Re: ADAM full sync needed every 30 days??????




Actually it happens on both, manual and scheduled task. But the scheduled
task appears to be pulling in data, where the manual doesn't even fire
off...just err's out as stated previously.

We had only had successful logon attempts being audited. I've since toggled
the failures as well.




"Lee Flight" wrote:

Hi

do you get one of those errors per manual sync attempt?

Thanks
Lee Flight

"kage13" <kage13@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:288DFA17-F0D6-4417-92F1-A1C573BC6759@xxxxxxxxxxxxxxxx
Lee,

After turning up the diag logging, all the events listed were either 1138 or
1139, stating that an ldap_search was entered and ended.
However, I did find one different event that still came across as an
Informative entry:
Event Type: Information
Event Source: ADAM [name] LDAP
Event Category: LDAP Interface
Event ID: 1535
Date: 3/20/2008
Time: 11:27:22 AM
User: <adamserver>\Administrator
Computer: <adamserver>
Description:
Internal event: The LDAP server returned an error.

Additional Data
Error value:
00002089: UpdErr: DSID-031B0CBD, problem 5012 (DIR_ERROR), data 2

Other than this, I got nothing.


"Lee Flight" wrote:

Hi

so the /sync works OK after you have performed a full sync?
More inline below...


"kage13" <kage13@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B8836919-1066-4424-ADAC-BBE2CAE05CC0@xxxxxxxxxxxxxxxx

C:\WINDOWS\ADAM>adamsync /sync localhost:389 "dc=domain,dc=com"
Warning: The current authoritative ADAM instance is <adamserver>:389.

That warning is likely because your ADAM instance is a member of a
configuration (replica) set, the recommendation is always to sync to the
same ADAM instance.

Ldap error occured.
C:\WINDOWS\ADAM>adamsync /sync <adamserver>:389 "dc=domain,dc=com"
Ldap error occured.
C:\WINDOWS\ADAM>adamsync /ces <adamserver>:389
Listing configuration files:
---------------------------
Last Sync Attempt Time: 20080320125740.0Z
Last Sync Success Time: 20080320125753.0Z
Last Sync Error Time: 20080320125753.0Z
Last Sync Error String: Ldap error occured. Done.

If you are in a position where the /sync fails perhaps you could try bumping
diagnostics on the ADAM instance...
Assuming that your ADAM instance has service name ADAM_instance1 then under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ADAM_instance1\Diagnostics

Edit the value
16 LDAP Interface Events
and set it to 5

and then run the /sync. Check ADAM instance event log for errors.
*Remember* to reset the registry value to 0 when done.

When I mentioned the account status, it is the
msds-user-account-control-computed attribute. This is set to not expire or
lock since it is the 'bind' account used for the syncs. This account also
is not a member of the domain, nor is the adam server.

So this is a standalone ADAM server? Presumably the sync has stored credentials
for an account that has access to your AD? The account that you run the
scheduled task with is a windows account local to the ADAM server that has
Admin rights on the ADAM instance?

With regards to the full sync, I did not use passprompt, merely swapped
/sync with /fs and away it went successfully.

Very odd maybe it's a bug with the cookie mechanism but it's hard for me to
join that with the 30 day window.

Lee Flight
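
The diagnostic procedure described in the thread (raise "16 LDAP Interface Events" to 5, run the /sync, then reset the value) as an added PowerShell example; it is not part of the original posts. The service name ADAM_instance1 is the one assumed in the thread, `adamserver:389` and the partition DN stand in for the thread's placeholders, and the script must run elevated on the ADAM server.

```powershell
# Added example, not from the thread. Instance name, server and partition DN
# are placeholders taken from the posts and must be adjusted.
param(
    [string]$ServiceName = 'ADAM_instance1',      # service name assumed in the thread
    [string]$Server      = 'adamserver:389',      # placeholder for <adamserver>:389
    [string]$PartitionDn = 'dc=domain,dc=com',    # placeholder DN from the thread
    [string]$AdamSync    = "$env:windir\ADAM\adamsync.exe"
)

$key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Diagnostics"
$value = '16 LDAP Interface Events'

# Record the current level first so it can be put back (the thread resets it to 0).
$previous = (Get-ItemProperty -Path $key -Name $value -ErrorAction Stop).$value
$start    = Get-Date

try {
    # Level 5 logs every LDAP interface event; leave it on only for the test run.
    Set-ItemProperty -Path $key -Name $value -Value 5 -Type DWord -ErrorAction Stop

    # Same invocation as in the thread: adamsync /sync <server>:<port> "<partition DN>"
    & $AdamSync /sync $Server $PartitionDn
    "adamsync exit code: $LASTEXITCODE"
}
finally {
    # Runs even if the sync fails or is interrupted, so verbose logging is never left on.
    Set-ItemProperty -Path $key -Name $value -Value $previous -Type DWord
    "Diagnostics level restored to $previous."
    "Review the ADAM instance event log for LDAP Interface entries logged since $start."
}
```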





