MMS 2.2 Secondary Attribute Flow Can Set the TTL Value to 0 (303182)



The information in this article applies to:

  • Microsoft Metadirectory Services 2.2
  • Microsoft Metadirectory Services 2.2 SP1

This article was previously published under Q303182

SYMPTOMS

After you run the Active Directory management agent (MA) by using the Microsoft Metadirectory Services (MMS) 2.2 Secondary Attribute Flow script, disconnected objects may be deleted in Active Directory even though you have configured the following attribute on Active Directory MA:

msMMS-TimeToLive = -1

However, when you view all attributes on the connector entries, the following attribute value exists:

msMMS-TimeToLive = 0

For additional information about the msMMS-TimeToLive attribute, click the article number below to view the article in the Microsoft Knowledge Base:

299392 Understanding the MsMMS-TimeToLive Attribute

CAUSE

This issue occurs because setting an individual connector object Time-to-Live (TTL) value overrides the global MA value. This individual connector value could have been inadvertently set by using the MMS 2.2 Active Directory MA Secondary Flow script. The MMS 2.2 Secondary Flow script writes the msMMS-TimeToLive = 0 attribute if the following conditions exist for an object:
  • The object has the msMMS-ManagedByProfile attribute set to True.
  • The Connector Space creatorName attribute is not equal to the Metaverse creatorsName attribute. This occurs if you join a Connector Space entry to an existing Metaverse entry.
  • The $mv.msMMS-managedByMA attribute is not equal to the MA under which the object is being placed. This can occur if you incorrectly set this string value or the value does not exist. In either case, a contact object is created in Active Directory instead of a user object.
The following code sample from the MMS 2.2 Secondary Attribute Flow script sets the $cs.msMMS-TimeToLive attribute on individual connector objects as described above:
if $exists ("$cs.msMMS-ManagedByProfile") = TRUE
  then
    if $cs.creatorsName ! $mv.creatorsName
      then
        if $exist($multi_valued("$MA()", $mv.msMMS-managedByMA)) ! TRUE
          then
            # This is an Interforest Replica Entry, thus set the time
            # to live to 0 on these entries
            $cs.msMMS-TimeToLive = 0
            $v_interforestReplicaEntry = TRUE
          else
            $v_interforestReplicaEntry = $NULL
        endif
    endif
endif

NOTE: When you upgrade to MMS 2.2 Service Pack 1 (SP1), the existing MA templates and scripts are not upgraded. However, any newly created MAs use the new templates and scripts because the DSGates folder templates are overwritten during the upgrade process. This behavior is by design to avoid overwriting custom code in existing MAs.
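To check which connector-space entries the three conditions above would stamp, here is an added Python model (not code from this article or from MMS) of those conditions and of the per-object override of the MA-wide TTL; the entry dictionaries, DNs, metaverse links and MA names are constructed sample data.

```python
# Added example, not from the KB article: models the three conditions under
# which the MMS 2.2 Secondary Attribute Flow stamps msMMS-TimeToLive = 0 on a
# connector-space (CS) entry, and the per-object override of the MA-wide TTL.
def is_interforest_replica_entry(cs, mv, current_ma):
    """Mirror the nested ifs of the Secondary Attribute Flow script."""
    # 1. $exists("$cs.msMMS-ManagedByProfile") = TRUE
    if not cs.get("msMMS-ManagedByProfile"):
        return False
    # 2. $cs.creatorsName ! $mv.creatorsName (CS joined to an existing MV entry)
    if cs.get("creatorsName") == mv.get("creatorsName"):
        return False
    # 3. current MA absent from multi-valued $mv.msMMS-managedByMA (or attribute missing)
    managed_by = mv.get("msMMS-managedByMA") or []
    if isinstance(managed_by, str):   # value was set as a single (possibly wrong) string
        managed_by = [managed_by]
    return current_ma not in managed_by

def apply_secondary_flow(cs, mv, current_ma):
    """Return a copy of cs with the TTL stamped the way the script would."""
    out = dict(cs)
    if is_interforest_replica_entry(cs, mv, current_ma):
        out["msMMS-TimeToLive"] = 0
    return out

def effective_ttl(cs, ma_global_ttl):
    """A TTL on the individual connector object overrides the MA-wide value."""
    return cs.get("msMMS-TimeToLive", ma_global_ttl)

def at_risk_entries(entries, metaverse, current_ma, ma_global_ttl=-1):
    """DNs whose objects would be deleted at once if disconnected, despite MA TTL -1."""
    risky = []
    for cs in entries:
        stamped = apply_secondary_flow(cs, metaverse[cs["mvLink"]], current_ma)
        if effective_ttl(stamped, ma_global_ttl) == 0:
            risky.append(cs["dn"])
    return risky

# Constructed sample data: clean join, wrong MA string, missing attribute, no profile flag
METAVERSE = {
    "mv1": {"creatorsName": "ADMA", "msMMS-managedByMA": ["ADMA"]},
    "mv2": {"creatorsName": "HRMA", "msMMS-managedByMA": ["HRMA"]},
    "mv3": {"creatorsName": "HRMA"},
}
CONNECTORS = [
    {"dn": "cn=alice,ou=New Users", "mvLink": "mv1", "creatorsName": "ADMA", "msMMS-ManagedByProfile": True},
    {"dn": "cn=bob,ou=New Users", "mvLink": "mv2", "creatorsName": "ADMA", "msMMS-ManagedByProfile": True},
    {"dn": "cn=carol,ou=New Users", "mvLink": "mv3", "creatorsName": "ADMA", "msMMS-ManagedByProfile": True},
    {"dn": "cn=dave,ou=New Users", "mvLink": "mv2", "creatorsName": "ADMA", "msMMS-ManagedByProfile": False},
]
```

Running `at_risk_entries(CONNECTORS, METAVERSE, "ADMA")` flags bob (wrong MA string) and carol (attribute missing), the two cases the CAUSE section describes.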

RESOLUTION

Once this attribute is set on a Connector Space object, you must run an attribute flow rule or an external script to remove the attribute. You can resolve this issue by using one of the following methods.

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

Method 1: Configure the Attribute Flow to Remove the Attribute

  1. Click the MA in which you want to set this attribute.
  2. Click Attribute Flow.
  3. Click the Advanced Flow Script tab.
  4. Add code to the script if you need to assign different values to different objects. The following sample code illustrates how to code the Advanced Attribute Flow script to test for this attribute, and if it exists, remove the msMMS-TimeToLive attribute from the object:
    # This condition tests whether the object contains the attribute.
    if $exists ($cs.msMMS-TimeToLive) = TRUE
      then
        # If the condition is met, remove the TTL attribute value.
        $cs.msMMS-TimeToLive = $null
    endif

  5. Click OK to save the changes.

Method 2: Use a Visual Basic Script to Remove the Attribute

If you want to avoid running the MA to make the code change, you can use the following sample Microsoft Visual Basic Scripting Edition script to connect to your MMS server and remove the attribute value. If you use this sample code, you must edit the first five lines of the code to account for your specific MMS server information. You can paste the sample code into a text file, edit the server-specific lines, and then save the file as Ttlremoval.vbs:
'Set FQDN of the server
strServerName = "ServerName"
'LDAP port of the MMS server may not be 389; set as appropriate
strPort = 389
'User name must be in SMTP form, such as user@server.domain.com
strUsername = "MMS UserName"
'Set password
strPassword = "MMS Password"
'Hover over container in Compass client for DN of container under MA
'For example:
strObjectDN = "OU=New Users,NC=microsoft.com,ma=ADMA,DsaName=MMSServer,ou=Application,dc=microsoft,dc=com"

strADsPath = "LDAP://" & strServerName
If strPort = 0 Or strPort = 389 Then
    strADsPath = strADsPath & "/"
Else
    strADsPath = strADsPath & ":" & CStr(strPort) & "/"
End If

strADsPath = strADsPath & strObjectDN
lnAuthType = 0  'Simple bind

'Create Connection and Command objects
Set oNSP = GetObject("LDAP:")
Set oConn = CreateObject("ADODB.Connection")
oConn.Provider = "ADsDSOObject"
oConn.Properties("User ID") = strUsername
oConn.Properties("Password") = strPassword
oConn.Properties("Encrypt Password") = False
oConn.Open "ADs"

'Find every object under the container that carries msMMS-TimeToLive = 0
strQuery = "<" & strADsPath & ">;(&(objectclass=Top)(msMMS-TimeToLive=0));objectclass,ADsPath;subtree"

Set oRS = oConn.Execute(strQuery)
WScript.Echo "Processing ", oRS.RecordCount, " records..."
On Error Resume Next
While Not oRS.EOF
    'Bind to each matching object and clear its msMMS-TimeToLive attribute
    Set oADs = oNSP.OpenDSObject(oRS.Fields("ADsPath").Value, strUsername, strPassword, lnAuthType)
    'We can use either IADsPropertyValue or IADsPropertyValue2
    'Only IADsPropertyValue is a coClass
    lnPropType = 3 ' ADSTYPE_CASE_IGNORE_STRING
    Set oPropVal = CreateObject("PropertyValue")
    Set oPropVal2 = oPropVal
    oPropVal2.PutObjectProperty lnPropType, "0"
    Set oPropEntry = CreateObject("PropertyEntry")
    oPropEntry.Values = Array(oPropVal2)
    oPropEntry.Name = "msmms-timetolive"
    oPropEntry.ControlCode = 1 ' ADS_PROPERTY_CLEAR
    oPropEntry.ADsType = lnPropType

    Set oPropList = oADs
    oPropList.PutPropertyItem oPropEntry
    Set oADs = oPropList
    oADs.SetInfo

    'Clean up
    Set oADs = Nothing

    oRS.MoveNext
Wend
oRS.Close
Set oRS = Nothing
oConn.Close
Set oConn = Nothing
Set oNSP = Nothing
WScript.Echo "DONE"


MORE INFORMATION

After you remove the msMMS-TimeToLive value, you should update your SP1 scripts for all of your Active Directory MAs. For additional information about migrating scripts, click the article number below to view the article in the Microsoft Knowledge Base:

303533 Recommended Practices for Upgrading to Microsoft Metadirectory Services 2.2 Service Pack 1


Modification Type: Major
Last Reviewed: 6/17/2005
Keywords:kbenv kbprb KB303182