Why Active Directory Management Agent throws cd-error "The specified group type is invalid" when exporting Universal Security Groups with members from other domains

    Question

  • I have an AD MA connecting to one forest with more than one domain. When I export a security universal group containing members (users) from other domains than the one the group is in, it throws an export error:

    Error: cd-error
    Connected data source error: "The specified group type is invalid"

    Creating the same group directly in AD (via dsa.msc) works fine with adding members from other domains! So the same changes that fail through the MA can be done directly in AD.
    The group type and scope are correct, no doubt about that, as the group gets created correctly if no members are outside the domain. The error also happens if I just add a member outside the domain of the group to an already existing group.

    The group scope is always Universal. I have tried more combinations of domains and all seem to behave the same.
    I am using FIM 2010 and the configuration is done according to the TechNet guide. I am also provisioning for Exchange 2010 with this MA.

    Tuesday, January 04, 2011 8:48 AM

Answers

  • Also:

    1. make sure you are targeting a GC with your MA

    2. all reference attributes (members) are available and calculated correctly

    Paul.


    Paul Loonen (Avanade) | MCM: Directory 2008 | MVP: ILM
    • Marked as answer by Norbert D Monday, February 21, 2011 11:09 AM
    Wednesday, February 09, 2011 7:58 PM

All replies

  • Hi Norbert,

    How did you configure the scope of the AD MA, aka domain partitions to be discovered / managed by the MA? Only the domain partition that should contain the universal group? Or all domain partitions containing the universal group and group members?


    /Matthias
    Tuesday, January 04, 2011 1:03 PM
  • Norbert,

    Make sure the groupType attribute in the AD MA is being set to the appropriate value for Universal groups during export/provisioning. I would think you get this error because the groupType attribute is set to a value for either domain local or global group, which would make adding a user from another domain in the same forest an invalid operation.

    According to http://support.microsoft.com/kb/969194, the value for Universal security group, for example, is 0x80000008 (-2147483640).

    It is 8 for Universal Distribution groups.

    Wednesday, January 05, 2011 3:48 AM
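Added example, not part of the thread or any poster's code: a pre-export check that decodes the groupType values quoted in the reply above and flags groups whose members live in another domain. The function names and sample DNs are constructed for illustration, the scope and security flag bits are the standard AD groupType bits, and the DN parsing assumes no escaped commas.

```python
import re

# Bit flags of the AD groupType attribute, which LDAP returns as a signed 32-bit integer.
GLOBAL, DOMAIN_LOCAL, UNIVERSAL = 0x2, 0x4, 0x8
SECURITY_ENABLED = 0x80000000

def decode_group_type(value):
    """Return (scope, kind) for a groupType given as int or string, signed or hex."""
    bits = int(str(value), 0) & 0xFFFFFFFF   # -2147483640 -> 0x80000008
    scopes = [name for flag, name in ((GLOBAL, "Global"),
                                      (DOMAIN_LOCAL, "DomainLocal"),
                                      (UNIVERSAL, "Universal")) if bits & flag]
    if len(scopes) != 1:
        raise ValueError(f"groupType {value!r} must carry exactly one scope bit")
    return scopes[0], "Security" if bits & SECURITY_ENABLED else "Distribution"

def domain_of(dn):
    """Build the DNS domain name from the DC= components of a distinguished name."""
    return ".".join(re.findall(r"(?i)(?:^|,)\s*DC=([^,]+)", dn)).lower()

def review_export(group_dn, group_type, member_dns):
    """Classify a pending group export for the cross-domain case in this thread."""
    scope, kind = decode_group_type(group_type)
    foreign = [m for m in member_dns if domain_of(m) != domain_of(group_dn)]
    if not foreign:
        verdict = "ok"                 # all members are in the group's own domain
    elif scope != "Universal":
        verdict = "check-groupType"    # not the Universal value the reply says to verify
    else:
        verdict = "needs-gc"           # Universal with foreign members: target a GC
    return {"scope": scope, "kind": kind,
            "foreign_members": foreign, "verdict": verdict}

if __name__ == "__main__":
    # Constructed sample: a group in one child domain, one member from another.
    group = "CN=Sales,OU=Groups,DC=emea,DC=corp,DC=example"
    members = ["CN=alice,OU=Users,DC=emea,DC=corp,DC=example",
               "CN=bob,OU=Users,DC=amer,DC=corp,DC=example"]
    for gt in (-2147483640, 8, -2147483646):
        print(gt, review_export(group, gt, members))
```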
  • Hi Matthias,

    I have all the needed partitions of course (containing the users and the destination for the groups), otherwise I would not be able to add the membership. All added members are in the CS.

    Wednesday, February 09, 2011 1:37 PM
  • Hi Glenn,

    The group type/scope are correct; I think I mentioned that in the first post. It is not such a trivial thing; some experienced ILM consultants have already been looking at this issue.

    I can see the group type/scope in AD and it is Security Universal or Distribution Universal (fails for both). If I have only users from the domain in the groups, the export works fine. If I add another user from another domain, it fails as described.

    Error: cd-error
    Connected data source error: "The specified group type is invalid"

    There is no "Connected data source error code", which makes me think that the problem is in the MA.
    It also works fine if I add the member directly in AD.

    Wednesday, February 09, 2011 1:44 PM
  • Hi Paul,

    This was actually the issue:

    The domain controller of one of the domains the MA was connecting to didn't have the Global Catalog.

    The error message was misleading. Better error messages would definitely make life much easier.

    Many thanks!

    Monday, February 21, 2011 11:17 AM