Noriko,
*Did you use the same version of 389-ds-base against AD on 2008 R2 and 2012
R2?*
*389-Directory/1.3.4.8 B2016.063.1654*
*Please share the output from this command line "rpm -q 389-ds-base"?*
*I compiled 389 manually, since the package in the apt repo is too old for me
(I'm using Ubuntu 14.04 LTS). What specific info do you need?*
*ds-base is 1.3.4.8*
*Does this error message follow some other detailed error messages? Such
as ...*
*YOUR_AGREEMENT_NAMEFailed to send %s operation: LDAP error (ERROR_CODE)
ERROR_MESSAGE*
*or *
*YOUR_AGREEMENT: Received error [%s] when attempting to %s entry [%s]:
Please correct the attribute specified in the error message. Refer to the
Windows Active Directory docs for more information.*
*If not, could you enable the replication log level and share the error log
with us?*
*After enabling the replication log level:*
*[17/May/2016:09:13:18 -0300] - Attempting to add entry cn=Benedito
Maia,ou=pop-go,ou=POPS,ou=EXTERNOS,ou=RNP,dc=homolog,dc=rnp to AD for local
entry
uid=benedito.maia,ou=pop-go,ou=POPS,ou=EXTERNOS,ou=RNP,dc=homolog,dc=rnp*
*[17/May/2016:09:13:18 -0300] NSMMReplicationPlugin - windows sync -
agmt="cn=AD - DF-GTI-DC01" (gti-df-dc01:636): Received result code 32
(0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best
match of: 'OU=POPS,OU=EXTERNOS,OU=RNP,DC=homolog,DC=rnp' ) for add
operation *
*[17/May/2016:09:13:18 -0300] NSMMReplicationPlugin - windows sync -
agmt="cn=AD - DF-GTI-DC01" (gti-df-dc01:636): windows_process_total_add:
Cannot replay add operation.*
*[17/May/2016:09:13:18 -0300] NSMMReplicationPlugin - windows sync -
agmt="cn=AD - DF-GTI-DC01" (gti-df-dc01:636): Beginning linger on the
connection*
*[17/May/2016:09:13:18 -0300] NSMMReplicationPlugin - windows sync -
agmt="cn=AD - DF-GTI-DC01" (gti-df-dc01:636): windows_tot_run: failed to
obtain data to send to the consumer; LDAP error - 1*
*Since I do not have the same OU structure on both sides (for testing
purposes), I created "ou=pop-go,ou=POPS,ou=EXTERNOS,ou=RNP,dc=homolog,dc=rnp"
on the AD side and started to get an error in another OU that I have on the
389 side but not in AD.*
*Is that the expected behavior?*
*PS: In my production environment we use this strategy: for what we don't
want replicated, we just do not create the OU structure, and it works fine. I
never found a better way to do that, like an "exclude list".*
*Could you also share your Windows Sync agreement? Do you happen to have 2
Directory Servers -- one for 2008R2 and another for 2012R2, could you
provide both?*
*Here's my sync agreement:*
*dn: cn=AD - DF-GTI-DC01,cn=replica,cn=dc\3Dhomolog\2Cdc\3Drnp,cn=mapping
tree,*
* cn=config*
*objectClass: top*
*objectClass: nsDSWindowsReplicationAgreement*
*description: Sync with HOMOLOG DF-GTI-DC01*
*cn: AD - DF-GTI-DC01*
*nsds7WindowsReplicaSubtree: dc=homolog,dc=rnp*
*nsds7DirectoryReplicaSubtree: dc=homolog,dc=rnp*
*nsds7NewWinUserSyncEnabled: on*
*nsds7NewWinGroupSyncEnabled: on*
*nsds7WindowsDomain: homolog.rnp*
*nsDS5ReplicaRoot: dc=homolog,dc=rnp*
*nsDS5ReplicaHost: gti-df-dc01.homolog.rnp*
*nsDS5ReplicaPort: 636*
*nsDS5ReplicaBindDN: CN=Conta de sincronizacao do AD com LDAP
389,OU=APLICACOES*
* ,DC=homolog,DC=rnp*
*nsDS5ReplicaTransportInfo: SSL*
*nsDS5ReplicaBindMethod: SIMPLE*
*nsDS5ReplicaCredentials:*
*nsds7DirsyncCookie::*
*nsds5replicareapactive: 0*
*nsds5replicaLastUpdateStart: 20160517125737Z*
*nsds5replicaLastUpdateEnd: 20160517125737Z*
*nsds5replicaChangesSentSinceStartup:*
*nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental
upd*
* ate started*
*nsds5replicaUpdateInProgress: FALSE*
*nsds5replicaLastInitStart: 20160517124301Z*
*nsds5replicaLastInitEnd: 20160517125236Z*
*nsds5replicaLastInitStatus: 1 connection error: operation failure - Total
upda*
* te aborted*
*In this testing environment, I just have 2012 r2 (I upgraded all DCs to
2012). Right now, I don't have any 2008 r2 to test. *
*In my production environment I have:*
*389-ds-base 1.3.2.19 + Windows 2008 r2*
On Mon, May 16, 2016 at 6:02 PM, Noriko Hosoi <nhosoi(a)redhat.com> wrote:
On 05/16/2016 01:01 PM, Alberto Viana wrote:
I'm trying to set up a new scenario with 389 and AD 2012 R2 (so far I'm
using it with AD 2008 R2 and everything works fine).
Did you use the same version of 389-ds-base against AD on 2008 R2 and 2012
R2?
389-Directory/1.3.4.8 B2016.063.1654
Please share the output from this command line "rpm -q 389-ds-base"?
Windows 2012 R2 64bits
Both 2008 R2 and 2012 R2 are supported.
:
After configuring the AD replication and initiating a full sync, it starts to
do some entries and I get the following error:
[16/May/2016:16:36:47 -0300] NSMMReplicationPlugin - windows sync -
agmt="cn=AD - DF-GTI-DC01" (gti-df-dc01:636): windows_process_total_add:
Cannot replay add operation.
Does this error message follow some other detailed error messages? Such
as ...
YOUR_AGREEMENT_NAMEFailed to send %s operation: LDAP error (ERROR_CODE)
ERROR_MESSAGE
or
YOUR_AGREEMENT: Received error [%s] when attempting to %s entry [%s]:
Please correct the attribute specified in the error message. Refer to the
Windows Active Directory docs for more information.
If not, could you enable the replication log level and share the error log
with us?
And after that:
[16/May/2016:16:36:47 -0300] NSMMReplicationPlugin - windows sync -
agmt="cn=AD - DF-GTI-DC01" (gti-df-dc01:636): Replica has no update vector.
It has never been initialized.
[16/May/2016:16:36:47 -0300] NSMMReplicationPlugin - windows sync -
agmt="cn=AD - DF-GTI-DC01" (gti-df-dc01:636): Replica has no update vector.
It has never been initialized.
[16/May/2016:16:36:51 -0300] NSMMReplicationPlugin - windows sync -
agmt="cn=AD - DF-GTI-DC01" (gti-df-dc01:636): Replica has no update vector.
It has never been initialized.
I found a really old ticket that seems to be related to same error:
https://fedorahosted.org/389/ticket/47589
This is a regression that only affected 389-ds-base-1.3.1.x. So, 1.3.4.x does
not need the patch.
but with win2008r2 and fixed.
According to this link ->
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10...
2012 R2 is supported, is that true?
Could you also share your Windows Sync agreement? Do you happen to have 2
Directory Servers -- one for 2008R2 and another for 2012R2, could you
provide both?
Any clues?
--
389-users mailing list
389-users(a)lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org