PS2010 - AD sync failure RRS feed

  • Question

  • Hi there,

    we are currently testing a migration to PS2010 from PS2007 at one of our customers. So far everything works - except the AD sync for Resource pool and for Security Groups.

    We are getting the following error: 'A resource could not be updated during Project Server Active Directory Synchronization.Error: AdminNTAccountNotFound' for a number of users.

    The same AD groups are still used in the productive environment on PS2007 and there all AD syncs are marked as "Success" whereas the same groups report "Partial Fail" in PS2010. This makes me think that perhaps some behaviour in the AD sync has been changed by Microsoft from 2007 to 2010.

    Characteristics of the users causing the error: The users' accounts have been changed.
    This happens because of the following - if an user leaves the company, the account is at first not deactivated, but marked with a "D-" in front of the actual account name. A few weeks later, the accounts are deleted. Now the failure occurs for all users which have been changed to the "D-"account.

    Is it possible that the syntax "D-" is interrupting Project's sync? Any ideas on how to fix this error? Living with it is not an option as real sync problems might be overseen.

    Thanks for your suggestions.

    Friday, January 6, 2012 12:11 PM

All replies

  • I've had the same issue.  As you noted, it's caused by inactive AD accounts
    in one of the sync groups.  As far as I can tell, 2010 displays Partial Fail
    when that happens, and seems to stop going to any other groups to sync. 
    I never had that issue in 2007, either because it never happened, or 2007
    was a bit more resilient.
    I am pretty sure it's a bug.  The only solution I've found is to remove the
    deactivated accounts from the AD group.

    Andrew Lavinsky [MVP] Blog: Twitter: @alavinsky
    Friday, January 6, 2012 12:55 PM
  • Yes you have noticed partial failure is due to name change. Since PWA AD sync querires Global Catalog server for read Display name, Windows Account,ADGUID.

    In this kind of scenario general practice is to remove the user and AD group and select prevent user from AD sync in PWA user properties.


    Friday, January 6, 2012 7:46 PM
  • Hi,

    to remove the users would mean to change a company wide process for users leaving the company - don't think we can do that.

    So we will open a call with Microsoft, for me it's a bug - especially as 2007 has no problem with account changes and the customer's AD administration.

    Thanks for your opinion!


    Sunday, January 8, 2012 6:08 PM
  • Agree with you on filing it as a bug....just a quick question though to follow up on a hunch.  Do you know if those deactivated users ever sync'd with Project Server, or was the first sync the one where they already were deactivated?
    Andrew Lavinsky [MVP] Blog: Twitter: @alavinsky
    Sunday, January 8, 2012 6:32 PM
  • Hi Andrew,

    as far as I can see the users were active Project users and thus should have been previously sync'd successfully.


    Monday, January 9, 2012 8:10 AM
  • Hi,

     Please check whether global catalog is defined properly on that PWA application can fetch information from AD for Respective Users.



    Wednesday, April 25, 2012 6:48 AM