Understanding the root cause of duplicate-object errors

  • Question

  • I'm putting together one management agent in a web of intricate identity management for a current project - mostly my part deals with synchronizing between a custom application and AD users / OUs.

    I'm running into duplicate-object errors when doing confirming imports, and I haven't been able to find any clear answers to some of my most basic questions. Without knowing more, I'm basically pushing buttons in the hope that magically I will be blessed with an error-less run. So! Here are a few questions.

    1 - When you get a duplicate-object error, is that error because the object is duplicated in the connector space or the metaverse?

    2 - If it is, in fact, duplicated in the metaverse (which is the only one that seems to make sense) why does a Full Import (Stage Only) (which I believe only imports to the connector space, and does not send the records to the metaverse) throw duplicate-object errors, and not a sync?

    3 - For the really general case of wanting to import objects to the connector space in an additive fashion (i.e., add new records where they did not exist, update the attributes of ones that do exist, delete ones that no longer exist) - I'm simply setting the record's ObjectModificationType as 'Add' and all the attribute changes (including the anchor) as 'Add.'

    Is that correct? I'm having no issues with one record type using the same set of change types, but the other is giving me fits. Both are joined on existing metaverse objects created by other management agents, but I've deleted those metaverse objects, attempted to import, and still had no success. 

    Yes - there are other custom management agents involved, and provisioning rules etc - but turning them all off, disabling provisioning, deleting the metaverse, etc - has no bearing on the end result. 

    Friday, February 1, 2013 8:33 PM

Answers

  • Gadloaf,

    Errors during import: you need to look at MA level.

    When you get a duplicate-error during import, it might indicate that there is an issue with your anchor definition on the management agent.
    The anchor on the MA is used to define the object uniquely.
    It can be one or a combination of more attributes.

    The anchor definition on the MA is not always the same as the unique key in the target platform.

    Instead of just pushing buttons, it might be more useful to get a better look at the situation first.
    Please describe the technical setup a bit more.
    Which MA do you get these duplicate-errors on?
    What is the error message in detail?
    How did you define the anchor? What is the unique key in the target platform?

    Kind regards,
    Peter


    Peter Geelen (Microsoft Belgium) - Premier Field Engineer Security & Identity

    Monday, February 4, 2013 8:37 AM
    Moderator
  • Gadloaf,

    Additionally, if you need more insights in FIM error codes, check here:

    Management Agent Run Error Codes
    http://technet.microsoft.com/en-us/library/jj590332(v=ws.10).aspx 

    "<error-type> of <ma-object-error>" Contains a description of the discovery error
    http://msdn.microsoft.com/en-us/library/windows/desktop/ms695993(v=vs.100).aspx

    "duplicate-object

    Returned on full imports by either a file management agent or a database management agent. It indicates that an object with the same anchor was already reported to the synchronization engine during this run."

    You can also check:

    Dealing with OpenLDAP XMA 1.1: Avoiding duplicate-object errors and bad csentry object type
    http://blogs.technet.com/b/juanand/archive/2009/04/30/dealing-with-openldap-xma-1-1-avoiding-duplicate-object-errors-and-bad-csentry-object-type.aspx

    We will need more details to help you out.
    Kind regards,
    Peter


    Peter Geelen (Microsoft Belgium) - Premier Field Engineer Security & Identity

    Monday, February 4, 2013 8:49 AM
    Moderator

All replies

  • Hi Peter,

    Thanks for your response. 

    This is a custom Management Agent - where the target platform is essentially a web application that stores users / groups in a MySQL database. The tables that define a user and a group (one for each) have a primary key constraint on an incremental integer ID field. I've mapped some of the fields of this database to the connector-space objects. The records of the database are not directly exposed - I call a REST interface for CRUD operations on them.

    So for the 'group' object type, this is the connector schema definition:

    SchemaType group = SchemaType.Create(GroupType.ObjectName, false);
    group.Attributes.Add(SchemaAttribute.CreateAnchorAttribute(GroupType.GroupID, AttributeType.Integer, AttributeOperation.ImportExport));
    group.Attributes.Add(SchemaAttribute.CreateSingleValuedAttribute(GroupType.Enabled, AttributeType.Boolean));
    group.Attributes.Add(SchemaAttribute.CreateSingleValuedAttribute(GroupType.GroupName, AttributeType.String));

    where 'GroupType' is just a container object for fixed strings.

    GroupID is marked as the anchor attribute (it's a single value anchor) and it is mapped to the primary key in the database of the target:

    groupid int(10) unsigned primary key

    As you may know, the duplicate-object error offers very little information besides a DN. It does not specify whether this DN is the original object or the duplicate, nor does it point to what the record is a duplicate of.

    I log the records of the objects I'm importing, and there are no duplicate group IDs within a single import. I can import just 1 object and get a duplicate-object error, as well. Even after deleting the connector space. Thus my confusion.



    Monday, February 4, 2013 2:40 PM
  • Out of curiosity, do any of your Group and User objects have the same primary key value, e.g., user.id = 1, and in a separate table, group.id = 1?  I've never tried this scenario, but it's certainly plausible that FIM doesn't implicitly consider object type to be part of the anchor.  I'd probably wager that FIM wouldn't accept it, much as it wouldn't accept two equivalent LDAP DNs with different object types, without waiting around to find out the objectClass.

    Steve Kradel, Zetetic LLC SMS OTP for FIM | Salesforce MA for FIM

    Monday, February 4, 2013 8:19 PM
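
A pre-import check along the lines of Steve's question, as an added example that is not part of the original thread or of FIM itself: it flags every staged record whose anchor value was already seen in the same run and reports both records, marking collisions that cross object types. `StagedEntry`, `Collision` and `AnchorAudit` are hypothetical names, the sample records are constructed, and whether the synchronization engine ignores object type when comparing anchors remains the thread's untested hypothesis.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical stand-in for one record the MA is about to report on import.
public sealed record StagedEntry(string ObjectType, string Anchor, string Dn);

// Pairs the record seen first with the later record that repeats its anchor.
public sealed record Collision(StagedEntry First, StagedEntry Duplicate, bool CrossType);

public static class AnchorAudit
{
    // Applies the documented condition "an object with the same anchor was already
    // reported during this run", keyed on the anchor value alone (assumption:
    // object type is deliberately ignored so cross-type clashes are visible too).
    public static List<Collision> FindCollisions(IEnumerable<StagedEntry> run)
    {
        var seen = new Dictionary<string, StagedEntry>(StringComparer.Ordinal);
        var collisions = new List<Collision>();
        foreach (var entry in run)
        {
            if (seen.TryGetValue(entry.Anchor, out var first))
                collisions.Add(new Collision(first, entry, first.ObjectType != entry.ObjectType));
            else
                seen[entry.Anchor] = entry;
        }
        return collisions;
    }

    public static void Main()
    {
        // Constructed sample: user 1 and group 1 share an integer key, as two
        // auto-increment tables would produce; group 7 is reported twice.
        var run = new[]
        {
            new StagedEntry("user",  "1", "user-1"),
            new StagedEntry("user",  "2", "user-2"),
            new StagedEntry("group", "1", "group-1"),
            new StagedEntry("group", "7", "group-7"),
            new StagedEntry("group", "7", "group-7"),
        };
        foreach (var c in FindCollisions(run))
            Console.WriteLine($"anchor {c.Duplicate.Anchor}: {c.Duplicate.ObjectType}/{c.Duplicate.Dn} " +
                $"repeats {c.First.ObjectType}/{c.First.Dn} ({(c.CrossType ? "cross-type" : "same type")})");
    }
}
```

Feeding it the records already being logged per import shows which pair of records shares an anchor, which the duplicate-object error itself does not report.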