Hi, I'm trying to sync user objects from AD1 to AD2, but I get numerous errors saying 'An object with DN xxxx already exists in management agent AD2'. I've checked the entire AD2, but these DN's don't exist. The DN is constructed using the userPrincipalName attribute, I've also checked for existing objects with the same userPrincipalName, but theses are also non-existent. I'm using FIM version 4.0.3576.2. Are there some other possible causes for this error? Thanks, Enrico

The error refers to the connector space of AD2. In this connector space, you already have an object with that DN. It is possible that the dupe has not been exported to AD2 yet. See "Troubleshoot sync-rule-flow-provisioning-failed: An object with DN already exists in management agent" for more details on this. Cheers, Markus Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation

Hi Markus, thanks again for your swift respons. I've done a search on the AD2 connector space for some of these DN's, but couldn't find them in the connector space. (also did a search on an existing object, to check that I used the correct syntax :) ) Are there other known causes for this error? Cheers, Enrico

Does the DN quoted look like what you expect? Ie is it CN=name,OU=...,dc=...,dc=... How are you constructing it using the UPN? Could you share your rule/code?http://www.wapshere.com/missmiis

That's the only reason I'm aware of. One thing you could do is manually synchronize one of the affected objects using the preview feature, and then to run another sync to find the other offender. Cheers, MarkusMarkus Vilcinskas, Knowledge Engineer, Microsoft Corporation

I'm constructing the DN using customExpression(EscapeDNComponent("CN="+loginName)+",OU=customer.local,OU=Reseller,OU=Hosting,DC=Domain,DC=local"). If I check the error message in Stack Trace, the DN quoted is as it should be. As the relationship criteria in the OSR I use loginName = userPrincipalName (and accountName = sAMAccountName on the ISR) I just can't figure out why it's throwing me this error, it's almost as if there is a corruption in the configuration :S

I think Markus just pointed me in the right direction... I have 2 OSR's for user objects, 1 for normal users/mailboxes and the other for shared mailboxes. I found I had an error in my Set criteria which caused both OSR's to apply. I've changed the Set's membership criteria, now just wait till the full sync is finished!

Ahhhhh - that's a good one! Having accidentally two EREs for the same target CS attached to an object can cause this scenario, too. I will add this to the troubleshooting article. Cheers, MarkusMarkus Vilcinskas, Knowledge Engineer, Microsoft Corporation

Yes! This seems to have solved it, however I do need to delete them from the FIM portal first and re-project them again from the AD1 connector space. Or else both EREs remain. Thanks!