ADAMSync Aging

  • Question

  • I set up ADAMSync a few months back for a company to sync user accounts from 3 AD forests/8 domains into an LDS database as userProxy objects.  However, I have now discovered that when users are deleted in AD, they are not being removed from LDS.

    From reading I understand I need to configure aging in the ADAM XML config on my LDS server.

       <aging>
         <frequency>0</frequency>
         <num-objects>0</num-objects>
       </aging>

    What is the frequency?  Is this minutes, hours, days?

    I understand num-objects as the number of objects to be run each aging run.  For example if it is set to 100, only 100 objects will be aged, then the next 100 will be aged on the second run etc.

    I have approximately 5500 users synced to this LDS database; what is a good value for num-objects?

    Is there any documentation for this?

    Kind Regards,


    Clint Boessen MVP - Exchange Server, MCSE, MCITPx4, Dip Network Engineering
    Perth, Western Australia

    Blog: http://clintboessen.blogspot.com/

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, July 29, 2011 6:25 AM

All replies

  • Hi Clint,

    I have not tried to set up that big a system, so I have no best practice.

    But you can see the ADAMSync Configuration File reference at this link; this will explain some of your questions:

    http://technet.microsoft.com/en-us/library/cc783683(WS.10).aspx

    BR

    Rene

    Friday, July 29, 2011 8:06 AM
  • Hi,

     

    I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

     

    Regards,

     

    Arthur Li

    Forum Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    tnmff@microsoft.com.


    Tuesday, August 2, 2011 8:36 AM
  • Thank you for your response Guys.  I have configured aging as follows:

      <schedule>
        <aging>
          <frequency>1</frequency>
          <num-objects>0</num-objects>
        </aging>
        <schtasks-cmd></schtasks-cmd>
      </schedule>

    I'm assuming a num-objects of 0 means all objects.

    When I run a full sync against my instance with adamsync /fs localhost:10001 "dc=myadampartition,dc=adam" it syncs correctly; however, at the end of my log file I receive:

    Beginning aging run.


    Processing target entry <guid=d87207831b442347aa26ca0df20999e0>
    20110615043212.0Z was when we last saw CN=MyUser,OU=Divisional Contacts,OU=Contacts,DC=domain,DC=wan.

    Ldap error occured. ldap_get_next_page_s: Referral.

    Extended Info: 0000202B: RefErr: DSID-031006E0, data 0, 1 access points
        ref 1: 'gc._msdcs.WAN:3268'
    .

    Ldap error occured. ldap_get_next_page_s: Referral.

    Extended Info: 0000202B: RefErr: DSID-031006E0, data 0, 1 access points
        ref 1: 'gc._msdcs.WAN:3268'

     

    ADAMSync is working - just not cleaning up.  What I'm trying to achieve is that if an object gets deleted in Active Directory, it also gets deleted in the ADAM directory.


    Clint Boessen MVP - Exchange Server, MCSE, MCITPx4, Dip Network Engineering
    Perth, Western Australia

    Blog: http://clintboessen.blogspot.com/

    Friday, August 5, 2011 2:07 AM
  • Maybe adamsync queries for deleted objects, and needs permissions for that?  

     

    Change visibility in the directory...or lack there of (aka "what's the point of aging?")

    http://blogs.technet.com/b/efleis/archive/2006/10/28/change-visibility-in-the-directory-or-lack-there-of-aka-what-s-the-point-of-aging.aspx

     

    http://social.technet.microsoft.com/Forums/en-AU/winserverDS/thread/4e8f33d4-8f37-4f5b-88a8-aa693879342e

    What is the OS in question and version of ADAM/LDS you are using?

    Note that we don’t support merging multiple source domains into a single target LDS NC.

    Explanation:

    Frequency: http://technet.microsoft.com/en-us/library/cc737713(WS.10).aspx

    Num-objects: http://technet.microsoft.com/en-us/library/cc778153(WS.10).aspx (not a very good explanation )

    Let me know if this helps.

     


    Sumesh P - Microsoft Online Community Support
    Monday, August 8, 2011 5:06 PM
  • Hey Guys,

    I understand the concept of Aging now; I documented this on my blog to hopefully make it clearer.

    http://clintboessen.blogspot.com/2011/08/adamsync-aging.html

    I am still having issues with Aging however.  Below is my directory services topology, a description of the issue and what I have tried already to resolve it.  Hopefully you can help!

    Configuration overview:

    • My LDS Server is a member of subdomain.forest3.lan
    • My LDS Server has multiple instances "LDS Databases" for each Active Directory domain.  These instances are listening on 10001, 10002, 10003, 10004 etc...  There is a 1 to 1 relationship between a single domain and its corresponding LDS instance.
    • Each LDS Instance has only one application partition with the same distinguishedName mapping an Active Directory domain.  For example dc=forest2,dc=lan or dc=bu2,dc=forest1,dc=lan.
    • My ADAMSync configuration in each instance replicates the user class objects from Active Directory to "userProxy" class objects in each LDS Instance.  Objects are successfully replicating.
    • userProxy bind redirection is working successfully for all LDS Instances and the corresponding Active Directory domain (excluding forest4.lan due to no domain trusts existing).
    • There are no synchronization errors.  I have validated that all attributes declared in my adamsync.xml file are successfully synchronizing to the corresponding userProxy object in LDS for each user account.
    • ADAMSync is successfully creating the same Organisational Unit structure matching that of LDS.
    • The base distinguishedName of each LDS instance matches the base distinguishedName of the Active Directory domain.
    • All child domains in forest1 synchronise using an ldapquery account located in the parent forest1.lan domain.  This is configured in the XML file <source-ad-account>ldapquery</source-ad-account> and <account-domain>forest1.lan</account-domain>.
    • forest2.lan synchronises using an account in forest2.lan
    • forest3.lan synchronises using an account in subdomain.forest3.lan.  No user accounts reside in the root domain forest3.lan.  This is configured as an "empty root domain".
    • forest4.lan synchronises using an account located in forest4.lan

    The following Active Directory accounts were setup to make this solution work:

    • subdomain.forest3.lan\LDSSVC.  This account is only a member of "domain users" in subdomain.forest3.lan.  This account has "Log on as service" rights assigned under "user rights assignments" on the LDS Server.  This account provides the security context under which LDS Instance runs as a service.  i.e. all LDS Services run as this account!
    • subdomain.forest3.lan\LDSBoss.  This account is only a member of "domain users" in subdomain.forest3.lan.  During the installation of each LDS Instance using the "Active Directory Lightweight Directory Services Setup Wizard" this account was specified as the Administrator of each instance.  This account has no access to the LDS Server itself, i.e. the account does not even have permissions to log in to the LDS Server.  It only has "Administrative privileges" inside each LDS Instance.  All commands which manipulate LDAP data inside an LDS Instance, such as ADAMSync, must be run under the security context of this LDSBoss account.
    • forest1.lan\ldapquery.  This account is a member of "Domain Admins" and "Enterprise Admins" in the forest1.lan root domain.  It is specified in the ADAMSync.xml file for each child domain in the forest1.lan forest.  This account is used to perform LDAP queries against the forest1.lan forest.  If this account is not a Domain Admin or Enterprise Admin, ADAMSync fails to run.
    • forest2.lan\ldapquery.  This account is a member of "Domain Admins" in the forest2.lan domain.  This is specified in the ADAMSync.xml file for the forest2.lan forest.  It is used for LDAP queries against forest2.lan
    • subdomain.forest3.lan\ldapquery.  This account is a member of "Domain Admins" in the subdomain.forest3.lan domain.  This is specified in the ADAMSync.xml file for the subdomain.forest3.lan forest.  It is used for LDAP queries against subdomain.forest3.lan
    • forest4.lan\ldapquery.  This account is a member of "Domain Admins" in the forest4.lan domain.  This is specified in the ADAMSync.xml file for the forest4.lan forest.  It is used for LDAP queries against forest4.lan

    Problem overview:

    I have configured Aging as follows for each instance:

    <schedule>
      <aging>
        <frequency>1</frequency>
        <num-objects>0</num-objects>
      </aging>
      <schtasks-cmd></schtasks-cmd>
    </schedule>

    From my reading, the configuration above means aging is enabled and will attempt to synchronise "all objects" every time ADAMSync is run.

    Currently Aging is working for subdomain.forest3.lan.  This is the only domain it is working for.  All other domains return this error in the ADAMSync Log:

    Beginning aging run.

    Processing target entry <guid=d87207831b442347aa26ca0df20999e0>
    20110615043212.0Z was when we last saw CN=User1,OU=Divisional Contacts,OU=Contacts,DC=bu1,DC=forest1,DC=lan.
    Ldap error occured. ldap_get_next_page_s: Referral.
    Extended Info: 0000202B: RefErr: DSID-031006E0, data 0, 1 access points
     ref 1: 'gc._msdcs.forest1.lan:3268'
    .
    Ldap error occured. ldap_get_next_page_s: Referral.
    Extended Info: 0000202B: RefErr: DSID-031006E0, data 0, 1 access points
     ref 1: 'gc._msdcs.forest1.lan:3268'
    .
    Saving Configuration File on DC=bu1,DC=forest1,DC=lan
    Saved configuration file.

    My Diagnostics:

    I focused on the subdomain.forest3.lan as this was the only LDS Instance where synchronisation was working correctly.  What is different about the subdomain.forest3.lan domain which may contribute to Aging working successfully?

    • The LDS Server is a member of subdomain.forest3.lan.  This makes it unique.
    • The ADAMSync.exe process is run under the security context of subdomain.forest3.lan\LDSBoss for performing synchronisation for all LDS Instances.  This is because the LDSBoss account is the only account with administrative permissions inside each LDS Instance.
    • The LDS Instances themselves are running under the security context of an account residing in the subdomain.forest3.lan domain called LDSSVC.

    I thought to myself, why don't I try running the ADAMSync process for a domain such as bu1.forest1.lan using an account within bu1.forest1.lan?  To do this I would need to ensure a user account within bu1.forest1.lan has "administrative permissions" inside bu1.forest1.lan's corresponding LDS Instance.  I noticed that the "Active Directory Lightweight Directory Services Setup Wizard" added the LDSBoss account to the Administrators group under the roles container on the configuration partition of each instance created.  The Administrators group from the configuration partition was then nested in the application partition containing the userProxy objects which reflect the corresponding Active Directory user objects under each instance.

    I went and added an account from bu1.forest1.lan to the Administrators role group in the configuration partition for the corresponding LDS Instance created to reflect the bu1.forest1.lan domain.  When attempting to run ADAMSync, ADAMSync crashed.

    Error occured fetching internationalized message number -2146893813. Error code: 317

     

    I then attempted to add a user account from subdomain.forest3.lan to the Administrators role group in the configuration partition for the LDS Instance corresponding to the domain bu1.forest1.lan.  This account was called subdomain.forest3.lan\boessenc_admin.  This "should work" as it is the exact same configuration as the LDSBoss account right?

     

    Here I added the subdomain.forest3.lan\boessenc_admin to the Administrators group in the Configuration Partition of my LDS Instance containing the application partition for bu1.forest1.lan:

     

     

    When I run ADAMSync under the security context of LDSBoss, the account I installed the LDS Instance with, the Sync works as expected.  I verified in the instance's application partition that the content synced successfully.  If I sync under another account, I also get the following error:

     

    Error occured fetching internationalized message number -2146893813. Error code: 317

     

     

    Problem signature:
      Problem Event Name: APPCRASH
      Application Name: adamsync.exe
      Application Version: 6.1.7600.16385
      Application Timestamp: 4a5bc94c
      Fault Module Name: ntdll.dll
      Fault Module Version: 6.1.7600.16695
      Fault Module Timestamp: 4cc7b325
      Exception Code: c0000005
      Exception Offset: 0000000000023b12
      OS Version: 6.1.7600.2.0.0.272.7
      Locale ID: 3081
      Additional Information 1: dba5
      Additional Information 2: dba5cead4302f0c0fa066ea618a55f8f
      Additional Information 3: f135
      Additional Information 4: f135fc65c6fa056fecabbbdf82720b5f

    Specifying LDSBoss in the installation wizard must have done something else other than just adding the user account to the Administrators group in the configuration partition.

    I verified I could login to the LDS Instance using subdomain.forest3.lan\boessenc_admin and manipulate objects demonstrating "Administrative Access".

    Is anyone able to assist me?  I have synchronisation working correctly!  All I want is "if a user gets deleted in AD, it also gets removed from the LDS Instance".  There is no documentation on the Internet around this!


    Clint Boessen MVP - Exchange Server, MCSE, MCITPx4, Dip Network Engineering
    Perth, Western Australia

    Blog: http://clintboessen.blogspot.com/

    Thursday, September 8, 2011 5:04 AM
  • Hi Guys,

    I have a resolution for why ADAMSync.exe crashed above.  I documented this on my blog... please see:

    http://clintboessen.blogspot.com/2011/09/adamsync-error-2146893813-error-code.html

    Having this fixed I tried to run ADAMSync.exe under the credentials of another account in another domain.  No success, same error around the Aging:

    Beginning aging run.

    Processing target entry <guid=d87207831b442347aa26ca0df20999e0>
    20110615043212.0Z was when we last saw CN=User1,OU=Divisional Contacts,OU=Contacts,DC=bu1,DC=forest1,DC=lan.
    Ldap error occured. ldap_get_next_page_s: Referral.
    Extended Info: 0000202B: RefErr: DSID-031006E0, data 0, 1 access points
     ref 1: 'gc._msdcs.forest1.lan:3268'
    .
    Ldap error occured. ldap_get_next_page_s: Referral.
    Extended Info: 0000202B: RefErr: DSID-031006E0, data 0, 1 access points
     ref 1: 'gc._msdcs.forest1.lan:3268'
    .
    Saving Configuration File on DC=bu1,DC=forest1,DC=lan
    Saved configuration file.

    Should I find a resolution here I will share my findings with you.

    Kind Regards,


    Clint Boessen MVP - Exchange Server, MCSE, MCITPx4, Dip Network Engineering
    Perth, Western Australia

    Blog: http://clintboessen.blogspot.com/

    Thursday, September 15, 2011 5:23 AM
  • Hi Clint,

    Aging in ADAMSync had a number of problems in WS03, some of which were fixed, but I generally recommend that customers do not use aging. Blog posts that are still around from that time need to be treated with caution.

    To get a deletion in AD to delete in AD LDS via ADAMSync does not generally require aging. By default in WS03 SP1 and later, a standard authenticated user account should be able to see deletes without any special permissions if you are running ADAMSync in security-mode "object".

    A common problem that breaks sync of deletes is having a filter in your XML file that references an attribute that is not preserved on delete; this has become less of a problem as later versions of AD DS preserve more attributes. What do you have in your filter?

    Moving an AD user to another OU where the ADAMSync account does not have permission to see the OU that the user has been moved to is a case where aging would be required in principle; it may be that in a trust scenario the visibility of deleted objects does not cross the trust, I have not checked recently. Within your configuration, if aging is not configured in AD LDS and you make a deletion in the joined domain (subdomain.forest3.lan), do you see a sync of the deletion (I know you do if you have aging configured, as you reported)?

    Thanks

     Lee Flight

     

    Friday, September 16, 2011 8:30 AM
  • Hi!

    I've the same issue as Clint.

    Processing target entry <guid=8749e8c2940cd342bd954c711056730a>
    20130419121726.0Z was when we last saw CN=Gorbatova Zhanna,OU=Отдел организации и ведения расчетов,OU=Департамент карточного процессинга и взаиморасчетов,OU=!QIPS,OU=Departments,OU=Users,OU=RIC,DC=lds,DC=giwi,DC=dom.
    Ldap error occured. ldap_get_next_page_s: Referral. 
    Extended Info: 0000202B: RefErr: DSID-031007EF, data 0, 1 access points
    	ref 1: 'gc._msdcs.giwi.local:3268'
    .
    Ldap error occured. ldap_get_next_page_s: Referral. 
    Extended Info: 0000202B: RefErr: DSID-031007EF, data 0, 1 access points
    	ref 1: 'gc._msdcs.giwi.local:3268'


    In our environment we use LDS to authenticate users (we use the proxyusersfull class) from 3 local domains, included in 2 forests, in front of a third-party web application.

    We sync the OUs of 3 different domains from 3 accounting domains by LDAP filter in the XML config into one LDS app partition. Only one app partition is our goal, because the web app can use only one search DN. We use EntAdmin for sync. The attributes we sync with LDS you can see in the first XML config:

    <?xml version="1.0"?>
    <doc>
      <configuration>
        <!-- Sync File Description -->
        <description>USRP ADAMSync Configuration</description>
        <security-mode>object</security-mode>
        <!-- source-ad-name = fqdn of the domain controller -->
        <source-ad-name>usrp.giwi.local</source-ad-name>
        <!-- source-ad-partition = root AD domain partition -->
        <source-ad-partition>dc=usrp,dc=giwi,dc=local</source-ad-partition>
        <!-- source-ad-account = use this to specify an account to connect to AD -->
        <!-- if not used, the current user will be used -->
        <source-ad-account>Administrator</source-ad-account>
        <account-domain>giwi.local</account-domain>
        <!-- target-dn = target ADAM OU -->
        <target-dn>dc=lds,dc=giwi,dc=dom</target-dn>
        <query>
          <!-- base-dn = should be the root AD partition if you want all users -->
          <base-dn>dc=usrp,dc=giwi,dc=local</base-dn>
          <!-- object-filter = standard ldap query format, this will grab all users -->
          <!-- need to review results to see if you should modify this filter -->
          <object-filter>(&amp;(|(userAccountControl=512)(userAccountControl=544)(userAccountControl=66048)(userAccountControl=262656))(memberOf=CN=USRP-Mango-Users,OU=Groups,OU=USRP,DC=usrp,DC=giwi,DC=local)(mail=*))</object-filter>
          <attributes>
            <!-- include=userproxy requires objectSID to link back to the AD account -->
            <include>objectSID</include>
            <include>sAMAccountName</include>
            <include>mail</include>
            <include>department</include>
            <include>telephoneNumber</include>
            <include>mobile</include>
            <include>manager</include>
            <include>title</include>
            <include>givenName</include>
            <include>sn</include>
            <include>cn</include>
            <include>description</include>
            <include>company</include>
            <include>department</include>
            <include>homePhone</include>
            <include>facsimileTelephoneNumber</include>
            <include>physicalDeliveryOfficeName</include>
            <include>memberOf</include>
            <include>userPrincipalName</include>
            <include>objectGuid</include>
            <include>objectClass</include>
            <include>usnChanged</include>
            <include>usNCreated</include>
            <include>whenChanged</include>
            <include>whenCreated</include>
          </attributes>
        </query>
        <!-- map for user-to-userproxy object types -->
        <user-proxy>
          <source-object-class>user</source-object-class>
          <target-object-class>userProxyFull</target-object-class>
        </user-proxy>
        <schedule>
          <aging>
            <frequency>1</frequency>
            <num-objects>0</num-objects>
          </aging>
          <schtasks-cmd></schtasks-cmd>
        </schedule>
      </configuration>
      <synchronizer-state>
        <dirsync-cookie></dirsync-cookie>
        <status></status>
        <authoritative-adam-instance></authoritative-adam-instance>
        <configuration-file-guid></configuration-file-guid>
        <last-sync-attempt-time></last-sync-attempt-time>
        <last-sync-success-time></last-sync-success-time>
        <last-sync-error-time></last-sync-error-time>
        <last-sync-error-string></last-sync-error-string>
        <consecutive-sync-failures></consecutive-sync-failures>
        <user-credentials></user-credentials>
        <runs-since-last-object-update></runs-since-last-object-update>
        <runs-since-last-full-sync></runs-since-last-full-sync>
      </synchronizer-state>
    </doc>

    Second:

    <?xml version="1.0"?>
    <doc>
      <configuration>
        <!-- Sync File Description -->
        <description>RIC ADAMSync Configuration</description>
        <security-mode>object</security-mode>
        <!-- source-ad-name = fqdn of the domain controller -->
        <source-ad-name>ric.giwi.local</source-ad-name>
        <!-- source-ad-partition = root AD domain partition -->
        <source-ad-partition>dc=ric,dc=giwi,dc=local</source-ad-partition>
        <!-- source-ad-account = use this to specify an account to connect to AD -->
        <!-- if not used, the current user will be used -->
        <source-ad-account>Administrator</source-ad-account>
        <account-domain>giwi.local</account-domain>
        <!-- target-dn = target ADAM OU -->
        <target-dn>dc=lds,dc=giwi,dc=dom</target-dn>
        <query>
          <!-- base-dn = should be the root AD partition if you want all users -->
          <base-dn>dc=ric,dc=giwi,dc=local</base-dn>
          <!-- object-filter = standard ldap query format, this will grab all users -->
          <!-- need to review results to see if you should modify this filter -->
          <object-filter>(&amp;(|(userAccountControl=512)(userAccountControl=544)(userAccountControl=66048)(userAccountControl=262656))(memberOf=CN=RIC-Mango-Users,OU=Groups,OU=RIC,DC=ric,DC=giwi,DC=local)(mail=*))</object-filter>
          <attributes>
            <!-- include=userproxy requires objectSID to link back to the AD account -->
            <include>objectSID</include>
            <include>sAMAccountName</include>
            <include>mail</include>
            <include>department</include>
            <include>telephoneNumber</include>
            <include>mobile</include>
            <include>manager</include>
            <include>title</include>
            <include>givenName</include>
            <include>sn</include>
            <include>cn</include>
            <include>description</include>
            <include>company</include>
            <include>department</include>
            <include>homePhone</include>
            <include>facsimileTelephoneNumber</include>
            <include>physicalDeliveryOfficeName</include>
            <include>memberOf</include>
            <include>userPrincipalName</include>
            <include>objectGuid</include>
            <include>objectClass</include>
            <include>usnChanged</include>
            <include>usNCreated</include>
            <include>whenChanged</include>
            <include>whenCreated</include>
          </attributes>
        </query>
        <!-- map for user-to-userproxy object types -->
        <user-proxy>
          <source-object-class>user</source-object-class>
          <target-object-class>userProxyFull</target-object-class>
        </user-proxy>
        <schedule>
          <aging>
            <frequency>1</frequency>
            <num-objects>0</num-objects>
          </aging>
          <schtasks-cmd></schtasks-cmd>
        </schedule>
      </configuration>
      <synchronizer-state>
        <dirsync-cookie></dirsync-cookie>
        <status></status>
        <authoritative-adam-instance></authoritative-adam-instance>
        <configuration-file-guid></configuration-file-guid>
        <last-sync-attempt-time></last-sync-attempt-time>
        <last-sync-success-time></last-sync-success-time>
        <last-sync-error-time></last-sync-error-time>
        <last-sync-error-string></last-sync-error-string>
        <consecutive-sync-failures></consecutive-sync-failures>
        <user-credentials></user-credentials>
        <runs-since-last-object-update></runs-since-last-object-update>
        <runs-since-last-full-sync></runs-since-last-full-sync>
      </synchronizer-state>
    </doc>

    So, our LDS structure looks like:

    DC=lds,DC=giwi,DC=dom

    ----OU=RIC,DC=lds,DC=giwi,DC=dom

    ----OU=USRP,DC=lds,DC=giwi,DC=dom

    When we were configuring LDS we used Clint's blog as a reference, so we have solved many errors that he explained there. Thanks Clint, for that!

    But one error we can't solve, so help is appreciated.

    Our only LDS instance is based on a dedicated Windows Server 2012; all other domains/forests are promoted to Win2008R2 levels.

    Friday, April 19, 2013 2:21 PM
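As an added example (not code from this thread, from ADAMSync or from Microsoft), the PowerShell script below runs the two checks behind Lee Flight's reply against the kind of config posted in the last reply: it reads the attribute names used in the object-filter and reports, from the source forest's schema, which of them are not preserved on delete (searchFlags bit 0x8) or are back-links such as memberOf, and then queries the source domain for deleted users with the show-deleted control as the current account, so a Referral result shows up the same way it does in the ADAMSync log. It assumes a placeholder config path, that $SourceDc is the DC from source-ad-name, and that it is run as the source-ad-account user.

```powershell
# Added example (not from the thread, ADAMSync or Microsoft): the two checks behind
# Lee Flight's advice, run against the SOURCE AD domain as the account ADAMSync binds with.
# Assumptions: $SourceDc is the DC named in <source-ad-name>; $ConfigPath (placeholder path)
# is the adamsync XML whose <object-filter> is tested; the script runs as <source-ad-account>.
param(
    [string]$SourceDc   = 'usrp.giwi.local',           # DC from the config posted in the thread
    [string]$ConfigPath = 'C:\adamsync\usrp-sync.xml'  # placeholder, set to your config file
)
Add-Type -AssemblyName System.DirectoryServices.Protocols
$PreserveOnDelete = 0x8   # searchFlags bit fPRESERVEONDELETE: attribute survives on the tombstone

# --- Check 1: does <object-filter> name attributes that a tombstone will not carry? ---------
[xml]$cfg  = Get-Content -Raw -Path $ConfigPath
$filter    = $cfg.doc.configuration.query.'object-filter'
$attrNames = [regex]::Matches($filter, '\(([A-Za-z][A-Za-z0-9-]*)[=<>~]') |
             ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique

$rootDse   = [ADSI]"LDAP://$SourceDc/RootDSE"
$schemaNc  = $rootDse.Properties['schemaNamingContext'][0]
$defaultNc = $rootDse.Properties['defaultNamingContext'][0]
$searcher  = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$SourceDc/$schemaNc")
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('searchFlags', 'linkID'))

foreach ($name in $attrNames) {
    $searcher.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))"
    $hit = $searcher.FindOne()
    if (-not $hit) { Write-Warning "$name : not found in the schema"; continue }
    $flags = [int]$hit.Properties['searchflags'][0]
    if ($hit.Properties.Contains('linkid') -and ([int]$hit.Properties['linkid'][0] % 2 -eq 1)) {
        # Odd linkID = back-link (e.g. memberOf): computed from the group objects, never stored on the user
        Write-Warning "$name : back-link attribute, never present on a deleted object"
    } elseif (($flags -band $PreserveOnDelete) -eq 0) {
        Write-Warning "$name : searchFlags=$flags, not preserved on delete; the filter cannot match deleted users"
    } else {
        Write-Output "$name : preserved on delete (searchFlags=$flags)"
    }
}

# --- Check 2: can this account see deleted users without hitting a referral? --------------
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($SourceDc)
$conn.SessionOptions.ReferralChasing = [System.DirectoryServices.Protocols.ReferralChasingOptions]::None
$req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $defaultNc, '(&(isDeleted=TRUE)(objectClass=user))',
            [System.DirectoryServices.Protocols.SearchScope]::Subtree,
            [string[]]@('sAMAccountName', 'objectSid', 'lastKnownParent'))
[void]$req.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl))
$req.SizeLimit = 5    # a sample is enough; SizeLimitExceeded below only means more than 5 matched

$resp = $null
try   { $resp = $conn.SendRequest($req) }
catch [System.DirectoryServices.Protocols.DirectoryOperationException] { $resp = $_.Exception.Response }
if (-not $resp) { throw "no response from $SourceDc" }
# ResultCode Referral is the same condition ADAMSync logs as 'ldap_get_next_page_s: Referral':
# the bind account (or the trust it comes through) cannot read deleted objects in this domain.
Write-Output ("Deleted-object search as {0}\{1}: result={2}, users returned={3}, continuation refs={4}" -f
    $env:USERDOMAIN, $env:USERNAME, $resp.ResultCode, $resp.Entries.Count, $resp.References.Count)
foreach ($e in $resp.Entries) { Write-Output ("  {0}" -f $e.DistinguishedName) }
```

Run it once per source domain as the account named in that domain's config; any attribute flagged by the first check, or a non-Success result from the second, explains deletes not reaching LDS without aging being involved.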