MIIS 2003 SP1 / ADAM connector / Error 80230910

    Question

  • Hi,

    When trying to establish a connection to an ADAM instance from MIIS 2003 SP1, MIIS throws an error (very basic in fact) through a text box without any more information than an 80230910 error code.

    All the prerequisites upon the service account to use seem to be OK, but it looks like the main point to check.

    Telnet connection on the 389 instance port had been done in order to check firewall rules.

    If someone has more information, please advise.

    Please, I know that SP1 is now largely out-of-date, so don't push an "upgrade first then come back after" solution just for that.

    Thank you for your help.

    JF LOMBARDO
    Wednesday, January 27, 2010 10:54 AM

Answers

  • Hi JF and Peter,

    I guess you are talking about this blog: http://blogs.technet.com/jpilmblg/archive/2009/02/07/ilm2007fp1-ma-forest-80230910-top.aspx
    The author of the blog is the ILM/MIIS support team of Microsoft Japan.

    Yesterday I received contact from Peter, and I translated this page to English.
    I hope it will be of some help to you.

    Here is the translation.

    [ILM2007FP1] The error 80230910 occurs when you specify the forest name while creating an Active Directory MA. (You should not add an auxiliary class to Active Directory that inherits from any class other than the top class.)


    [Problem today]
    When you create an Active Directory MA, you see a dialog which shows only the error number "80230910" when you specify the forest name.
    (But telnet:389 access to the Domain Controller is available)

    [How to fix it]
    This problem occurs when there are any auxiliary schemas in the Active Directory you wish to connect to which are not inherited from the top class. By the way, this behavior is not a failure but the expected one by design.
    Even if you disable these auxiliary classes, this error will occur when ILM analyzes its schemas as long as you do not apply KB952327. You have to apply KB952327 after disabling these schemas.
    Although the following excerpts say the problem only occurs using an Active Directory MA, it actually occurs using any MA connecting to Active Directory.

    Article ID: 952327 - Last Review: November 10, 2008 - Revision: 2.0
    A hotfix rollup package (build 3.3.1067.2) is available for Identity Lifecycle Manager 2007 Feature Pack 1
    http://support.microsoft.com/default.aspx?scid=952327

    (Hereafter, quotation)
    Active Directory Management Agent does not ignore defunct classes
    You add an auxiliary class to Active Directory that inherits from any class other than the top class. However, errors occur in ILM when you create an Active Directory MA or when you update the schema after you add the class.

    These errors occur even if the auxiliary class is marked as Inactive in the Active Directory schema. ILM build 3.3.1067.2 ignores defunct Active Directory classes.

    [Details]
    I want to explain the way I investigated its details.

    Unfortunately, this error dialog does not include anything except the error code.
    While this dialog was displayed, I tried to take a dump using the Windbg utility. The result indicated that there was an occurrence of the following exception.




    0:013> !dae

    ( Snip )

    Number of exceptions of this type:        1
    Exception MethodTable: 07ae9b0c            <<
    Exception object: 01474198
    Exception type: Microsoft.DirectoryServices.MetadirectoryServices.Schema.SchemaError            <<
    Message: 80230910            <<
    InnerException: <none>
    StackTrace (generated):
    <none>
    StackTraceString: <none>
    HResult: 80131500

    ( Snip )

    0:013> !dumpmt 07ae9b0c            <<
    EEClass: 07b2209c
    Module: 06eb35f8
    Name: Microsoft.DirectoryServices.MetadirectoryServices.Schema.SchemaError       <<
    mdToken: 02000002
    BaseSize: 0x48
    ComponentSize: 0x0
    Number of IFaces in IFaceMap: 2
    Slots in VTable: 18

    ( Snip )

    StackTrace (generated):
        SP       IP       Function
        0A6EEC50 0794F66A Microsoft.DirectoryServices.MetadirectoryServices.Schema.Schema.Create(System.String, Boolean)
        0A6EED68 0794F538 Microsoft.DirectoryServices.MetadirectoryServices.Schema.Schema.Create(System.String)
        0A6EED6C 0794EF02

    ( Snip )

    StackTraceString: <none>
    HResult: 80131500


    Looking at the lines around "Microsoft.DirectoryServices.MetadirectoryServices.Schema.Schema.Create(System.String, Boolean)" in the stack trace, I judged that there was a problem processing the schemas. After that, I dumped all the objects remaining in the stack.


    0:013> !dso
    OS Thread Id: 0xf7c (13)
    ESP/REG  Object   Name
    0916f340 01474198 Microsoft.DirectoryServices.MetadirectoryServices.Schema.SchemaError
    0916f38c 01474198 Microsoft.DirectoryServices.MetadirectoryServices.Schema.SchemaError
    0916f3a0 01474198 Microsoft.DirectoryServices.MetadirectoryServices.Schema.SchemaError
    0916f3a4 013f796c System.Threading.ContextCallback
    0916f3d0 01474198 Microsoft.DirectoryServices.MetadirectoryServices.Schema.SchemaError
    0916f3d8 01474198 Microsoft.DirectoryServices.MetadirectoryServices.Schema.SchemaError
    0916f3e0 013f796c System.Threading.ContextCallback
    0916f434 01474198 Microsoft.DirectoryServices.MetadirectoryServices.Schema.SchemaError
    0916f4cc 025d8040 System.String            <<
      <dsml xmlns="http://www.dsml.org/DSML" xmlns:m="http://www.microsoft.com/MMS/DSML"><directory-schema><attribute-type id="A0"            <<

    ( Snip )

    0:013> !do 025d8040            <<
    Name: System.String
    MethodTable: 790fa3e0
    EEClass: 790fa340
    Size: 1965032(0x1dfbe8) bytes
    GC Generation: 3
     (C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll)
    String:
      <dsml xmlns="http://www.dsml.org/DSML" xmlns:m="http://www.microsoft.com/MMS/DSML"><directory-schema><attribute-type id="A0"

    ( Snip )

    single-value="true"><name>pKIExpirationPeriod</name><syntax>1.3.6.1.4.1.1466.115.121.1.40</syntax></attribute-type><attribute-type id
    Fields:
          MT    Field   Offset                 Type VT     Attr    Value Name
    790fed1c  4000096        4         System.Int32  1 instance   982508 m_arrayLength            <<
    790fed1c  4000097        8         System.Int32  1 instance   982507 m_stringLength
    790fbefc  4000098        c          System.Char  1 instance        d m_firstChar            <<
    790fa3e0  4000099       10        System.String  0   shared   static Empty
        >> Domain:Value  00149868:790d6584 <<
    79124670  400009a       14        System.Char[]  0   shared   static WhitespaceChars
        >> Domain:Value  00149868:013d13e4 <<


    Looking only at this, the data would seem to be incomplete, and you cannot judge whether data is really missing or whether it is a restriction of the debugger's display.
    So I dumped from the address obtained by adding offset c to the object data address.


    0:013> du 025d8040+c            <<
    025d804c  "..  <dsml xmlns="http://www.dsml"
    025d808c  ".org/DSML" xmlns:m="http://www.m"
    025d80cc  "icrosoft.com/MMS/DSML"><director"

    ( Snip )


    The data is Unicode, so actually the data is two bytes.
    Because the value of m_arrayLength is the entire length of the object, "( the address of the object data + offset c + 982508( the value of m_arrayLength ) ) x 2" is the terminal of the data.


    0:013> ? 025d8040+c+0n982508*2
    Evaluate expression: 41647140 = 027b7c24            <<


    You can see that 027b7c24 is the terminal of the data from the calculation above.
    If you look shortly before the terminal (about -8 lines), you may find the closure of the entire tag, "</dsml>".


    0:013> du 027b7c04
    027b7c04  "hema></dsml>.. "            <<


    You can reconstruct the XML file of the whole schema by dumping from the beginning to the end of the object data.
    (Of course, you must remove the double quotes and the address columns from the dump.)

    Unfortunately, in this case our customer did not give us any information about the extended schema, so I parsed the XML schema in this way.
    Then I found the following auxiliary classes. (The class name is not the actual name.)


    - <class id="TEST3" superior="#TEST1" type="auxiliary">
      <name>testauxclass</name>


    The class "TEST3" is the auxiliary class inherited from the class named "TEST1". And what "TEST1" is ...


    - <class id="TEST1" superior="#TEST2" type="structural">
      <name>person</name>



    There is the auxiliary class named "testauxclass" inherited from "person". I tried to find any article about the class, but I did not find anything.
    Therefore, I asked our customer whether it was a custom schema, and it was actually an extended schema.

    On the other hand, I found the following other auxiliary class.


    - <class id="TEST3d" superior="#TEST2" type="auxiliary">
      <name>testObj</name>


    This class was inherited from "TEST2". And what is "TEST2" inherited from?


    - <class id="TEST2" type="abstract">
      <name>top</name>


    It is inherited from "top".
    From these results, I judged the problem was caused by the "testauxclass". 


    Naohiro FUjie ( MVP ILM / http://idmlab.eidentity.jp )
    Friday, January 29, 2010 12:09 AM
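
An added example (not from the original post or the Microsoft blog) of the last steps described in the answer above: rebuilding the schema XML from `du` output, then listing auxiliary classes whose superior is not `top`. The sample schema is constructed from the placeholder class names in the post, and all function names (`rebuild_from_du`, `aux_not_from_top`, `fake_du`, `end_address`) are hypothetical helpers.

```python
import re
import xml.etree.ElementTree as ET

# One line of `du` output: 8-digit hex address, then a quoted chunk of text.
DU_LINE = re.compile(r'^\s*[0-9a-fA-F]{8}\s+"(.*)"')

def end_address(obj, first_char_offset, n_chars):
    """End of a UTF-16 string: same arithmetic as `? 025d8040+c+0n982508*2`."""
    return obj + first_char_offset + n_chars * 2

def rebuild_from_du(lines):
    """Join the quoted chunks of `du` output back into one XML string."""
    text = "".join(m.group(1) for m in map(DU_LINE.match, lines) if m)
    # `du` shows non-printable characters (CR/LF here) as ".", so keep only
    # what lies between the first "<" and the last ">".
    return text[text.index("<"): text.rindex(">") + 1]

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def aux_not_from_top(xml_text):
    """Return (id, name, superior name) for auxiliary classes not derived from top."""
    classes = {}
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "class":
            name = next((c.text or "" for c in el if local(c.tag) == "name"), "")
            classes[el.get("id")] = (name.strip(), el.get("superior"), el.get("type"))
    findings = []
    for cid, (name, superior, ctype) in classes.items():
        if ctype != "auxiliary" or not superior:
            continue
        parent = classes.get(superior.lstrip("#"))
        parent_name = parent[0] if parent else superior  # unresolved: show raw ref
        if parent_name.lower() != "top":
            findings.append((cid, name, parent_name))
    return findings

# Constructed sample: the four placeholder classes quoted in the post.
SAMPLE_DSML = (
    '\r\n  <dsml xmlns="http://www.dsml.org/DSML"><directory-schema>'
    '<class id="TEST2" type="abstract"><name>top</name></class>'
    '<class id="TEST1" superior="#TEST2" type="structural"><name>person</name></class>'
    '<class id="TEST3" superior="#TEST1" type="auxiliary"><name>testauxclass</name></class>'
    '<class id="TEST3d" superior="#TEST2" type="auxiliary"><name>testObj</name></class>'
    '</directory-schema></dsml>\r\n '
)

def fake_du(text, base=0x025D804C, width=32):
    """Constructed stand-in for `du` output: address plus a quoted 32-char chunk."""
    out = []
    for i in range(0, len(text), width):
        chunk = re.sub(r"[^\x20-\x7e]", ".", text[i:i + width])
        out.append('%08x  "%s"' % (base + 2 * i, chunk))  # 2 bytes per character
    return out

if __name__ == "__main__":
    print(hex(end_address(0x025D8040, 0xC, 982508)))
    for finding in aux_not_from_top(rebuild_from_du(fake_du(SAMPLE_DSML))):
        print("auxiliary class %s (%s) inherits from %s" % finding)
```
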

All replies

  • Could you let us know what is in the system's event log?

    Paul Loonen (Avanade) | MCM: Directory 2008 | MVP: ILM
    Wednesday, January 27, 2010 11:18 AM
  • It seems that no error has been thrown to the system's event log nor to the application event log.

    The only thing we got was an "Identity Manager" error box with the "80230910" error code written in it and an OK button.
    Wednesday, January 27, 2010 12:06 PM
  • A couple things come to mind.

    If you have your ADAM instance named in a way that is close enough to an actual AD instance and they are all on 389, unpredictable things happen.  Usually ADAM installs on port 50000 or 50001 for this reason, so I would verify that you don't have any AD/ADAM conflicts hanging around and make sure that your IP/DNS/port configurations for everything on both servers are as expected.

    After that, I would create a new MA, with no attribute flows and no extension DLL and see if that one can connect to the ADAM instance.  It is possible to break an MA rather thoroughly and with strange results if an MA is configured improperly. 

    Let me know how that works out,
    Aaron Sankey, Avanade
    Wednesday, January 27, 2010 5:42 PM
  • Jean-François,

    are you able to connect to the ADAM instance with LDAP client tools (like ldp.exe or ADAM adsiedit)?
    Are you able to explore the LDAP structure?

    Kind regards,
    Peter
    Peter Geelen - Sr. Consultant IDA (http://www.traxion.com)
    Wednesday, January 27, 2010 7:34 PM
  • JF,

    Did you change the schema or did you add an auxiliary class to ADAM that inherits from any class other than the top class?

    Kind regards,
    Peter


    Peter Geelen - Sr. Consultant IDA (http://www.traxion.com)
    Wednesday, January 27, 2010 7:59 PM
  • Hi Peter,

    thanks for your inputs and your time.

    There is no problem with other tools to access the ADAM instance.

    We ran a decompilation of the message box and the process that leads to this error, and by reverse engineering we succeeded in tracking the error to some schema error as described on the Chinese / Japanese page, where you may also have found some information regarding your second question.

    We notified client to check the schema because he extended the schema...

    Stay tuned.

    JF
    Thursday, January 28, 2010 3:28 PM
  • Thanks a lot, FUJIE san, for these precisions.
    Friday, January 29, 2010 9:38 AM
  • Hi Guys,

    FUJIE san and Peter were right. The client confirms some badly declared class in the schema of his ADAM instance.

    Thanks a lot for the input.

    JF
    Monday, February 1, 2010 9:15 AM