Non Admin vs Domain Admin for syncing to destination AD

Created: 2012-04-20 08:09:59
Modified: 2024-03-22 15:48:05
Tags: Active Directory Troubleshooting UnitySync

UnitySync performs most easily if the destination login account is a Domain Admin. This is because only a domain admin can read the destination roots for legacyExchangedn, x400 and showInAddressBook. When you use a domain admin account, your UnitySync connection can automatically detect and set the appropriate values for these attributes.

To use a Non Domain Admin User account:

  1. The Sync OU (Dest Tab, Placement DN) must be manually created (And the Structure Name must be blank).

  2. Special Permissions must be applied to the Sync OU.

  3. You must edit your config and/or custom map file to override the default values for some attributes (explained below).

legacyExchangeDN

If legacyExchangeDN roots are not being properly detected, you will see the following error in your Run Summary:

LegacyExchangeDN Failure | 1
Fatal Error | 1

In the Destination Configuration Discovery section of your log, you’ll also see:

LegacyExchangeDN | Failed to Detect - No Entries Found

There is a work around for this error. Please refer to setting exch-legdn for instructions to override legacyExchandeDN detection by setting the legacyexchangedn attribute.

NOTE: While this error is most commonly seen when you are not able to use domain admin for your Destination, some clients have also reported the error even if they are using domain admin login credentials. Often, this is due to Exchange Forest Prep being run on the destination, without Exchange also being installed. If this is the case with your Destination, please contact support@dirwiz.com for assistance in disabling legacyexchangeDN detection.

exch-x400

If x400 roots are not being properly detected, you may see the following error in the Error Summary at the end of your log:

32: No such object | 1

If you search your log for 32:, you’ll likely also see the following in the Destination Configuration Discovery section of your log:

X400 Template | Failed to Detect 
LDAP Return | 32: No such object 
LDAP Message | 0000208D: NameErr: DSID-031522C9, problem 2001 (NO_OBJECT), data 0, best match of: 
'CN=ABC,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ABC,DC=COM'

There is a work around for this error. Please see setting exch-x400 to override detection by setting the x400 root.

showInAddressBook

If the address books cannot be automatically detected, or if those detected are not valid, you may see an error similar to the following after each attempt to add an object:

Adding User | CN=jdoe@abc.com,OU=ABC Users,DC=abc,DC=com 
Add Person Return | 19:000020B5: AtrErr: DSID-03152804, #1:  
0: 000020B5: DSID-03152804, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90284 (showInAddressBook)

There is a work around for this error. Please see setting showInAddressBook to set the showInAddressBook attributes properly.

Error on Structure creation

Finally, domain admin credentials are needed to allow your sync to create structure. Since he Non-Admin account will not have the ability to create the Sync OU it must be created manually. This is the OU specified on the Dest Tab, Placement DN. AND, the Structure Name must be blank.

Knowledgebase

Directory
  1. Directify - Self Service

  2. Mimic - Replication

  3. UnitySync - Sync
Password
  1. emPass - Sync
Obsolete
  1. Profiler
  2. SimpleSync