Troubleshoot the following points:
1. The source Active Directory object is often hidden from the DSA by its "ShowInAdvancedViewOnly" attribute. Resolve this by opening the source Active Directory object in ADSIEdit.msc: find your object, locate the attribute and manually set it to false.
2. An object may have been previously "mismatched" to a target Active Directory object. This can happen depending on which match attribute is used to link your source object to the target Active Directory object. Typically, one of three attributes is used to match: SamAccountName, Email, or SIDHistory. The DSA looks in the target for matches on whichever combination of these is configured. Resolve this by searching the target AD for the matching criteria you have used. Use any suitable Windows utility that can search Active Directory. For example, LDP.exe can be used with hand-built LDAP queries, or a GUI-based utility such as "AD Explorer".
An even shorter method is to obtain the ObjectGUID from the source object and search the target Active Directory for the match. If Exchange is installed, the DSA will stamp the source ObjectGUID into the ExtensionAttribute15 of the matching or created object on the target.
For example, using LDP.exe you could construct a query similar to the following:
1. (&(objectCategory=person)(objectClass=user)(sAMAccountName=JSmith))
2. (&(objectCategory=person)(objectClass=user)(ExtensionAttribute15=<replaceWithSourceObjectGUIDHere>))
If a match is found, you can determine who the user is and make changes as needed to match correctly.
3. The DSA configuration has "Filtered" out your object. Under the "Properties" of the DSA Synchronization, select the filter button. Check the tab for explicit "Exclusions", "AD Class Exclusion" or any custom LDAP query that may have been designed to filter the user by accident.
4. The DSA was configured to only "MERGE" objects, and NOT "Create." This can be seen in the properties of the DSA as well. In this case you may have to use a Migration session to migrate the object first, before the DSA can see it and finish migrating all attributes. Be careful if switching the DSA to "Create" objects on the target, as it will create any new objects found in your selected source OUs, i.e. the configured scope.
5. If a custom Add-in was used, it may be preventing certain objects from
6. The "Name" attribute was skipped under the "Attributes to skip" configuration section. If "Name" is skipped and you are allowing objects to be created on the target, Active Directory will not have enough information to actually create the new account. Consider recreating the
Source accounts have expired. This is a simple resolution that can be checked within the source Active Directory.
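The lookups from points 1 and 2 and the expired-account check can be scripted. The following is an added PowerShell example, not Quest code. It assumes the ActiveDirectory (RSAT) module, that "Email" corresponds to the mail attribute, and that ExtensionAttribute15 holds the GUID in its hyphenated string form; the domain controller names and the JSmith identity are placeholders.

```powershell
# Added example (not part of the original article or the Quest product).
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # RFC 4515 escaping: \ * ( ) and NUL become \xx so a value such as
    # "Smith (Contractor)" cannot change the structure of the filter.
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        if ('\*()'.IndexOf($c) -ge 0 -or [int]$c -eq 0) {
            [void]$sb.AppendFormat('\{0:x2}', [int]$c)
        } else {
            [void]$sb.Append($c)
        }
    }
    $sb.ToString()
}

function Get-DsaMatchFilter {
    param($SourceUser)
    # One OR clause per match attribute named in point 2, plus the stamped GUID.
    $clauses = @("(sAMAccountName=$(ConvertTo-LdapFilterValue $SourceUser.SamAccountName))")
    if ($SourceUser.mail) {
        $clauses += "(mail=$(ConvertTo-LdapFilterValue $SourceUser.mail))"
    }
    $clauses += "(sIDHistory=$($SourceUser.SID.Value))"
    # Assumption: GUID stored as a hyphenated string; verify against a known-good match.
    $clauses += "(extensionAttribute15=$($SourceUser.ObjectGUID))"
    "(&(objectCategory=person)(objectClass=user)(|$($clauses -join '')))"
}

# Placeholders: replace the identity and both server names with your own.
$src = Get-ADUser -Identity 'JSmith' -Server 'source-dc.example' `
    -Properties mail, showInAdvancedViewOnly, AccountExpirationDate
$filter = Get-DsaMatchFilter $src

# Source-side checks: hidden object (point 1) and expired account.
[pscustomobject]@{
    HiddenFromDsa = [bool]$src.showInAdvancedViewOnly
    Expired       = $src.AccountExpirationDate -and $src.AccountExpirationDate -lt (Get-Date)
    TargetFilter  = $filter
}

# Target-side check: every object the DSA could have matched (point 2).
Get-ADUser -LDAPFilter $filter -Server 'target-dc.example' `
    -Properties mail, sIDHistory, extensionAttribute15 |
    Select-Object DistinguishedName, SamAccountName, mail, extensionAttribute15, sIDHistory
```

More than one object returned from the target, or one whose ExtensionAttribute15 does not correspond to the source ObjectGUID, points to the mismatch described in point 2.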