MORE INFORMATION
Active Directory synchronization issues fall into the following categories:
- Active Directory communication and environmental issues and Active Directory object issues that are independent of the Project Server database
- Project Server database issues that relate to Active Directory synchronization
- Active Directory synchronization component work and data flow misunderstandings
- Active Directory synchronization security issues
Active Directory communication and environmental issues and Active Directory object issues that are independent of the Project Server database
The Active Directory synchronization component in Project Server
2003 does the following things, in this order:
- Contacts a global catalog in a specific Active Directory
forest.
- Performs a Lightweight Directory Access Protocol (LDAP)
query by using ActiveX Data Objects (ADO) to search for a specified Active
Directory group or organizational unit (OU).
- Uses Active Directory Service Interfaces (ADSI) to obtain a
reference to the group or to the OU to iterate through the members of the group
or the members of the OU. This includes nested groups and organizational
units.
These issues fall into the following categories:
Issues with contacting the global catalog
- When you synchronize Active Directory to a group across forests, do the following things:
- Use the full Fully Qualified Domain Name (FQDN) to
specify the group. For example, use the following FQDN to specify the group:
groupname@childdomain.rootdomain.com
- Make sure that the target domain in the remote forest
contains a copy of the global catalog for that forest.
- If your domain contains Microsoft Windows NT 4.0 backup
domain controllers (BDCs) and Microsoft Windows Server 2003 domain controllers,
you may be running the Windows Server 2003 Active Directory forest in Interim
Mode. Running the Windows Server 2003 Active Directory forest in Interim Mode
can prevent Project Server from accessing the global catalog.
- When you use either the full FQDN or the domain\username
format to specify a group, make sure that the target domain contains a copy of
the global catalog for your forest.
- Make sure that port 3268 is open between the computer that
is running Project Server 2003 and the domain controller that is hosting a copy
of the global catalog. Port 3268 is used for global catalog communication. If
your global catalog communication is encrypted by using Secure Sockets Layer
(SSL), make sure that port 3269 is open.
- Make sure that the network and security topology is
enabled for communication between Project Server and a domain controller that
is hosting a global catalog. For example, if the computer that is hosting
Project Server is a member of a workgroup, global catalog communication
fails.
Issues with a specific Active Directory group
- If the group that you are trying to synchronize has no
members, you receive a failed synchronization status. This is a known bug. To work around this
issue, make sure that the group that you are trying to synchronize has at least
one member.
- If the incorrect group is being synchronized, you may have
more than one group that matches the LDAP query that is used by Project Server.
To work around this behavior, you can try to use the full FQDN of the group.
Or, you can change the group name to make sure that the group name is unique
across your Active Directory forest.
- When you synchronize a group by selecting the Update Now option, the FetchGroup function in the Project Server 2003 Active Directory synchronization component may not return a group. Additionally, an error message is logged in the Application log. The error message includes the text "FetchGroup:" followed by a numeric value. Although the root cause for this issue has not yet been determined, we believe that this issue is related to Microsoft Windows SharePoint Services and Internet Information Services (IIS) configuration or corruption. You can typically work around this issue by creating a new Web site and then using the EditSite tool to create a new "ProjectServer" virtual directory under the new site.
- If only some of the group members are being returned, you may be experiencing an LDAP policy limitation that is related to multivalue attribute retrieval. In this scenario, the Active Directory group "members" attribute is the multivalue attribute that is affected.
For more information, see the following article in the Microsoft Knowledge Base:
315071 How to view and set LDAP policy in Active Directory by using Ntdsutil.exe
Issues with a specific Active Directory user
- Project Server requires all Active Directory users to have
their displayName property populated. Users who have empty displayName
properties are not synchronized with Project Server.
- References to some users may exist in a group's members attribute even though those users have been deleted from Active Directory. In this situation, you may receive a "partial failure" error message for a specific Active Directory synchronization process. Additionally, the following error message is logged in the event log, where GroupName and sMemberDN stand for the group name and the member's distinguished name:
"Accessing AD group " & GroupName & " failed partially because group member - " & sMemberDN & " can't be resolved by LDAP."
Because the user no longer exists in Active Directory, the error is fairly harmless and can be ignored. Contact your Active Directory administrator to remove the reference to the non-existent user from the group's members attribute.
- Certain special characters in the displayName property for
specific users can cause synchronization failures for those users. The
following characters are replaced for a specific user's Active Directory
displayName property before the displayName property appears in the Project
Server database:
- List separator character
- If the list separator character is a comma, the
comma is replaced by a semicolon.
- If the list separator character is anything other
than a comma, the list separator character is replaced by a comma.
- Brackets
- Brackets are replaced by braces. That is, "[" and
"]" are replaced by "{" and "}" respectively.
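As an added illustration (not code from the article or from Project Server), the following Python model reproduces the member-resolution behaviour described above: it iterates a group's members, recurses into nested groups and OUs, reports stale member references (the "failed partially" case), skips users whose displayName is empty, and applies the displayName replacement rules. The directory contents and the function names are constructed assumptions.

```python
# Added example, not Microsoft code: the directory below is constructed and the
# function names are assumptions for illustration.

# Constructed sample directory: DN -> object. In this simplified model "member"
# lists a group's members or an OU's child objects.
DIRECTORY = {
    "CN=ERP (AD),OU=Groups,DC=contoso,DC=com": {
        "objectClass": "group",
        "member": [
            "CN=John Doe,OU=Users,DC=contoso,DC=com",
            "CN=Nested,OU=Groups,DC=contoso,DC=com",
            "CN=Ghost,OU=Users,DC=contoso,DC=com",  # deleted user, stale reference
        ],
    },
    "CN=Nested,OU=Groups,DC=contoso,DC=com": {
        "objectClass": "group",
        "member": [
            "CN=Jane Roe,OU=Users,DC=contoso,DC=com",
            "CN=No Name,OU=Users,DC=contoso,DC=com",
            "CN=ERP (AD),OU=Groups,DC=contoso,DC=com",  # cycle back to the parent
        ],
    },
    "CN=John Doe,OU=Users,DC=contoso,DC=com": {"objectClass": "user", "displayName": "Doe, John [PM]"},
    "CN=Jane Roe,OU=Users,DC=contoso,DC=com": {"objectClass": "user", "displayName": "Roe; Jane"},
    "CN=No Name,OU=Users,DC=contoso,DC=com": {"objectClass": "user", "displayName": ""},
}

def normalize_display_name(name, list_separator=","):
    """Apply the replacements the article lists before a displayName reaches
    the Project Server database: list separator first, then brackets."""
    if list_separator == ",":
        name = name.replace(",", ";")
    else:
        name = name.replace(list_separator, ",")
    return name.replace("[", "{").replace("]", "}")

def resolve_members(group_dn, directory=DIRECTORY, list_separator=","):
    """Return (users, warnings): users maps member DN -> normalized displayName;
    warnings records unresolvable members and empty displayName values."""
    users, warnings, seen = {}, [], set()

    def walk(dn):
        if dn in seen:  # nested groups can form cycles; visit each DN once
            return
        seen.add(dn)
        for member_dn in directory[dn].get("member", []):
            obj = directory.get(member_dn)
            if obj is None:  # reference to an object that no longer exists
                warnings.append(f"Accessing AD group {dn} failed partially because "
                                f"group member - {member_dn} can't be resolved by LDAP.")
            elif obj["objectClass"] in ("group", "organizationalUnit"):
                walk(member_dn)  # iterate nested group or OU members
            elif not obj.get("displayName"):
                warnings.append(f"{member_dn} not synchronized: displayName is empty")
            else:
                users[member_dn] = normalize_display_name(obj["displayName"], list_separator)

    walk(group_dn)
    return users, warnings
```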
Tools
The following tools are available to troubleshoot these issues:
To obtain the EditSite tool, visit the following Microsoft Web
site:
Project Server database issues that relate to Active Directory synchronization
The Active Directory synchronization component in Project Server
2003 uses the Project Data Service (PDS) to perform the following potential
actions during an Active Directory synchronization process:
- Updating a resource. This includes inactivating a
resource.
- Adding a new resource or a new Project Server
user.
- Adding an existing Project Server user to a Project Server
security group.
- Removing an existing Project Server user from a Project
Server security group.
Depending on the circumstances, one or more of these PDS actions
may fail. To isolate and capture more specific information about these
failures, you can use the Project Server 2003 SetTracing utility. By using the
SetTracing utility, you can obtain the following information from Project
Server:
- The exact PDS commands that are requested by the Active
Directory synchronization component.
- The replies from the PDS. The replies include error status
codes.
Use the SetTracing utility to increase the information capture
sensitivity level to 4 for application event log capture. Run an Active
Directory synchronization process, and then examine the application event log.
Information that appears immediately before error events and warning events
should include PDS request and reply information. The PDS reply information may
contain a numeric non-zero value in the <Status /> node. Use the PDS
error code reference to obtain more information about a specific status code.
To view the PDS error code reference, visit the following Microsoft Web site:
Known issues
- PDS ADD commands may fail if the displayName of a new user or resource
matches that of an existing Project Server user or resource. The Active
Directory displayName property maps to the User name property or to the Resource Name property in Project Server. Project Server requires that these
field values are unique throughout a single Project Server database.
- PDS ADD commands may fail if you have manually added a user to Project
Server but their Windows Account or User Name fields do not match those
properties in Active Directory. The Windows Account or User Name fields must
exactly match the User Name and Resource Name properties in Active Directory.
If they do not exactly match, an error status code of 2028 or 2029 may be
logged in the application event log.
Tools
The following tools are available to troubleshoot these issues:
- Application event log
- PDSTest Harness
- SetTracing
To obtain the SetTracing utility, visit the following Microsoft
Web site:
Active Directory synchronization component work and data flow misunderstandings
The Active Directory synchronization component in Project Server
2003 exhibits specific behavior that may not be intuitive or was not previously
well documented.
These issues fall into the following categories:
Clearing the AD GUID
An AD GUID should be cleared for a specific user when you want
that user to remain active even though they no longer belong to the Active
Directory group that is mapped to the Project Server Enterprise Resource Pool.
Clearing the AD GUID also prevents other Project Server users from being
removed from Project Server security groups if their Active Directory account
has been removed from an Active Directory group or from an OU mapping to a
specific Project Server security group.
Following is an example
Enterprise Resource Pool synchronization scenario that illustrates the use of
the "Clear User AD GUID" feature:
- User "John Doe" is a member of an Active Directory group
that is named "ERP (AD)".
- An administrator synchronizes the Project Server Enterprise
Resource Pool to the Active Directory group "ERP (AD)".
- "John Doe" is removed from "ERP (AD)".
- An administrator again synchronizes the Project Server
Enterprise Resource Pool to the Active Directory group "ERP (AD)".
- If John Doe's AD GUID had been cleared before the second
synchronization, he would not be inactivated.
Important After clearing an AD GUID, the AD GUID is automatically re-inserted into the Project Server database in the following scenarios.
Enterprise Resource Pool Active Directory synchronization process
The AD GUID is automatically re-inserted into the Project Server database if the following conditions are true:
- The related user is not removed from the Active Directory group mapping to the Enterprise Resource Pool.
- A subsequent Active Directory synchronization occurs.
Project Server security group Active Directory synchronization process
The AD GUID is automatically re-inserted into the Project Server database if the following condition is true:
- The Project Server user had gained a new Project Server security group membership through a Project Server security group Active Directory synchronization process.
For Enterprise Resources, the AD GUID is stored in the Project
Server database in the following locations:
- MSP_WEB_RESOURCES.WRES_AD_GUID
- MSP_RESOURCES.RES_AD_GUID
For Project Server users who are not also Enterprise Resources,
the AD GUID is stored in the Project Server database in the following location:
- MSP_WEB_RESOURCES.WRES_AD_GUID
Inactivation or activation of resources
A user is inactivated during an Enterprise Resource Pool Active
Directory synchronization process if the following conditions are true:
- The user already exists in the Enterprise Resource
Pool.
- The user is then removed from the Active Directory group
mapping to the Enterprise Resource Pool.
- A subsequent Enterprise Resource Pool Active Directory
synchronization process occurs.
Users are never reactivated during an Active Directory
synchronization process. Inactivation does not apply to Project Server security
group Active Directory synchronizations.
The active or inactive
status for a specific resource is stored in the Project Server database in the
following locations:
- MSP_WEB_RESOURCES.WRES_IS_ENABLED
- MSP_RESOURCES.RES_RTYPE (0 = active work resource, 1000 =
inactive work resource)
Interruptions to the Active Directory synchronization process
When an Active Directory synchronization process starts, the MSP_WEB_ADMIN_AD.WADMIN_AD_ERESPOOL_UPDATE value is set to 1 for Enterprise Resource Pool synchronizations. The MSP_WEB_ADMIN_AD.WADMIN_AD_GRP_UPDATE value is set to 1 for Project Server security group synchronizations. When the synchronization process has been completed, these values are set back to 0 (zero).
The purpose of these database modifications is to prevent
overlapping synchronization processes. For example, if a scheduled Active
Directory synchronization process starts, you do not want administrators to
also start the same process through Project Web Access because data integrity
could be compromised. When either of the previous values is set to 1, the Update Now option is not available, to prevent overlapping synchronizations.
If, for any reason, an Active Directory synchronization
process is unexpectedly interrupted before it has been completed, the value for
WADMIN_AD_ERESPOOL_UPDATE or the value for WADMIN_AD_GRP_UPDATE may stay at 1.
This prevents subsequent synchronization processes. For example, this can occur
if IIS was reset or if IIS crashed during a synchronization process. To correct
the issue, set the values for those fields back to 0, and then
re-synchronize.
User metadata
The following fields can be updated during an Enterprise Resource
Pool Active Directory synchronization process:
- Resource Name
- Windows User Account
- E-mail Address
- Group
- AD GUID
A match between Active Directory users and Project Server
resources is first tried on the AD GUID and then on the Resource Name field in
Project Server and on the Display Name field in Active Directory. If a match is
made, and if the Active Directory user properties and the Project Server
resource properties are different, an update is tried through the
PDS.
The following table lists the Active Directory fields that map to the Project Server resource fields.
Active Directory Property | Project Resource Property (Enterprise Resource Pool) | Project Server User Property |
Display Name (UserObject.displayName or UserObject.fullName) | Resource Name (MSP_RESOURCES.RES_NAME) | User Name (MSP_WEB_RESOURCES.RES_NAME) |
Windows User Account (domain\sAMAccountName) | Windows User Account (MSP_TEXT_FIELDS.TEXT_FIELD_ID = 205521207) | Windows User Account (MSP_WEB_RESOURCES.WRES_NT_ACCOUNT) |
E-mail Address (UserObject.EmailAddress) | E-mail Address (MSP_TEXT_FIELDS.TEXT_FIELD_ID = 205520931) | E-mail Address (MSP_WEB_RESOURCES.WRES_EMAIL) |
Department (UserObject.Department) | Group (MSP_TEXT_FIELDS.TEXT_FIELD_ID = 205520899) | N/A (no schema allowance) |
AD GUID (UserObject.Guid) | <No UI> (MSP_RESOURCES.RES_AD_GUID) | <No UI> (MSP_WEB_RESOURCES.WRES_AD_GUID) |
Note that metadata updates do not occur for Project Server
users during a Project Server security group Active Directory synchronization
process. There is one exception to this. The AD GUID can be re-inserted during
a Project Server security group Active Directory synchronization process if the
following conditions are true:
- The Project Server user's AD GUID had previously been
cleared.
- The Project Server user had gained a new Project Server
security group membership through a Project Server security group Active
Directory synchronization process.
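As an added illustration (not code from the article or from Project Server), the following Python model applies the matching rule described above to constructed records: match first on AD GUID, then on Resource Name against Display Name; request an update for a match whose mapped properties differ; request an add for an unmatched user; re-insert a cleared AD GUID; and inactivate resources that have left the group while leaving cleared-GUID resources active. The record shapes, sample values and function names are assumptions.

```python
# Added example (not Microsoft code): models the matching rule the article gives for
# Enterprise Resource Pool synchronization. Record shapes and names are assumed.

# Article's field mapping: AD property -> Project Server resource property.
FIELD_MAP = {
    "displayName": "Resource Name",
    "sAMAccountName": "Windows User Account",  # stored here as domain\sAMAccountName
    "EmailAddress": "E-mail Address",
    "Department": "Group",
}

# Constructed AD users as they would be read through ADSI.
AD_USERS = [
    {"Guid": "guid-john", "displayName": "John Doe", "sAMAccountName": "CONTOSO\\jdoe",
     "EmailAddress": "jdoe@contoso.com", "Department": "PMO"},
    {"Guid": "guid-jane", "displayName": "Jane Roe", "sAMAccountName": "CONTOSO\\jroe",
     "EmailAddress": "jroe@contoso.com", "Department": "Dev"},
    {"Guid": "guid-new", "displayName": "New Hire", "sAMAccountName": "CONTOSO\\nhire",
     "EmailAddress": "nhire@contoso.com", "Department": "Dev"},
]

# Constructed Enterprise Resource Pool rows (AD GUID None = cleared; RES_RTYPE 0 = active).
RESOURCES = [
    {"Resource Name": "John Doe", "Windows User Account": "CONTOSO\\jdoe",
     "E-mail Address": "old@contoso.com", "Group": "PMO", "AD GUID": "guid-john", "RES_RTYPE": 0},
    {"Resource Name": "Jane Roe", "Windows User Account": "CONTOSO\\jroe",
     "E-mail Address": "jroe@contoso.com", "Group": "Dev", "AD GUID": None, "RES_RTYPE": 0},
    {"Resource Name": "Gone Person", "Windows User Account": "CONTOSO\\gone",
     "E-mail Address": "gone@contoso.com", "Group": "PMO", "AD GUID": "guid-gone", "RES_RTYPE": 0},
    {"Resource Name": "Kept Person", "Windows User Account": "CONTOSO\\kept",
     "E-mail Address": "kept@contoso.com", "Group": "PMO", "AD GUID": None, "RES_RTYPE": 0},
]

def plan_sync(ad_users, resources):
    """Return the PDS actions a sync would request as (action, resource name, fields)."""
    by_guid = {r["AD GUID"]: r for r in resources if r["AD GUID"]}
    by_name = {r["Resource Name"]: r for r in resources}
    plan, matched = [], set()
    for user in ad_users:
        # Match first on AD GUID, then on Resource Name == Display Name.
        res = by_guid.get(user["Guid"]) or by_name.get(user["displayName"])
        if res is None:
            plan.append(("add", user["displayName"], {ps: user[ad] for ad, ps in FIELD_MAP.items()}))
            continue
        matched.add(id(res))
        changes = {ps: user[ad] for ad, ps in FIELD_MAP.items() if res.get(ps) != user[ad]}
        if not res["AD GUID"]:  # a cleared GUID is re-inserted while the user stays in the group
            changes["AD GUID"] = user["Guid"]
        if changes:
            plan.append(("update", res["Resource Name"], changes))
    for res in resources:
        # Resources that came from AD but are no longer in the group are inactivated;
        # a cleared AD GUID exempts a resource, and nothing is ever reactivated.
        if id(res) not in matched and res["AD GUID"] and res["RES_RTYPE"] == 0:
            plan.append(("inactivate", res["Resource Name"], {"RES_RTYPE": 1000}))
    return plan
```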
You receive an "AD Res Pool Sync - failed to open the Ent. Res" error message when you perform an Active Directory synchronization against the Enterprise Resource Pool
When you perform an Active Directory synchronization against the Enterprise Resource Pool, you may receive the following error message:
AD Res Pool Sync - failed to open the Ent. Res.
This
problem may occur if the enterprise resource was checked out when the
Enterprise Resource Pool Active Directory synchronization process runs. To
resolve the problem, you can force a check-in of the Enterprise Resource Pool
project.
Important If you check in an enterprise resource that is checked out, the
user who has the enterprise resource checked out will not be able to save
changes to the database.
To check in the Enterprise Resource Pool project, follow these steps:
- On the Project Web Access Admin page, click Manage enterprise features under Actions.
- Under Enterprise options, click Check in enterprise projects.
Note Only users who are assigned the "Check In My Projects" global permission can access the Check in enterprise projects link.
- On the Check in enterprise projects page, click the Enterprise Resource Pool project, and then click Check-In.
Active Directory synchronization security issues
The Active Directory synchronization component in Project Server
2003 must run in some kind of security context. The details of this security
context are briefly covered in this section. This includes accounts,
permissions, and security caveats.
These issues fall into the
following categories:
Active Directory synchronization context accounts and security requirements
Different security accounts are used depending on whether you are scheduling an Active Directory synchronization process or initiating an Active Directory synchronization process by selecting the Update Now option in Project Web Access. When you select the Update Now option in Internet Explorer, IIS hosts the process that handles the Active Directory synchronization. The security account that is used depends on your IIS file security permissions for the following files:
- /Admin/SyncPool.asp for Enterprise Resource Pool
synchronizations
- /Admin/SyncGrp.asp for Project Server security group
synchronizations
For each of these files, you should have only the
Integrated Windows Authentication option selected for IIS file
security permissions. This makes sure that the currently logged-on Windows
user's credentials are used for the synchronization process. This includes
contacting the global catalog and running ADSI commands through LDAP.
When you schedule Active Directory synchronizations, the logon
account that is specified for the Project Server Scheduled Process Service is
used to perform the synchronization. By default, this logon account is the
Local System account.
These accounts must be able to create an
instance of the /BIN/PjSvrADC.dll file, contact the global catalog, and read
all relevant Active Directory objects that are related to the synchronization.
This includes OUs, groups, users, and so on.
Active Directory object-level security
To synchronize to a specific group or OU, the context account that is used to perform an Active Directory synchronization must be able to read all relevant Active Directory objects. These objects include groups, OUs, nested groups, and all member users. For information about context accounts, see the "Active Directory synchronization context accounts and security requirements" section.
To check
individual Active Directory object permissions, use the ADSI Edit tool that is
available in the Windows Server 2003 installation media.
Tools
The following tool is available to troubleshoot these issues: