Error messages and problem solving

A warning or error message might be displayed in the user interface to provide information about the adapter or when an error occurs.

These errors might be displayed in the user interface when the adapter is installed on your system.

Table 1. Troubleshooting the Active Directory Adapter errors
Error message Corrective action
Unable to bind to base point
Ensure that:
  • The Users Base Point is correctly specified on the adapter service form.
  • The target servers are up and reachable when they are specified in the base point.
  • The user ID is correctly specified on the adapter service form.
  • The password is correctly specified on the adapter service form.
  • The Active Directory Server is reachable from the workstation where the adapter is installed.
Unable to bind to group base point.
Ensure that:
  • The Groups Base Point is correctly specified on the adapter service form.
  • The user ID is correctly specified on the adapter service form.
  • The password is correctly specified on the adapter service form.
  • The target servers are up and reachable when they are specified in the base point.
  • The Active Directory Server is reachable from the workstation where the adapter is installed.
Unable to determine default domain
This error occurs when the Active Directory Adapter fails to:
  • Bind to root DSE
  • Get the default naming context
Ensure that:
  • The Users Base Point is correctly specified on the adapter service form.
  • The user ID is correctly specified on the adapter service form.
  • The password is correctly specified on the adapter service form.
  • The Active Directory Server is reachable from the workstation where the adapter is installed.
Error binding to DN: DN String
This error occurs when the Active Directory Adapter fails to bind to a user object of the Active Directory Server for processing.

Ensure that the user processed in the Active Directory Server is not deleted by any other process simultaneously.

Extended attribute attribute name has unsupported syntax
The Active Directory Adapter does not support the data type used for the extended attribute. Use one of the following data types:
  • Boolean
  • Integer
  • Case-sensitive string
  • Not case-sensitive string
  • Numerical string
  • Unicode string
  • Distinguished name
  • UTC coded time
  • OctetString
  • Integer8
For more information about customizing the adapter to use the extended attributes, see Customizing the Active Directory Adapter.
Extended attribute attribute name not found in Active Directory schema
The extended attribute specified in the exschema.txt file does not exist on the Active Directory Server.

Either remove the attribute name from the exschema.txt file or add the attribute to the Active Directory Server.

Error binding to schema container error code. Loading of extended schema attribute attribute name failed.
Error getting parent of schema error code. Loading of extended schema attribute attribute name failed.
Error binding to DN of schema error code. Loading of extended schema attribute attribute name failed.
Unable to connect to default domain. Loading of extended schema attribute attribute name failed.
These errors occur when the Active Directory Adapter fails to extract the schema of the extended attributes.
  • Ensure that the Active Directory Server is reachable from the workstation where the adapter is installed.
  • Verify that the extended attribute is correctly defined and added to the user class.
When the adapter service is started, the adapter reads the exschema.txt file and binds to the domain in which the adapter is running. The adapter checks the syntax of the specified extended attributes. Because checking the syntax of an extended attribute is a one-time process, it is done at startup. If the adapter fails to bind to the domain, it does not manage any of the extended attributes.
Ensure that:
  • At least 1 domain controller is accessible before starting the Active Directory Adapter service.
  • The user account under which the adapter service is running has permission to read the Active Directory schema.
Extended schema file not found. No extensions loaded.
This information message occurs when the Active Directory Adapter fails to find the extended schema file (exschema.txt) or fails to open the file.
Unable to bind to user user name
This error occurs when the Active Directory Adapter fails to connect to a user object in the Active Directory Server for processing.

Ensure that the user user name exists on the Active Directory Server.

Error determining RAS server name
Check the value of the registry key ForceRASServerLookup. If the value of the key is TRUE, the Active Directory Adapter determines the RAS server regardless of whether you specify the server name on the adapter service form.

This error might be because the domain does not exist or the domain controller is not available for the specified domain.

Ensure that the Active Directory Server is reachable from the workstation where the adapter is installed.

Unable to get domain name. Terminal and RAS servers cannot be determined.
This error occurs when the Active Directory Adapter fails to get the domain name from the specified base point or from the default domain.

Ensure that a base point is specified with a correct domain name.

Invalid domain name syntax
Use one of the following formats to specify the domain name:
  • Server name/ou=org1,dc=ibm,dc=com
  • ou=org1,dc=ibm,dc=com
User not found
Ensure that the user exists on the Active Directory Server and is not directly deleted or modified on the Active Directory Server.
Group not found.
Ensure that the group exists on the Active Directory Server and is not directly deleted or modified on the Active Directory Server.
Error setting attributes country. Unknown country code.
The country code specified for the user is not valid.

Specify a valid country code and submit the request again. For information about valid country codes, see the country and region codes section in the Active Directory Adapter User Guide.

Could not modify the attribute–msExchUserAccountControl
This warning occurs when the user mailbox is not disabled on suspending a user account.
Error removing membership from group group name
The Active Directory Adapter failed to remove the membership of a user or group from the group group name.
Ensure that:
  • The user or group exists on the Active Directory Server.
  • The user or group is a member of the group group name.
  • The group specified exists on the Active Directory Server.
Error adding membership to group group name
The Active Directory Adapter failed to add membership of the user or group to the group group name.
Ensure that:
  • The user or group exists on the Active Directory Server.
  • The user or group is not already a member of the group group name.
  • The group specified exists on the Active Directory Server.
Unable to get info on share share name
This error occurs when the Active Directory Adapter fails to retrieve share information from the home directory of the user.
Ensure that:
  • The user account under which the adapter is running has access to the home directory.
  • The share name exists on the workstation where the home directory is created.
Invalid home directory path path name
The Active Directory Adapter supports creation and deletion of only UNC home directories. Specify the UNC home directory path in the following format:

\\servername\sharename\foldername

Note:
  • NTFS security and Shares can be set only on the Home Directories that are a UNC path.
  • Share Access can be set only on the Home Directories that are a UNC path that have a share created.
Unable to delete home directory home directory name
The Active Directory Adapter is not able to delete the specified home directory. If the adapter is unable to delete the UNC home directory, ensure that:
  • The value of the registry key DeleteUNCHomeDirectories is TRUE.
  • The user account under which the adapter is running has permissions to delete the directory.
Home directory deletion is not enabled. Home directory will not be deleted.
To enable home directory deletion, set the values of DeleteUNCHomeDirectories and ManageHomeDirectories registry keys to TRUE. Resend the modify request from IBM Security Verify Governance.
Home directory creation not enabled. Directory will not be created.
To enable home directory creation, set the values of CreateUNCHomeDirectories and ManageHomeDirectories registry keys to TRUE. Resend the modify request from IBM Security Verify Governance.
Error creating home directory home directory name
Unable to set Home Directory Drive. Failed to create Home Directory.
Unable to set Home Directory NTFS security. Failed to create Home Directory.
Unable to set Home Directory Share. Failed to create Home Directory.
Unable to set Home Directory Share Access. Failed to create Home Directory.
The Active Directory Adapter is not able to create the home directory.
Ensure that:
  • A directory with the same name does not exist.
  • The user account has permissions to create the home directory.
  • Intermediate directories exist. The adapter creates only the final directory in the specified path.
Error deleting share share name
The Active Directory Adapter is not able to delete the share when you clear the value of the share-related attributes from the Active Directory Server account form.
Ensure that:
  • The user account has access to the specified share.
  • The specified share name exists.
  • The user account under which the adapter is running has permissions to create home directory.
Search failed. Unable to retrieve additional data after 3 retries.
The Active Directory Adapter retrieves data from the Active Directory Server in a paged manner. The adapter reconciles users, groups, and containers and attempts to retrieve data in a maximum of three attempts. If all three attempts fail, the adapter abandons the search.
The adapter cannot retrieve data because of one of the following reasons:
  • The network response is slow.
  • The Active Directory Server is busy.
  • The Active Directory Adapter installed on the Active Directory Server is overloading the server.
For information about configuring the Active Directory Server, see http://support.microsoft.com.
User search failed
Group search failed. Error code: error code - error description. Provider: provider name.
Container search failed. Error code: error code - error description. Provider: provider name.
Error performing User Lookup
errorMessage="Unsupported filter"
The adapter does not support the attribute specified in the filter. For the list of supported attributes, see supported attributes in the Active Directory Adapter User Guide.

Error setting attribute eradprimarygroup. ADSI Result code: 0x80072035 - The server is unwilling to process the request.

Ensure that:
  • The user is a member of the specified group.
  • The specified group is either a universal security group or a global security group.

ADSI Result code: 0x80072014 - The requested operation did not satisfy one or more constraints associated with the class of the object.

ADSI Result code: 0x8007202f - A constraint violation occurred.

These errors occur when the specified value for the attribute violates any constraint associated with that attribute. For example, a constraint might be:
  • Minimum or maximum length of characters the attribute can store.
  • Minimum or maximum value the attribute can accept.
Ensure that the specified value for the attribute does not violate these constraints.
Note: If any one of the attributes specified in the request violates a constraint, the adapter gives the same error for all the subsequent attributes. This error is issued even though they do not violate any constraint. For example, the Title attribute on the Active Directory Server can store a description of maximum of 64 characters. If you specify a description of more than 64 characters, the adapter gives these errors for the Title attribute and for all the other attributes specified in the request.

Request for proxy email types should contain at least one primary SMTP address

Verify that the request for proxy email types contains a primary SMTP address.

Unable to load XML transformation buffer from 'adapter installation directory\data\xforms.xml'

The Active Directory Adapter does not use the xforms.xml file. Therefore, you can safely ignore the xforms-related errors that are recorded in the WinADAgent.log file.
Unable to bind to group group name.
This error occurs when the Active Directory Adapter fails to connect to a group object in the Active Directory Server for processing.

Ensure that the group group name exists on the Active Directory Server.

The specified User Principal Name (UPN) UPN values already exists in the enterprise. Specify a new one.
This error occurs when a request is made to create a user account and a user account with the same value for the User Principal Name attribute already exists in the Active Directory Server.
Ensure that:
  • The value specified for the User Principal Name attribute when you create a user account is not already used by an existing user account on the Active Directory Server.
  • You set the registry key UPNSearchEnabled to FALSE when you do not want the adapter to check the uniqueness of the User Principal Name attribute. For more information about usage of the registry key UPNSearchEnabled, see "User Principal Name of a user account" in the Active Directory Adapter User Guide.
Error while fetching the group interface for group DN.
This error occurs when the Active Directory Adapter fails to bind to a group object on the Active Directory Server for processing.

Ensure that the group processed in the Active Directory Server is not deleted by any other process simultaneously.

Unable to bind to the container object in move operation.
This error occurs when the Active Directory Adapter cannot bind to the requested container when a user or group object is moved in the Active Directory Server hierarchy.

Ensure that the container exists on the Active Directory Server.

Cannot set Fixed Callback without Callback number. Callback number not found in the request.
When you select Callback Settings as Fixed Callback, you must specify the Callback Number.
Error setting the RAS attribute RAS attribute name. Error reading RAS info.
Ensure that:
  • The user account under which the adapter is running has administrator rights to the Active Directory Server.
  • The RAS service is running on the Domain Controller.
Not a valid IPv4 address.
The IP address specified for the Static IPv4 Address is in an incorrect format.

Specify the IP address in the IPv4 format.

Agent ADAgent is not installed.
This error occurs when an attempt is made to run the certTool utility by running the following command:
CertTool -agent ADAgent
Ensure that:
  • The user who runs the certTool utility has administrator permissions.
  • You disabled the User Account Control (UAC) security feature before you run the certTool utility on the workstation where the adapter is installed.
Home Directory will not be created. Home directory management is disabled.
Cannot create share share name. Home directory management is disabled.
Cannot set share access. Home directory management is disabled.
Cannot set NTFS access. Home directory management is disabled.
Set the adapter registry keys CreateUNCHomeDirectories and ManageHomeDirectories to TRUE to:
  • Create a home directory
  • Create home directory share
  • Set share access
  • Set home directory NTFS access for a user account.
For more information about creating the home directory and modifying the home directory attribute, see the Active Directory Adapter User Guide.

Value specified is not in the proper format.

Ensure that the value of the extended attribute of type DNWithBinary has the following format:
B:char count:binary value:object DN

Value specified for the attribute does not start with character 'B'.

Ensure that the value specified for the extended attribute of type DNWithBinary starts with the character 'B' only.

Value given after 'B:' is not correct. Expected value is the total number of Hexadecimal Digit count

For an extended attribute of type DNWithBinary, verify that the value given for the char count is the total number of hexadecimal digits. Ensure that it does not contain any alphabetical characters or any special characters.

Hexadecimal value does not contain the number of characters specified in the character count.

For an extended attribute of type DNWithBinary, verify that the total hexadecimal digit count specified in the char count is equal to the number of hexadecimal characters.

Wrong Digit in Hex String.

For an extended attribute of type DNWithBinary, verify that the value given in the binary value contains only hexadecimal characters. Valid characters are numerals 0 through 9 and letters A through F. The value can be a combination of valid numerals and letters.

Value is not set on resource due to invalid constraint.

This error occurs when the specified value for the extended attribute of type DNWithBinary violates any constraint associated with that attribute. For example, some constraints might be:
  • The object DN in the value must be a distinguished name of existing user object.
  • The maximum or minimum number of bits in the hexadecimal value.
Ensure that the specified value for the attribute does not violate any constraints.

Hexadecimal value should always contain even number of characters.

For an extended attribute of type DNWithBinary, verify that the value given in the binary value contains an even number of hexadecimal characters.
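
A check that applies the DNWithBinary format rules listed above to a value before it is put in a request, as an added example that is not part of the adapter or its documentation. The function name, the order of the checks, the acceptance of lowercase hexadecimal letters, and the sample values are assumptions; the messages returned are the ones quoted in this table.

```python
import re

# Messages are the adapter error strings listed in the table above.
ERR_FORMAT = "Value specified is not in the proper format."
ERR_PREFIX = "Value specified for the attribute does not start with character 'B'."
ERR_COUNT = ("Value given after 'B:' is not correct. Expected value is the "
             "total number of Hexadecimal Digit count")
ERR_LENGTH = ("Hexadecimal value does not contain the number of characters "
              "specified in the character count.")
ERR_DIGIT = "Wrong Digit in Hex String."
ERR_EVEN = "Hexadecimal value should always contain even number of characters."


def check_dn_with_binary(value):
    """Validate 'B:char count:binary value:object DN'.

    Returns (True, (raw_bytes, object_dn)) or (False, error_message).
    The order of the checks is an assumption, not the adapter's documented order.
    """
    # Split on the first three colons only; the DN itself may contain ':'.
    parts = value.split(":", 3)
    if len(parts) != 4 or not parts[3].strip():
        return False, ERR_FORMAT
    prefix, count, hex_value, object_dn = parts
    if prefix != "B":
        return False, ERR_PREFIX
    # ASCII digits only: no letters, signs, spaces or other special characters.
    if not re.fullmatch(r"[0-9]+", count):
        return False, ERR_COUNT
    # The page lists 0-9 and A-F; accepting lowercase a-f too is an assumption.
    if not re.fullmatch(r"[0-9A-Fa-f]*", hex_value):
        return False, ERR_DIGIT
    if len(hex_value) != int(count):
        return False, ERR_LENGTH
    if len(hex_value) % 2:
        return False, ERR_EVEN
    # Whether object_dn names an existing object can only be checked against
    # the directory, so that constraint is out of scope here.
    return True, (bytes.fromhex(hex_value), object_dn)


# Constructed sample values (not taken from a real directory).
DN = "CN=Jane Doe,OU=org1,DC=ibm,DC=com"
SAMPLES = [
    "B:8:0A1B2C3D:" + DN,      # well formed
    "X:8:0A1B2C3D:" + DN,      # wrong leading character
    "B:eight:0A1B2C3D:" + DN,  # char count is not a number
    "B:6:0A1B2C3D:" + DN,      # char count does not match 8 hex characters
    "B:8:0A1B2C3G:" + DN,      # 'G' is not a hexadecimal digit
    "B:7:0A1B2C3:" + DN,       # odd number of hexadecimal characters
    "B:8:0A1B2C3D",            # object DN missing
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, detail = check_dn_with_binary(sample)
        print("OK  " if ok else "FAIL", sample, "->", detail)
```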

Attribute can be set only if Mailbox is enabled for Unified Messaging. To enable Unified Messaging both values UMMailbox Policy and UM Addresses(Extensions) are required.

Ensure that valid values of both UMMailbox Policy and UM Addresses(Extensions) are specified in the request to enable the user for Unified Messaging.

Attribute Operation Type is not supported.

Ensure that the value specified for UM Addresses (Extensions) does not have the operation type MODIFY.

Attribute cannot be set. Mailbox is Disabled for Unified Messaging.

Ensure that the request does not contain Unified Messaging attributes with operation ADD or MODIFY when the MailBox of the user is disabled for Unified Messaging.

Attribute cannot be set. Error occurred while trying to Disable MailBox for Unified Messaging.

This error occurs if disabling Unified Messaging fails and the request contains the UM Addresses (Extensions) attribute with operation type ADD or MODIFY.

Attribute cannot be delete. Error occurred while trying to Disable MailBox for Unified Messaging.

This error occurs if disabling Unified Messaging fails and the request contains the UM Addresses (Extensions) attribute with operation type DELETE.

Error creating user account for [username]. Error: 0x80070005
The error 0x80070005 - Access is denied means that a domain account that manages users needs to be applied on the Active Directory Adapter.
  1. Ensure that the Active Directory Adapter is installed on a machine that has an Active Directory instance.
  2. After completing the adapter installation, verify the Windows service for Active Directory Adapter:
    1. Click Start > Programs > Administrative Tools > Services to open the Services page.
    2. Locate the service named Active Directory Adapter.
    3. In the Log On tab, under This Account, enter a domain account and password that has sufficient permissions to manage user accounts.
    4. Restart the service to apply the changes.
  3. Test the adapter connection to ensure it is functioning properly.
  4. Attempt to create a new AD User Account using the ISVG/ISVG-IM/Verify server to confirm that the issue is resolved.
Error while fetching the group interface for [dn of AD group]. Error code: 0x80072030 - There is no such object on the server.
  1. Ensure that the Active Directory Adapter is updated to the latest version.
  2. Verify the following setting in AgentCfg.exe:
    • Single Thread Agent should be set to False in the Advanced Settings Configuration section.