Microsoft KB Archive/321510

= ADMA Does Not Re-Create Deleted Objects in Active Directory =

Article ID: 321510

Article Last Modified on 5/28/2003

-

APPLIES TO


 * Microsoft Metadirectory Services 2.2 Service Pack 1
 * Microsoft Metadirectory Services 2.2 Service Pack 1

-



This article was previously published under Q321510



SYMPTOMS
An new object may not be sent as an ADD request to Active Directory when the Active Directory Management Agent (ADMA) runs in delta mode. Although the object previously existed in both Active Directory and MMS, it may have been deleted since that time. Most recently, it has been re-provisioned by using TAMA in the Active Directory connector space, and because of this, is typically sent to Active Directory as an ADD request.



CAUSE
A problem in the Cdir_ad.dll file does not allow the ADD request to proceed if none of the specified attribute flow rules are relevant.

This problem is a result of the processes MMS uses to be as efficient as possible. During the attempt to minimize the number of transactions it sends to Active Directory, MMS examines the transaction logs and tries to combine all separate transactions for a particular Active Directory object into a single request to Active Directory. This process can significantly reduce the bandwidth requirements of the ADMA. However, it is occasionally necessary to force the flow of at least one attribute to successfully re-add the object to Active Directory.



RESOLUTION
To work around this problem, force a &quot;dummy&quot; attribute to always flow for the object classes that are affected by this problem. After you create this attribute flow rule, the construction template will be properly evaluated, and an ADD request will be successfully generated by the ADMA. For example, in the Advanced Attribute flow template of an ADMA, add the following: $cd.comment = &quot;My comment&quot; This modification results in the string &quot;My comment&quot; being applied to all objects in Active Directory that are joined to MMS objects in the metaverse on each run on the ADMA.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.



Steps to Reproduce the Problem

 * 1) Create a new ADMA by using the default settings, discover an Active Directory forest by using a full synchronization, and then reset ADMA to delta mode.
 * 2) Use the Tutorial HD LDIF MA, reflect the LDIF contents into the metaverse.
 * 3) Create a TAMA MA to provision all of the LDIF MA objects into the ADMA connector space.
 * 4) Run TAMA.
 * 5) Run the ADMA, and then push all objects out to AD forest. Verify the results in Active Directory.
 * 6) Use the Users & Computers snap-in to delete selected user(s) from Active Directory.
 * 7) Use MMS Compass to delete corresponding Active Directory connector space objects (delete two times to completely remove objects from CS).
 * 8) Run TAMA to re-provision the missing users into the ADMA CS.
 * 9) In delta mode, run ADMA.

