ADLDS Single User Fails to Sync from Active Directory

  • Question

  • I'm not sure where exactly to post this question so I'm starting here.

    I have a multi-forest ADLDS setup to support Jabber. Scheduled tasks to sync all forests have been working flawlessly for months. A new user was added a week or so ago and now the sync logs show this:

    Ldap error occured. ldap_add_sWC: Constraint Violation. 
    
    Extended Info: 000021C8: AtrErr: DSID-03200BE8, #1:
    	0: 000021C8: DSID-03200BE8, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90290 (userPrincipalName)

    Based on info found from other posts I've verified there is no extra white space or characters in any of the AD attributes of the problem user. There is also no duplicate userPrincipalName.

    If I move the problem user to an OU outside of the base DN the sync completes perfectly.

    I'm at a loss as to why this user is throwing an error. I can find nothing unusual in any of the account's attributes. Any help appreciated.

    Tuesday, August 25, 2020 3:55 PM

Answers

  • I resolved this problem by using LDP to search and find the entry holding the duplicate userPrincipalName and then used PowerShell to delete the entry. A subsequent sync of the AD LDS server completed with no error.

    LDP Query: (&(userPrincipalName=accountname@contoso.com))

    Provided this CN: 

    CN=0b8495fd-1d73-4b57-b4ce-a4e9da71addd,OU=User Accounts,DC=forest1,DC=multiforest1

    In PowerShell I used this command to confirm:

    Get-ADObject -Filter {userPrincipalName -eq "accountname@contoso.com"} -SearchBase "DC=forest1,DC=multiforest1" -Server "ServerName:389"

    Next I ran the same line again but piped the result into | Remove-ADObject

    Get-ADObject -Filter {userPrincipalName -eq "accountname@contoso.com"} -SearchBase "DC=forest1,DC=multiforest1" -Server "ServerName:389" | Remove-ADObject

    I confirmed the entry was gone using the LDP query and then did a full sync.

    I hope this helps somebody sometime.

    • Marked as answer by Thunderpup Wednesday, August 26, 2020 4:45 PM
    Wednesday, August 26, 2020 4:45 PM
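The accepted answer pipes every match for the UPN straight into Remove-ADObject, which only works safely because the correct user never made it into AD LDS (the sync had failed). The script below is an added example, not the poster's code: it audits the whole AD LDS partition for colliding userPrincipalName values first, lists each colliding object with its creation time, and leaves the removal as a deliberate per-object step. The server name and partition DN are taken from the post; the parameter names and the optional single-UPN check are assumptions of this example.

```powershell
# Added example (not from the original post): find every duplicate userPrincipalName
# in an AD LDS partition before deleting anything.
# Assumptions: the ActiveDirectory module is installed, "ServerName:389" and
# "DC=forest1,DC=multiforest1" are the instance and partition named in the post,
# and the caller has read rights on that partition.
param(
    [string]$Server     = 'ServerName:389',              # AD LDS instance (from the post)
    [string]$SearchBase = 'DC=forest1,DC=multiforest1',  # application partition (from the post)
    [string]$Upn        = $null                          # optional: audit one UPN only
)

Import-Module ActiveDirectory

# Every object carrying a UPN, or only the one requested.
$filter = if ($Upn) { "(userPrincipalName=$Upn)" } else { '(userPrincipalName=*)' }

$objects = Get-ADObject -LDAPFilter $filter `
    -SearchBase $SearchBase -SearchScope Subtree -Server $Server `
    -Properties userPrincipalName, objectClass, whenCreated, whenChanged

# Group case-insensitively: the directory treats UPNs as case-insensitive, so
# "User@contoso.com" and "user@contoso.com" collide as well.
$dupes = $objects |
    Group-Object { $_.userPrincipalName.ToLowerInvariant() } |
    Where-Object { $_.Count -gt 1 }

if (-not $dupes) {
    Write-Host "No duplicate userPrincipalName values under $SearchBase"
    return
}

foreach ($g in $dupes) {
    Write-Host "`nDuplicate UPN: $($g.Name) ($($g.Count) objects)"
    $g.Group |
        Sort-Object whenCreated |
        Format-Table DistinguishedName, objectClass, whenCreated, whenChanged -AutoSize
}

# Removal stays a separate, explicit step: pick the DN you have confirmed is the stale
# copy and run it with -WhatIf first. Piping all matches into Remove-ADObject would also
# delete the legitimate entry if both copies already exist in AD LDS.
# Remove-ADObject -Identity 'CN=<stale-object-dn>' -Server $Server -WhatIf
```

Run it with no arguments to audit the whole partition, or with -Upn accountname@contoso.com to reproduce the single-UPN check from the post. The -Server host:port form is the same one the poster used to point the ActiveDirectory cmdlets at an AD LDS instance rather than a domain controller.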

All replies

  • Event viewer is reporting a duplicate userPrincipalName in the ADLDS log. So far, I've not been able to find it. Searching via LDAP is not my strong suit. Hopefully will have this resolved soon.
    Wednesday, August 26, 2020 2:21 PM