Deleting Provisioned Object Deletes Source Object (319977)

MORE INFORMATION

This behavior was observed at a site where two forests were synchronizing users as contacts for use by Microsoft Exchange 2000.

Example Scenario

Active Directory reflects an object into the metaverse, and this object is then provisioned into the connector space of another reflector MA. If the administrator deletes the downstream connector space object, the following items are also deleted:

• The metaverse object.
• The Active Directory connector space object.
• The Active Directory connector space object.
• The source object from the Active Directory connected directory.

When an object is provisioned by TAMA, it is marked with the msMMS-ManagedByProfile attribute set to TRUE. This makes it possible for the metaverse to maintain control of the object's creation and deletion. This means that the metaverse becomes the authoritative source, and it "owns" the object.

If TAMA has been mistakenly run against the source MA and has created objects for the target MA, both connector space objects are marked with the msMMS-ManagedByProfile attribute. If an object is deleted from the connector spaces or the metaverse, the associated connected directory objects are also deleted although the intent may have been to only remove a provisioned entry.

If you see this behavior the msMMS-ManagedByProfile attribute must be nulled out for the source MA. You can do so by either reloading all of the source objects into Microsoft Metadirectory Services (MMS), or by setting the attribute to NULL in the Advanced Attribute Flow rules. For example: