Group Memberships are not Updating (4301700)

Even though Migration and Synchronization are functional, Group Memberships are not updating on the target groups.

Link Resolver Log

26/10/2016 16:34:59    1980    4628    Creating new connection to , 389
26/10/2016 16:34:59    1980    4628    LDAP Error 0x52. Local error occurred.
26/10/2016 16:34:59    1980    4628    Finish resolving links for object LDAP://

Even though this account has full rights to ADAM, the SPN attribute for the ADAM instance is either missing or incorrect.  Link resolver uses a different method to access the ADAM database than the Directory Synchronization Agent.

The issue can be caused by incorrect Service Principal Name entries on the Service account.  These entries are sometimes left over if the account in question was ever used to Install an ADAM-AD LDS Instance.

This can also be caused by the ADLDS Instance running under the wrong security context.

Resolution 1

Clearing the incorrect values in the SPN attribute for the existing Service Account and adding the correct values for the current ADAM instance

Resolution 2

Recreating the Service account would be the easiest method and then granting access through the Migration Manager Console.

1. Switch to the Active Directory Synchronization tab at bottom left
2. From the Menu select Action
3. Select Delegate
4. Enter the user and credentials for the new Service Account
5. Restart the ADAM instance

Resolution 3

If the ADLDS Instance service is set to run under any context other than the Service Account, then change the Log On to the Service Account and restart the Instance service.

1. Open Services.
2. Locate the appropriate ADLDS Instance service and double-click on it.
3. Click on the Log On tab.
4. Select 'This account:'
5. Enter the Service Account.
6. Enter the password in both fields.
7. Click OK.
8. Restart the Service.