configuration Manager or manual agents installation, especially for small to medium environments, and agents distribution between different SCOM management servers can be accomplished through the push agents wizard, and Windows agents failover can be simply verified from Event Viewer.
Please refer to the below links for more details:
How to Use Active Directory Domain Services to Assign Computers to Management Servers
http://technet.microsoft.com/en-us/library/hh212712.aspx
OpsMgr AD Integration - how it works
http://blogs.msdn.com/b/steverac/archive/2008/03/20/opsmgr-ad-integration-how-it-works.aspx
Regards,
Yan Li
Active Directory : Replication Issue - "Disconnected" sub-domain from the Forest
Hello everyone,
I'm managing a multi-domain forest (with 7 sub-domains). All are working fine except for one. Through repadmin (Repadmin /replsum /bysrc /bydest /sort:delta), I noticed I got both domain controllers of a subdomain (there are only 2 DCs in that subdomain), who hadn't replicated with the rest of the forest for more than 60 days.
According to my research, it's usually recommended to depromote and repromote the problematic DC to avoid the issue of lingering objects. In this case, it's both DCs of a sub-domain. Of course, on the other DCs in the forest, I got the event ID 2012 "it has been too long since this machine last replicated with the named source machine....".
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner
to a value of 1.
As I understand it, this may cause lingering objects to appear (they can be removed with repadmin /removelingeringobjects command with the DSA GUID, naming context, etc..). So far, I haven't used that registry key yet because of the associated risks.
I didn't noticed any other issue so far. Users in the problematic sub-domain are fine, and the problematic sub-domain seems to be able to pull replication data from the others DCs in the forests. (at least, I'm not getting any error in the A.D. Sites
and Services)
I added two new DCs for the affected sub-domains, so the number of DCs for that domain went from 2 to 4 DCs. The two old DCs that hadn't replicated for 60 days are windows Server 2003 and the two new DCs are Server 2008 R2.
Unfortunately (and I was half expecting this, but did it anyway since I must eventually replace the old DCs), that didn't solve my issue, since the rest of the forest "doesn't see" the two new DCs of the sub-domain. By that, I mean that I cannot add an Active Directory Domain Services Connection in Sites & Services console (from a DC in another domain of the forest or even the root domain). I see all the DCs, including the two old DCs that are Server 2003, but not the new ones.
I believe it's because the other DCs don't pull/replicate the information from the old DCs anymore, so they aren't "aware" of the two new DCs for that problematic sub-domain.
I was wondering what is the best course of action. Is it worthwhile to use the registry key to force replication with the old DCs? (And hopefully, the new DCs will get their AD Services connection/replication vector created, so I can depromote the old DCs.)
Since the old DCs from the problematic sub-domain seem to be able to pull the replication from the rest of the forest, is the risk of lingering objects not that great?
Or is it too risky and I must create a new sub-domain and migrate one way or another the users ? (which would be time-consuming)
Thanks in advance,
Adam
Thanks for the reply. One of the links had another link to a good article about the use of repadmin :
So, I ran the command "repadmin /removelingeringobjects " on one of the problematic DCs ().
For clarity purpose, let's say I used the domain :
domain = main domain
subdomain = the domain whose DC are problematic (all of them).
AnotherSubDomain = Just another subdomain I used as a "reference" DC to cleanup the appropriate partition.
Command (the DSA guid is from a DC "clean" in another domain)
repadmin /removelingeringobjects adrec01.mysubdomain.domain.ca C4081E00-921A-480D-9FDE-C4C34F96E7AC dc=ANOTHERsubdomain,dc=domain,dc=ca /advisory_mode
I got the following message in the event viewer :
Active Directory Domain Services has completed the verification of lingering objects on the local domain controller in advisory mode. All objects on this domain controller have had their existence verified on the following source domain controller.
Source domain controller:
c4081e00-921a-480d-9fde-c4c34f96e7ac._msdcs.mydomain.ca
Number of objects examined and verified:
0
Objects that have been deleted and garbage collected on the source domain controller yet still exist on this domain controller have been listed in past event log entries. To permanently delete the lingering objects, restart this procedure without using the
advisory mode option.
How should I interpret the message "number of objects examined and verified 0". Does it mean it just didn't find any object to compare ? (which would be odd IMHO) Or there is another problem ?
Thanks in advance,
Adam