Multiple Connectors on Management Agent / extension-unexpected-attribute-value
-
16 พฤษภาคม 2555 17:52
ILM 2007, Ent 3.3.118.0
A few times a day, we will get the following type of sync error and correct it with this procedure below.
The error will hit on the AD MA: Delta Import - Delta Synch, and again on AD MA: Delta Synch.
Error: extension-unexpected-attribute-value
Synchronization step: Provisioning
Extension name: MVExtension.dll
Extension rule: provisioning
Last import change: very recent date/time
Last export change: none listed
Object state: Normal DisconnectorStack trace:
Microsoft.MetadirectoryServices.UnexpectedDataException: Multiple Connectors on Management Agent
at Mms_Metaverse.MVExtensionObject.Microsoft.MetadirectoryServices.IMVSynchronization.Provision(MVEntry mventry)The process we've been given to correct is open the Synchronization Error, then on the Connector Space Object Properties dialog box, click the Preview button. Leave preview mode a Full synchronization. Click the Generate Preview button. (Will get a status: Synchronization successful). Click the Commit Preview button, close out. That always corrects the issue.
When viewing the Preview, I see under Connector Updates, 2 entries listed (that's the multiple connectors I take it).
At the top of the Connector Space Object Properties dialog box, listed is for example:
Distinguished Name: cn=someuserA,ou=other,ou=people,dc=domain,dc=edu
In the listed Preview Connector Updates, listed will be:
cn=someuserA,ou=dept,ou=college,ou=people,dc=domain,dc=edu AD MA auto-deleted Successful
cn=someuserA,ou=dept,ou=college,ou=people,dc=domain,dc=edu AD MA renamed SuccessfulLooking at the Renamed Connector Update, the Export Attribute Flow, we'll see a few Final Values changing:
department, company, sn, givenName (these have blank Initial Values)
userPrincipalName (this only changes from "someuserA@DOMAIN.EDU" to "someuserA@domain.edu"Key values that remain unchanged:
displayName, employeeID, sAMAccountNameFrom reading other forum posts, these accounts are not users with multiple identities (as I understand). It feels like it's something happening when an account is getting moved to a different OU.
Thank you for your time and direction (no ILM pros here...)
-Joe
-Joe
ตอบทั้งหมด
-
17 พฤษภาคม 2555 14:26
Based on the fact that you see the error on a delta sync, a full sync corrects it, and the error is thrown by your MVExtension code it would seem that a new connector had been queued up by your provisioning code, but then that account was imported and joined to the existing metaverse object independently of the queued export. At that moment you have two connectors. A full sync will remove the pending export connector automatically and leave it to your provisioning code to queue up another connector if one is needed, but a delta sync will not.
Your provisioning code generally will not queue up a duplicate connector if the generated DN is already in the connector space. However, if the DN your code generates is different from the DN that was imported from AD for the same sAMAccountName/UPN, a duplicate connector is queued for export and you wouldn't see the error until you tried to export it and AD said that account already existed. That is why you see the error only when an account is moved to another OU.
My solution to this kind of problem recently, now that I'm moving away from regular (nightly/weekly) full synchronizations in ILM, is to have a piece of code in my MVExtension that will deprovision a connector that doesn't have a value for an attribute that comes only from the connected data source if multiple connectors are detected. In other words, if a connector space object has an objectGUID, whenCreated or similar AD-generated attribute value, it is the "real" connector. If it does not, it is a duplicate that can be removed if there is more than one connector.
Chris
- ทำเครื่องหมายเป็นคำตอบโดย JoeGasper 18 พฤษภาคม 2555 17:25
-
18 พฤษภาคม 2555 17:35Thank you, Chris.
Now to find a consultant...-Joe
.png)
