AD MA cd-error on deleted users as previous Group members

Hi,

We are running FIM 2010 R2 SP1 and Windows 2008 R2 AD with Recycle Bin enabled.

A user gets deleted from our HR system, and in turn gets deleted from FIM Portal, AD and FIM MV.

In AD, this user gets moved to Recycle Bin; and removed from the AD Groups they were a member of (in FIM Portal, AD and FIM MV).

This deleted user exists in AD Connector Space as: Placeholder CN=username\0ADEL:<some GUID>\CN=Deleted Objects,DC=....

When Exporting (Run Profile) the AD MA, we now get the following error on the Group object the user used to belong to:

Error: cd-error
Source Error Code: 1168
Source error: Element not found

Group membership modification is trying to occur, and we can also see the following in the error:

Changes: Delete
Value: CN=username\0ADEL:<some GUID>

Any idea on how to resolve this?

Thank you.

November 13th, 2014 6:33am

Hi,

never had this, just a guess:

You can try to exclude the Deleted Objects container in the AD MA Advanced container configuration manually, even if it doesn't appear in the selection.

I also remember that in the past, when the "recycle bin support" feature appeared in FIM 2010 Update 1, a hotfix on the DCs was needed, but I don't know if this is still the case.

Regards
Peter

November 13th, 2014 12:53pm

I am suspecting it's the missing DC hotfix, thank you.
November 18th, 2014 11:41pm

Hello,

I have exactly the same problem at 2 other different clients running FIM 2010 R2 SP1 and Windows 2008 R2 AD with Recycle Bin enabled.

All the hotfixes on the DC have been applied.

The problem is that FIM, on a Delta Import on AD, sees the previously deleted AD account as a member of the group as CN=...\0ADEL:<someGUID>,CN=Deleted Objects,DC...

Why does FIM not filter it? Why does FIM treat it as a normal member? For me it's a bug in FIM. Then FIM runs into an error at export when it tries to remove the member CN=...\0ADEL:<someGUID>,CN=Deleted Objects,DC... (cd-error, Element not found)

Regards,

Sylvain G.

February 2nd, 2015 11:30am
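An added example, not code from this thread or from FIM: a small Python audit helper that tells live member DNs apart from references into the AD Recycle Bin (the CN=<name>\0ADEL:<objectGUID>,CN=Deleted Objects form described in the delta import above), so the groups that would fail on export can be listed before the run. The member values are constructed sample data and the GUID is made up.

```python
import re

# Constructed sample member values; the second is the thread's Recycle Bin form (made-up GUID).
SAMPLE_MEMBERS = [
    "CN=Alice Example,OU=Users,DC=example,DC=com",
    "CN=Bob Example\\0ADEL:0d0fb3a5-2f3c-4e97-9d2f-0a1b2c3d4e5f,"
    "CN=Deleted Objects,DC=example,DC=com",
    "CN=Carol\\, Example,OU=Users,DC=example,DC=com",  # escaped comma, still live
]
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def split_dn(dn):
    """Split a DN into RDN strings on unescaped commas (RFC 4514 escapes kept)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\":            # keep backslash + escaped char verbatim
            cur.append(dn[i:i + 2]); i += 2
        elif dn[i] == ",":
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(dn[i]); i += 1
    parts.append("".join(cur))
    return parts

def unescape_rdn_value(value):
    """Decode \\XX hex pairs (e.g. \\0A = line feed) and \\c single-char escapes."""
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)",
                  lambda m: chr(int(m[1], 16)) if len(m[1]) == 2 else m[1], value)

def deleted_object_ref(dn):
    """Return (original CN, objectGUID) if dn points into the AD Recycle Bin, else None.
    A recycled object is renamed CN=<old name>\\0ADEL:<objectGUID> (\\0A = escaped line
    feed) and re-parented under CN=Deleted Objects: the DN the export fails to remove."""
    rdns = split_dn(dn)
    if len(rdns) < 2 or rdns[0][:3].upper() != "CN=":
        return None
    if rdns[1].strip().upper() != "CN=DELETED OBJECTS":
        return None
    name, sep, guid = unescape_rdn_value(rdns[0][3:]).partition("\nDEL:")
    if not sep or not GUID_RE.match(guid):
        return None
    return name, guid.lower()

def partition_members(members):
    """Split member DNs into live DNs and recycled (name, guid) refs to review before export."""
    live, recycled = [], []
    for dn in members:
        ref = deleted_object_ref(dn)
        (recycled if ref else live).append(ref or dn)
    return live, recycled
```

Feed it the member values of a group from the connector space (or from an LDAP query of the group) and anything in the recycled list is a reference the export will try to delete.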

1. Is the service account used in the AD MA a domain admin? If YES, remove it from Domain Admins. This fixes the issue.

2. Did you select the whole OU tree in AD, meaning you selected the AD root and everything underneath? If yes, select only the OUs where you have users and groups instead.

February 3rd, 2015 7:03pm

  1. The service account used in the AD MA is not a domain admin. It's only a domain user.
  2. No, I haven't selected all OUs in AD (I have even explicitly excluded the OU CN=Deleted Objects,DC..)

Do you think it is normal that, during an import of an AD group, FIM gets the deleted users as placeholders? Why not, but FIM should then be able to delete them during the export of the group, as it does for other placeholders!!

Regards,

Sylvain Guyot

February 16th, 2015 12:44pm

I don't think this is normal behavior. Do you project AD users to the FIM Metaverse?
February 16th, 2015 2:41pm

I don't understand your question: FIM provisions users in AD. When a user is deleted in FIM, he is then deleted in AD (put in the trash) with no error. Errors occur on export of groups containing the user that has been deleted in FIM and in AD.
February 19th, 2015 4:20am