The missing objects (in the example logs the name is Test User) are not sent out as new. An edited version of the Dslib.log file follows. Note the [del|new] near the end of the log. Apparently the synchronization engine changes its interpretation and never evaluates the construction template, only the attribute flow rules. However, because there are no rules that are relevant to this situation, nothing is sent out to Active Directory. >>>>>> construction of zcDsiAliasThingConstruction 02/04/15 12:05:10.803 >> set $v_ncName = [dc,DC=win2kforest,DC=ca] 02/04/15 12:05:10.803 >> set $v_ncRelName = [CN=Test User\0aDEL:28221f95- 09e2-4fe8-b548-a96f6aaebe5f,CN=Deleted Objects,] 02/04/15 12:05:10.813 >> line #10 - unsatisfied condition [=Deleted Objects, = CN=Configuration,] 02/04/15 12:05:10.813 >> line #14 - end of condition 02/04/15 12:05:10.813 >> set $v_ncName = [dc.win2kforest.ca] 02/04/15 12:05:10.813 >> set $v_ncName = [dc.win2kforest.ca] 02/04/15 12:05:10.813 >> line #21 - unsatisfied condition [76 = 0] 02/04/15 12:05:10.813 >> set $csp.dn = [CN=Test User\0aDEL:28221f95-09e2- 4fe8-b548-a96f6aaebe5f,CN=Deleted Objects,NC=dc.win2kforest.ca,ma=ADMA Win2kforest Tester,DsaName=win2kadvsrv,ou=Applications,dc=dc,dc=win2kforest, dc=ca] 02/04/15 12:05:10.823 >> line #27 - end of condition 02/04/15 12:05:10.823 >> set $csp.objectClass = [zcAliasThing]. 02/04/15 12:05:10.823 >> set $csp.zcExcludedWantsChildren = [Y] 02/04/15 12:05:10.823 >> set $csp.zcProprietaryTransportMailbox = [CN=Test User\0aDEL:28221f95-09e2-4fe8-b548-a96f6aaebe5f,CN=Deleted Objects,DC= dc,DC=win2kforest,DC=ca] 02/04/15 12:05:10.823 >> line #48 - satisfied condition [CN=Test User0aDEL:28221f95-0 ! CN=Schema,CN=Configuration,DC=] 02/04/15 12:05:10.823 >> line #51 - unsatisfied condition [76 = 0] 02/04/15 12:05:10.823 >> line #58 - end of condition 02/04/15 12:05:10.823 >> line #59 - end of condition 02/04/15 12:05:10.823 >> line #61 - unsatisfied condition [F = T] 02/04/15 12:05:10.833 >> line #64 - end of condition 02/04/15 12:05:10.833 >>> 02/04/15 12:05:10.833 >>>>>> construction of zcDsiConstruction 02/04/15 12:05:10.833 >> line #3 - satisfied condition [ ! zcAliasThing] 02/04/15 12:05:10.833 >> set $mvp.dn = [CN=Test User\0aDEL:28221f95-09e2- 4fe8-b548-a96f6aaebe5f,CN=Deleted Objects,DC=dc,DC=win2kforest,DC=ca] 02/04/15 12:05:10.833 >> line #10 - end of condition 02/04/15 12:05:10.833 >> line #16 - unsatisfied condition [Top,person,organizat ionalPerson,contact = Top,organizationalUnit] 02/04/15 12:05:10.833 >> line #20 - unsatisfied condition [Top,person,organizat ionalPerson,contact = Top,builtinDomain] 02/04/15 12:05:10.833 >> line #24 - unsatisfied condition [Top,person,organizat ionalPerson,contact = Top,Configuration] 02/04/15 12:05:10.833 >> line #28 - unsatisfied condition [Top,person,organizat ionalPerson,contact = Top,container] 02/04/15 12:05:10.833 >> line #31 - end of condition 02/04/15 12:05:10.833 >> line #32 - end of condition 02/04/15 12:05:10.833 >> line #33 - end of condition 02/04/15 12:05:10.833 >> line #34 - end of condition 02/04/15 12:05:10.843 >> line #106 - unsatisfied condition [Top,person, organizationalPerson,contact = Top,person,organizationalPerson,user] 02/04/15 12:05:10.843 >> line #119 - satisfied condition [Top,person,organizati onalPerson,contact = Top,person,organizationalPerson,contact] 02/04/15 12:05:10.843 >> set $mvp.objectClass = [zcPerson]. 02/04/15 12:05:10.843 >> line #227 - end of condition 02/04/15 12:05:10.843 >> line #228 - end of condition 02/04/15 12:05:10.843 >> line #232 - satisfied condition [ ! TRUE] 02/04/15 12:05:10.843 >> apply import function I_MEMBER (&quot;&quot;) with [$cd. member] 02/04/15 12:05:10.843 >> line #235 - end of condition 02/04/15 12:05:10.843 >>> 02/04/15 12:05:10.843    Exclusion 50 not met [$cd.name] = [Domain Controllers ] 02/04/15 12:05:10.843    Exclusion 51 not met [$cd.name] = [Computers] 02/04/15 12:05:10.843    Exclusion 52 not met [$cd.name] = [Deleted Objects] 02/04/15 12:05:10.853    Exclusion 53 not met [$cd.name] = [ForeignSecurityPri ncipals] 02/04/15 12:05:10.853    Exclusion 54 not met [$replace(&quot;$cd.dn&quot;, &quot;CN= System,DC=&quot;, &quot;&quot;)] ! [$cd.dn] 02/04/15 