Objects from Active Directory Are Ignored When Running the Active Directory Management Agent (272768)

SYMPTOMS

After you import all of the objects from the Active Directory, certain organizational units, users, groups, or other directory objects are missing. When you set the logging level to 3, and run the affected Active Directory Management Agent (MA), the following information is recorded in the Operator's log:

DBG_03 091c 00/08/31 18:56:08.290 (AD-MA_dataFlowFromAdToMd) Object ignored
= CN=NCFour84,OU=test2,DC=mmstest,DC=com
DBG_03 091c 00/08/31 18:56:08.291 (AD-MA_dataFlowFromAdToMd) Object ignored
= CN=NCFour85,OU=test2,DC=mmstest,DC=com
DBG_03 091c 00/08/31 18:56:08.292 (AD-MA_dataFlowFromAdToMd) Object ignored
= CN=NCFour86,OU=test2,DC=mmstest,DC=com

CAUSE

All of the objects that are ignored have the proxiedObjectName attribute assigned. There is an attribute on the MA called msMMS-AdMaObjectImportExclusionAttrs that has a value of proxiedObjectName. The MA ignores any object that contains this attribute, and that is located in the Active Directory from which the MA is configured to take. The affected objects are not imported into Microsoft Metadirectory Services (MMS).

Every object that has been moved from one domain to another has a proxiedObjectName attribute because this problem occurs when you move an object from one Windows 2000 domain to another by using a program such as the MoveTree utility, Active Directory Migration tool (ADMT), or Visual Basic, Scripting Edition (VBScript).

RESOLUTION

To resolve this issue, follow these steps.

Step 1: Search for the Attribute, and Verify Its Existence and Value

Run the Ldp.exe tool.
On the Connections menu, click Connect.
In the Server box, type MMS Server Name.
In the Port box, type 389.

The Lightweight Directory Access Protocol (LDAP) port may be set to a different number. Be sure to check the Compass Client logon configuration.
On the Connections menu, click Bind.
In the User box, type MMS_application_machine_name@MMS_server_name.
In the Password box, type Administrator password.
Click to clear the Domain check box.
On the View menu, click Tree, and then expand the tree to view:
DsaName=Server,ou=Applications,ou=test,dc=us,dc=microsoft,dc=com
In the Ldp.exe tool, right-click an MA, and then click Search.
Click Options, and be sure the options are set as follows:
Attributes: msMMS-AdMaObjectImportExclusionAttrs
Set: Base Dn: MA DN
Filter: (objectclass=*)
Scope: Base
Click Run. You should see the following attribute and value on the resulting text:
msMMS-AdMaObjectImportExclusionAttrs: proxiedObjectName

Step 2: Add the "msMMS-AdMaObjectImportExclusionAttrs" Attribute

Right-click an MA, and then click Modify.

Note that base DN is populated with the correct Management Agent Distinguished Name (DN).
In the Edit Entry Attribute box, type msMMS-AdMaObjectImportExclusionAttrs.
In the Edit Entry Values box, type dummy

Assign a value that will never exist, or set a null value. Deleting the attribute will generate the error listed at the end of this article.
For Operation, click Replace.
Click Enter, and then click Run.

Step 3: Confirm the Success of the Update

In Ldp.exe, right-click an MA, and then click Search.
Click Options, and be sure that the options are set as follows:
Attributes: msMMS-AdMaObjectImportExclusionAttrs
Set: Base Dn: MA DN
Filter: (objectclass=*)
Scope: Base
Click Run.

The following errors will be generated after you run the Management Agent if you have deleted the msMMS-AdMaObjectImportExclusionAttrs attribute:

WRN_04 0660 00/09/02 13:25:44.007 (AD-MA_readMultiValAttrIntoSet) Couldn't get attr 'msMMS-AdMaObjectImportExclusionAttrs' on record [ma=AD1,DsaName=dirsynchex3,ou=MMS,dc=icl,dc=com] : 26003 - PLUGAPI_RC_ATTRIBUTE_NOT_PRESENT
ERR_02 0660 00/09/02 13:25:44.008 (AD-MA_dataFlowFromAdToMd) Couldn't get list of object exclusion attributes (msMMS-AdMaObjectImportExclusionAttrs) : 26003 - PLUGAPI_RC_ATTRIBUTE_NOT_PRESENT