Troubleshooting Synchronization in Identity Manager Installations

"... provides very useful information for customers running the AD driver. Thumbs up!"
--Jim Henderson, eDirectory and Identity Manager Product Specialist

Nsure Identity Manager installations can sometimes be complex to troubleshoot. This article covers eDirectory-to-Active Directory syncing, along with commonly seen error messages, an example of each, and their resolutions.



There are usually at least two servers involved. NDS-to-NDS syncing implies a similar set of troubleshooting steps, but different error messages and complications.



Sample Setup



eDirServer and ADServer are our sample server names. The easiest one to test first is eDirServer. Use Rconsole (Rconip, Afreecon, whatever) to access eDirServer and look at the DSTrace screen. If DSTrace is not loaded, use an NCF file like the following (EASYTRC.NCF) to turn it on:



dstrace
dstrace screen on
dstrace -all ldap dxml dvrs


You can run dstrace -ldap to turn the LDAP messages off if they are getting in the way. You can also use Novell Remote Manager (NoRM) with iMonitor's DSTrace facility to watch the error messages in a more scrollable format.



As a further hint, always go to NoRM on a server at port 8008: if your certificates are working, you will be redirected to port 8009 and HTTPS. If you are not, you are instantly clued in that you have a certificate problem to fix before you go on.



Use iMonitor (for example, https://eDirServer.ccs.yorku.ca:8009/nds/trace) and look at the trace output there; the difference from DSTrace on eDirServer's console is that you can scroll.



Common Errors



Error 9006



This is the most common error you will see. Here are the details:



DriverName ST:
DirXML Log Event -------------------
Driver: \TreeName\acme\scs\DriverSetName\DriverName
Channel: Subscriber
Status: Retry
Message: Code(-9006) The driver returned a "retry" status indicating that the operation should be retried later. Detail from driver: No connection to remote loader



Likely Cause: The DirXML remote loader is not connecting. Usually you'll see this after the ADServer has rebooted to apply a Critical Update.



Solution: On ADServer, via RDP or at the console, check the service called DirXML Loader. It is set to start automatically, but make sure it actually did; sometimes it does not start after a server reboot.



The other common cause is that the password on the 'RemoteLoaderUser' account has been changed in AD. Reset it in AD via the MMC, then restart the driver in iManager.



To control the AD Driver, use iManager on eDirServer at https://eDirServer.acme.com/nps/iManager.html. Make sure you log in with an account that has sufficient privileges and roles to manage the IDM Driver Sets. Then watch the trace to see what happens.



Errors 641 and 9139



Here are the details:



ENG ET:
DirXML Log Event -------------------
Status: Error
Message: Code(-9139) Unable to process DirXML sub-verb
DSVR_CHECK_OBJECT_PASSWORD because driver
\TreeName\acme\scs\DriverSetName\DriverName is not running.



Likely Cause: A -641 error means the driver is not syncing; the -9139 message above shows the driver is not running at all.



Solution: First, in iManager, in the Passwords section in the left column, do a Check Password Synchronization, and type the name of a user, such as .bob.scs.acme. Look at the trace output and watch for further messages.



LDAP 86/14 Error



Here are the details:



11:03:16 DriverName PT:
DirXML Log Event -------------------
Driver: \TreeName\acme\scs\DriverSetName\DriverName
Channel: Publisher
Status: Fatal
Message: <message>unable to authenticate to Active Directory</message>
<ldap-err ldap-rc="86" ldap-rc-name="LDAP_AUTH_UNKNOWN">
<client-err ldap-rc="14"/>
</ldap-err>

11:03:16 DriverName PT:
DirXML Log Event -------------------
Driver: \TreeName\acme\scs\DriverSetName\DriverName
Channel: Publisher
Status: Fatal
Message: Code(-9005) The driver returned a "fatal" status indicating that
the driver should be shut down. Detail from driver: <message>unable to
authenticate to Active Directory</message>
<ldap-err ldap-rc="86" ldap-rc-name="LDAP_AUTH_UNKNOWN">
<client-err ldap-rc="14"/>
</ldap-err>



Likely Cause: The passwords specified in the DirXML setup and on the AD account do not match. (The AD account is the account DirXML logs into AD as, in order to read/write to AD.) Usually, it is the "RemoteLoaderUser" account that has lost its password setting.



Solution: On ADServer, change the password to match what is in the driver settings.



9039 Error



This error is not a problem, as long as you see a success message at the end. Here are the details:




11:10:19 DriverName PT:
DirXML Log Event -------------------
Driver: \TreeName\acme\scs\DriverSetName\DriverName
Channel: Publisher
Object: CN=TestGroup,CN=Users,DC=ADServer,DC=acme,DC=com (acme\scs\TestGroup)
Status: Error
Message: Code(-9039) Element does not have a valid association.



Likely Cause: The group was renamed, but the original group was not associated.



Solution: Watch for the following messages to verify the operation succeeded:



DirXML Log Event -------------------
Driver: \TreeName\acme\scs\DriverSetName\DriverName
Channel: Publisher
Object: CN=TestGroup,CN=Users,DC=ADServer,DC=acme,DC=com (yorku\scs\TestGroup)
Status: Success



8017 error (Operation Vetoed)



This error is also not a problem. Here are the details:



DirXML Log Event -------------------
Driver: \TreeName\acme\scs\DriverSetName\DriverName
Channel: Subscriber
Object: \TreeName\acme\otherOU\SillyGroupName
Status: Warning
Message: Code(-8017) Operation vetoed by object creation policy.



In this example we have a policy that vetoes object creations from eDirectory containers other than SCS. If the eDirectory server running the IDM engine (dirxml.nlm, .dlm, etc.) holds a replica that contains more than the synchronized container, you will see these messages any time an object is created anywhere else in the tree.
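As an added example (not part of the original article), here is a small Python helper that splits saved DSTrace output into DirXML log events and maps the codes from the Common Errors section above to the likely causes given there. The sample trace is constructed from the events quoted in this article; it is not a real capture.

```python
import re

# Constructed sample trace, modelled on the events quoted in this article (not a real capture).
SAMPLE_TRACE = r"""DirXML Log Event -------------------
Driver: \TreeName\acme\scs\DriverSetName\DriverName
Channel: Subscriber
Status: Retry
Message: Code(-9006) The driver returned a "retry" status indicating that the operation should be retried later. Detail from driver: No connection to remote loader

DirXML Log Event -------------------
Driver: \TreeName\acme\scs\DriverSetName\DriverName
Channel: Publisher
Status: Fatal
Message: <message>unable to authenticate to Active Directory</message>
<ldap-err ldap-rc="86" ldap-rc-name="LDAP_AUTH_UNKNOWN">
<client-err ldap-rc="14"/>
</ldap-err>
"""

# Likely causes, as given in the Common Errors section of this article.
KNOWN_CAUSES = {
    -9006: "Remote Loader not connected: check the DirXML Loader service on ADServer",
    -9139: "Driver not running: start it, then run Check Password Synchronization",
    -9039: "No association yet: benign if a Status: Success follows for the same object",
    -8017: "Vetoed by object creation policy (object outside the synced container): benign",
}

def parse_events(trace):
    """Split raw DSTrace text into DirXML log events, one dict per event."""
    events = []
    for chunk in trace.split("DirXML Log Event")[1:]:
        ev = {}
        for line in chunk.splitlines():
            m = re.match(r"(Driver|Channel|Object|Status|Message):\s*(.*)", line)
            if m:
                ev[m.group(1).lower()] = m.group(2)
        code = re.search(r"Code\((-\d+)\)", chunk)              # e.g. Code(-9006)
        ev["code"] = int(code.group(1)) if code else None
        ldap = re.search(r'<ldap-err ldap-rc="(\d+)"', chunk)   # e.g. ldap-rc="86"
        ev["ldap_rc"] = int(ldap.group(1)) if ldap else None
        events.append(ev)
    return events

def triage(event):
    """Map one parsed event to the likely cause this article gives for it."""
    if event.get("ldap_rc") == 86:
        return "AD bind failed (LDAP 86/14): driver account password does not match AD"
    return KNOWN_CAUSES.get(event.get("code"), "Unrecognised: read the trace by hand")
```

Paste a trace saved from iMonitor into SAMPLE_TRACE (or read it from a file) and call triage on each event from parse_events to get a first-pass diagnosis before reading the full trace.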