12:05:10.853    Exclusion 55 not met [$cd.name] = [Extended-Rights] 02/04/15 12:05:10.853    Exclusion 56 not met [$cd.name] = [WellKnown Security Principals] 02/04/15 12:05:10.853    Exclusion 57 not met [$replace(&quot;$cd.dn&quot;, &quot;CN= DisplaySpecifiers,CN=Configuration,&quot;, &quot;&quot;)] ! [$cd.dn] 02/04/15 12:05:10.853    Exclusion 58 not met [$replace(&quot;$cd.dn&quot;, &quot;CN= Services,CN=Configuration,&quot;, &quot;&quot;)] ! [$cd.dn] 02/04/15 12:05:10.853    Exclusion 59 not met [$cd.msExchHideFromAddressLists] = [TRUE] 02/04/15 12:05:10.853    Exclusion 60 not met [$cd.msMMS-AdMaDomainTrustAccoun t] = [1] 02/04/15 12:05:10.853 >> set $csp.objectGUID = [binary dump: 951f2228 e209e84f b548a96f 6aaebe5f] 02/04/15 12:05:10.863 CS anchor [binary dump: 951f2228 e209e84f b548a96f 6aaebe5f] 02/04/15 12:05:10.863 02/04/15 12:05:10.863    DN = CN=Test User\0aDEL:28221f95-09e2-4fe8-b548- a96f6aaebe5f,CN=Deleted Objects,NC=dc.win2kforest.ca,ma=ADMA Win2kforest Tester,DsaName=win2kadvsrv,ou=Applications,dc=dc,dc=win2kforest,dc=ca 02/04/15 12:05:10.863    OC = zcAliasThing,Top 02/04/15 12:05:10.863    zcMAAnchorDN = CN=Test User\0aDEL:28221f95-09e2- 4fe8-b548-a96f6aaebe5f,CN=Deleted Objects,NC=dc.win2kforest.ca,ma=ADMA Win2kforest Tester,DsaName=win2kadvsrv,ou=Applications,dc=dc,dc=win2kforest, dc=ca 02/04/15 12:05:10.863    objectGUID = binary dump: 951f2228 e209e84f b548a96f 6aaebe5f 02/04/15 12:05:10.863    structuralObjectClass = zcAliasThing 02/04/15 12:05:10.863    zcProprietaryTransportMailbox = CN=Test User0aDEL:28221f95-09e2-4fe8-b548-a96f6aaebe5f,CN=Deleted Objects,DC=dc,DC= win2kforest,DC=ca 02/04/15 12:05:10.863    zcExcludedWantsChildren = Y 02/04/15 12:05:10.863 1012-DELETION UNNECESSARY[00]: CN=Test User\0aDEL: 28221f95-09e2-4fe8-b548-a96f6aaebe5f,CN=Deleted Objects,NC=dc.win2kforest. ca,ma=ADMA Win2kforest Tester,DsaName=win2kadvsrv,ou=Applications,dc=dc, dc=win2kforest,dc=ca 02/04/15 12:05:10.903 Analysing transaction batch . . . .... 02/04/15 12:05:10.963 TRAN[5364] : Modify [Mon Apr 15 11:02:15 2002] CN= Test User,ou=Claims,NC=dc.win2kforest.ca,ma=ADMA Win2kforest Tester,DsaName= win2kadvsrv,ou=Applications,dc=dc,dc=win2kforest,dc=ca 02/04/15 12:05:10.963 TRAN[5365] : Modify [Mon Apr 15 11:02:15 2002] cn= Test User,ou=Claims,dc=dc,dc=win2kforest,dc=ca . . . .... 02/04/15 12:05:26.385 TRAN[7380] : Modify [Mon Apr 15 11:49:02 2002] CN= Test User,ou=Claims,NC=dc.win2kforest.ca,ma=ADMA Win2kforest Tester,DsaName= win2kadvsrv,ou=Applications,dc=dc,dc=win2kforest,dc=ca 02/04/15 12:05:26.395 IRRELEVANT[7381] : Modify [Mon Apr 15 11:49:02 2002] cn=Test User,ou=Claims,dc=dc,dc=win2kforest,dc=ca 02/04/15 12:05:26.395 TRAN[7382] : Delete [Mon Apr 15 11:49:08 2002] CN= Test User,ou=Claims,NC=dc.win2kforest.ca,ma=ADMA Win2kforest Tester,DsaName= win2kadvsrv,ou=Applications,dc=dc,dc=win2kforest,dc=ca . . . .... 02/04/15 12:05:26.415 TRAN[7388] : Create [Mon Apr 15 11:53:42 2002] CN= Test User,ou=Claims,NC=dc.win2kforest.ca,ma=ADMA Win2kforest Tester,DsaName= win2kadvsrv,ou=Applications,dc=dc,dc=win2kforest,dc=ca 02/04/15 12:05:26.415 IRRELEVANT[7389] : Modify [Mon Apr 15 11:53:42 2002] cn=Test User,ou=Claims,dc=dc,dc=win2kforest,dc=ca . . . .... 02/04/15 12:05:26.505 0002-[del|new] CN=Test User,ou=Claims,NC=dc.win2kforest. ca,ma=ADMA Win2kforest Tester,DsaName=win2kadvsrv,ou=Applications,dc=dc, dc=win2kforest,dc=ca 02/04/15 12:05:26.505 >>>>>> construction of msMMs-SecondaryAttributeFlowScript 02/04/15 12:05:26.515 >> line #3 - satisfied condition [F = FALSE] 02/04/15 12:05:26.515 >> set $cd.dn = [CN=Test User,ou=Claims,DC=dc,DC= win2kforest,DC=ca] 02/04/15 12:05:26.515 >> line #12 - end of condition 02/04/15 12:05:26.515 >> line #16 - unsatisfied condition [T = FALSE] 02/04/15 12:05:26.515 >> line #19 - end of condition 02/04/15 12:05:26.515 >> line #21 - satisfied condition [T = TRUE] 02/04/15 12:05:26.515 >> set $v_dn = [CN=Test User,ou=Claims,DC=dc,DC= win2kforest,DC=ca] 02/04/15 12:05:26.515 Skip assignment [2.16.128.113533.1.308 = $cd.dn] 02/04/15 12:05:26.515 >> line #29 - end of condition

Additional query words: zoomit

Keywords: kbbug kbenv KB321510

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.