Synchro Error - Group An Object with DN Already Exists in Management Agent

  • Question

  • Hello, 

    I have this error when I try a synchro in FIM MA:

    An object DN  with DN already exists in Management Agent AD. 

    The object was imported by the AD connector but I don't find the DRE related to the object in the Metaverse. It's weird?

    Any idea?

    Thanks

    Thursday, June 12, 2014 9:36 AM

Answers

  • Agreed with Sylvain. Create a join rule that would identify the same group on both sides (Metaverse and AD MA) and then run Delta Import -> Full Synchronization on the AD MA agent. (Delta should also work, but as you have changed the agent's configuration, you should do FS at least once :) )

    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    • Marked as answer by gentelman Thursday, June 12, 2014 3:03 PM
    Thursday, June 12, 2014 9:59 AM
  • Hello,

    Is the group in the AD CS still connected to an object in the metaverse?

    Generally, this error appears when you try to create an object in a CS but another object exists with the same anchor (DN for AD). You need to join the group from AD to the Metaverse object (if it's not present, disable the provisioning by SR and run Full/Delta Synchro on the FIM MA).

    Regards,


    Sylvain


    • Edited by Sylvain.c Thursday, June 12, 2014 11:01 AM
    • Marked as answer by gentelman Thursday, June 12, 2014 3:03 PM
    Thursday, June 12, 2014 9:47 AM

All replies

  • Thanks, the join rule was OK; it is a data problem and incoherence.

    Thanks.

    Thursday, June 12, 2014 1:10 PM
  • Hi all,

    This thread is long done, but I didn't see any threads that dealt with an explanation for this error in my case.

    I received the same error, but mine was a bit of a unique case; I'd like to document it here to save anyone else massive headaches...

    My data source (a Mongo database) is basically all strings and JSON data, so from its internal perspective, there are no "references" or hard links to other objects within the database regarding how people relate to each other (manager reference, member of a group, etc.). It's all just "string data".

    In the FIM MA setup for this data source, I defined the schema such that the fields within my data source are references from FIM's point of view.  So when it sees "managerId" in my data source, it knows that it's a reference to another worker in FIM.  This way everything's kept in sync and FIM can make sense of it.

    I started receiving this issue, the "DN already exists" error, for some objects that FIM wanted to provision into my data source. I searched my database but these DNs certainly did not exist, so I was confused.

    The problem was that the DN existed in *other parts* of my Mongo database, referencing the "new" DN as a current member of a group, or the displayed owner of a group.  From FIM's perspective, there's already something in the data source referencing this DN it was about to create.

    The "DN already exists" can mean that you have dangling references in your data source pointing at this DN that FIM's supposed to provision.  FIM doesn't want to add your new user/group to your data source if there are already other references to it.  That could cause all sorts of issues, maybe too much access, it's not really the right person, etc.  So FIM just refuses to do it.

    In my case this meant looking at my Connector Space within FIM, and finding all the "placeholder" objects (I had about 30 that built up over time). I then searched my data source and removed any "references" to the DNs that FIM considered placeholders. I removed the DN from any "member", "managerId", "displayedOwnerId" etc.

    Once I cleared those out of my database, I was good to go.

    The background on why this even happened was that I wasn't flowing nulls from the sync engine to my data source. So when a user didn't exist anymore in FIM, FIM wouldn't bother going into my data source to blow that reference out because it wasn't allowed to send nulls. So references to these DNs started stacking up. And since everything's a string from Mongo's perspective (in my case) - Mongo was never complaining about referential integrity and dangling references.

    Hope this helps someone!

    Matt
    • Edited by m_a_tt Wednesday, March 22, 2017 8:52 PM grammar
    Wednesday, March 22, 2017 4:44 PM
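
An added example, not part of the posts above and not FIM or project code: a plain JavaScript scan for the dangling references the last reply describes, run over constructed documents, that also builds the cleanup updates without executing them. The `dn` field name, the sample DNs and the case-insensitive matching are assumptions; the reference field names are the ones the reply mentions.

```javascript
// Reference attributes named in the post; adjust to the MA schema in use.
const REFERENCE_FIELDS = ["member", "managerId", "displayedOwnerId"];

// Constructed sample documents standing in for the data source.
const sampleDocs = [
  { dn: "uid=alice", managerId: "uid=bob" },
  { dn: "uid=bob", managerId: null },
  { dn: "cn=finance", member: ["uid=alice", "uid=carol"], displayedOwnerId: "uid=dave" },
  { dn: "cn=ops", member: ["uid=bob", "UID=Carol "], displayedOwnerId: "uid=bob" },
];

// Assumption: DNs match case-insensitively once surrounding whitespace is trimmed.
const normalizeDn = (dn) => String(dn).trim().toLowerCase();

// Map each referenced-but-missing DN to the places that still point at it.
function findDanglingReferences(docs, refFields = REFERENCE_FIELDS) {
  const existing = new Set(
    docs.filter((d) => typeof d.dn === "string").map((d) => normalizeDn(d.dn)));
  const dangling = new Map();
  for (const doc of docs) {
    for (const field of refFields) {
      const raw = doc[field];
      if (raw === undefined || raw === null) continue;
      const inArray = Array.isArray(raw);
      for (const stored of inArray ? raw : [raw]) {
        if (typeof stored !== "string" || stored.trim() === "") continue;
        const key = normalizeDn(stored);
        if (existing.has(key)) continue;
        if (!dangling.has(key)) dangling.set(key, []);
        dangling.get(key).push({ holder: doc.dn, field, stored, inArray });
      }
    }
  }
  return dangling;
}

// References that would collide with a DN about to be provisioned.
function blockersFor(docs, newDn) {
  return findDanglingReferences(docs).get(normalizeDn(newDn)) || [];
}

// Build (not run) the updates that clear them, using the exact stored value.
function cleanupPlan(docs, staleDn) {
  return blockersFor(docs, staleDn).map(({ holder, field, stored, inArray }) => ({
    filter: { dn: holder },
    update: inArray ? { $pull: { [field]: stored } } : { $unset: { [field]: "" } },
  }));
}
```

Running the scan on a schedule, and reviewing the plan before applying it, catches leftover memberships and ownerships before a reused DN inherits them.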