DirSync Troubleshooting: Delta Import Delta Sync Fails After Making an Organizational Unit Move in Active Directory

  • Article

 

 Tip
For feedback, click here

 

 

Symptoms

FIM console

  • Azure Active Directory Synchronization delta sync cycles are failing during Delta Import Delta Sync
  • The Delta Import Delta Sync operations show Discovery Errors in the FIM console

Application event log

ForeFront Identity Manager events 6301 and 6060 are logged in the Application Event Log:

** The server encountered an unexpected error in the synchronization engine:**

"MMS(4796): New Delta: HRESULT: 0x0

<delta operation="update" dn="OU=MyChildOU,OU=MyOU,DC=contoso,DC=com" newdn="OU=MyChildOU,OU=MyOU,DC=contoso,DC=com">

<anchor encoding="base64">NgROk3jn60yLGvXGBfzUKw==</anchor>

<parent-anchor encoding="base64">yNHbKkOBCkOy4RtgfdfNrg==</parent-anchor>

<attr name="objectGUID" operation="replace" type="binary" multivalued="false">

<value encoding="base64">NgROk3jn60yLGvXGBfzUKw==</value>

</attr>

</delta>

 MMS(4796): Delta: HRESULT: 0x0

<delta operation="add" dn="OU=MyChildOU,OU=MyOU,DC=contoso,DC=com">

<anchor encoding="base64">NgROk3jn60yLGvXGBfzUKw==</anchor>

<parent-anchor encoding="base64">yNHbKkOBCkOy4RtgfdfNrg==</parent-anchor>

<primary-objectclass>organizationalUnit</primary-objectclass>

<objectclass>

<oc-value>top</oc-value>

<oc-value>organizationalUnit</oc-value>

</objectclass>

<attr name="objectGUID" type="binary" multivalued="false">

<value encoding="base64">NgROk3jn60yLGvXGBfzUKw==</value>

</attr>

</delta>

 MMS(4796): Post: HRESULT: 0x0

<entry dn="OU=MyChildOU,OU=MyOU,DC=contoso,DC=com">

<anchor encoding="base64">NgROk3jn60yLGvXGBfzUKw==</anchor>

<parent-anchor encoding="base64">yNHbKkOBCkOy4RtgfdfNrg==</parent-anchor>

<primary-objectclass>organizationalUnit</primary-objectclass>

<objectclass>

<oc-value>top</oc-value>

<oc-value>organizationalUnit</oc-value>

</objectclass>

<attr name="objectGUID" type="binary" multivalued="false">

<value encoding="base64">NgROk3jn60yLGvXGBfzUKw==</value>

</attr>

</entry>

BAIL: MMS(4796): tripleholo.cpp(11867): 0x80230305 (The dimage has a distinguished name that is different than the image.)

BAIL: MMS(4796): tripleholo.cpp(2498): 0x80230305 (The dimage has a distinguished name that is different than the image.)

BAIL: MMS(4796): tower.cpp(1372): 0x80230305 (The dimage has a distinguished name that is different than the image.)

<delta operation="update" dn="OU=MyChildOU,OU=MyOU,DC=contoso,DC=com" newdn="OU=MyChildOU,OU=MyOU,DC=contoso,DC=com">

<anchor encoding="base64">NgROk3jn60yLGvXGBfzUKw==</anchor>

<parent-anchor encoding="base64">yNHbKkOBCkOy4RtgfdfNrg==</parent-anchor>

<attr name="objectGUID" operation="replace" type="binary" multivalued="false">

<value encoding="base64">NgROk3jn60yLGvXGBfzUKw==</value>

</attr>

</delta>

<tower><unapplied-export><delta operation="none" dn="OU=MyChildOU,OU=MyOU,DC=contoso,DC=com">

<anchor encoding="base64">NgROk3jn60yLGvXGBfzUKw==</anchor>

</delta>

</unapplied-export>

<escrowed-export>

<delta operation="none" dn="OU=MyChildOU,OU=MyOU,DC=contoso,DC=com">

<anchor encoding="base64">NgROk3jn60yLGvXGBfzUKw==</anchor></delta></escrowed-export><unconfirmed-export>

<delta operation="none" dn="OU=MyChildOU,OU=MyOU,DC=contoso,DC=com"><anchor encoding="base64">NgROk3jn60yLGvXGBfzUKw==</anchor>

</delta></unconfirmed-export><pending-import><delta operation="add" dn="OU=MyChildOU,OU=MyOU,DC=contoso,DC=com">

<anchor encoding="base64">NgROk3jn60yLGvXGBfzUKw==</anchor><parent-anchor encoding="base64">yNHbKkOBCkOy4RtgfdfNrg==

</parent-anchor><primary-objectclass>organizationalUnit</primary-objectclass><objectclass><oc-value>top</oc-value><oc-value>organizationalUnit

</oc-value></objectclass><attr name="objectGUID" type="binary" multivalued="false">

<value encoding="base64">NgROk3jn60yLGvXGBfzUKw==</value></attr></delta></pending-import><synchronized-hologram></synchronized-hologram>

<anchor encoding="base64">NgROk3jn60yLGvXGBfzUKw==</anchor><connector>0</connector><connector-state>normal</connector-state>

<seen-by-import>1</seen-by-import><rebuild-in-progress>0</rebuild-in-progress><obsoletion>0</obsoletion><need-full-sync>0</need-full-sync>

