Solving Synchronization Problems with the nadLoginName Reference
Novell Cool Solutions: Tip
Posted: 14 Feb 2003
If you're plagued with any of the symptoms listed below, this tip might be just what the doctor ordered.
- "Unable to synchronize reference to and/or from attribute nadLoginName."
- Password does not sync from NDS to Active Directory.
- The NDS user account does not properly show the object class nadUser or the attribute nadLoginName after choosing to "Migrate from NDS" in the properties of the ADDriver Driver Set.
The Probable Cause:
The dirXML-association attribute on the nadDomain object is missing or incorrect, or the nadDomain object itself is missing or unknown.
If the nadDomain object is missing or corrupt, it can only be recreated during the install of Password Synchronization for Windows. If it is present but the dirXML-association attribute on the DirXML tab of the nadDomain object shows no association to the ADDriver, the driver will fail to add the nadLoginName attribute to the users. Normally the association state shows up as "pending" for the ADDriver, which is the natural state of a working default install. If the association is missing, it can be recreated manually with some care.
To do this, first find the objectGUID for the Domain object in Active Directory using the ADSIedit snap-in for the Microsoft Management Console (MMC). Once the snap-in has been added to MMC, select Action, Connect To. Click OK on the dialog that comes up. Expand the Domain NC entry, which reveals the entry for the Domain itself. This will be an object with a folder icon named DC=domain,DC=mycompany,DC=com. Right-click this entry and select Properties. From the "select a property to view" pulldown menu, select objectGUID. Copy the OctetString shown below into Notepad, and clear out each 0x and space.
The original would look like this:
0xbf 0x95 0x3e 0x31 0xff ...
The modified version would be:
Take this value back to ConsoleOne to create the manual association for the nadDomain object to the ADDriver. Select the Domain object, select Properties and go to the DirXML tab. Click Add, and in the dialog select the ADDriver. In the associated object ID field, type in the modified objectGUID from the previous step. Be absolutely sure there are no extra spaces at the end. Pasting the value in from Notepad can do this. Click OK and the driver should be ready to process new users for nadLoginName.
If the driver fails even after these steps are taken, use DSBROWSE to verify there are no extra spaces at the end of the value. Choose Tree Browse and browse to the nadDomain object under the ADDriver. Highlight the object, press F3, and select View Attributes. Choose the dirXML-association attribute and press Enter. If there is more than one dirXML-association, both values will be shown; select the ADDriver. Select View Value Details, then select Press Enter to display the attribute data in hex. If the last 8 characters are 2000 0000, there is a space at the end. If the last 8 characters are 3900 0000, it terminates correctly. In this specific example the last character in the objectGUID is the number 9 (3900 in ASCII hex is 9). As each GUID is unique, the last significant characters could be any hexadecimal value, but will never be 2000 0000, as this is the ASCII hex value for a space.
The best way to submit a user to the working driver to add the nadLoginName attribute is to select the properties of the Driver Set, select the ADDriver, click "Migrate from NDS", select Add and choose the user, or the container the user is in.
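The OctetString cleanup and the trailing-space check described above can be scripted; the following is an added Python example, not part of the original tip or of any Novell tool. The sample OctetString is constructed, the function names are hypothetical, and the hex rendering assumes the value is displayed as 16-bit little-endian characters followed by a 0000 terminator, which matches the 3900 0000 and 2000 0000 endings the tip describes.

```python
import re

GUID_BYTES = 16  # an objectGUID is a 128-bit value, so ADSI Edit shows 16 bytes

# Constructed sample in ADSI Edit's OctetString display form (not a real GUID).
SAMPLE = "0x4e 0x07 0xa2 0x5c 0x91 0x3d 0x46 0xb8 0x8f 0x12 0x6a 0xc0 0x33 0xde 0x75 0x09"


def association_from_octet_string(display: str) -> str:
    """Remove each 0x and space, rejecting anything that is not 16 0xNN bytes."""
    tokens = display.split()
    if len(tokens) != GUID_BYTES:
        raise ValueError(f"expected {GUID_BYTES} bytes, got {len(tokens)}")
    digits = []
    for tok in tokens:
        m = re.fullmatch(r"0x([0-9a-fA-F]{2})", tok)
        if m is None:
            raise ValueError(f"not a 0xNN byte: {tok!r}")
        digits.append(m.group(1))
    return "".join(digits)


def hex_view(value: str) -> str:
    """Assumed storage form: UTF-16LE characters plus a 0000 terminator."""
    h = (value.encode("utf-16-le") + b"\x00\x00").hex()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))


def has_trailing_space(hex_dump: str) -> bool:
    """True when the last character before the terminator is a space (2000)."""
    h = "".join(hex_dump.split()).lower()
    if len(h) < 8 or len(h) % 4 or not h.endswith("0000"):
        raise ValueError("expected 16-bit units ending in a 0000 terminator")
    return h[-8:-4] == "2000"


if __name__ == "__main__":
    assoc = association_from_octet_string(SAMPLE)
    print("association value:", assoc)
    for label, stored in (("clean value", assoc), ("value with trailing space", assoc + " ")):
        dump = hex_view(stored)
        print(f"{label}: ...{dump[-9:]} trailing space: {has_trailing_space(dump)}")
```

The length and format checks catch a partially copied OctetString before it is entered as an association.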
For more information or updates to this tip, see TID-10078395.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com