Microsoft KB Archive/303182

= MMS 2.2 Secondary Attribute Flow Can Set the TTL Value to 0 =

Article ID: 303182

Article Last Modified on 6/17/2005

-

APPLIES TO


 * Microsoft Metadirectory Services 2.2 Service Pack 1

-



This article was previously published under Q303182



SYMPTOMS
After you run the Active Directory management agent (MA) by using the Microsoft Metadirectory Services (MMS) 2.2 Secondary Attribute Flow script, disconnected objects may be deleted in Active Directory even though you have configured the following attribute on the Active Directory MA:

msMMS-TimeToLive = -1

However, when you view all attributes on connector entries, the following attribute value exists:

msMMS-TimeToLive = 0

For additional information about the msMMS-TimeToLive attribute, click the article number below to view the article in the Microsoft Knowledge Base:

299392 Understanding the MsMMS-TimeToLive Attribute



CAUSE
This issue occurs because setting an individual connector object Time-to-Live (TTL) value overrides the global MA value. This individual connector value could have been inadvertently set by using the MMS 2.2 Active Directory MA Secondary Flow script. The MMS 2.2 Secondary Flow script writes the msMMS-TimeToLive = 0 attribute if the following conditions exist for an object:
 * The object has the msMMS-ManagedByProfile attribute set to True.
 * The Connector Space creatorsName attribute is not equal to the Metaverse creatorsName attribute. This occurs if you join a Connector Space entry to an existing Metaverse entry.
 * The $mv.msMMS-managedByMA attribute is not equal to the MA under which the object is being placed. This can occur if you incorrectly set this string value or the value does not exist. In either case, a contact object is created in Active Directory instead of a user object.

The following code sample from the MMS 2.2 Secondary Attribute Flow script sets the $cs.msMMS-TimeToLive attribute on individual connector objects as described above:

    if $exists ("$cs.msMMS-ManagedByProfile") = TRUE then
      if $cs.creatorsName ! $mv.creatorsName then
        if $exist($multi_valued("$MA", $mv.msMMS-managedByMA)) ! TRUE then
          # This is an Interforest Replica Entry, thus set the time
          # to live to 0 on these entries
          $cs.msMMS-TimeToLive = 0
          $v_interforestReplicaEntry = TRUE
        else
          $v_interforestReplicaEntry = $NULL
        endif
      endif
    endif

NOTE: When you upgrade to MMS 2.2 Service Pack 1 (SP1), the existing MA templates and scripts are not upgraded. However, any newly created MAs use the new templates and scripts because the DSGates folder templates are overwritten during the upgrade process. This behavior is by design to avoid overwriting custom code in existing MAs.
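
The three conditions and the override behavior described above can be modeled to see which connector entries end up with a per-object TTL of 0 while the MA-wide setting is still -1. This is an added example, not code from Microsoft or from the MMS scripts; the function names, the dictionary layout and every sample value are assumptions constructed for illustration.

```python
# Added illustration, not Microsoft's code. Entries are plain dicts and all
# sample data is constructed.
TTL = "msMMS-TimeToLive"

def script_sets_ttl_zero(cs, mv, ma_name):
    """True when the three conditions listed under CAUSE all hold."""
    # 1. Connector space entry has msMMS-ManagedByProfile set to True.
    if cs.get("msMMS-ManagedByProfile") is not True:
        return False
    # 2. creatorsName differs (entry was joined to an existing metaverse entry).
    if cs.get("creatorsName") == mv.get("creatorsName"):
        return False
    # 3. This MA is not among the metaverse msMMS-managedByMA values;
    #    a missing attribute counts as "not listed".
    return ma_name not in mv.get("msMMS-managedByMA", [])

def effective_ttl(cs, ma_ttl):
    """A per-object TTL, when present, overrides the MA-wide value."""
    return cs.get(TTL, ma_ttl)

def audit(entries, ma_name, ma_ttl):
    """Names of entries whose effective TTL no longer matches the MA setting
    once the flow script has run."""
    overridden = []
    for name, cs, mv in entries:
        after = dict(cs)
        if script_sets_ttl_zero(cs, mv, ma_name):
            after[TTL] = 0
        if effective_ttl(after, ma_ttl) != ma_ttl:
            overridden.append(name)
    return overridden

# Constructed sample: (label, connector space entry, metaverse entry)
SAMPLE = [
    ("same-creator", {"msMMS-ManagedByProfile": True, "creatorsName": "ma=ADMA"},
     {"creatorsName": "ma=ADMA", "msMMS-managedByMA": ["ADMA"]}),
    ("joined-listed", {"msMMS-ManagedByProfile": True, "creatorsName": "ma=ADMA"},
     {"creatorsName": "ma=HRMA", "msMMS-managedByMA": ["HRMA", "ADMA"]}),
    ("joined-wrong-ma", {"msMMS-ManagedByProfile": True, "creatorsName": "ma=ADMA"},
     {"creatorsName": "ma=HRMA", "msMMS-managedByMA": ["HRMA"]}),
    ("joined-no-value", {"msMMS-ManagedByProfile": True, "creatorsName": "ma=ADMA"},
     {"creatorsName": "ma=HRMA"}),
    ("unmanaged", {"creatorsName": "ma=ADMA"}, {"creatorsName": "ma=HRMA"}),
]

if __name__ == "__main__":
    print(audit(SAMPLE, "ADMA", -1))
```

Only the two joined entries whose metaverse object does not list this MA are reported; the entry with no msMMS-managedByMA value at all is affected in the same way as the one with a wrong value.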



RESOLUTION
Once this attribute is set on a Connector Space object, you must run an attribute flow rule or an external script to remove the attribute. You can resolve this issue by using one of the following methods.

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

Method 1: Configure the Attribute Flow to Remove the Attribute
 1. Click the MA in which you want to set this attribute.
 2. Click Attribute Flow.
 3. Click the Advanced Flow Script tab.
 4. Add code to the script if you need to assign different values to different objects. The following sample code illustrates how to code the Advanced Attribute Flow script to test for this attribute, and if it exists, remove the msMMS-TimeToLive attribute from the object:

    If $exists ($cs.msMMS-TimeToLive) = T
         then $cs.msMMS-TimeToLive = $null
    endif

    * The first line tests to determine if the object contains the attribute.
    * If the above condition is met, the second line removes the TTL attribute value.
 5. Click OK to save the changes.

Method 2: Use a Visual Basic Script to Remove the Attribute
If you want to avoid running the MA to make the code change, you can use the following sample Microsoft Visual Basic Scripting Edition script to connect to your MMS server and remove the attribute value. If you use this sample code, you must edit the first five lines of the code to account for your specific MMS server information. You can paste the sample code into a text file, edit the server-specific lines, and then save the file as Ttlremoval.vbs:

    'Set FQDN of the server
    strServerName = "ServerName"
    'LDAP port of the MMS server may not be 389; set as appropriate
    strPort = 389
    'User name must be in SMTP form, such as user@server.domain.com
    strUsername = "MMS UserName"
    'Set password
    strPassword = "MMS Password"
    'Hover over container in Compass client for DN of container under MA
    'For example:
    strObjectDN = "OU=New Users,NC=microsoft.com,ma=ADMA,DsaName=MMSServer,ou=Application,dc=microsoft,dc=com"

    'Build the ADsPath; the port is added only when it is not the default
    strADsPath = "LDAP://" & strServerName
    If strPort = 0 Or strPort = 389 Then
        strADsPath = strADsPath & "/"
    Else
        strADsPath = strADsPath & ":" & CStr(strPort) & "/"
    End If

    strADsPath = strADsPath & strObjectDN
    lnAuthType = 0 'Simple bind: the user name and password are sent unencrypted

    'Create Connection and Command objects
    Set oNSP = GetObject("LDAP:")
    Set oConn = CreateObject("ADODB.Connection")
    oConn.Provider = "ADsDSOObject"
    oConn.Properties("User ID") = strUsername
    oConn.Properties("Password") = strPassword
    oConn.Properties("Encrypt Password") = False
    oConn.Open "ADs"
    'zcExcludedAliasThing
    'Find every entry under the container that carries msMMS-TimeToLive=0
    strQuery = "<" & strADsPath & ">;(&(objectclass=Top)(msMMS-TimeToLive=0));objectclass,ADsPath;subtree"

    Set oRS = oConn.Execute(strQuery)
    wscript.echo "Processing ", oRS.recordcount, " records..."
    On error resume next
    While Not oRS.EOF
        '   Wscript.echo oRS.Fields("ADsPath").Value
        'Add code to bind to each object here and set the msmmstime-tolive
        'Set oNSP = GetObject("LDAP:")
        Set oADs = oNSP.OpenDSObject(oRS.Fields("ADsPath").Value, strUsername, strPassword, lnAuthType)
        '      vmsMMStimetolive = oRS.Fields("msMMS-TimeToLive").Value
        ' We can use either IADsPropertyValue or IADsPropertyValue2
        ' Only IADsPropertyValue is a coClass
        lnPropType = 3 ' ADSTYPE_CASE_IGNORE_STRING
        Set oPropVal = CreateObject("PropertyValue")
        Set oPropVal2 = oPropVal
        oPropVal2.PutObjectProperty lnPropType, "0"
        Set oPropEntry = CreateObject("PropertyEntry")
        oPropEntry.Values = Array(oPropVal2)
        oPropEntry.Name = "msmms-timetolive"
        oPropEntry.ControlCode = 1 ' ADS_PROPERTY_CLEAR
        oPropEntry.ADsType = lnPropType
        Set oPropList = oADs
        oPropList.PutPropertyItem oPropEntry
        Set oADs = oPropList
        'Write the cleared attribute back to the MMS server
        oADs.SetInfo

        'Clean up
        Set oADs = Nothing
        'Set oNSP = Nothing
        'End If

        oRS.MoveNext
    Wend
    oRS.Close
    Set oRS = Nothing
    oConn.Close
    Set oConn = Nothing
    Set oNSP = Nothing
    Wscript.echo "DONE"


MORE INFORMATION
After you remove the msMMS-TimeToLive value, you should update your SP1 scripts for all of your Active Directory MAs. For additional information about migrating scripts, click the article number below to view the article in the Microsoft Knowledge Base:

303533 Recommended Practices for Upgrading to Microsoft Metadirectory Services 2.2 Service Pack 1

Additional query words: zoomit adma admas

Keywords: kbenv kbprb KB303182
