Getting an Error “Failed: Search” while trying to Import a User Object from one of the AD MAs (Management Agents) in Forefront Identity Manager

Although Forefront Identity Manager is not my forte (I am more of a Forefront Edge guy), I would still like to share a scenario I worked on a couple of days back.

We were getting the error “Failed: Search” with error code 8453 while trying to run a “Full Import” on an AD MA on a FIM 2010 server from the console, using LDAP. Error 8453 is ERROR_DS_DRA_ACCESS_DENIED (“Replication access was denied”): the AD MA pulls changes through the LDAP DirSync control, which requires the Replicating Directory Changes right on the naming context being imported, so this code already points at a permission problem rather than a connectivity one.

In Event Viewer we saw the following event:

[image: Event Viewer entry logged for the failed Full Import]

So, first we took a network trace on the FIM server to see whether LDAP traffic was flowing between the FIM server and the source domain controller. The trace showed that it was: we could see the LDAP Bind being sent and the responses coming back from the DC, so the failure was not a connectivity or authentication problem.

It looked more like an issue with the permissions on the AD containers where the user was located.

So, we took the following two approaches to see whether they would fix the issue:

APPROACH 1

Grant the Replicating Directory Changes permission on the CN=Configuration container:

1. On the domain controller, click Start, click Run, type adsiedit.msc, and then click OK.

2. If the Configuration node is not already present, do the following:
   a. In the navigation pane, click ADSI Edit.
   b. On the Action menu, click Connect to.
   c. In the Connection Point area of the Connection Settings dialog box, click Select a well known Naming Context, select Configuration from the drop-down list, and then click OK.

3. Expand the Configuration node, right-click the CN=Configuration,... node, and then click Properties.

4. In the Properties dialog box, click the Security tab.

5. In the Group or user names section, click Add.

6. Type the name of the synchronization account, and then click OK.

7. In the Group or user names section, select the synchronization account.

8. In the Permissions section, select the Allow check box next to the Replicating Directory Changes (Replicate Directory Changes on Windows Server 2003) permission, and then click OK.

APPROACH 2

Make sure the permission on the domain partition is not scoped to the partition object alone:

1. Right-click the domain partition, click Properties, open the Security tab, select the user, and click Advanced.

2. Select the user and make sure that, under the Apply to column, the permission is NOT applied to “This object only”, as shown below. Make sure to select the entry for the user that carries the Replicate Directory Changes permission; the same user will also have a separate entry with Read permission.

3. If it is set to “This object only”, click Edit and change the Apply to setting to “This object and all descendant objects”.

NOTE: The user referred to in Approach 2 is the account we used while configuring the AD Management Agent on the FIM server. It can be set in the Properties of the MA, at the location shown below:

[image: AD Management Agent properties page where the connection account is configured]
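The two approaches above are click-through procedures in ADSI Edit. The following PowerShell script is an added example, not part of the original post, that does the same audit and grant from the command line so the result can be checked on every DC or domain the MA imports from: it reports whether the MA account already holds the Replicating Directory Changes right on the domain and configuration naming contexts and with which Apply to scope, and with -Grant adds the right with the “This object and all descendant objects” scope that Approach 2 calls for. The account name CONTOSO\svc-fimsync and the DC name dc01.contoso.com are placeholders; the extended-right GUID is the well-known rightsGuid of DS-Replication-Get-Changes.

```powershell
<#
 Added example (not from the original post): audit, and optionally grant, the
 "Replicating Directory Changes" control-access right for the AD MA account on
 the domain and configuration naming contexts. Needs the ActiveDirectory module
 (AD: PSDrive) and an account that may edit the ACL of the NC head objects.
#>
param(
    [string]$SyncAccount = 'CONTOSO\svc-fimsync',   # assumed: the AD MA connection account
    [string]$Server      = 'dc01.contoso.com',      # assumed: a writable DC in the source domain
    [switch]$Grant                                  # without -Grant the script only reports
)

Import-Module ActiveDirectory

# rightsGuid of the DS-Replication-Get-Changes extended right, shown in ADSI Edit
# as "Replicating Directory Changes". Deliberately NOT DS-Replication-Get-Changes-All
# (1131f6ad-...): that right additionally exposes secret attributes such as
# password hashes (what DCSync abuses) and is not needed for an FIM import.
$ReplGetChanges = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

$rootDse = Get-ADRootDSE -Server $Server
$targets = @($rootDse.defaultNamingContext, $rootDse.configurationNamingContext)
$sid = (New-Object System.Security.Principal.NTAccount($SyncAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

foreach ($dn in $targets) {
    $path = "AD:\$dn"                  # the AD: provider addresses objects by DN
    $acl  = Get-Acl -Path $path

    # Existing Allow ACEs that give this account the Replicating Directory Changes right
    $existing = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $SyncAccount -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $ReplGetChanges
    })

    if ($existing.Count -eq 0) {
        Write-Host "$dn : $SyncAccount has NO Replicating Directory Changes right"
    } else {
        foreach ($ace in $existing) {
            # InheritanceType None is "This object only" in the ACL editor;
            # All is "This object and all descendant objects".
            Write-Host ("{0} : present, Apply to = {1}" -f $dn, $ace.InheritanceType)
        }
    }

    if ($Grant) {
        $ruleArgs = @(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $ReplGetChanges,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
        )
        $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ruleArgs
        $acl.AddAccessRule($rule)
        Set-Acl -Path $path -AclObject $acl
        Write-Host "$dn : granted Replicating Directory Changes to $SyncAccount (Apply to: this object and all descendants)"
    }
}
```

Run it once without -Grant to see the current state (an entry reported with Apply to = None is the “This object only” case from Approach 2), then with -Grant. Treat the MA account as sensitive afterwards: with this right it can read, through DirSync, every non-secret attribute in those naming contexts regardless of per-object ACLs, so it should be a dedicated account with a strong password and no interactive logon, and it should never be given Replicating Directory Changes All.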

After following the above action plan, we could perform the “Full Import” for that MA on the FIM server.

Reference:

http://technet.microsoft.com/en-us/library/hh296982.aspx#RDCc

I hope this post will help in resolving similar issues. I will try to add more on the FIM database as well in the near future.

AUTHOR

NITIN SINGH

SUPPORT ESCALATION ENGINEER, FOREFRONT EDGE SECURITY, MICROSOFT