COMException error "The server is not operational"

    Question

  • I am trying to run a full sync, and it keeps erroring out (5K errors), all with the following stack trace message.

    System.Runtime.InteropServices.COMException (0x8007203A): The server is not operational.

       at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
       at System.DirectoryServices.DirectoryEntry.Bind()
       at System.DirectoryServices.DirectoryEntry.get_AdsObject()
       at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
       at System.DirectoryServices.DirectorySearcher.FindOne()
       at MVExtension.MVExtensionObject.CheckUniquenessInAD(String attributeName, String searchCriteria)
       at MVExtension.MVExtensionObject.GetUniqueCn(MVEntry mventry)
       at MVExtension.MVExtensionObject.ProvisionAD(MVEntry mventry)
       at MVExtension.MVExtensionObject.Provision(MVEntry mventry)

    I had the admin check the DNS entries, and the DBA says the system is running fine with no errors.  The network guy said that he sees the account for MIIS authenticating across the network every few seconds.  I assume this is to the SQL server back end.

    Is it normal for the account to authenticate that often?

    Note:  The run time is approximately a day and a half before it errors out and there are only 80K identities.

    Thursday, October 12, 2006 3:57 PM

Answers

  • Jared,

    It appears you have code in your provisioning DLL that is querying AD for each object to be provisioned to see if the new name is unique in AD (CheckUniquenessInAD()). This is resulting in the many queries to AD (once per provisioned object), and the code seems to be failing. It is bad practice to go outside of MIIS to query state. As you can see, it results in unexpected errors in MIIS when the external system has failures. In addition, there is no guarantee that the name will remain unique between the time you create it on the CS export image, and the time the object is actually exported to AD.

    I recommend eliminating this call, and finding another way to generate likely unique names, then handle the exceptions if/when they occur.

    Thursday, October 12, 2006 4:34 PM
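
The approach recommended in the answer above (no per-object AD query; pick a likely-unique name and handle the collision when it occurs), as an added example that is not the poster's MVExtension code. It assumes the MIIS `Microsoft.MetadirectoryServices` assembly is referenced; the management agent name, the container DN and the use of the metaverse `cn` attribute are hypothetical.

```csharp
// Added example, not code from the thread. MA name, container and
// attribute name below are assumptions chosen for illustration.
using System;
using Microsoft.MetadirectoryServices;

public class UniqueCnProvisioning
{
    const string AdMaName = "AD MA";                        // assumed MA name
    const string Container = "OU=Users,DC=company,DC=com";  // assumed target OU
    const int MaxAttempts = 20;                             // bound the retries

    // Intended to be called from IMVSynchronization.Provision(MVEntry).
    public void ProvisionAD(MVEntry mventry)
    {
        ConnectedMA adMa = mventry.ConnectedMAs[AdMaName];
        if (adMa.Connectors.Count > 0) return;      // already has an AD connector
        if (!mventry["cn"].IsPresent) return;       // nothing to build a name from

        string baseCn = mventry["cn"].Value;
        for (int attempt = 0; attempt < MaxAttempts; attempt++)
        {
            // Candidate names: name, name1, name2, ...
            string cn = attempt == 0 ? baseCn : baseCn + attempt;
            ReferenceValue dn = adMa.EscapeDNComponent("CN=" + cn).Concat(Container);
            try
            {
                CSEntry csentry = adMa.Connectors.StartNewConnector("user");
                csentry.DN = dn;
                csentry.CommitNewConnector();
                return;                             // name accepted
            }
            catch (ObjectAlreadyExistsException)
            {
                // The DN is already taken in the connector space: no call
                // to AD was made, so a DC outage cannot fail the sync here.
            }
        }
        throw new UnexpectedDataException(
            "No free CN for '" + baseCn + "' after " + MaxAttempts + " attempts");
    }
}
```

The collision check here is against the connector space only; a name that clashes with an AD object not yet imported still surfaces as an export error and has to be handled there.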

All replies

  • This looks like custom provisioning code that is trying to check against the directory for unique CN while provisioning.

    In your code, you probably have a string that represents your Active Directory (or a specific DC) that is the root of the search.

    ie: "LDAP://dc=company,dc=com" or "LDAP://mydc.company.com:389/dc=company,dc=com"

    Check to ensure that that string is still valid (maybe the DC was decommissioned or is unresolvable).

    -Rob

    http://www.nulli.com


    Thursday, October 12, 2006 4:39 PM
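
One way to run the check suggested in the reply above, as an added example that is not part of the original post: it takes an ADsPath in either of the two forms quoted there, tests name resolution and TCP reachability when the path names a server, then forces a bind and reports the `0x8007203A` code from the stack trace. The class name and the sample paths in `Main` are constructed.

```csharp
// Added example, not code from the thread. Sample paths are constructed.
using System;
using System.DirectoryServices;
using System.Net;
using System.Net.Sockets;
using System.Runtime.InteropServices;

static class AdsPathCheck
{
    const int ServerNotOperational = unchecked((int)0x8007203A); // HRESULT in the trace

    // Returns null when the path binds, otherwise a short reason.
    public static string Diagnose(string adsPath)
    {
        if (!adsPath.StartsWith("LDAP://", StringComparison.OrdinalIgnoreCase))
            return "not an LDAP ADsPath";
        string rest = adsPath.Substring(7);
        int slash = rest.IndexOf('/');
        string first = slash >= 0 ? rest.Substring(0, slash) : rest;
        // A first segment containing '=' is a DN (serverless binding), so
        // there is no host to test; otherwise it is host[:port].
        if (first.IndexOf('=') < 0)
        {
            string[] hp = first.Split(':');
            int port = hp.Length > 1 ? int.Parse(hp[1]) : 389;
            try
            {
                Dns.GetHostAddresses(hp[0]);                             // resolves?
                using (TcpClient tcp = new TcpClient()) tcp.Connect(hp[0], port); // reachable?
            }
            catch (SocketException ex) { return hp[0] + ":" + port + " unreachable: " + ex.Message; }
        }
        try
        {
            // Reading NativeObject forces the bind that FindOne()/FindAll() would trigger.
            using (DirectoryEntry entry = new DirectoryEntry(adsPath)) { object bound = entry.NativeObject; }
            return null;
        }
        catch (COMException ex)
        {
            return ex.ErrorCode == ServerNotOperational
                ? "bind failed: the server is not operational"
                : "bind failed: 0x" + ex.ErrorCode.ToString("X8");
        }
    }

    static void Main()
    {
        foreach (string p in new[] { "LDAP://dc=company,dc=com", "LDAP://mydc.company.com:389/dc=company,dc=com" })
            Console.WriteLine(p + " -> " + (Diagnose(p) ?? "OK"));
    }
}
```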
  • I agree with Bruce, it is a bad practice to try to do this from inside MIIS.

    There is no way to guarantee that the account is unique because you're creating records in the connector space...

    You would need to search the connector space also...

    Also the method Bruce described is the method to get this accomplished...


    HTH,

    Joe

    Thursday, October 12, 2006 5:16 PM
  • Hi Bruce,

    I have a similar problem. My application is running on IIS 6 and it's working fine, but sometimes a call to FindAll throws the COMException "The server is not operational". I tried to change the LDAP path to an exact IP and it worked locally, but when I try it from other computers it throws the COMException "An operation error occured".

    I've been trying to fix it for 3 weeks and found nothing.

    I didn't understand exactly what you explained and what the best practice is (maybe it's only for MIIS); it looks like a simple call to the DirectorySearcher.

    If you know how to solve it, I'll be thankful.

    Asaf

    Sunday, December 31, 2006 1:32 PM
  • Hi Bruce/Asaf,

    I am facing a similar problem in my application when I use the FindOne() method to execute the directory search, i.e.

    DirectorySearcher search = new DirectorySearcher(entry);

    SearchResult rs = search.FindOne();

    throws the error "The server is not operational".

    Please, any help would be gratefully received.


    Regards,

    pavan

    Wednesday, November 17, 2010 5:20 AM
  • If you hook your question to an old existing post, you'll not get the proper attention to your issue.
    Please open a new thread with some more background information on your setup.

    What is your application about?
    Are you writing code in an ILM extension? (It is not a good practice to execute out-of-band LDAP calls in your ILM code.)
    Did you debug your code?
    Did you check the proper parameters are passed to the function to open the connection?

    Kind regards,
    Peter


    Peter Geelen (Traxion) - Sr. Consultant IDA (http://www.fim2010.be)

    [If a post helps to resolve your issue, please click the "Mark as Answer" of that post or "Helpful" button of that post.
    By marking a post as Answered or Helpful, you help others find the answer faster.]
    Wednesday, November 17, 2010 11:42 AM
  • Peter, the problem with starting a new thread is that it really screws users like me. This was a useful thread covering exactly the same issue I am having. But then I got to your post and nothing more. So it seems he took your advice and started a new thread. Trouble is, I have no way of finding that new thread.

    I would suggest that in this situation if you decided to start a new thread (and I don't argue with Peter's logic on this), to be a good forum citizen you should come back to the original thread and leave one last post where you state that you started a new thread, and that the subject line is "xyz". That way us readers can continue following the discussion on this problem.


    Thursday, February 10, 2011 8:58 PM
  • On Thu, 10 Feb 2011 20:58:59 +0000, Bradley.Ward wrote:

    Trouble is, I have no way of finding that new thread.

    You do have a relatively easy way to find any new thread. Simply click on
    the author's name in the post (in this case PavanTest) which will take you
    to his profile. From there you can find the new thread if there is indeed
    one, and in this case there wasn't one.

    In this particular case, the original thread had been dead for 4 years
    before PavanTest posted his question in November.


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca
    As of next week, passwords will be entered in Morse code.

    Thursday, February 10, 2011 9:37 PM