ADMA Does Not Re-Create Deleted Objects in Active Directory (321510)



The information in this article applies to:

  • Microsoft Metadirectory Services 2.2
  • Microsoft Metadirectory Services 2.2 SP1

This article was previously published under Q321510

SYMPTOMS

A new object may not be sent as an ADD request to Active Directory when the Active Directory Management Agent (ADMA) runs in delta mode. Although the object previously existed in both Active Directory and MMS, it may have been deleted since that time. Most recently, it has been re-provisioned by using TAMA in the Active Directory connector space, and because of this, is typically sent to Active Directory as an ADD request.

CAUSE

A problem in the Cdir_ad.dll file does not allow the ADD request to proceed if none of the specified attribute flow rules are relevant.

This problem is a result of the processes MMS uses to be as efficient as possible. During the attempt to minimize the number of transactions it sends to Active Directory, MMS examines the transaction logs and tries to combine all separate transactions for a particular Active Directory object into a single request to Active Directory. This process can significantly reduce the bandwidth requirements of the ADMA. However, it is occasionally necessary to force the flow of at least one attribute to successfully re-add the object to Active Directory.

RESOLUTION

To work around this problem, force a "dummy" attribute to always flow for the object classes that are affected by this problem. After you create this attribute flow rule, the construction template will be properly evaluated, and an ADD request will be successfully generated by the ADMA. For example, in the Advanced Attribute flow template of an ADMA, add the following:
  $cd.comment = "My comment"
				
This modification results in the string "My comment" being applied to all objects in Active Directory that are joined to MMS objects in the metaverse on each run on the ADMA.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

Steps to Reproduce the Problem

  1. Create a new ADMA by using the default settings, discover an Active Directory forest by using a full synchronization, and then reset ADMA to delta mode.
  2. Use the Tutorial HD LDIF MA, and then reflect the LDIF contents into the metaverse.
  3. Create a TAMA MA to provision all of the LDIF MA objects into the ADMA connector space.
  4. Run TAMA.
  5. Run the ADMA, and then push all objects out to the AD forest. Verify the results in Active Directory.
  6. Use the Users & Computers snap-in to delete selected user(s) from Active Directory.
  7. Use MMS Compass to delete corresponding Active Directory connector space objects (delete two times to completely remove objects from CS).
  8. Run TAMA to re-provision the missing users into the ADMA CS.
  9. In delta mode, run ADMA.
The missing objects (in the example logs the name is Test User) are not sent out as new. An edited version of the Dslib.log file follows. Note the [del|new] near the end of the log. Apparently the synchronization engine changes its interpretation and never evaluates the construction template, only the attribute flow rules. However, because there are no rules that are relevant to this situation, nothing is sent out to Active Directory.
>>>>>> construction of zcDsiAliasThingConstruction 
02/04/15 12:05:10.803 >> set $v_ncName = [dc,DC=win2kforest,DC=ca]
02/04/15 12:05:10.803 >> set $v_ncRelName = [CN=Test User\0aDEL:28221f95-
09e2-4fe8-b548-a96f6aaebe5f,CN=Deleted Objects,]
02/04/15 12:05:10.813 >> line #10 - unsatisfied condition [=Deleted Objects,
 = CN=Configuration,]
02/04/15 12:05:10.813 >> line #14 - end of condition
02/04/15 12:05:10.813 >> set $v_ncName = [dc.win2kforest.ca]
02/04/15 12:05:10.813 >> set $v_ncName = [dc.win2kforest.ca]
02/04/15 12:05:10.813 >> line #21 - unsatisfied condition [76 = 0]
02/04/15 12:05:10.813 >> set $csp.dn = [CN=Test User\0aDEL:28221f95-09e2-
4fe8-b548-a96f6aaebe5f,CN=Deleted Objects,NC=dc.win2kforest.ca,ma=ADMA 
Win2kforest Tester,DsaName=win2kadvsrv,ou=Applications,dc=dc,dc=win2kforest,
dc=ca]
02/04/15 12:05:10.823 >> line #27 - end of condition
02/04/15 12:05:10.823 >> set $csp.objectClass =  [zcAliasThing].
02/04/15 12:05:10.823 >> set $csp.zcExcludedWantsChildren = [Y]
02/04/15 12:05:10.823 >> set $csp.zcProprietaryTransportMailbox = [CN=Test User\0aDEL:28221f95-09e2-4fe8-b548-a96f6aaebe5f,CN=Deleted Objects,DC=
dc,DC=win2kforest,DC=ca]
02/04/15 12:05:10.823 >> line #48 - satisfied condition [CN=Test User0aDEL:28221f95-0 ! CN=Schema,CN=Configuration,DC=]
02/04/15 12:05:10.823 >> line #51 - unsatisfied condition [76 = 0]
02/04/15 12:05:10.823 >> line #58 - end of condition
02/04/15 12:05:10.823 >> line #59 - end of condition
02/04/15 12:05:10.823 >> line #61 - unsatisfied condition [F = T]
02/04/15 12:05:10.833 >> line #64 - end of condition
02/04/15 12:05:10.833 >>>
02/04/15 12:05:10.833 
>>>>>> construction of zcDsiConstruction 
02/04/15 12:05:10.833 >> line #3 - satisfied condition [ ! zcAliasThing]
02/04/15 12:05:10.833 >> set $mvp.dn = [CN=Test User\0aDEL:28221f95-09e2-
4fe8-b548-a96f6aaebe5f,CN=Deleted Objects,DC=dc,DC=win2kforest,DC=ca]
02/04/15 12:05:10.833 >> line #10 - end of condition
02/04/15 12:05:10.833 >> line #16 - unsatisfied condition [Top,person,organizat
ionalPerson,contact = Top,organizationalUnit]
02/04/15 12:05:10.833 >> line #20 - unsatisfied condition [Top,person,organizat
ionalPerson,contact = Top,builtinDomain]
02/04/15 12:05:10.833 >> line #24 - unsatisfied condition [Top,person,organizat
ionalPerson,contact = Top,Configuration]
02/04/15 12:05:10.833 >> line #28 - unsatisfied condition [Top,person,organizat
ionalPerson,contact = Top,container]
02/04/15 12:05:10.833 >> line #31 - end of condition
02/04/15 12:05:10.833 >> line #32 - end of condition
02/04/15 12:05:10.833 >> line #33 - end of condition
02/04/15 12:05:10.833 >> line #34 - end of condition
02/04/15 12:05:10.843 >> line #106 - unsatisfied condition [Top,person,
organizationalPerson,contact = Top,person,organizationalPerson,user]
02/04/15 12:05:10.843 >> line #119 - satisfied condition [Top,person,organizati
onalPerson,contact = Top,person,organizationalPerson,contact]
02/04/15 12:05:10.843 >> set $mvp.objectClass =  [zcPerson].
02/04/15 12:05:10.843 >> line #227 - end of condition
02/04/15 12:05:10.843 >> line #228 - end of condition
02/04/15 12:05:10.843 >> line #232 - satisfied condition [ ! TRUE]
02/04/15 12:05:10.843 >> apply import function I_MEMBER ("") with [$cd.
member] 
02/04/15 12:05:10.843 >> line #235 - end of condition
02/04/15 12:05:10.843 >>>
02/04/15 12:05:10.843     Exclusion 50 not met [$cd.name] = [Domain Controllers
]
02/04/15 12:05:10.843     Exclusion 51 not met [$cd.name] = [Computers]
02/04/15 12:05:10.843     Exclusion 52 not met [$cd.name] = [Deleted Objects]
02/04/15 12:05:10.853     Exclusion 53 not met [$cd.name] = [ForeignSecurityPri
ncipals]
02/04/15 12:05:10.853     Exclusion 54 not met [$replace("$cd.dn", "CN=
System,DC=", "")] ! [$cd.dn]
02/04/15 12:05:10.853     Exclusion 55 not met [$cd.name] = [Extended-Rights]
02/04/15 12:05:10.853     Exclusion 56 not met [$cd.name] = [WellKnown 
Security Principals]
02/04/15 12:05:10.853     Exclusion 57 not met [$replace("$cd.dn", "CN=
DisplaySpecifiers,CN=Configuration,", "")] ! [$cd.dn]
02/04/15 12:05:10.853     Exclusion 58 not met [$replace("$cd.dn", "CN=
Services,CN=Configuration,", "")] ! [$cd.dn]
02/04/15 12:05:10.853     Exclusion 59 not met [$cd.msExchHideFromAddressLists]
 = [TRUE]
02/04/15 12:05:10.853     Exclusion 60 not met [$cd.msMMS-AdMaDomainTrustAccoun
t] = [1]
02/04/15 12:05:10.853 >> set $csp.objectGUID = [binary dump: 951f2228 e209e84f 
b548a96f 6aaebe5f]
02/04/15 12:05:10.863 CS anchor [binary dump: 951f2228 e209e84f b548a96f 
6aaebe5f]
02/04/15 12:05:10.863 
02/04/15 12:05:10.863     DN = CN=Test User\0aDEL:28221f95-09e2-4fe8-b548-
a96f6aaebe5f,CN=Deleted Objects,NC=dc.win2kforest.ca,ma=ADMA Win2kforest 
Tester,DsaName=win2kadvsrv,ou=Applications,dc=dc,dc=win2kforest,dc=ca
02/04/15 12:05:10.863     OC = zcAliasThing,Top
02/04/15 12:05:10.863     zcMAAnchorDN = CN=Test User\0aDEL:28221f95-09e2-
4fe8-b548-a96f6aaebe5f,CN=Deleted Objects,NC=dc.win2kforest.ca,ma=ADMA 
Win2kforest Tester,DsaName=win2kadvsrv,ou=Applications,dc=dc,dc=win2kforest,
dc=ca
02/04/15 12:05:10.863     objectGUID = binary dump: 951f2228 e209e84f b548a96f 
6aaebe5f
02/04/15 12:05:10.863     structuralObjectClass = zcAliasThing
02/04/15 12:05:10.863     zcProprietaryTransportMailbox = CN=Test User0aDEL:28221f95-09e2-4fe8-b548-a96f6aaebe5f,CN=Deleted Objects,DC=dc,DC=
win2kforest,DC=ca
02/04/15 12:05:10.863     zcExcludedWantsChildren = Y
02/04/15 12:05:10.863 1012-DELETION UNNECESSARY[00]: CN=Test User\0aDEL:
28221f95-09e2-4fe8-b548-a96f6aaebe5f,CN=Deleted Objects,NC=dc.win2kforest.
ca,ma=ADMA Win2kforest Tester,DsaName=win2kadvsrv,ou=Applications,dc=dc,
dc=win2kforest,dc=ca
02/04/15 12:05:10.903 
Analysing transaction batch
.
.
.
....
02/04/15 12:05:10.963 TRAN[5364] : Modify [Mon Apr 15 11:02:15 2002] CN=
Test User,ou=Claims,NC=dc.win2kforest.ca,ma=ADMA Win2kforest Tester,DsaName=
win2kadvsrv,ou=Applications,dc=dc,dc=win2kforest,dc=ca
02/04/15 12:05:10.963 TRAN[5365] : Modify [Mon Apr 15 11:02:15 2002] cn=
Test User,ou=Claims,dc=dc,dc=win2kforest,dc=ca
.
.
.
....
02/04/15 12:05:26.385 TRAN[7380] : Modify [Mon Apr 15 11:49:02 2002] CN=
Test User,ou=Claims,NC=dc.win2kforest.ca,ma=ADMA Win2kforest Tester,DsaName=
win2kadvsrv,ou=Applications,dc=dc,dc=win2kforest,dc=ca
02/04/15 12:05:26.395 IRRELEVANT[7381] : Modify [Mon Apr 15 11:49:02 2002]
 cn=Test User,ou=Claims,dc=dc,dc=win2kforest,dc=ca
02/04/15 12:05:26.395 TRAN[7382] : Delete [Mon Apr 15 11:49:08 2002] CN=
Test User,ou=Claims,NC=dc.win2kforest.ca,ma=ADMA Win2kforest Tester,DsaName=
win2kadvsrv,ou=Applications,dc=dc,dc=win2kforest,dc=ca
.
.
.
....
02/04/15 12:05:26.415 TRAN[7388] : Create [Mon Apr 15 11:53:42 2002] CN=
Test User,ou=Claims,NC=dc.win2kforest.ca,ma=ADMA Win2kforest Tester,DsaName=
win2kadvsrv,ou=Applications,dc=dc,dc=win2kforest,dc=ca
02/04/15 12:05:26.415 IRRELEVANT[7389] : Modify [Mon Apr 15 11:53:42 2002]
 cn=Test User,ou=Claims,dc=dc,dc=win2kforest,dc=ca
.
.
.
....
02/04/15 12:05:26.505 0002-[del|new] CN=Test User,ou=Claims,NC=dc.win2kforest.
ca,ma=ADMA Win2kforest Tester,DsaName=win2kadvsrv,ou=Applications,dc=dc,
dc=win2kforest,dc=ca
02/04/15 12:05:26.505 
>>>>>> construction of msMMs-SecondaryAttributeFlowScript 
02/04/15 12:05:26.515 >> line #3 - satisfied condition [F = FALSE]
02/04/15 12:05:26.515 >> set $cd.dn = [CN=Test User,ou=Claims,DC=dc,DC=
win2kforest,DC=ca]
02/04/15 12:05:26.515 >> line #12 - end of condition
02/04/15 12:05:26.515 >> line #16 - unsatisfied condition [T = FALSE]
02/04/15 12:05:26.515 >> line #19 - end of condition
02/04/15 12:05:26.515 >> line #21 - satisfied condition [T = TRUE]
02/04/15 12:05:26.515 >> set $v_dn = [CN=Test User,ou=Claims,DC=dc,DC=
win2kforest,DC=ca]
02/04/15 12:05:26.515 Skip assignment [2.16.128.113533.1.308 = $cd.dn]
02/04/15 12:05:26.515 >> line #29 - end of condition
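
An added example, not part of the original article or of MMS: a small Python parser that rejoins the wrapped Dslib.log lines and lists every connector space object marked [del|new], together with the TRAN operations logged for it, so the objects that need to be verified in Active Directory can be found quickly. The sample log is constructed in the layout shown above; the example.test names and the rule that a record starts only at a timestamp are assumptions.

```python
import re

TS = re.compile(r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\.\d{3}")
TRAN = re.compile(r"\bTRAN\[(\d+)\] : (Modify|Delete|Create) \[[^\]]*\]\s*(.+)")
DEL_NEW = re.compile(r"\d{4}-\[del\|new\] (.+)")

# Constructed sample in the Dslib.log layout shown above, including wrapped lines.
SAMPLE = """\
02/04/15 12:05:26.385 TRAN[7380] : Modify [Mon Apr 15 11:49:02 2002] CN=
Test User,ou=Claims,NC=dc.example.test,ma=ADMA Example
02/04/15 12:05:26.395 IRRELEVANT[7381] : Modify [Mon Apr 15 11:49:02 2002]
 cn=Test User,ou=Claims,dc=dc,dc=example,dc=test
02/04/15 12:05:26.395 TRAN[7382] : Delete [Mon Apr 15 11:49:08 2002] CN=
Test User,ou=Claims,NC=dc.example.test,ma=ADMA Example
....
02/04/15 12:05:26.415 TRAN[7388] : Create [Mon Apr 15 11:53:42 2002] CN=
Test User,ou=Claims,NC=dc.example.test,ma=ADMA Example
02/04/15 12:05:26.420 TRAN[7390] : Modify [Mon Apr 15 11:54:00 2002] CN=
Other User,ou=Claims,NC=dc.example.test,ma=ADMA Example
02/04/15 12:05:26.505 0002-[del|new] CN=Test User,ou=Claims,NC=dc.example.
test,ma=ADMA Example
"""

def records(text):
    """Rejoin wrapped lines: a new record starts only at a timestamp."""
    out = []
    for line in text.splitlines():
        if set(line.strip()) <= {"."}:      # blank lines and "...." elision markers
            continue
        if TS.match(line) or not out:
            out.append(line)
        else:
            out[-1] += line                 # continuation of the previous record
    return out

def del_new_objects(text):
    """Map each DN marked [del|new] to its ordered TRAN operations."""
    history, flagged = {}, {}
    for rec in records(text):
        m = TRAN.search(rec)
        if m:
            history.setdefault(m.group(3).strip().lower(), []).append(m.group(2))
        m = DEL_NEW.search(rec)
        if m:
            dn = m.group(1).strip()
            flagged[dn] = history.get(dn.lower(), [])
    return flagged

if __name__ == "__main__":
    print(del_new_objects(SAMPLE))
```

An object listed with a Delete followed by a Create in its history matches the re-provisioning sequence from the reproduction steps.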
				

Modification Type: Major
Last Reviewed: 5/28/2003
Keywords:kbbug kbenv KB321510