<placeholder-parent>0</placeholder-parent><placeholder-link>0</placeholder-link><placeholder-delete>0</placeholder-delete><pending>1

</pending><ref-retry>0</ref-retry><rename-retry>0</rename-retry><sequencers><current><batch-number>0</batch-number><sequence-number>0

</sequence-number></current><unapplied><batch-number>0</batch-number><sequence-number>0</sequence-number></unapplied><original>

<batch-number>0</batch-number><sequence-number>0</sequence-number></original></sequencers><import-delta-operation>add

</import-delta-operation><export-delta-operation>none</export-delta-operation></tower>
BAIL: MMS(4796): csobj.h(1437): 0x80230305 (The dimage has a distinguished name that is different than the image.)

BAIL: MMS(4796): syncstage.cpp(2018): 0x80230305 (The dimage has a distinguished name that is different than the image.)

BAIL: MMS(4796): syncstage.cpp(539): 0x80230305 (The dimage has a distinguished name that is different than the image.)

ERR: MMS(4796): syncstage.cpp(588): 0x80230305 - staging failed 0x80230305

ERR: MMS(4796): syncstage.cpp(589): Staging failed 0x80230305: [OU=MyChildOU,OU=MyOU,DC=contoso,DC=com]

ERR: MMS(4796): syncmonitor.cpp(2515): SE: Rollback SQL transaction for: 0x80230305

MMS(4796): SE: CS image begin

MMS(4796): <cs-object cs-dn="OU=MyChildOU,OU=MyOU,DC=contoso,DC=com" id="{DB03B034-C528-E111-A02F-005056901089}" object- type="organizationalUnit">

<unapplied-export>

<delta operation="none" dn="OU=MyChildOU,OU=MyOU,DC=contoso,DC=com">

<anchor encoding="base64">NgROk3jn60yLGvXGBfzUKw==</anchor>

</delta>

</unapplied-export>

<escrowed-export>

<delta operation="none" dn="OU=MyChildOU,OU=MyOU,DC=contoso,DC=com">

<anchor encoding="base64">NgROk3jn60yLGvXGBfzUKw==</anchor>

</delta>

</escrowed-export>

<unconfirmed-export>

<delta operation="none" dn="OU=MyChildOU,OU=MyOU,DC=contoso,DC=com">

<anchor encoding="base64">NgROk3jn60yLGvXGBfzUKw==</anchor>

</delta>

</unconfirmed-export>

<pending-import>

<delta operation="add" dn="OU=MyChildOU,OU=MyOU,DC=contoso,DC=com">

<anchor encoding="base64">NgROk3jn60yLGvXGBfzUKw==</anchor>

<parent-anchor encoding="base64">yNHbKkOBCkOy4RtgfdfNrg==</parent-anchor>

<primary-objectclass>organizationalUnit</primary-objectclass>

<objectclass>

<oc-value>top</oc-value>

<oc-value>organizationalUnit</oc-value>

</objectclass>

<attr name="objectGUID" type="binary" multivalued="false">

<value encoding="base64">NgROk3jn60yLGvXGBfzUKw==</value>

</attr>

</delta>

</pending-import>

<synchronized-hologram>

</synchronized-hologram>

<anchor encoding="base64">NgROk3jn60yLGvXGBfzUKw==</anchor>

<connector>0</connector>

<connector-state>normal</connector-state>

<seen-by-import>1</seen-by-import>

<rebuild-in-progress>0</rebuild-in-progress>

<obsoletion>0</obsoletion>

<need-full-sync>0</need-full-sync>

<placeholder-parent>0</placeholder-parent>

<placeholder-link>

↑ Back to top

 

Cause

  • Windows Azure Active Directory Synchronization learns about the existing Active Directory forest's domain and Organizational Unit structure during its initial Full Sync cycle, where all of the FIM run profiles are of type Full
  • After the first Full Sync has completed, Windows Azure Active Directory Synchronization begins performing Delta Sync cycles on a 3-hour interval from that point forward
  • New Organizational Units will be realized during Delta Sync cycles, but changes in the Distinguished Name of an existing Organizational Unit (i.e. - the Organizational Unit has been moved in Active Directory to another location) are not synchronized correctly during a Delta Sync cycle, and will cause the errors shown in the Symptom section of this article.
  • In order for Windows Azure Active Directory Synchronization to succeed future Delta Sync cycles, a Full Sync cycle must occur first

 

↑ Back to top

 

Resolution

On the Windows Azure Active Directory Synchronization server:

  1. Start, Run, RegEdit.exe
  2. Drill down to: HKLM\SOFTWARE\Microsoft\MSOLCoExistence
  3. Double-click the FullSyncNeeded value
  4. Set FullSyncNeeded to 1 and click OK
  5. Close RegEdit
  6. Open PowerShell, and then type Import-Module DirSync
  7. Type Start-OnlineCoexistenceSync, and then press Enter
  8. Launch the FIM console (miisclient.exe)
  9. Select the Operations tab
  10. Watch each of the ‘Full’ run profiles execute for SourceAD and TargetWebService
  11. Once TargetWebService Export has completed, you should then see a Delta Sync operation begin within 3 hours, and the Discovery Errors for the Organizational Unit(s) in question should now be resolved

↑ Back to top