Troubleshooting missing group member errors

In some implementations, it makes sense (usually by improving performance) to separate your user and group provisioning into separate MAs. One downside of this approach, however, is that you can run into export errors when trying to update a group with a member who doesn’t exist in the external directory – and this includes delete member operations.

The error you will see will either be dn-attributes-failure or cd-missing-object, depending on the type of group.

The detailed error will say something about an add or delete operation on a member that does not exist but, unhelpfully, will not tell you which one.

I’ve had some fun and games with this one recently, so this post is about some ways I figured out to troubleshoot the problem, and includes a vbscript for finding that missing member.

dn-missing.vbs

While trying to troubleshoot these missing member errors during the week I wrote a quick vbscript to help – you can look at it here.

Basically it exports an XML copy of the group object from the connector space, and then attempts an LDAP bind against each member. This works for AD. I haven’t tried it for other directories, but I expect it would work with anything based on LDAP.
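The same check, as an added PowerShell example rather than the post's own dn-missing.vbs: it reads a csexport XML dump of the group object, pulls out every member DN and tests whether each one binds on a given DC. It assumes the dump came from csexport.exe for the group, that member DNs sit in `<attr name="member"><value>…</value></attr>` elements (nesting does not matter) and that `$Server` is the DC both MAs should be targeting; those names and the script file name are mine, not the post's.

```powershell
# Added example, not the post's dn-missing.vbs: report which member DNs of a
# group exported from the connector space cannot be bound to on a DC.
# Assumptions: $XmlPath was produced by csexport.exe for the group object and
# every member DN is in an <attr name="member"> <value>...</value> element
# (any depth); $Server is the DC both MAs target.
param(
    [Parameter(Mandatory = $true)][string]$XmlPath,
    [Parameter(Mandatory = $true)][string]$Server
)

[xml]$cs = Get-Content -Path $XmlPath -Raw

# Every member value, tagged with its pending operation (add/delete) when the
# export carries one, so the output shows which side of the change is failing.
$members = foreach ($node in $cs.SelectNodes("//attr[@name='member']/value")) {
    $op = 'current'
    if ($node.HasAttribute('operation')) { $op = $node.GetAttribute('operation') }
    [pscustomobject]@{ Dn = $node.InnerText.Trim(); Operation = $op }
}

function Test-DnExists {
    param([string]$Dn, [string]$Server)
    # Forward slashes in a DN must be escaped in an ADSI path.
    $path = "LDAP://$Server/" + ($Dn -replace '/', '\/')
    try {
        return [System.DirectoryServices.DirectoryEntry]::Exists($path)
    } catch {
        # Bad credentials or an unreachable DC land here; treat as unresolved.
        Write-Warning ("Bind to {0} failed: {1}" -f $path, $_.Exception.Message)
        return $false
    }
}

$missing = @($members | Where-Object { -not (Test-DnExists -Dn $_.Dn -Server $Server) })

if ($missing.Count -gt 0) {
    Write-Output ("{0} of {1} member DNs do not resolve on {2}:" -f $missing.Count, @($members).Count, $Server)
    $missing | Format-Table -AutoSize
} else {
    Write-Output ("All {0} member DNs resolve on {1}." -f @($members).Count, $Server)
}
```

Run it as `.\Find-MissingMember.ps1 -XmlPath .\group.xml -Server dc01.example.com` with the file csexport.exe produced for the group. Point `-Server` at the DC the AD MA is configured to use; binding against a different DC will report members that only look missing because of replication lag, which is exactly the false alarm the next section describes.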

What if the member exists?

The big problem I was having was when the member actually did exist in AD. This was very frustrating. It seemed that once ILM had decided it couldn’t export the group then nothing could convince it otherwise. I tried various mitigation techniques:

  • Full Import Full Sync of everything (didn’t help),
  • Hacking the export.xml (helped when I was having a problem with a member delete),
  • Adding the member manually in AD then doing a Delta Import Delta Sync (a bit pointless, but it got things moving again).

A full clear-out and re-import of the connector space would doubtlessly have worked, but considering the number and size of the groups, this would have been a painful process.

Targeting the same DC

What I did eventually figure out was that the two MAs were targeting different DCs. Duh! Obviously, to avoid any missing objects due to AD sync delays, you should target the same DC. In fact this post on the TechNet forum indicates that a Global Catalog server is best.

To hardcode a DC use the Domain controller connection settings on the Configure Directory Partitions tab of the AD MA.

Remove users from groups before deleting the user account

Another pretty obvious one, but I was also being careless on this front.

Even though it might seem perfectly reasonable to delete a non-existent user from a group, all AD will see is that you have explicitly requested an operation involving something it can’t find.

In this implementation, I disable users for a week before they are actually deleted. I now make sure that they are removed from all groups as soon as they are disabled.
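Doing the disable and the group clean-up as one step, as an added PowerShell example that is not the post's own ILM logic: it disables the account and removes it from every group in its memberOf, against the same DC the MAs use. It assumes the ActiveDirectory module is available and that `$Server` is that DC; the parameter names are mine.

```powershell
# Added example: disable an account and strip its group memberships together,
# so that no later group export references an object that has since been deleted.
# Assumptions: ActiveDirectory module present; $Server is the DC the AD MAs target.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [Parameter(Mandatory = $true)][string]$Server
)
Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Server $Server -Properties memberOf

Disable-ADAccount -Identity $user -Server $Server

# memberOf never contains the primary group (usually Domain Users), which
# cannot be removed this way anyway, so every DN here is safe to remove.
foreach ($groupDn in $user.memberOf) {
    Remove-ADGroupMember -Identity $groupDn -Members $user -Server $Server -Confirm:$false
    Write-Output ("Removed {0} from {1}" -f $user.SamAccountName, $groupDn)
}
```

Two things to watch. Targeting the same DC as the MAs means the next delta import sees the disable and the membership removals in one pass, so the group MA never exports a delete for a member it cannot find. And if ILM is the authority for these memberships, the removal belongs in the same provisioning logic that disables the user; removing the user out-of-band in AD while the metaverse still lists it in the group just gets it re-exported on the next sync.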

I will write another post soon on the disable-delete methodology.

DC Logging Levels

Finally, if you are still having problems and need to get more information about why AD is rejecting an export, try increasing the logging levels on the DC as per this KB. The ones to increase are 8, 9 and 16.
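Raising and resetting those three categories from the command line, as an added PowerShell example that is not part of the post or the KB it refers to: it finds the NTDS diagnostics values whose names start with 8, 9 or 16, sets them to the requested level for the duration of one export run, then puts them back to 0. It assumes it runs elevated on the DC and that the key is the standard `HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics`; the `$Level` default of 3 is my choice.

```powershell
# Added example: raise NTDS diagnostic categories 8, 9 and 16 on a DC for one
# export run, then reset them. Assumptions: run elevated on the DC; the key is
# the standard NTDS Diagnostics key; level 3 gives detail without flooding the log.
param([int]$Level = 3)
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# Select the values by their leading number rather than hard-coding the full
# names (e.g. "8 Directory Access"), so small label differences do not matter.
$targets = (Get-Item -Path $key).GetValueNames() | Where-Object { $_ -match '^(8|9|16) ' }

function Set-NtdsDiagnostics {
    param([string[]]$Names, [int]$Value)
    foreach ($name in $Names) {
        Set-ItemProperty -Path $key -Name $name -Value $Value -Type DWord
        Write-Output ("{0} -> {1}" -f $name, $Value)
    }
}

Set-NtdsDiagnostics -Names $targets -Value $Level
Write-Output 'Run the failing export now and read the Directory Service event log. Press Enter to reset.'
$null = Read-Host
Set-NtdsDiagnostics -Names $targets -Value 0
```

The new levels take effect immediately, so run the export while the script is waiting and look in the Directory Service log for the LDAP operation that was rejected; the entries name the DN the DC could not find, which is the detail the ILM export error leaves out. Reset to 0 straight afterwards, since these categories are noisy on a busy DC.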

About: Carol

I've been doing IT for 30 years, and IdM for 15. I live in Australia and build IdM solutions based on Microsoft Identity Manager. I also play the violin, but that doesn't help much with the IdM solutions.