FIM User not being provisioned to AD

  • General discussion

  • Hi,

    I am importing users from an Oracle data source and exporting them to AD. It gives me the validation error "Required Attribute CN is missing". When I search for the connectors in FIM for the users, I see the following information. Please suggest.

    Two objects for the ADMA and one disconnected

    Please suggest


    Thanks & Regards~ Deepak Arora

    Tuesday, November 13, 2012 8:23 PM

All replies

  • Can you show us a screenshot of the Export in Progress tab for the pending AD Export?

    My first guess would be that you are trying to set the CN value to something different than what has been specified in your DN.


    MCTS: Forefront Identity Manager 2010, Configuring

    Wednesday, November 14, 2012 3:01 AM
  • The screenshot shows a preview during synchronization; if the object is not yet exported, the behavior is expected (the sync deleted an object and provisions a new object).

    Are you setting the CN value explicitly? What happens during 'export'?


    Need realtime FIM synchronization and advanced reporting? Check out the new http://www.imsequencer.com that supports FIM 2010, Omada Identity Manager, SQL, File, AD or PowerShell real-time synchronization!

    Wednesday, November 14, 2012 8:13 AM
  • Please find below the requested screenshot

    


    Thanks & Regards~ Deepak Arora

    Wednesday, November 14, 2012 3:57 PM
  • You should post the configuration of your "Active Directory User Synchronization Rule".
    In particular, the outbound flow configuration.

    Cheers,
    Markus


    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation

    Wednesday, November 14, 2012 6:00 PM
  • Hi,

    Does your MA account have appropriate permissions on the organizational unit where you try to create an account?

    Do you try to set the unicodePwd attribute? If so, does the password match the AD password policy?

    Wednesday, November 14, 2012 10:33 PM
  • On Wed, 14 Nov 2012 22:33:52 +0000, Pavel Lipanov wrote:

    > Does your MA account have appropriate permissions on the organizational unit where you try to create an account?
    >
    > Do you try to set the unicodePwd attribute? If so, does the password match the AD password policy?

    If the problem were any of the ones you suggest, the error would not be that the object is missing the CN attribute.


    Paul Adare
    MVP - Forefront Identity Manager
    http://www.identit.ca
    My girlfriend always laughs during sex - no matter what she's reading.
    - Steve Jobs (Founder: Apple Computers)

    Wednesday, November 14, 2012 10:39 PM
  • Yes, the account has permissions and users were being provisioned. It was all working fine for the last month; I don't know what has happened to it in the last 2 days. We have not made any change to the configuration, still... :(

    Thanks & Regards~ Deepak Arora


    Wednesday, November 14, 2012 11:02 PM
  • The error 'Required Attribute CN is missing' can be misleading. What is the actual export error (also shown on the export error tab) for this object? This can often happen when an object is meant to be de-provisioned but encounters a different error keeping this from happening.
    Thursday, November 15, 2012 4:33 AM

  • Thanks & Regards~ Deepak Arora

    Thursday, November 15, 2012 3:35 PM
  • Paul Wijntjes, I am setting the value of DN in the sync rule manually.

    Thanks & Regards~ Deepak Arora

    Thursday, November 15, 2012 3:51 PM
  • DeepakArora, have you looked into the Application event log on the server? Is this error applicable to all new accounts which are synchronizing or to those two only?

    Paul Adare, I had the same error recently twice. The error message is misleading. In my cases the resolutions were: appropriate rights on the AD OU (to all descendant objects) and a correct unicodePwd.

    Friday, November 16, 2012 7:59 AM
  • In your preview the DN value is 'deleted' as the final version; this cannot be correct.


    Friday, November 16, 2012 9:05 AM
  • Yes, Pavel Lipanov, I do have the rights on the OU, and it is the case with every new account that is being created...

    Thanks & Regards~ Deepak Arora

    Friday, November 16, 2012 9:41 AM