-
제목
Link Resolver - most common issues and ways to troubleshoot -
설명
DSA log contains errors and Link Resolver is reporting errors: "Error 0x80004005. Unspecified error." Mini dumps are being created and those files are filling up the drive. What can be done? And what is being considered as linked attribute when QMM reports about failures during link resolving?
-
원인
Log reports:
Resolving managedBy attribute links (links number: 1)
12/16/2009 2:15:03 PM 2132 3064 update <GUID=87ae67c897d23b4fb776f28e00b0e9ef>; <SID=0105000000000005150000008b9f9885c271566737ca6e30aa650000>;CN=Joe\, Doe A,OU=Users,DC=domain,DC=com
12/16/2009 2:15:03 PM 2132 3064 Searching object LDAP://...............
12/16/2009 2:15:03 PM 2132 3064 Error 0x80004005. Unspecified error
As first step Link Resolver verifies whether target object (for example group) exists in target or not, this happens in the beginning of each resolve cycle and in the log one can see the note Searching object...
Only if the target object exists will the Link Resolver try to resolve links for that object.In the example above the Link Resolver fails trying to find the target object. In order to see the list of all attributes being treated by LinkResolver as links see the following file:
C:\Program Files\Quest Software\Migration Manager\DSA\CONFIGS\resolver.xml
Below is an excerpt from this file:
---------------------------------------------member BackLink=memberOf ApplyBy=SidOrDn
manager BackLink=directReports ApplyBy=Dn
managedBy BackLink=managedObjects ApplyBy=Dn>
publicDelegates BackLink=publicDelegatesBL ApplyBy=Dn
authOrig BackLink=authOrigBL ApplyBy=Dn
unauthOrig BackLink=unauthOrigBL ApplyBy=Dn
altRecipient BackLink=altRecipientBL ApplyBy=Dn
dLMemSubmitPerms BackLink=dLMemSubmitPermsBL ApplyBy=Dn
dLMemRejectPerms ApplyBy=Dn
assistant ApplyBy=Dn
-
해결 방안
When working Link Resolver heavily relies on objectClass and objectCategory attributes, those attributes should not be skipped for any object class.
Attributes used as auxiliary and matching attributes (with Exchange in forest, extensionAttribute14 and extensionAttribute15; without Exchange in forest, adminDescription and adminDisplayName) should never be skipped.
It is also a good idea not to skip the following attributes for users and for groups (unless absolutely necessary):
distinguishedName (DN), SamAccountName, CN, name.
Additionally, please make sure that DSA and LinkResolver executables are excluded from antivirus scanning and AV exclusions are applied. Support observed several instances where LinkResolver crashed, creating MDMP files because AV exclusions were not applied to DSA machine.
Note: there was a case where LinkResolver generated "Error 0x80004005. Unspecified error." but no MDMP files were created. Please check Event Viewer, System for warnings or errors with "The system detected a possible attempt to compromise security" and "downgrade". It'll indicate what DC has rejected the authentication request and didn't allow NTLM fallback. Change DC to another one from the same domain in Agent Manager, DSA properties, preferred DC/GC and retry the migration session or re-enable dirsync if it was stopped.
-
추가 정보
To enable debug logging for Link Resolver the following procedure should be used:
1. Stop directory synchronization
2. Open the services.msc console and ensure the Quest DSA Link Resolving Service is stopped
3. Rename the old LinkResolver.log. This file is located by default in \Program Files\Quest Software\Migration Manager\DSA\Configs\ folder on the computer where DSA is installed.
4. Use the registry editor registry enable debug logging by settings (or creating a new string value) the following:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AeDSAResolver_QMM\Config
LogLevel = Full
5. Then start directory synchronization and all services again