Error: Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: The DN must be set before calling CSEntry.CommitNewConnector RRS feed

  • Question

  • Hi,

    I have managed to add a new attribute in the existing SyncRule (users provisioned to AD). When I tried to run the FullImport and FullSync or DeltaSync options for FIMService MA, I am getting the below error

    Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: The DN must be set before calling CSEntry.CommitNewConnector

    The new attribute which is added in the SyncRule was,

    FIM Attribute => AD

    JobTitle => Title

    can anyone help?


    Thursday, February 25, 2016 5:32 AM

All replies

  • In the same Sync rule do you have a DN mapping out to AD that is a Initial flow only?  If so, then run a full import by itself. Then run a full sync. The run profiles that combine an import and a sync in a single step are deprecated.


    Jeff Ingalls

    Thursday, February 25, 2016 7:29 PM
  • Hi Jeff,

    I can't find any DN mapping out to AD in that SyncRule. Do I need to create a new one for DN? If so, how do I do the mapping from FIM Attribute to AD? What is the impact?

    However in our design documentation, there is a DN mapping in the 'Import Attribute Flow' section of this Rule.Are they meant by 'Inbound Attribute Flow' section or something else? IF so, I can't find any dn mapping in the 'Inbound Attribute Flow' also.

    Where else I can check this 'dn' mapping?


    Friday, February 26, 2016 5:33 AM
  • Let's take a step back.  My understanding is you want to provision a user account that is created in the FIM Portal out to Active Directory. Is that correct?

    To do this, we need to have an AD outbound sync rule.  The sync rule is outbound because the data will be flowing out from the Metaverse to the AD connector space.

    In the AD outbound sync rule, you should have an attribute flow that is initial outbound only for dn:

    Source should be something like this: 

    Source --> Destination

    "CN=" + employeeID + ",OU=CorpUsers,DC=contoso,DC=com"    ---> dn

    Initial outbound only is checked to tell the sync rule to only do it upon provisioning.

    See also this article:


    Jeff Ingalls

    Friday, February 26, 2016 5:34 PM
  • Hi Jeff,

    After setting up the 'dn' as initial flow in the Outbound Attribute Flow of 'Users are provisioned to Active Directory' sync rule, I ran the Full Import and then Full Sync for FimService MA.

    I have got 2 different kind of error in Full Sync after the end of FimService MA.

    Error1: extension-dll-exception

    Microsoft.MetadirectoryServices.FunctionEvaluationException: Error encountered during evaluation of Sync Rule: 'Users are provisioned to Active Directory'. Details: Object reference not set to an instance of an object.
       at Microsoft.MetadirectoryServices.FunctionLibrary.AttributeFlowMappingHandler.ExecuteOutboundTransformation(CSEntry csentry, MVEntry mventry, String strSyncRuleGuid, String xmlExpression, String workflowParameterTypes, String workflowParameterValues)

    Error2:  sync-rule-flow-provisioning-failed

    Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: An object with DN "CN=..............." already exists in management agent "Active Directory".

    Please advise what to and where to check and fix this error.


    Sunday, February 28, 2016 10:48 PM
  • Error 2 is saying you've already provisioned the object with the same DN out to AD. Error 1 looks like you still have a mapping problem, possibly with displayName as Peter Stapf pointed out in a different thread that you are on.  Go through the article below as it has, step by step, all the attribute mappings you need. The articles were created so that you can learn and understand the product:


    Jeff Ingalls

    Monday, February 29, 2016 4:21 PM