ADAM - AD_Schema load fails with error

Discussion in 'Active Directory' started by Andrew Stanford, Jul 8, 2005.

  1. I have installed a new ADAM instance and I am attempting to run the
    following command;
    ldifde -i -f ad_schema.ldf -s itfswd7:389 -k -j . -c
    "CN=Schema,CN=Configuration,DC=X" #SchemaNamingContext

    The schema instance is installed on Windows XP pro, the AD server is Server
    2003. Also, I tried the above command with the -b switch specifying my user
    account. My account is a Domain Admin.

    I get the following error;
    Add error on line 12289: Referral
    The server side error is: 0x202b A referral was return from the server.
    The extended server error is:
    0000202B: RefErr: DSIS-03100738, data 0, 1 access points
    ref 1: 'x'

    754 entries modified successfully.
    An error has occurred in the program.

    -----------------------------------------------------------------
    Inspecting the ldif.log file shows that the last entry successfully modified
    was 754. The log entry for 755 says;
    755: cn=DNS-Host-Name-Attributes,cn=Extended-Rights, cn=Configuration,dc=X
    Entry DN: cn=DNS-Host-Name-Attributes,cn=Extended-Rights,
    cn=Configuration,dc=X

    ....the rest of the entry is the same as the error information displayed at
    the command prompt.

    Any help on this matter would be great.

    Thanks in advance,
    Andrew
     
    Andrew Stanford, Jul 8, 2005
    #1

  2. Lee Flight (Guest)

    Hi

    that looks like the ad_schema.ldf that comes with ADAMSync,
    that being the case it's

    -c "cn=Configuration,dc=X" #configurationNamingContext

    that you need in your ldifde command line.

    Lee Flight

     
    Lee Flight, Jul 8, 2005
    #2

  3. Thanks Lee... yes I am using the ad_schema.ldf that comes with adamsync and
    the file seemed to load just fine, as did the required schema_metadata.ldf

    Moving on to the next step: I tried to run the following command;
    adamsync /install itfswd7:389 bttest.xml /log -

    Gives me the message;
    Establishing connection to target server itfswd7:389.
    Updating configuration file on bttest.xml.
    Reading Configuration File from bttest.xml
    Please enter password:
    Saving Configuration File on DC=btweb,DC=bakertilly,DC=net,dc=btweb,dc=ADAM
    Unable to read attribute objectclass on
    DC=btweb,DC=bakertilly,DC=net,dc=btweb,d
    c=ADAM.

    Here is the contents of BTTest.xml;
    <?xml version="1.0" ?>
    <doc>
    <configuration>
    <config-name>ADAMApplication</config-name>
    <security-mode>object</security-mode>
    <source-ad-name>btdcprimary.btweb.bakertilly.net</source-ad-name>

    <source-ad-partition>DC=btweb,DC=bakertilly,DC=net</source-ad-partition>
    <source-ad-account>axs2</source-ad-account>
    <target-rdn>dc=btweb,dc=ADAM</target-rdn>
    <account-domain>btweb</account-domain>
    <query>
    <base-dn>DC=btweb,DC=bakertilly,DC=net</base-dn>
    <object-filter>(objectClass=*)</object-filter>
    </query>
    </configuration>
    </doc>

    So the DC server is called btdcprimary on the domain btweb.bakertilly.net
    The adam instance is called adam1 and the partition is dc=btweb,dc=ADAM


    Thanks,
    Andrew


     
    Andrew Stanford, Jul 8, 2005
    #3
  4. Lee Flight (Guest)

    Hi

    the ADAM partition name must match the AD partition name
    to within a trailing suffix in the current beta of ADAMSync (not
    the improved Windows Server R2 version, also in public beta).

    So if your AD partition is

    DC=btweb,DC=bakertilly,DC=net

    then your ADAM partition must be

    DC=btweb,DC=bakertilly,DC=net[,<target-rdn>]

    where [] indicates an optional component so if you want the
    ADAM partition to be

    DC=btweb,DC=bakertilly,DC=net,DC=ADAM

    you would need to create the partition

    DC=btweb,DC=bakertilly,DC=net,DC=ADAM

    and specify

    <target-rdn>dc=ADAM</target-rdn>

    in your config.xml. You could also just create an ADAM
    partition

    DC=btweb,DC=bakertilly,DC=net

    and not specify any target-rdn

    <target-rdn></target-rdn>


    Lee Flight


     
    Lee Flight, Jul 8, 2005
    #4
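As an added illustration of the partition-naming rule Lee describes (this is my own example, not code from the thread or from ADAMSync), the script below splits the two partition DNs into RDNs, checks that the ADAM partition begins with the AD partition, and derives the target-rdn value that the config.xml must carry. Function names are my own; the DNs are the ones from the thread.

```python
# Added example (mine, not code from the thread or from ADAMSync): check an
# ADAM partition name against the rule Lee describes for the ADAMSync beta,
# namely that the ADAM partition DN must be the source AD partition DN with
# an optional trailing <target-rdn>. Function names are my own.


def dn_components(dn):
    """Split a DN on unescaped commas, trimming whitespace around each RDN."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def target_rdn_for(source_partition, adam_partition):
    """Return the <target-rdn> value implied by the two partition names.

    Raises ValueError when the ADAM partition does not begin with the AD
    partition, which is the mismatch behind the 'Unable to read attribute
    objectclass' failure in the thread. Comparison is case-insensitive,
    as DN matching is; the returned suffix keeps its original case.
    """
    src = dn_components(source_partition)
    dst = dn_components(adam_partition)
    if [p.lower() for p in dst[:len(src)]] != [p.lower() for p in src]:
        raise ValueError(
            "ADAM partition %r must begin with the AD partition %r"
            % (adam_partition, source_partition))
    return ",".join(dst[len(src):])


def target_rdn_matches(source_partition, adam_partition, configured_rdn):
    """True when the config.xml <target-rdn> agrees with the partition names.

    An empty configured value corresponds to <target-rdn></target-rdn>.
    """
    try:
        implied = target_rdn_for(source_partition, adam_partition)
    except ValueError:
        return False
    norm = lambda dn: [p.lower() for p in dn_components(dn)]
    return norm(configured_rdn) == norm(implied)


if __name__ == "__main__":
    ad = "DC=btweb,DC=bakertilly,DC=net"
    # Andrew's first attempt: dc=btweb,dc=ADAM does not start with the AD partition.
    print(target_rdn_matches(ad, "dc=btweb,dc=ADAM", "dc=btweb,dc=ADAM"))  # False
    # Lee's suggestion: partition ...,DC=ADAM with <target-rdn>dc=ADAM</target-rdn>.
    print(target_rdn_matches(ad, ad + ",DC=ADAM", "dc=ADAM"))  # True
```

Run it before creating the ADAM instance: the partition name is fixed at instance creation, so a mismatch found here saves an uninstall and reinstall.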
  5. Hi,

    Thanks for your help so far. There seems to be a fair amount of important
    information missing from the documentation.

    I uninstalled the ADAM instance I had and installed a new one with the
    partition;
    dc=btweb,dc=bakertilly,dc=net,dc=adam

    I edited the config file as described and managed to load it using adamsync
    /install.

    I have tried to run the following command and get the error shown below. It
    also pops up the dialog saying that "adamsync.exe has encountered a problem,
    do you want to send a error report to Microsoft etc...". ;
    adamsync /sync itfswd7:389 AdamApplication /log -
    Establishing connection to target server itfswd7:389.
    Saving Configuration File on DC=btweb,DC=bakertilly,DC=net,DC=ADAM
    Saved configuration file.
    Error fetching message from resource fileError occured fetching
    internationalize
    d message number 13. Error code: 317


    Any thoughts on this error? I also tried the above with a partition called
    dc=btweb,dc=bakertilly,dc=net dropping the contents of the <target-rdn> tag
    as suggested. I got a similar message, the only difference being the message
    number. This time it seemed to be trying to read message number 87 (instead
    of 13 in the previous test).

    I wonder if I should be using the newer version that comes with R2. I
    wasn't aware of it but have downloaded it now. Will the procedures for
    install and sync be similar to what I have just been through? Is there a
    document that describes the improvements to this new release?

    Thanks,
    Andrew Stanford

     
    Andrew Stanford, Jul 11, 2005
    #5
  6. Lee Flight (Guest)

    Hi

    inline below...

    "Andrew Stanford" <> wrote in
    message news:...
    > Hi,
    >
    > Thanks for your help so far. There seems to be a fair amount of important
    > information missing from the documentation.
    >
    > I uninstalled the ADAM instance I had and installed a new one with the
    > parition;
    > dc=btweb,dc=bakertilly,dc=net,dc=adam
    >
    > I edited the config file as described and managed to load it using
    > adamsync
    > /install.
    >
    > I have tried to run the following command and get the error shown below.
    > It
    > also pops up the dialog saying that "adamsync.exe has encountered a
    > problem,
    > do you want to send a error report to Microsoft etc...". ;
    > adamsync /sync itfswd7:389 AdamApplication /log -
    > Establishing connection to target server itfswd7:389.
    > Saving Configuration File on DC=btweb,DC=bakertilly,DC=net,DC=ADAM
    > Saved configuration file.
    > Error fetching message from resource fileError occured fetching
    > internationalize
    > d message number 13. Error code: 317
    >
    >
    > Any thoughts on this error. I also tried the above with a partition called
    > dc=btweb,dc=bakertilly,dc=net dropping the contents of the <target-rdn>
    > tag
    > as suggested. I got a similar message, the only difference being the
    > message
    > number. This time it seemed to be trying to read message number 87
    > (instead
    > of 13 in the previous test).


    I have not seen either of those errors; I think they have come up before
    once or twice on the NGs, but I have never managed a repro. It may be
    that you need to uninstall ADAM and retry.

    > I wonder if I should be using the newer version that comes with R2. I
    > wasn't aware of it but have downloaded it now. Will the procedures for
    > install and sync be similar to what I have just been through? Is there a
    > document that describes the improvements to this new release?


    If you can try the R2 release then that is the way to go; unfortunately
    there is a woeful lack of documentation on this release at present. In
    fact the R2 ADAMsync has less documentation than the beta you have
    been using; however, my experience is that the code is improved.

    The /install and /sync steps are much the same for the R2 release,
    there are some minor changes to the config.xml. The only advertised
    feature that has been added is the ability to sync user objects in AD
    to bindProxy objects in ADAM. If you have problems with it please
    post back (stating that you are using the R2 release) and we will try
    and help.

    Lee Flight
     
    Lee Flight, Jul 11, 2005
    #6
  7. Hi,

    Thanks again for your help.

    I ended up switching to the 2003 R2 version. It was a bit of messing around
    as it seemed that it wouldn't install on anything except the trial version of
    2003. Bit of a pain... never mind.

    I tweaked the config file and after a few attempts managed to get it to
    install.

    I then had a couple of issues doing the sync. It would run for ages, then
    error. I found the answer in your post to Tom C (adamsync /sync error). I
    have hit a couple of other attributes that also need to be excluded, but feel
    that I am on the right track.

    Assuming that the sync goes OK (it takes about 20 minutes to fail), we are
    wondering if we can configure it to only include a subset of users from the
    DC? i.e. only the users that are likely to use the application. What would
    you recommend?

    An idea that has been put forward was to create a new group and put required
    users into that. I am guessing that I could maybe filter the sync down to
    just users by adjusting the config file so the object-filter tag says
    (objectClass=Users), but am not sure how to limit the users that arrive in
    ADAM from there.


    Regards,
    Andrew Stanford

     
    Andrew Stanford, Jul 13, 2005
    #7
  8. Lee Flight (Guest)

    Hi

    sounds like you are making good progress, more below...

    "Andrew Stanford" <> wrote in
    message news:...

    > Assuming that the sync goes OK (it takes about 20 minutes to fail), we are
    > wondering if we can confiure it to only include a subset of users from the
    > DC? i.e. only the users that are likely to use the application. What would
    > you recommend?
    >
    > An idea that has been put forward was to create a new group and put
    > required
    > users into that. I am guessing that I could maybe filter the sync down to
    > just users by adjusting the config file so the object-filter tag says
    > (objectClass=Users), but am not sure how to limit the users that arrive in
    > ADAM from there.


    Yes, using an AD group is a useful idea. So if you have an AD group
    called AppUsers with distinguishedName

    CN=AppUsers,OU=Groups,DC=a,DC=b

    and add the AD users that you want to sync to ADAM to that group then
    you would need an LDAP filter something like (ignore any line wraps):

    (&(objectCategory=person)(objectClass=User)(memberOf=CN=AppUsers,OU=Groups,DC=a,DC=b))

    which as an element in your config.xml would look like (ignore any line
    wraps):

    (&amp;(objectCategory=person)(objectClass=User)(memberOf=CN=AppUsers,OU=Groups,DC=a,DC=b))

    that should sync just the members of the group (it would not sync their
    group membership). If the users in question are already members of a
    large number of groups then things will start to slow up.

    A potential downside is that if a user is ever in the group when the /sync
    runs then they will be sync'ed to ADAM but if they are removed from the AD
    group I suspect they will remain in ADAM.

    Lee Flight
     
    Lee Flight, Jul 13, 2005
    #8
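As an added illustration of Lee's filter advice (my own example, not code from the thread or from ADAMSync), the script below builds the <query> element of config.xml with the standard library XML serializer, which produces the &amp; form for you, and escapes the group DN per RFC 4515 so a CN containing parentheses, asterisks or backslashes cannot change the structure of the filter. The element names come from the config shown earlier in the thread; the DNs are constructed samples.

```python
# Added example (mine, not code from the thread or from ADAMSync): build the
# ADAMSync <query> element for a group-scoped sync with correct escaping at
# both layers, the LDAP filter and the XML file it is stored in.
import xml.etree.ElementTree as ET

# RFC 4515 escapes for assertion values placed inside an LDAP search filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",
}


def escape_filter_value(value):
    """Escape a value (here a group DN) so it is matched literally by the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def group_member_filter(group_dn):
    """Lee's filter: person objects of class User that are direct members of group_dn."""
    return "(&(objectCategory=person)(objectClass=User)(memberOf=%s))" % (
        escape_filter_value(group_dn))


def build_query_element(base_dn, group_dn):
    """Return the <query> element; ElementTree performs the XML escaping."""
    query = ET.Element("query")
    ET.SubElement(query, "base-dn").text = base_dn
    ET.SubElement(query, "object-filter").text = group_member_filter(group_dn)
    return query


def query_xml(base_dn, group_dn):
    """Serialise the <query> element as it would appear in config.xml."""
    return ET.tostring(build_query_element(base_dn, group_dn), encoding="unicode")


def filter_from_xml(xml_text):
    """Read the filter back the way an XML parser (and so ADAMSync) sees it."""
    return ET.fromstring(xml_text).find("object-filter").text


if __name__ == "__main__":
    # Constructed sample DNs, following the shape Lee uses in his post.
    print(query_xml("DC=a,DC=b", "CN=AppUsers,OU=Groups,DC=a,DC=b"))
    # A group name with parentheses is escaped rather than breaking the filter.
    print(group_member_filter("CN=App (Users),OU=Groups,DC=a,DC=b"))
```

Note that memberOf lists only direct group memberships, so users who reach AppUsers through a nested group are not matched by this filter; put the users themselves into the group, as Lee suggests.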
  9. Hi,


    The sync process is failing. It seems to take about 20 minutes and it
    populates ADAM with lots of OU's and some CN's, I seem to be missing the most
    important part... the actual Users.

    At the end of each sync run I get an error similar to this;
    Updating the configuration file DirSync cookie with a new value.
    Unable to find object (ldapDisplayName=msExchADCGlobalNames) in the target
    schema.
    Equivalent object in the source schema is
    <GUID=f62ad3546aacb340a3bacef25e2da01d>.
    Unable to find object (ldapDisplayName=replicatedObjectVersion) in the
    target sc
    hema.
    Equivalent object in the source schema is
    <GUID=96d4a1fcfb82bc40928dbe464e331d02>.
    Unable to find object (ldapDisplayName=replicationSignature) in the target
    schem
    a.
    Equivalent object in the source schema is
    <GUID=2c605edf31c88a4a9416f99f3cf2c9dc>.
    Ldap error occured. ldap_add_sW: No Such Attribute.
    Extended Info: .
    Saving Configuration File on DC=btweb,DC=bakertilly,DC=net,DC=ADAM
    Saved configuration file.

    I then add more "exclude" tags to the config file and try again. So far the
    excludes I have added are;
    <exclude>showinaddressbook</exclude>
    <exclude>publicdelegates</exclude>
    <exclude>msExchHideFromAddressLists</exclude>
    <exclude>homeMTA</exclude>
    <exclude>deliveryMechanism</exclude>
    <exclude>homeMDB</exclude>
    <exclude>mailNickname</exclude>
    <exclude>msExchHomeServerName</exclude>
    <exclude>msExchALObjectVersion</exclude>
    <exclude>msExchHideFromAddressList</exclude>
    <exclude>msExchMasterAccountSid</exclude>
    <exclude>msExchUserAccountControl</exclude>
    <exclude>msExchMailboxSecurityDescriptor</exclude>
    <exclude>msExchMailboxGuid</exclude>
    <exclude>dLMemDefault</exclude>
    <exclude>msExchPoliciesIncluded</exclude>
    <exclude>telephoneAssistant</exclude>
    <exclude>replicatedObjectVersion</exclude>
    <exclude>replicationSignature</exclude>
    <exclude>msExchADCGlobalNames</exclude>

    I didn't think there would be this many problems with the schema as I have
    loaded MS-AdamSchemaW2K3.LDF & MS-AdamSyncMetadata.LDF into ADAM

    I then run the ADSchemaAnalyzer loading the ADAM instance as the "target
    schema" and the AD server as the "Base schema". I then check the "Mark
    non-present elements as included" menu option and then "Create LDIF File...".

    I load the resulting LDIF file into my ADAM instance. Shouldn't the ADAM &
    AD schemas be the same at this point? Is there an easier way to figure out
    the required "exclude" tags?

    --
    Regards,
    Andrew Stanford


     
    Andrew Stanford, Jul 14, 2005
    #9
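On the question of an easier way to find the required exclude tags, here is an added script of my own (not from the thread or from ADAMSync). It reads adamsync console output, rejoins the 80-column wrapping visible in the pasted log, pulls out the ldapDisplayNames reported missing from the target schema together with the names in any "Modifying attributes:" list, and renders <exclude> elements merged with an existing exclude list. The sample log is constructed from the messages quoted in posts #9 and #10; it assumes the message wording stays as shown there.

```python
# Added example (mine, not code from the thread or from ADAMSync): turn the
# attribute names adamsync complains about into <exclude> elements.
import re
from xml.sax.saxutils import escape

# Constructed sample modelled on the console output quoted in the thread.
# The odd breaks ("target sc" / "hema.", "physicalDeliver" / "yOfficeName")
# reproduce the 80-column wrapping seen in the pasted output.
SAMPLE_LOG = """\
Updating the configuration file DirSync cookie with a new value.
Unable to find object (ldapDisplayName=msExchADCGlobalNames) in the target
schema.
Equivalent object in the source schema is
<GUID=f62ad3546aacb340a3bacef25e2da01d>.
Unable to find object (ldapDisplayName=replicatedObjectVersion) in the
target sc
hema.
Equivalent object in the source schema is
<GUID=96d4a1fcfb82bc40928dbe464e331d02>.
Unable to find object (ldapDisplayName=replicationSignature) in the target
schem
a.
Ldap error occured. ldap_add_sW: No Such Attribute.
Processing Entry: Page 34, Frame 1, Entry 54, Count 1, USN 0
Modifying attributes: sn, l, st, title, description, postalCode,
physicalDeliver
yOfficeName, telephoneNumber, givenName, initials,
dis
playName, msExchPoliciesExcluded, lastagedchange,
Ldap error occured. ldap_modify_sW: No Such Attribute.
Saving Configuration File on DC=btweb,DC=bakertilly,DC=net,DC=ADAM
"""


def _unwrap(text):
    """Undo console wrapping by dropping newlines outright.

    The paste has lost the spaces at the wrap points, so inserting spaces
    would split names in two.  Every token extracted below is delimited by
    punctuation (parentheses, commas, the 'Modifying attributes:' label),
    never by whitespace, so plain concatenation is safe for our purposes.
    """
    return text.replace("\r", "").replace("\n", "")


_MISSING_RE = re.compile(r"\(ldapDisplayName=([^)\s]+)\)")
_MODIFYING_RE = re.compile(
    r"Modifying attributes:(.*?)"
    r"(?=Ldap error|Previous entry|Processing Entry|Saving Configuration|$)")


def _unique(names):
    """Order-preserving, case-insensitive de-duplication; drops empties."""
    seen, out = set(), []
    for name in names:
        key = name.lower()
        if key and key not in seen:
            seen.add(key)
            out.append(name)
    return out


def missing_schema_objects(log_text):
    """ldapDisplayNames the run reported as absent from the target (ADAM) schema."""
    return _unique(_MISSING_RE.findall(_unwrap(log_text)))


def modified_attributes(log_text):
    """Names from every 'Modifying attributes:' list in the log.

    When ldap_modify_sW fails with No Such Attribute right after such a
    list, the culprit is among these names; check each against the target
    schema (or exclude the ones you do not need in ADAM).
    """
    names = []
    for chunk in _MODIFYING_RE.findall(_unwrap(log_text)):
        names.extend(part.strip() for part in chunk.split(","))
    return _unique(names)


def merge_excludes(existing, additions):
    """Case-insensitive union that keeps the existing list's order first."""
    return _unique(list(existing) + list(additions))


def exclude_elements(names):
    """Render <exclude> elements in the form used in config.xml."""
    return "\n".join("<exclude>%s</exclude>" % escape(n) for n in names)


if __name__ == "__main__":
    already = ["showinaddressbook", "publicdelegates", "msExchHideFromAddressLists"]
    print(exclude_elements(merge_excludes(already, missing_schema_objects(SAMPLE_LOG))))
    print(modified_attributes(SAMPLE_LOG))
```

Feed it the output of adamsync /sync ... /log (redirected to a file) after each failed run and paste the printed elements into the configuration; the merge step keeps the excludes you already have so the list only ever grows.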
  10. Further to my previous post... My most recent sync has just finished, but I
    am not sure what to do now as the error message seems to have changed and
    there doesn't seem to be any clear direction as to what attribute or class I
    should be excluding now. See the error message below;
    Processing Entry: Page 34, Frame 1, Entry 53, Count 1, USN 0
    Processing source entry <guid=b6170c0f999c414b8467410dab6a5491>
    Processing in-scope entry b6170c0f999c414b8467410dab6a5491.
    (sourceobjectguid=?b6?17?0c?0f?99?9c?41?4b?84?67?41?0d?ab?6a?54?91) exists
    in ta
    rget. Converting object creation to object modification.
    Renaming target object
    CN=G_LL_PARTNER,OU=Liverpool,DC=btweb,DC=bakertilly,DC=ne
    t,DC=adam to CN=G_LL_PARTNER,<GUID=60c303d5840d344c83273b981d810351>.
    Deferring synchronization of attribute member to end of run. Deleting
    attribute.

    Modifying attributes: description, groupType, lastagedchange,
    Previous entry took 0 seconds (362, 10) to process

    Processing Entry: Page 34, Frame 1, Entry 54, Count 1, USN 0
    Processing source entry <guid=a2ce363ab7cfba4db26be703b7b1363c>
    Processing in-scope entry a2ce363ab7cfba4db26be703b7b1363c.
    (sourceobjectguid=?a2?ce?36?3a?b7?cf?ba?4d?b2?6b?e7?03?b7?b1?36?3c) exists
    in ta
    rget. Converting object creation to object modification.
    Renaming target object CN=Page
    Amy-1,OU=BT,OU=ITF,DC=btweb,DC=bakertilly,DC=net,
    DC=adam to CN=Page Amy-1,<GUID=26db62db0d01a54087b0d85a06960249>.
    Modifying attributes: sn, l, st, title, description, postalCode,
    physicalDeliver
    yOfficeName, telephoneNumber, facsimileTelephoneNumber, givenName, initials,
    dis
    playName, otherTelephone, info, securityProtocol, deletedItemFlags, co,
    departme
    nt, company, proxyAddresses, streetAddress, mDBStorageQuota,
    mDBOverQuotaLimit,
    otherHomePhone, autoReplyMessage, garbageCollPeriod, mDBUseDefaults,
    mAPIRecipie
    nt, extensionAttribute1, extensionAttribute2, extensionAttribute3,
    extensionAttr
    ibute4, extensionAttribute5, extensionAttribute6, extensionAttribute7,
    extension
    Attribute8, extensionAttribute9, extensionAttribute10, msExchAssistantName,
    home
    Directory, homeDrive, dBCSPwd, scriptPath, userWorkstations, userParameters,
    pro
    filePath, comment, legacyExchangeDN, userPrincipalName,
    textEncodedORAddress, ma
    il, homePhone, mobile, pager, unmergedAtts, msExchPreviousAccountSid,
    mDBOverHar
    dQuotaLimit, msExchPoliciesExcluded, lastagedchange,
    Ldap error occured. ldap_modify_sW: No Such Attribute.
    Extended Info: 00000057: LdapErr: DSID-0C090A8A, comment: Error in attribute
    con
    version operation, data 0, vece.
    Saving Configuration File on DC=btweb,DC=bakertilly,DC=net,DC=adam
    Saved configuration file.


    Thanks in advance for your help.
    --
    Regards,
    Andrew Stanford


    "Andrew Stanford" wrote:

    > Hi,
    >
    >
    > The sync process is failing. It seems to take about 20 minutes and it
    > populates ADAM with lots of OU's and some CN's, I seem to be missing the most
    > important part... the actual Users.
    >
    > At the end of each sync run I get an error similar to this;
    > Updating the configuration file DirSync cookie with a new value.
    > Unable to find object (ldapDisplayName=msExchADCGlobalNames) in the target
    > schema.
    > Equivalent object in the source schema is
    > <GUID=f62ad3546aacb340a3bacef25e2da01d>.
    > Unable to find object (ldapDisplayName=replicatedObjectVersion) in the
    > target sc
    > hema.
    > Equivalent object in the source schema is
    > <GUID=96d4a1fcfb82bc40928dbe464e331d02>.
    > Unable to find object (ldapDisplayName=replicationSignature) in the target
    > schem
    > a.
    > Equivalent object in the source schema is
    > <GUID=2c605edf31c88a4a9416f99f3cf2c9dc>.
    > Ldap error occured. ldap_add_sW: No Such Attribute.
    > Extended Info: .
    > Saving Configuration File on DC=btweb,DC=bakertilly,DC=net,DC=ADAM
    > Saved configuration file.
    >
    > I then add more "exclude" tags to the config file and try again. So far the
    > excludes I have added are;
    > <exclude>showinaddressbook</exclude>
    > <exclude>publicdelegates</exclude>
    > <exclude>msExchHideFromAddressLists</exclude>
    > <exclude>homeMTA</exclude>
    > <exclude>deliveryMechanism</exclude>
    > <exclude>homeMDB</exclude>
    > <exclude>mailNickname</exclude>
    > <exclude>msExchHomeServerName</exclude>
    > <exclude>msExchALObjectVersion</exclude>
    > <exclude>msExchHideFromAddressList</exclude>
    > <exclude>msExchMasterAccountSid</exclude>
    > <exclude>msExchUserAccountControl</exclude>
    > <exclude>msExchMailboxSecurityDescriptor</exclude>
    > <exclude>msExchMailboxGuid</exclude>
    > <exclude>dLMemDefault</exclude>
    > <exclude>msExchPoliciesIncluded</exclude>
    > <exclude>telephoneAssistant</exclude>
    > <exclude>replicatedObjectVersion</exclude>
    > <exclude>replicationSignature</exclude>
    > <exclude>msExchADCGlobalNames</exclude>
    >
    > I didn't think there would be this many problems with the schema as I have
    > loaded MS-AdamSchemaW2K3.LDF & MS-AdamSyncMetadata.LDF into ADAM
    >
    > I then run the ADSchemaAnalyzer loading the ADAM instance as the "target
    > schema" and the AD server as the "Base schema". I then check the "Mark
    > non-present elements as included" menu option and then "Create LDIF File...".
    >
    > I load the resulting LDIF file into my ADAM instance. Shouldn't the ADAM &
    > AD schemas be the same at this point? Is there an easier way to figure out
    > the required "exclude" tags?
    >
    > --
    > Regards,
    > Andrew Stanford
    >
    >
    > "Lee Flight" wrote:
    >
    > > Hi
    > >
    > > sounds like you are making good progress, more below...
    > >
    > > "Andrew Stanford" <> wrote in
    > > message news:...
    > >
    > > > Assuming that the sync goes OK (it takes about 20 minutes to fail), we are
    > > > wondering if we can confiure it to only include a subset of users from the
    > > > DC? i.e. only the users that are likely to use the application. What would
    > > > you recommend?
    > > >
    > > > An idea that has been put forward was to create a new group and put
    > > > required
    > > > users into that. I am guessing that I could maybe filter the sync down to
    > > > just users by adjusting the config file so the object-filter tag says
    > > > (objectClass=Users), but am not sure how to limit the users that arrive in
    > > > ADAM from there.

    > >
    > > Yes, using an AD group is a useful idea. So if you have an AD group
    > > called AppUsers with distinguishedName
    > >
    > > CN=AppUsers,OU=Groups,DC=a,DC=b
    > >
    > > and add the AD users that you want to sync to ADAM to that group then
    > > you would need an LDAP filter something like (ignore any line wraps):
    > >
    > > (&(objectCategory=person)(objectClass=User)(memberOf=CN=AppUsers,OU=Groups,DC=a,DC=b))
    > >
    > > which as an element in your config.xml would look like (ignore any line
    > > wraps):
    > >
    > > (&(objectCategory=person)(objectClass=User)(memberOf=CN=AppUsers,OU=Groups,DC=a,DC=b))
    > >
    > > that should sync just the members of the group (it would not sync their
    > > group membership). If the users in question are already members of a
    > > large number of groups then things will start to slow up.
    > >
    > > A potential downside is that if a user is ever in the group when the /sync
    > > runs then they will be sync'ed to ADAM but if they are removed from the AD
    > > group I suspect they will remain in ADAM.
    > >
    > > Lee Flight
    > >
    > >
    > >
     
    Andrew Stanford, Jul 14, 2005
    #10
  11. Andrew Stanford

    Lee Flight Guest

    Hi

    sorry, I had not picked up that you want to sync from an Exchange-extended
    AD schema. Using ADSchemaAnalyzer is the way to go; if you can get
    the schema in sync then you do not need to fiddle with exclude attrs.
    More below....

    "Andrew Stanford" <> wrote in
    message news:...

    > I didn't think there would be this many problems with the schema as I have
    > loaded MS-AdamSchemaW2K3.LDF & MS-AdamSyncMetadata.LDF into ADAM
    >
    > I then run the ADSchemaAnalyzer loading the ADAM instance as the "target
    > schema" and the AD server as the "Base schema". I then check the "Mark
    > non-present elements as included" menu option and then "Create LDIF
    > File...".
    >
    > I load the resulting LDIF file into my ADAM instance. Shouldn't the ADAM &
    > AD schemas be the same at this point? Is there an easier way to figure out
    > the required "exclude" tags?


    What works for me is:

    Install an ADAM instance and create the naming context that you want in it,
    do not apply any LDIFs

    Run ADSchemaAnalyzer, load the Exchange-extended schema from the DC
    as the *target*, and load the (minimal) ADAM schema as the base. Then check
    the "Mark all non-present elements as included" menu option and then
    "Create LDIF File...". The resulting LDIF is around 3MB (2091 entries).

    Load the LDIF just created into the ADAM Schema

    Load MS-AdamSyncMetadata.LDF into the ADAM schema

    Create the ADAMSync XML file and, assuming that it is only user objects that
    you want, use

    <object-filter>(&amp;(objectCategory=Person)(objectClass=User))</object-filter>

    then ADAMSync /install and ADAMSync /sync as usual.

    HTH
    Lee Flight
     
    Lee Flight, Jul 14, 2005
    #11
  12. Hi,

    Finally... SUCCESS. I have managed to synchronize a Group from AD to my ADAM
    instance. I even got my code to authenticate against.

    So, just continuing on with my investigation of this technology... I changed
    a password in AD then tried to run the adamsync again to get the new password
    down into ADAM. The following is a dump from the command prompt;

    C:\WINDOWS\ADAM>adamsync /sync localhost:389
    dc=btweb,dc=bakertilly,dc=net,dc=ad
    am /log -
    Adamsync.exe v1.0 (5.2.3790.1939)
    Establishing connection to target server localhost:389.
    Saving Configuration File on DC=btweb,DC=bakertilly,DC=net,DC=adam
    Saved configuration file.
    ADAMSync is querying for a writeable replica of btweb.bakertilly.net.
    Establishing connection to source server btdccy.btweb.bakertilly.net:389.
    Using file .?dam3A.tmp as a store for deferred dn-references.
    Populating the schema cache
    Populating the well known objects cache
    Starting synchronization run from DC=btweb,DC=bakertilly,DC=net.
    Starting DirSync Search with object mode security.

    Processing Entry: Page 1, Frame 1, Entry 0, Count 0, USN 0
    Processing source entry <guid=832ea0dc80bedc46bc5b759afe29e969>
    Processing in-scope entry 832ea0dc80bedc46bc5b759afe29e969.
    Modifying target object CN=Harding-Rolls
    Simon,OU=BT,OU=ITF,DC=btweb,DC=bakertil
    ly,DC=net.
    Modifying attributes: dBCSPwd, lockoutTime, lastagedchange,
    Ldap error occured. ldap_modify_sW: Constraint Violation.
    Extended Info: 00000057: AtrErr: DSID-030F0BB6, #1:
    0: 00000057: DSID-030F0BB6, problem 1005 (CONSTRAINT_ATT_TYPE), data
    0,
    Att 90296 (lockoutTime)
    ..
    Saving Configuration File on DC=btweb,DC=bakertilly,DC=net,DC=adam
    Saved configuration file.

    Any ideas on this one.
    --
    Regards,
    Andrew Stanford


    "Lee Flight" wrote:

    > Hi
    >
    > sorry, I had not picked up that you want to sync from an Exchange-extended
    > AD schema. Using ADSchemaAnalyzer is the way to go, if you can get
    > the schema in sync then you do not need to fiddle with exclude attrs.
    > More below....
    >
    > "Andrew Stanford" <> wrote in
    > message news:...
    >
    > > I didn't think there would be this many problems with the schema as I have
    > > loaded MS-AdamSchemaW2K3.LDF & MS-AdamSyncMetadata.LDF into ADAM
    > >
    > > I then run the ADSchemaAnalyzer loading the ADAM instance as the "target
    > > schema" and the AD server as the "Base schema". I then check the "Mark
    > > non-present elements as included" menu option and then "Create LDIF
    > > File...".
    > >
    > > I load the resulting LDIF file into my ADAM instance. Shouldn't the ADAM &
    > > AD schemas be the same at this point? Is there an easier way to figure out
    > > the required "exclude" tags?

    >
    > What works for me is:
    >
    > Install an ADAM instance and create the naming context that you want in it,
    > do not apply any LDIFs
    >
    > Run ADSchemaAnalyzer load the exchange extended schema from the DC
    > as the *target*, load the (minimal) ADAM schema as the base. Then check
    > the "Mark all non-present elements as included" menu option and then
    > "Create LDIF File...". The resulting LDIF is around 3MB (2091 entries)
    >
    > Load the LDIF just created into the ADAM Schema
    >
    > Load MS-AdamSyncMetadata.LDF into the ADAM schema
    >
    > Create the ADAMSync XML file and assuming that it is only user objects that
    > you want, use
    >
    > <object-filter>(&(objectCategory=Person)(objectClass=User))</object-filter>
    >
    > then ADAMSync /install and ADAMSync /sync as usual.
    >
    > HTH
    > Lee Flight
    >
    >
     
    Andrew Stanford, Jul 18, 2005
    #12
  13. Further to my post... I tried adamsync with the /fs switch and that worked OK,
    but wasn't exactly what I wanted as it took ages to resync every user again.
    I had a look at the other switches. Ran with the /MAI switch, changed
    password in AD again, ran adamsync /sync again and it worked OK this time.

    Is this approach OK? I was sure what it meant by marking the ADAM instance
    as authoritative, but it sounds like we are giving the ADAM instance more
    privileges maybe.

    Can you just clarify/confirm that I am on the right track here.
    --
    Regards,
    Andrew Stanford


    "Andrew Stanford" wrote:

    > Hi,
    >
    > Finally... SUCCESS. I have managed to synchronize a Group from AD to my ADAM
    > instance. I even got my code to authenticate against.
    >
    > So, just continuing on with my investigation of this technology... I changed
    > a password in AD then tried to run the adamsync again to get the new password
    > down into ADAM. The following is a dump from the command prompt;
    >
    > C:\WINDOWS\ADAM>adamsync /sync localhost:389
    > dc=btweb,dc=bakertilly,dc=net,dc=ad
    > am /log -
    > Adamsync.exe v1.0 (5.2.3790.1939)
    > Establishing connection to target server localhost:389.
    > Saving Configuration File on DC=btweb,DC=bakertilly,DC=net,DC=adam
    > Saved configuration file.
    > ADAMSync is querying for a writeable replica of btweb.bakertilly.net.
    > Establishing connection to source server btdccy.btweb.bakertilly.net:389.
    > Using file .?dam3A.tmp as a store for deferred dn-references.
    > Populating the schema cache
    > Populating the well known objects cache
    > Starting synchronization run from DC=btweb,DC=bakertilly,DC=net.
    > Starting DirSync Search with object mode security.
    >
    > Processing Entry: Page 1, Frame 1, Entry 0, Count 0, USN 0
    > Processing source entry <guid=832ea0dc80bedc46bc5b759afe29e969>
    > Processing in-scope entry 832ea0dc80bedc46bc5b759afe29e969.
    > Modifying target object CN=Harding-Rolls
    > Simon,OU=BT,OU=ITF,DC=btweb,DC=bakertil
    > ly,DC=net.
    > Modifying attributes: dBCSPwd, lockoutTime, lastagedchange,
    > Ldap error occured. ldap_modify_sW: Constraint Violation.
    > Extended Info: 00000057: AtrErr: DSID-030F0BB6, #1:
    > 0: 00000057: DSID-030F0BB6, problem 1005 (CONSTRAINT_ATT_TYPE), data
    > 0,
    > Att 90296 (lockoutTime)
    > .
    > Saving Configuration File on DC=btweb,DC=bakertilly,DC=net,DC=adam
    > Saved configuration file.
    >
    > Any ideas on this one.
    > --
    > Regards,
    > Andrew Stanford
    >
    >
    > "Lee Flight" wrote:
    >
    > > Hi
    > >
    > > sorry, I had not picked up that you want to sync from an Exchange-extended
    > > AD schema. Using ADSchemaAnalyzer is the way to go, if you can get
    > > the schema in sync then you do not need to fiddle with exclude attrs.
    > > More below....
    > >
    > > "Andrew Stanford" <> wrote in
    > > message news:...
    > >
    > > > I didn't think there would be this many problems with the schema as I have
    > > > loaded MS-AdamSchemaW2K3.LDF & MS-AdamSyncMetadata.LDF into ADAM
    > > >
    > > > I then run the ADSchemaAnalyzer loading the ADAM instance as the "target
    > > > schema" and the AD server as the "Base schema". I then check the "Mark
    > > > non-present elements as included" menu option and then "Create LDIF
    > > > File...".
    > > >
    > > > I load the resulting LDIF file into my ADAM instance. Shouldn't the ADAM &
    > > > AD schemas be the same at this point? Is there an easier way to figure out
    > > > the required "exclude" tags?

    > >
    > > What works for me is:
    > >
    > > Install an ADAM instance and create the naming context that you want in it,
    > > do not apply any LDIFs
    > >
    > > Run ADSchemaAnalyzer load the exchange extended schema from the DC
    > > as the *target*, load the (minimal) ADAM schema as the base. Then check
    > > the "Mark all non-present elements as included" menu option and then
    > > "Create LDIF File...". The resulting LDIF is around 3MB (2091 entries)
    > >
    > > Load the LDIF just created into the ADAM Schema
    > >
    > > Load MS-AdamSyncMetadata.LDF into the ADAM schema
    > >
    > > Create the ADAMSync XML file and assuming that it is only user objects that
    > > you want, use
    > >
    > > <object-filter>(&(objectCategory=Person)(objectClass=User))</object-filter>
    > >
    > > then ADAMSync /install and ADAMSync /sync as usual.
    > >
    > > HTH
    > > Lee Flight
    > >
    > >
     
    Andrew Stanford, Jul 18, 2005
    #13
  14. Andrew Stanford

    Lee Flight Guest

    Hi

    I think the problem with lockoutTime may be a bug. I will chase
    it up. As a workaround add lockoutTime as an <exclude> attribute
    in your XML configuration file and reapply the install.

    I'm confused by the statement "got my code to authenticate against"
    as ADAMSync cannot synch. passwords between AD and ADAM.
    If what you are saying is that you used a windows account from the
    domain that the ADAM server is a member of and authenticated OK
    then that's fine.

    Thanks
    Lee Flight

    "Andrew Stanford" <> wrote in
    message news:...
    > Hi,
    >
    > Finally... SUCCESS. I have managed to synchronize a Group from AD to my
    > ADAM
    > instance. I even got my code to authenticate against.
    >
    > So, just continuing on with my investigation of this technology... I
    > changed
    > a password in AD then tried to run the adamsync again to get the new
    > password
    > down into ADAM. The following is a dump from the command prompt;
    >
    > C:\WINDOWS\ADAM>adamsync /sync localhost:389
    > dc=btweb,dc=bakertilly,dc=net,dc=ad
    > am /log -
    > Adamsync.exe v1.0 (5.2.3790.1939)
    > Establishing connection to target server localhost:389.
    > Saving Configuration File on DC=btweb,DC=bakertilly,DC=net,DC=adam
    > Saved configuration file.
    > ADAMSync is querying for a writeable replica of btweb.bakertilly.net.
    > Establishing connection to source server btdccy.btweb.bakertilly.net:389.
    > Using file .?dam3A.tmp as a store for deferred dn-references.
    > Populating the schema cache
    > Populating the well known objects cache
    > Starting synchronization run from DC=btweb,DC=bakertilly,DC=net.
    > Starting DirSync Search with object mode security.
    >
    > Processing Entry: Page 1, Frame 1, Entry 0, Count 0, USN 0
    > Processing source entry <guid=832ea0dc80bedc46bc5b759afe29e969>
    > Processing in-scope entry 832ea0dc80bedc46bc5b759afe29e969.
    > Modifying target object CN=Harding-Rolls
    > Simon,OU=BT,OU=ITF,DC=btweb,DC=bakertil
    > ly,DC=net.
    > Modifying attributes: dBCSPwd, lockoutTime, lastagedchange,
    > Ldap error occured. ldap_modify_sW: Constraint Violation.
    > Extended Info: 00000057: AtrErr: DSID-030F0BB6, #1:
    > 0: 00000057: DSID-030F0BB6, problem 1005 (CONSTRAINT_ATT_TYPE),
    > data
    > 0,
    > Att 90296 (lockoutTime)
    > .
    > Saving Configuration File on DC=btweb,DC=bakertilly,DC=net,DC=adam
    > Saved configuration file.
    >
    > Any ideas on this one.
    > --
    > Regards,
    > Andrew Stanford
    >
    >
    > "Lee Flight" wrote:
    >
    >> Hi
    >>
    >> sorry, I had not picked up that you want to sync from an Exchange-extended
    >> AD schema. Using ADSchemaAnalyzer is the way to go, if you can get
    >> the schema in sync then you do not need to fiddle with exclude attrs.
    >> More below....
    >>
    >> "Andrew Stanford" <> wrote in
    >> message news:...
    >>
    >> > I didn't think there would be this many problems with the schema as I
    >> > have
    >> > loaded MS-AdamSchemaW2K3.LDF & MS-AdamSyncMetadata.LDF into ADAM
    >> >
    >> > I then run the ADSchemaAnalyzer loading the ADAM instance as the
    >> > "target
    >> > schema" and the AD server as the "Base schema". I then check the "Mark
    >> > non-present elements as included" menu option and then "Create LDIF
    >> > File...".
    >> >
    >> > I load the resulting LDIF file into my ADAM instance. Shouldn't the
    >> > ADAM &
    >> > AD schemas be the same at this point? Is there an easier way to figure
    >> > out
    >> > the required "exclude" tags?

    >>
    >> What works for me is:
    >>
    >> Install an ADAM instance and create the naming context that you want in
    >> it,
    >> do not apply any LDIFs
    >>
    >> Run ADSchemaAnalyzer load the exchange extended schema from the DC
    >> as the *target*, load the (minimal) ADAM schema as the base. Then check
    >> the "Mark all non-present elements as included" menu option and then
    >> "Create LDIF File...". The resulting LDIF is around 3MB (2091 entries)
    >>
    >> Load the LDIF just created into the ADAM Schema
    >>
    >> Load MS-AdamSyncMetadata.LDF into the ADAM schema
    >>
    >> Create the ADAMSync XML file and assuming that it is only user objects
    >> that
    >> you want, use
    >>
    >>
    >> <object-filter>(&(objectCategory=Person)(objectClass=User))</object-filter>
    >>
    >> then ADAMSync /install and ADAMSync /sync as usual.
    >>
    >> HTH
    >> Lee Flight
    >>
    >>
     
    Lee Flight, Jul 18, 2005
    #14
  15. Andrew Stanford

    Lee Flight Guest

    Hi

    [See my previous reply]

    I suspect that the reason /fs worked was because the problem attribute
    lockoutTime has been reset in the AD it originated from (by, say,
    a successful logon after the lockout duration).

    Ditto for /MAI which I believe just marks the ADAM instance in a
    config set as authoritative but I'm not sure as I have never used it.

    I will file a bug against the lockoutTime attribute issue to try and
    get it excluded, in the meantime use an <exclude>.

    HTH
    Lee Flight


    "Andrew Stanford" <> wrote in
    message news:...
    > Further to my post... I tried adamsync with the /fs switch and that worked
    > OK,
    > but wasn't exactly what I wanted as it took ages to resync every user
    > again.
    > I had a look at the other switches. Ran with the /MAI switch, changed
    > password in AD again, ran adamsync /sync again and it worked OK this time.
    >
    > Is this approach OK? I was sure what it meant by marking the ADAM instance
    > as authoritative, but it sounds like we are giving the ADAM instance more
    > privileges maybe.
    >
    > Can you just clarify/confirm that I am on the right track here.
    > --
    > Regards,
    > Andrew Stanford
    >
    >
    > "Andrew Stanford" wrote:
    >
    >> Hi,
    >>
    >> Finally... SUCCESS. I have managed to synchronize a Group from AD to my
    >> ADAM
    >> instance. I even got my code to authenticate against.
    >>
    >> So, just continuing on with my investigation of this technology... I
    >> changed
    >> a password in AD then tried to run the adamsync again to get the new
    >> password
    >> down into ADAM. The following is a dump from the command prompt;
    >>
    >> C:\WINDOWS\ADAM>adamsync /sync localhost:389
    >> dc=btweb,dc=bakertilly,dc=net,dc=ad
    >> am /log -
    >> Adamsync.exe v1.0 (5.2.3790.1939)
    >> Establishing connection to target server localhost:389.
    >> Saving Configuration File on DC=btweb,DC=bakertilly,DC=net,DC=adam
    >> Saved configuration file.
    >> ADAMSync is querying for a writeable replica of btweb.bakertilly.net.
    >> Establishing connection to source server btdccy.btweb.bakertilly.net:389.
    >> Using file .?dam3A.tmp as a store for deferred dn-references.
    >> Populating the schema cache
    >> Populating the well known objects cache
    >> Starting synchronization run from DC=btweb,DC=bakertilly,DC=net.
    >> Starting DirSync Search with object mode security.
    >>
    >> Processing Entry: Page 1, Frame 1, Entry 0, Count 0, USN 0
    >> Processing source entry <guid=832ea0dc80bedc46bc5b759afe29e969>
    >> Processing in-scope entry 832ea0dc80bedc46bc5b759afe29e969.
    >> Modifying target object CN=Harding-Rolls
    >> Simon,OU=BT,OU=ITF,DC=btweb,DC=bakertil
    >> ly,DC=net.
    >> Modifying attributes: dBCSPwd, lockoutTime, lastagedchange,
    >> Ldap error occured. ldap_modify_sW: Constraint Violation.
    >> Extended Info: 00000057: AtrErr: DSID-030F0BB6, #1:
    >> 0: 00000057: DSID-030F0BB6, problem 1005 (CONSTRAINT_ATT_TYPE),
    >> data
    >> 0,
    >> Att 90296 (lockoutTime)
    >> .
    >> Saving Configuration File on DC=btweb,DC=bakertilly,DC=net,DC=adam
    >> Saved configuration file.
    >>
    >> Any ideas on this one.
    >> --
    >> Regards,
    >> Andrew Stanford
    >>
    >>
    >> "Lee Flight" wrote:
    >>
    >> > Hi
    >> >
    >> > sorry, I had not picked up that you want to sync from an Exchange-extended
    >> > AD schema. Using ADSchemaAnalyzer is the way to go, if you can get
    >> > the schema in sync then you do not need to fiddle with exclude attrs.
    >> > More below....
    >> >
    >> > "Andrew Stanford" <> wrote in
    >> > message news:...
    >> >
    >> > > I didn't think there would be this many problems with the schema as I
    >> > > have
    >> > > loaded MS-AdamSchemaW2K3.LDF & MS-AdamSyncMetadata.LDF into ADAM
    >> > >
    >> > > I then run the ADSchemaAnalyzer loading the ADAM instance as the
    >> > > "target
    >> > > schema" and the AD server as the "Base schema". I then check the
    >> > > "Mark
    >> > > non-present elements as included" menu option and then "Create LDIF
    >> > > File...".
    >> > >
    >> > > I load the resulting LDIF file into my ADAM instance. Shouldn't the
    >> > > ADAM &
    >> > > AD schemas be the same at this point? Is there an easier way to
    >> > > figure out
    >> > > the required "exclude" tags?
    >> >
    >> > What works for me is:
    >> >
    >> > Install an ADAM instance and create the naming context that you want
    >> > in it,
    >> > do not apply any LDIFs
    >> >
    >> > Run ADSchemaAnalyzer load the exchange extended schema from the DC
    >> > as the *target*, load the (minimal) ADAM schema as the base. Then
    >> > check
    >> > the "Mark all non-present elements as included" menu option and then
    >> > "Create LDIF File...". The resulting LDIF is around 3MB (2091 entries)
    >> >
    >> > Load the LDIF just created into the ADAM Schema
    >> >
    >> > Load MS-AdamSyncMetadata.LDF into the ADAM schema
    >> >
    >> > Create the ADAMSync XML file and assuming that it is only user objects
    >> > that
    >> > you want, use
    >> >
    >> >
    >> > <object-filter>(&(objectCategory=Person)(objectClass=User))</object-filter>
    >> >
    >> > then ADAMSync /install and ADAMSync /sync as usual.
    >> >
    >> > HTH
    >> > Lee Flight
    >> >
    >> >
     
    Lee Flight, Jul 18, 2005
    #15
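Two things recur in the posts above: the group-membership object-filter Lee suggests (post #9, and again quoted in #10), and the cycle of running adamsync, reading which attribute it choked on, and adding one more <exclude> (posts #10, #12 and #14/#15, where lockoutTime is the latest). The Python below is an added example, not code from the thread, from ADAMSync or from Microsoft. It builds the member-of filter with the escaping an LDAP filter value needs (a group DN containing parentheses would otherwise break the filter) and with the XML escaping config.xml needs for the leading "&", and it mines an adamsync log for the attribute names in the "Unable to find object (ldapDisplayName=...)" and "problem 1005 (CONSTRAINT_ATT_TYPE) ... Att N (name)" messages so you can emit the matching <exclude> elements in one go instead of one per run. The sample log is constructed from the output pasted in the thread; the element names <object-filter> and <exclude> are the ones the thread uses, and where they sit inside your config.xml is taken from your own template, not from this script.

```python
import re
from xml.sax.saxutils import escape as xml_escape

# RFC 4515 escaping for a value used inside an LDAP search filter.  A group DN
# such as CN=Ops (UK),OU=Groups,DC=a,DC=b contains parentheses that would
# otherwise terminate the (memberOf=...) assertion early.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def group_member_filter(group_dn: str) -> str:
    """The filter from the thread: user objects that are direct members of group_dn.
    memberOf only sees direct membership; nested groups are not expanded."""
    return ("(&(objectCategory=person)(objectClass=User)"
            f"(memberOf={ldap_filter_escape(group_dn)}))")


def object_filter_element(ldap_filter: str) -> str:
    """<object-filter> for config.xml: the '&' of an AND filter must be &amp; in XML."""
    return f"<object-filter>{xml_escape(ldap_filter)}</object-filter>"


# Two adamsync.exe messages quoted in the thread that each name one offending attribute.
_MISSING_IN_TARGET = re.compile(
    r"Unable to find object \(ldapDisplayName=([A-Za-z0-9-]+)\) in the target schema")
_CONSTRAINT_VIOLATION = re.compile(
    r"problem 1005 \(CONSTRAINT_ATT_TYPE\).*?Att \d+ \(([A-Za-z0-9-]+)\)", re.S)


def candidate_excludes(log_text: str, already_excluded=()) -> list:
    """Attribute names the log blames, in order of first appearance, minus any
    already present in the config (ldapDisplayName comparison is case-insensitive)."""
    hits = [(m.start(), m.group(1))
            for pat in (_MISSING_IN_TARGET, _CONSTRAINT_VIOLATION)
            for m in pat.finditer(log_text)]
    seen = {name.lower() for name in already_excluded}
    result = []
    for _, name in sorted(hits):
        if name.lower() not in seen:
            seen.add(name.lower())
            result.append(name)
    return result


def exclude_elements(names) -> list:
    return [f"<exclude>{xml_escape(n)}</exclude>" for n in names]


# Constructed sample: lines assembled from the adamsync output pasted in the thread.
SAMPLE_LOG = """\
Updating the configuration file DirSync cookie with a new value.
Unable to find object (ldapDisplayName=msExchADCGlobalNames) in the target schema.
Equivalent object in the source schema is <GUID=f62ad3546aacb340a3bacef25e2da01d>.
Unable to find object (ldapDisplayName=replicatedObjectVersion) in the target schema.
Unable to find object (ldapDisplayName=replicationSignature) in the target schema.
Ldap error occured. ldap_modify_sW: Constraint Violation.
Extended Info: 00000057: AtrErr: DSID-030F0BB6, #1:
        0: 00000057: DSID-030F0BB6, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90296 (lockoutTime)
"""

if __name__ == "__main__":
    flt = group_member_filter("CN=AppUsers,OU=Groups,DC=a,DC=b")
    print(object_filter_element(flt))
    # replicationSignature is assumed to be in the config already from an earlier run
    for line in exclude_elements(candidate_excludes(SAMPLE_LOG, ["replicationSignature"])):
        print(line)
```

Run it against `adamsync /sync ... /log -` output redirected to a file, paste the printed elements into your config.xml, and re-run `adamsync /install` before the next `/sync`, as Lee describes. Excluding an attribute is a workaround, not a fix: an attribute that is missing from the target schema is a sign the ADSchemaAnalyzer pass did not cover it, and lockoutTime being excluded means lockout state from AD never reaches ADAM.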
  16. Sorry... missed a word there. I got my code to authenticate against ADAM.
    However, it only seems to work when the ADAM server is connected to the
    network.

    The idea is that we have an application, which will be taken out of the
    office. Not an unusual idea presented like that, but we are taking a server
    and a team of users out of the office. So a team will have a 2003 server
    running an ASP.NET application. The team will access this using forms based
    security, which will hopefully be able to authenticate them against the ADAM
    instance. A requirement is that they access the application using the
    credentials that they use when in the office.

    So we are looking at populating an ADAM instance while they are still in the
    office, then using this for authentication while they are away.

    We have discovered that the authentication code does seem to need to be
    connected to the network containing the AD, otherwise it fails. Is it
    possible to authenticate against ADAM while the ADAM instance is not
    connected to the AD network?
    --
    Regards,
    Andrew Stanford


    "Lee Flight" wrote:

    > Hi
    >
    > I think the problem with lockoutTime may be a bug. I will chase
    > it up. As a workaround add lockoutTime as an <exclude> attribute
    > in your XML configuration file and reapply the install.
    >
    > I'm confused by the statement "got my code to authenticate against"
    > as ADAMSync cannot synch. passwords between AD and ADAM.
    > If what you are saying is that you used a windows account from the
    > domain that the ADAM server is a member of and authenticated OK
    > then that's fine.
    >
    > Thanks
    > Lee Flight
    >
    > "Andrew Stanford" <> wrote in
    > message news:...
    > > Hi,
    > >
    > > Finally... SUCCESS. I have managed to synchronize a Group from AD to my
    > > ADAM
    > > instance. I even got my code to authenticate against.
    > >
    > > So, just continuing on with my investigation of this technology... I
    > > changed
    > > a password in AD then tried to run the adamsync again to get the new
    > > password
    > > down into ADAM. The following is a dump from the command prompt;
    > >
    > > C:\WINDOWS\ADAM>adamsync /sync localhost:389
    > > dc=btweb,dc=bakertilly,dc=net,dc=ad
    > > am /log -
    > > Adamsync.exe v1.0 (5.2.3790.1939)
    > > Establishing connection to target server localhost:389.
    > > Saving Configuration File on DC=btweb,DC=bakertilly,DC=net,DC=adam
    > > Saved configuration file.
    > > ADAMSync is querying for a writeable replica of btweb.bakertilly.net.
    > > Establishing connection to source server btdccy.btweb.bakertilly.net:389.
    > > Using file .?dam3A.tmp as a store for deferred dn-references.
    > > Populating the schema cache
    > > Populating the well known objects cache
    > > Starting synchronization run from DC=btweb,DC=bakertilly,DC=net.
    > > Starting DirSync Search with object mode security.
    > >
    > > Processing Entry: Page 1, Frame 1, Entry 0, Count 0, USN 0
    > > Processing source entry <guid=832ea0dc80bedc46bc5b759afe29e969>
    > > Processing in-scope entry 832ea0dc80bedc46bc5b759afe29e969.
    > > Modifying target object CN=Harding-Rolls
    > > Simon,OU=BT,OU=ITF,DC=btweb,DC=bakertil
    > > ly,DC=net.
    > > Modifying attributes: dBCSPwd, lockoutTime, lastagedchange,
    > > Ldap error occured. ldap_modify_sW: Constraint Violation.
    > > Extended Info: 00000057: AtrErr: DSID-030F0BB6, #1:
    > > 0: 00000057: DSID-030F0BB6, problem 1005 (CONSTRAINT_ATT_TYPE),
    > > data
    > > 0,
    > > Att 90296 (lockoutTime)
    > > .
    > > Saving Configuration File on DC=btweb,DC=bakertilly,DC=net,DC=adam
    > > Saved configuration file.
    > >
    > > Any ideas on this one.
    > > --
    > > Regards,
    > > Andrew Stanford
    > >
    > >
    > > "Lee Flight" wrote:
    > >
    > >> Hi
    > >>
    > >> sorry, I had not picked up that you want to sync from an Exchange-extended
    > >> AD schema. Using ADSchemaAnalyzer is the way to go, if you can get
    > >> the schema in sync then you do not need to fiddle with exclude attrs.
    > >> More below....
    > >>
    > >> "Andrew Stanford" <> wrote in
    > >> message news:...
    > >>
    > >> > I didn't think there would be this many problems with the schema as I
    > >> > have
    > >> > loaded MS-AdamSchemaW2K3.LDF & MS-AdamSyncMetadata.LDF into ADAM
    > >> >
    > >> > I then run the ADSchemaAnalyzer loading the ADAM instance as the
    > >> > "target
    > >> > schema" and the AD server as the "Base schema". I then check the "Mark
    > >> > non-present elements as included" menu option and then "Create LDIF
    > >> > File...".
    > >> >
    > >> > I load the resulting LDIF file into my ADAM instance. Shouldn't the
    > >> > ADAM &
    > >> > AD schemas be the same at this point? Is there an easier way to figure
    > >> > out
    > >> > the required "exclude" tags?
    > >>
    > >> What works for me is:
    > >>
    > >> Install an ADAM instance and create the naming context that you want in
    > >> it,
    > >> do not apply any LDIFs
    > >>
    > >> Run ADSchemaAnalyzer load the exchange extended schema from the DC
    > >> as the *target*, load the (minimal) ADAM schema as the base. Then check
    > >> the "Mark all non-present elements as included" menu option and then
    > >> "Create LDIF File...". The resulting LDIF is around 3MB (2091 entries)
    > >>
    > >> Load the LDIF just created into the ADAM Schema
    > >>
    > >> Load MS-AdamSyncMetadata.LDF into the ADAM schema
    > >>
    > >> Create the ADAMSync XML file and assuming that it is only user objects
    > >> that
    > >> you want, use
    > >>
    > >>
    > >> <object-filter>(&(objectCategory=Person)(objectClass=User))</object-filter>
    > >> ADAMSync /install and the ADAMSync /sync as usual.
    > >>
    > >> HTH
    > >> Lee Flight
    > >>
    > >>

    >
    >
    >
     
    Andrew Stanford, Jul 19, 2005
    #16
  17. Andrew Stanford

    Lee Flight Guest

    Hi

    Take a look at the ADAM Technical Reference

    http://www.microsoft.com/technet/pr...Ref/7cfc8997-bab2-4770-aff2-be424fd03cda.mspx

    and search for the section on

    Authentication in ADAM

    to see the options for authentication. When you authenticate using a
    domain account to an ADAM instance on an AD domain member
    server, ADAM punts the authentication request to AD; ADAM is
    not a "caching" DC. As you will see from the link above, the options
    for local authentication are using Windows accounts in the server
    SAM or creating native ADAM users; for the latter, if you need
    password synchronization with the domain accounts you will need
    a password synchronization tool, which is likely to be more heavyweight
    than you would want to consider.

    Maybe before exploring any more it might be a good idea to write up
    your requirement, much as your 2nd and 3rd paragraph below, and post
    it to the adsi.general newsgroup, as although forms auth against an instance
    will work there are other considerations, outside my expertise (e.g. the lack
    of impersonation for ADAM principals), that might dictate your way
    forward.

    HTH
    Lee Flight

    "Andrew Stanford" <> wrote in
    message news:...
    > Sorry... missed a word there. I got my code to authenticate against ADAM.
    > However, it only seems to work when the ADAM server is connected to the
    > network.
    >
    > The idea is that we have an application, which will be taken out of the
    > office. Not an unusual idea presented like that, but we are taking a
    > server
    > and a team of users out of the office. So a team will have a 2003 server
    > running a ASP.net application. The team will access this using forms based
    > security, which will hopefully be able to authenticate them against the
    > ADAM
    > instance. A requirement is that they access the application using the
    > credentials that they use when in the office.
    >
    > So we are looking at populating an ADAM instance while they are still in
    > the
    > office, then using this for authentication while they are away.
    >
    > We have discovered that the authentication code does seem to need to be
    > connected to the network containing the AD, otherwise it fails. Is it
    > possible to authenticate against ADAM while the ADAM instance is not
    > connected to the AD network?
    > --
    > Regards,
    > Andrew Stanford
    >
    >
    > "Lee Flight" wrote:
    >
    >> Hi
    >>
    >> I think the problem with lockoutTime may be a bug. I will chase
    >> it up. As a workaround add lockoutTime as an <exclude> attribute
    >> in your XML configuration file and reapply the install.
    >>
    >> I'm confused by the statement "got my code to authenticate against"
    >> as ADAMSync cannot synch. passwords between AD and ADAM.
    >> If what you are saying is that you used a windows account from the
    >> domain that the ADAM server is a member of and authenticated OK
    >> then that's fine.
    >>
    >> Thanks
    >> Lee Flight
    >>
    >> "Andrew Stanford" <> wrote in
    >> message news:...
    >> > Hi,
    >> >
    >> > Finally... SUCCESS. I have managed to syncronize a Group from AD to my
    >> > ADAM
    >> > instance. I even got my code to authenticate against.
    >> >
    >> > So, just continuing on with my investigation of this technology... I
    >> > changed
    >> > a password in AD then tried to run the adamsync again to get the new
    >> > password
    >> > down into ADAM. The following is a dump from the command prompt;
    >> >
    >> > C:\WINDOWS\ADAM>adamsync /sync localhost:389
    >> > dc=btweb,dc=bakertilly,dc=net,dc=ad
    >> > am /log -
    >> > Adamsync.exe v1.0 (5.2.3790.1939)
    >> > Establishing connection to target server localhost:389.
    >> > Saving Configuration File on DC=btweb,DC=bakertilly,DC=net,DC=adam
    >> > Saved configuration file.
    >> > ADAMSync is querying for a writeable replica of btweb.bakertilly.net.
    >> > Establishing connection to source server
    >> > btdccy.btweb.bakertilly.net:389.
    >> > Using file .?dam3A.tmp as a store for deferred dn-references.
    >> > Populating the schema cache
    >> > Populating the well known objects cache
    >> > Starting synchronization run from DC=btweb,DC=bakertilly,DC=net.
    >> > Starting DirSync Search with object mode security.
    >> >
    >> > Processing Entry: Page 1, Frame 1, Entry 0, Count 0, USN 0
    >> > Processing source entry <guid=832ea0dc80bedc46bc5b759afe29e969>
    >> > Processing in-scope entry 832ea0dc80bedc46bc5b759afe29e969.
    >> > Modifying target object CN=Harding-Rolls
    >> > Simon,OU=BT,OU=ITF,DC=btweb,DC=bakertil
    >> > ly,DC=net.
    >> > Modifying attributes: dBCSPwd, lockoutTime, lastagedchange,
    >> > Ldap error occured. ldap_modify_sW: Constraint Violation.
    >> > Extended Info: 00000057: AtrErr: DSID-030F0BB6, #1:
    >> > 0: 00000057: DSID-030F0BB6, problem 1005 (CONSTRAINT_ATT_TYPE),
    >> > data
    >> > 0,
    >> > Att 90296 (lockoutTime)
    >> > .
    >> > Saving Configuration File on DC=btweb,DC=bakertilly,DC=net,DC=adam
    >> > Saved configuration file.
    >> >
    >> > Any ideas on this one.
    >> > --
    >> > Regards,
    >> > Andrew Stanford
    >> >
    >> >
    >> > "Lee Flight" wrote:
    >> >
    >> >> Hi
    >> >>
    >> >> sorry I had not picked up you want to sync from an Exchange extended
    >> >> AD schema. Using ADSchemaAnalyzer is the way to go, if you can get
    >> >> the schema in sync then you do not need to fiddle with exclude attrs.
    >> >> More below....
    >> >>
    >> >> "Andrew Stanford" <> wrote in
    >> >> message news:...
    >> >>
    >> >> > I didn't think there would be this many problems with the schema as
    >> >> > I
    >> >> > have
    >> >> > loaded MS-AdamSchemaW2K3.LDF & MS-AdamSyncMetadata.LDF into ADAM
    >> >> >
    >> >> > I then run the ADSchemaAnalyzer loading the ADAM instance as the
    >> >> > "target
    >> >> > schema" and the AD server as the "Base schema". I then check the
    >> >> > "Mark
    >> >> > non-present elements as included" menu option and then "Create LDIF
    >> >> > File...".
    >> >> >
    >> >> > I load the resulting LDIF file into my ADAM instance. Shouldn't the
    >> >> > ADAM &
    >> >> > AD schemas be the same at this point? Is there an easier way to
    >> >> > figure
    >> >> > out
    >> >> > the required "exclude" tags?
    >> >>
    >> >> What works for me is:
    >> >>
    >> >> Install an ADAM instance and create the naming context that you want
    >> >> in
    >> >> it,
    >> >> do not apply any LDIFs
    >> >>
    >> >> Run ADSchemaAnalyzer load the exchange extended schema from the DC
    >> >> as the *target*, load the (minimal) ADAM schema as the base. Then
    >> >> check
    >> >> the "Mark all non-present elements as included" menu option and then
    >> >> "Create LDIF File...". The resulting LDIF is around 3MB (2091
    >> >> entries)
    >> >>
    >> >> Load the LDIF just created into the ADAM Schema
    >> >>
    >> >> Load MS-AdamSyncMetadata.LDF into the ADAM schema
    >> >>
    >> >> Create the ADAMSync XML file and assuming that it is only user
    >> >> objects
    >> >> that
    >> >> you want, use
    >> >>
    >> >>
    >> >> <object-filter>(&(objectCategory=Person)(objectClass=User))</object-filter>
    >> >> ADAMSync /install and the ADAMSync /sync as usual.
    >> >>
    >> >> HTH
    >> >> Lee Flight
    >> >>
    >> >>

    >>
    >>
    >>
     
    Lee Flight, Jul 19, 2005
    #17
  18. Hi,


    Thanks for the link. It does clarify things. What I get is that any accounts
    brought into ADAM using ADAMSYNC are flagged inside the ADAM instance
    somewhere as Windows Principals. So if I want to do local authentication I
    need ADAM native accounts.

    You mentioned password synchronization... we have also been looking at
    Identity Integration Server as an alternative to ADAMSYNC to populate ADAM. I
    see that this isn't going to help us as the accounts are likely to be flagged
    as Windows Principals, but I guess what you might be saying is that it may be
    possible for us to populate ADAM with just the usernames from AD using ADSI,
    then use MIIS to sync the passwords.

    I will check out the ADSI.General newsgroup.

    --
    Regards,
    Andrew Stanford


    "Lee Flight" wrote:

    > Hi
    >
    > Take a look at the ADAM Technical Reference
    >
    > http://www.microsoft.com/technet/pr...Ref/7cfc8997-bab2-4770-aff2-be424fd03cda.mspx
    >
    > and search for the section on
    >
    > Authentication in ADAM
    >
    > to see the options for authentication. When you authenticate using a
    > domain account to an ADAM instance on an AD domain member
    > server ADAM punts the authentication request to AD; ADAM is
    > not a "caching" DC. As you will see from the link above options
    > for local authentication are using Windows accounts in the server
    > SAM or creating native ADAM users, for the latter if you need
    > password synchronization with the domain accounts you will need
    > a password synchronization tool which is likely to be more heavyweight
    > than you would want to consider.
    >
    > Maybe before exploring any more it might be a good idea to write up
    > your requirement, much as your 2nd and 3rd paragraph below, and post
    > adsi.general newsgroup as although forms auth against an instance will
    > work there are other considerations, outside my expertise (e.g. the lack
    > of impersonation for ADAM principals) that might dictate your way
    > forward.
    >
    > HTH
    > Lee Flight
     
    Andrew Stanford, Jul 19, 2005
    #18
  19. Andrew Stanford

    Lee Flight Guest

    Hi

    inline below...

    "Andrew Stanford" <> wrote in
    message news:...

    > Thanks for the link. It does clarify things. What I get is that any
    > accounts
    > bought into ADAM using ADAMSYNC are flagged inside the ADAM instance
    > somewhere as Windows Principals.


    User objects in AD pulled by ADAMSync will get instantiated as native
    ADAM user objects (as defined by the user classSchema object that you
    imported into your ADAM schema). In fact, in the R2 version you could
    map them to userProxy objects, but that is not the default. So you should
    have a native ADAM user for each AD user, i.e. an ADAM user object
    whose attributes have been sync'ed from AD but which will need
    passwords setting if you want to authenticate against them. Of course
    you might not want to authenticate against them; you might just want them
    as a catalog of your AD users, although I'm not clear whether you even
    need that information; it depends on your application's requirement.

    > So if I want to do local authentication I
    > need ADAM native accounts.


    or Windows users local to the ADAM server

    > You mentioned password synchronization... we have been also looking at
    > Identity Integration Server as an alternative to ADAMSYNC to populate
    > ADAM. I
    > see that this isn't going to help us as the accounts are likely to be
    > flagged
    > as Windows Principals,


    They will not be Windows Principals, see above. Windows Principals
    are domain accounts defined in your AD, your ADAMSync'ed objects
    are shadows of the domain accounts - ADAM user objects that have
    some attributes that are the same as the domain accounts, think of
    the ADAM objects as a catalog of the AD objects.

    > but I guess what you might be saying is that it may be
    > possible for us to populate ADAM with just the usernames from AD using
    > ADSI,
    > then use MIIS to sync the passwords.


    If you use MIIS/IIFP then it will sync the objects, but with greater
    flexibility than ADAMSync; the MIIS/IIFP password synch mechanism is based
    on intercepting the password when a password is *changed* in AD, as existing
    passwords cannot be extracted from AD.

    Lee Flight
     
    Lee Flight, Jul 19, 2005
    #19
  20. Hi,

    Thanks again for all your help. Sorry if I am not quite getting this right.

    It sounds like you are saying that the passwords are not brought down by
    adamsync (or MIIS) and I need to use some product to sync the passwords
    separately, but MIIS won't do the trick as it only synchronizes changes as
    they happen.

    If ADAMSync is bringing accounts into ADAM as native accounts... reading the
    technical doc it seems that normally they will do a simple LDAP bind to
    ADAM and have no need to access AD or local windows accounts. It only seems
    to need this if ADAM recognises it as a windows principal. I wonder,
    when is an account considered a Windows principal?

    I am trying to authenticate using the .NET code:
    DirectoryEntry de = new DirectoryEntry(Domain, User, Pass)

    ...and as ADAM doesn't have the password, is it then passing it to AD to
    authenticate?

    --
    Regards,
    Andrew Stanford


    "Lee Flight" wrote:

    > Hi
    >
    > inline below...
    >
    > "Andrew Stanford" <> wrote in
    > message news:...
    >
    > > Thanks for the link. It does clarify things. What I get is that any
    > > accounts
    > > bought into ADAM using ADAMSYNC are flagged inside the ADAM instance
    > > somewhere as Windows Principals.

    >
    > User objects in AD pulled by ADAMSync will get instantiated as native
    > ADAM user objects (as defined by the user classSchema object that you
    > imported into your ADAM schema). In fact, in the R2 version you could
    > map them to userProxy objects but that is not the default. So you should
    > have a native ADAM user for each AD users i.e. an ADAM user object
    > whose attributes have been sync'ed from AD but which will need
    > passwords setting if you want to authenticate against them. Of course
    > you might not want to authenticate against them you might just want them
    > as a catalog of your AD users, although I'm not clear whether you even
    > need that information depends on your application's requirement.
    >
    > > So if I want to do local authentication I
    > > need ADAM native accounts.

    >
    > or Windows users local to the ADAM server
    >
    > > You mentioned password synchronization... we have been also looking at
    > > Identity Integration Server as an alternative to ADAMSYNC to populate
    > > ADAM. I
    > > see that this isn't going to help us as the accounts are likely to be
    > > flagged
    > > as Windows Principals,

    >
    > They will not be Windows Principals, see above. Windows Principals
    > are domain accounts defined in your AD, your ADAMSync'ed objects
    > are shadows of the domain accounts - ADAM user objects that have
    > some attributes that are the same as the domain accounts, think of
    > the ADAM objects as a catalog of the AD objects.
    >
    > > but I guess what you might be saying is that it may be
    > > possible for us to populate ADAM with just the usernames from AD using
    > > ADSI,
    > > then use MIIS to sync the passwords.

    >
    > If you use MIIS/IIFP then it will sync the objects but with greater
    > flexibility
    > than ADAMSync; the MIIS/IIFP password synch mechanism is based
    > on intercepting password when a password is *changed* in AD as existing
    > passwords cannot be extracted from AD.
    >
    > Lee Flight
    >
    >
    >
     
    Andrew Stanford, Jul 20, 2005
    #20
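The two bind paths Lee describes in #17 and #19, and the DirectoryEntry bind Andrew asks about in #20, written out as an added example for this page (not code from the thread, from Microsoft, or from ADAMSync). It assumes System.DirectoryServices on .NET, a placeholder ADAM host name, and that the native ADAM user has already had a password set; the partition DN is the one from the thread.

```csharp
// Added example (not code from this thread). It shows the two bind paths
// Lee describes: a domain account, which ADAM forwards to AD, and a native
// ADAM user, which ADAM verifies itself. Host name and account names are
// constructed placeholders; the partition DN is the one from the thread.
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

static class AdamBind
{
    const string AdamHost = "adamserver.example.test";   // placeholder host
    const string Partition = "dc=btweb,dc=bakertilly,dc=net,dc=adam";

    // Path 1: Windows principal. ADAM holds no password for a domain account,
    // so it hands the credentials to a DC; with no DC reachable this fails.
    public static bool BindAsWindowsPrincipal(string domainUser, string password)
    {
        return TryBind("LDAP://" + AdamHost + ":389/" + Partition,
                       domainUser, password, AuthenticationTypes.Secure);
    }

    // Path 2: native ADAM user (for example an object ADAMSync created, once a
    // password has been set on it). This is a simple LDAP bind that ADAM checks
    // locally, so it keeps working off the AD network. A simple bind carries
    // the password in the clear, hence the SSL port.
    public static bool BindAsAdamUser(string userDn, string password)
    {
        return TryBind("LDAP://" + AdamHost + ":636/" + Partition,
                       userDn, password, AuthenticationTypes.SecureSocketsLayer);
    }

    // Give an ADAMSync-created user a password so path 2 can work. Run this
    // while still on the office network: the administrator here is a domain
    // account, so its own bind is path 1. ADAM expects the SSL channel for
    // password operations by default.
    public static void SetAdamUserPassword(string userDn, string adminUser,
                                           string adminPassword, string newPassword)
    {
        using (DirectoryEntry user = new DirectoryEntry(
                   "LDAP://" + AdamHost + ":636/" + userDn, adminUser, adminPassword,
                   AuthenticationTypes.Secure | AuthenticationTypes.SecureSocketsLayer))
        {
            user.Invoke("SetPassword", new object[] { newPassword });  // IADsUser::SetPassword
        }
    }

    // DirectoryEntry binds lazily; reading a property forces the real bind.
    static bool TryBind(string path, string user, string password,
                        AuthenticationTypes authType)
    {
        try
        {
            using (DirectoryEntry entry = new DirectoryEntry(path, user, password, authType))
            {
                return entry.NativeGuid != null;
            }
        }
        catch (COMException ex)   // bad credentials, or (path 1) no DC reachable
        {
            Console.Error.WriteLine("Bind as {0} failed: 0x{1:X8} {2}",
                                    user, ex.ErrorCode, ex.Message);
            return false;
        }
    }

    // Usage: AdamBind DOMAIN\user CN=someone,OU=...,dc=btweb,dc=bakertilly,dc=net,dc=adam
    // Passwords are read from the console so they do not land in command history.
    static void Main(string[] args)
    {
        if (args.Length != 2) { Console.WriteLine("usage: AdamBind <domain\\user> <ADAM user DN>"); return; }
        Console.Write("domain password: ");    string domainPass = Console.ReadLine();
        Console.Write("ADAM user password: "); string adamPass = Console.ReadLine();
        Console.WriteLine("domain bind (needs a DC): " + BindAsWindowsPrincipal(args[0], domainPass));
        Console.WriteLine("ADAM user bind (local):   " + BindAsAdamUser(args[1], adamPass));
    }
}
```

Run it once on the office network and once with the DC unreachable: the first bind fails in the second run, the second still succeeds, which is the behaviour Andrew observed and Lee explains.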