07-14-2010, 12:25 PM
"--[ UxBoD ]--"

Windows Replication Agreement Help

Hi,

We are setting up a new Windows 2K3 AD server and attempting to synchronise the users from our LDAP server version 8.1.0.

Performing the full sync fails after about 30 seconds with a message in the error log:

[14/Jul/2010:07:46:10 -0400] - add value "^V" to attribute type "ARecord" in entry "DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com" failed: duplicate new value
[14/Jul/2010:07:46:10 -0400] - add value "null or non-ASCII" to attribute type "dnsproperty" in entry "DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com" failed: duplicate new value

and none of the users or groups are sent to AD. I am guessing it may be how our LDAP server schema is set up as we use something like:

dc=domain,dc=com
|_ o=Internal
|___o=a0000
|____ou=Desktops
|_____uid=fred

We have set the Windows subtree to be dc=domain,dc=com and the replication subtree to be dc=domain,dc=com with a DS subtree of o=Internal,dc=domain,dc=com.

Our understanding was that within AD Users & Groups GUI we should have seen a similar schema created.

Though for some reason the replication is traversing the whole of the internal AD tree. Should we create a new Organisational Unit within AD called, for argument's sake, clients and set the Windows subtree to be ou=clients,dc=domain,dc=com so that it forces it to that branch?
--
Thanks, Phil
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
07-14-2010, 09:40 PM
Rich Megginson

Windows Replication Agreement Help

--[ UxBoD ]-- wrote:
> Though for some reason the replication is traversing the whole of the internal AD tree.
Because you set the AD subtree to be dc=domain,dc=com ?
> Should we create a new Organisational Unit within AD called, for argument's sake, clients and set the Windows subtree to be ou=clients,dc=domain,dc=com so that it forces it to that branch?
>
I think that's the way it was designed. Usually AD trees have a
CN=Users,DC=domain,DC=com where all of the user entries live, and
winsync is designed to work with that sort of structure.
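
An added example, not part of the thread and not 389 DS code: a script that reads error-log lines in the format quoted above and lists the entries a sync touched outside a chosen Windows subtree. The third sample log line and all function names are constructed for illustration.

```python
import re

# Constructed sample input: the two error-log lines quoted in the thread
# (forum-inserted spaces removed) plus one invented line for a user entry.
SAMPLE_LOG = '''\
[14/Jul/2010:07:46:10 -0400] - add value "^V" to attribute type "ARecord" in entry "DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com" failed: duplicate new value
[14/Jul/2010:07:46:10 -0400] - add value "null or non-ASCII" to attribute type "dnsproperty" in entry "DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com" failed: duplicate new value
[14/Jul/2010:07:46:11 -0400] - add value "x" to attribute type "description" in entry "CN=Fred Bloggs,CN=Users,DC=domain,DC=com" failed: duplicate new value
'''

# Matches the 'add value ... in entry "<DN>" failed' lines shown in the thread.
ENTRY_RE = re.compile(r'attribute type "([^"]+)" in entry "([^"]+)" failed')


def split_dn(dn):
    """Split a DN into normalised RDNs, honouring backslash-escaped commas.

    Simplified for scope checks: lower-cases and trims each RDN. It is not a
    full RFC 4514 parser (no multi-valued RDNs, no hex escapes).
    """
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        if attr.strip():
            out.append(attr.strip().lower() + "=" + value.strip().lower())
    return out


def is_under(dn, base):
    """True if dn equals base or sits below it, compared RDN by RDN."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def touched_entries(log_text):
    """Return the distinct entry DNs (normalised, in log order) named in the log."""
    seen = []
    for line in log_text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            dn = ",".join(split_dn(m.group(2)))
            if dn not in seen:
                seen.append(dn)
    return seen


def outside_subtree(log_text, windows_subtree):
    """Entries the sync touched that are not under the given Windows subtree."""
    return [dn for dn in touched_entries(log_text)
            if not is_under(dn, windows_subtree)]


if __name__ == "__main__":
    # Compare the subtree used in the thread with the usual user container.
    for subtree in ("dc=domain,dc=com", "cn=Users,dc=domain,dc=com"):
        stray = outside_subtree(SAMPLE_LOG, subtree)
        print(f"Windows subtree {subtree}: {len(stray)} entries outside scope")
        for dn in stray:
            print("   ", dn)
```

With the Windows subtree set to the domain root, the MicrosoftDNS entries under CN=System count as in scope, so nothing is flagged; narrowing the subtree to the user container makes them show up as stray.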
 
07-19-2010, 08:15 AM
"John A. Sullivan III"

Windows Replication Agreement Help

On Wed, 2010-07-14 at 15:40 -0600, Rich Megginson wrote:
> I think that's the way it was designed. Usually AD trees have a
> CN=Users,DC=domain,DC=com where all of the user entries live, and
> winsync is designed to work with that sort of structure.
<snip>
Hmm . . . we've rooted AD in dc=myad,dc=domain,dc=com and synchronized
at cn=users,dc=myad,dc=domain,dc=com but still have the exact same
problem

 
07-19-2010, 08:26 AM
"John A. Sullivan III"

Windows Replication Agreement Help

On Mon, 2010-07-19 at 04:15 -0400, John A. Sullivan III wrote:
> Hmm . . . we've rooted AD in dc=myad,dc=domain,dc=com and synchronized
> at cn=users,dc=myad,dc=domain,dc=com but still have the exact same
> problem
<snip>
I also tried creating an ou in AD, e.g.,
ou=LDAPUSers,dc=myad,dc=domain,dc=com in case it did not like building
Organizations under CNs but that also failed - John


 
07-19-2010, 09:47 AM
"John A. Sullivan III"

Windows Replication Agreement Help

On Mon, 2010-07-19 at 04:26 -0400, John A. Sullivan III wrote:
> I also tried creating an ou in AD, e.g.,
> ou=LDAPUSers,dc=myad,dc=domain,dc=com in case it did not like building
> Organizations under CNs but that also failed - John
<snip>
Hmm . . . more inconsistent behavior. I thought it might be a schema
violation to put an O under a CN or O. I tried creating it under DC;
that did not work. I tried synching an OU instead of an O. That
appeared to work but only transferred one of five users. I wonder if it
is a 64 bit problem. The system where it is working is a 32 bit version
of Windows

 
07-19-2010, 01:01 PM
Rich Megginson

Windows Replication Agreement Help

John A. Sullivan III wrote:
> I also tried creating an ou in AD, e.g.,
> ou=LDAPUSers,dc=myad,dc=domain,dc=com in case it did not like building
> Organizations under CNs but that also failed - John
>
Not sure what you mean by "building Organizations" - but it shouldn't
matter if it is under a CN or not.
 
07-19-2010, 01:03 PM
Rich Megginson

Windows Replication Agreement Help

John A. Sullivan III wrote:
> Hmm . . . more inconsistent behavior. I thought it might be a schema
> violation to put an O under a CN or O.
No. Maybe some sort of naming violation, not a schema violation, but I
don't think AD enforces those anyway, so it shouldn't matter.
> I tried creating it under DC;
> that did not work. I tried synching an OU instead of an O. That
> appeared to work but only transferred one of five users. I wonder if it
> is a 64 bit problem. The system where it is working is a 32 bit version
> of Windows
>
I doubt it is a 64-bit issue. Try turning on the replication log level
http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
 
07-19-2010, 01:28 PM
"John A. Sullivan III"

Windows Replication Agreement Help

On Mon, 2010-07-19 at 07:01 -0600, Rich Megginson wrote:
> Not sure what you mean by "building Organizations" - but it shouldn't
> matter if it is under a CN or not.
<snip>
We're running 8.1. Based upon some of the change logs I've seen for
some of the more recent versions of 389, I wonder if this is just a
problem between 8.1 and Windows Server 2008. We are downgrading a
Domain Controller to 2003 to see if the problem goes away - John

 
07-20-2010, 02:46 PM
"--[ UxBoD ]--"

Windows Replication Agreement Help

----- Original Message -----
> We're running 8.1. Based upon some of the change logs I've seen for
> some of the more recent versions of 389, I wonder if this is just a
> problem between 8.1 and Windows Server 2008. We are downgrading a
> Domain Controller to 2003 to see if the problem goes away - John
>

The problem still exists on W2K3/32bit and we see the following error:

windows_tot_run: failed to obtain data to send to the consumer; LDAP error - 1

The user we are binding with in AD is a member of Domain Admins; do we need to add some other group or security membership?
--
Thanks, Phil
 
07-20-2010, 03:14 PM
Rich Megginson

Windows Replication Agreement Help

--[ UxBoD ]-- wrote:
> The problem still exists on W2K3/32bit and we see the following error:
>
> windows_tot_run: failed to obtain data to send to the consumer; LDAP error - 1
>
Enable the replication log level -
http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
> The user we are binding with in AD is a member of Domain Admins; do we need to add some other group or security membership?
>
