Management Agent Run Error Codes

The following tables contain error codes that might appear in the Synchronization Service Manager user interface in Microsoft® Forefront Identity Manager (FIM) 2010 R2, as well as descriptions for each of those errors.

Connection errors

Error Description

failed-connection

Connection to the connected directory has failed for a reason other than authentication. For example, the network is unavailable, or the target server is offline.

dropped-connection

The connection between the management agent and the connected directory no longer exists. The management agent tries to reconnect to the connected directory in many instances.

failed-authentication

Authentication is not possible using the supplied credentials.

failed-permission

Insufficient rights to access a container in the connected directory. This error is only expected for Lightweight Directory Access Protocol (LDAP) management agents that search different connected directory containers.

failed-search

A container or table search failed with an unexpected error.

warning-no-watermark

The management agent cannot read the watermark when doing a full import. This error is only expected for the management agent for Sun ONE Directory Server 5.1 (formerly iPlanet Directory Server) when the initial management agent configuration is completed and the connected directory has change log enabled. Later, when the connected directory change log is turned off, if the management agent configuration is not updated, this warning occurs when a full import is done.

no-start-partition-delete

The LDAP partition originally configured for this management agent no longer exists. This error is returned when the partition was deleted, or the partition was deleted and re-created with the same name. In the latter case, even though the name is the same, the error partition GUID will have changed.

Discovery errors

Error Description

missing-change-type

This error is returned during a delta import run by file-based and database management agents, as well as the management agent for Sun and Netscape directory servers, when the change type column value (add, modify, delete) is not present.

invalid-change-type

This error is returned during a delta import run by file-based and database management agents, as well as the management agent for Sun and Netscape directory servers when the change type column value does not match the list of valid change types. It is also returned from an LDAP Data Interchange Format (LDIF) full import when a change type field is present and has a value other than add.

multi-valued-change-type

This error is returned during a delta import run by file-based management agents and the management agent for Sun and Netscape directory servers when more than one value for the change type is present.

need-full-object

This error is returned during a delta import run of a file-based management agent or when resuming from a file-based management agent. It indicates that the management agent has submitted a modification on an object which cannot be located in the connector space. The synchronization engine is requesting the current values of all attributes on the object. Since this is an import from a file, that information is not available. A full import should resolve this problem.

missing-dn

This error is returned for file-based management agents (that is, management agents for LDIF, DSML, or flat files with configured domain name attributes) when there is no domain name value. This is also returned in the case of a corrupted Sun ONE Directory Server change log where the domain name attribute is missing. It indicates that the management agent could read the element and parse it, but there was no domain name value for the object.

dn-not-ldap-conformant

This error is returned when a management agent for LDAP, LDIF, DSML, or a flat file with a configured domain name attribute reports a domain name value that does not conform to the LDAP specification.

invalid-dn

This error is returned when a management agent reports that a domain name does not meet an FIM constraint, which includes:

  • One or more characters that are not allowed by FIM

  • An empty relative distinguished name (also known as RDN)

  • A relative distinguished name that exceeds the maximum for FIM

  • The number of hierarchy levels of the domain name exceeds the maximum for FIM

missing-anchor-component

This error is returned by file-based and database management agents, as well as the management agent for Sun and Netscape directory servers, when the anchor cannot be constructed because one or more anchor construction rule attributes do not have values.

multi-valued-anchor-component

This error is returned by the management agent for Sun and Netscape directory servers if it cannot construct the anchor because an anchor construction rule attribute has more than one value.

anchor-too-long

This error is returned by file-based and database management agents, as well as the management agent for Sun and Netscape directory servers, when the anchor construction produces an anchor that exceeds the maximum size limit for FIM.

duplicate-object

This error is returned on full imports by file-based and database management agents when an object with the same anchor has already been reported to the synchronization engine during this run.

Note

Obsolescence of connector space objects will only occur if the current run-step has completed with Success, Complete with sync failure, Complete with warning, or Complete with transient.

missing-object-class

This error is returned by a file-based management agent (that is, a management agent for DSML, LDIF, or a flat file with a configured object class attribute), or for the management agent for Sun and Netscape directory servers, if there is a corrupted change log. This indicates that the management agent cannot read a value for the object class attribute.

missing-object-type

This error is returned when performing a resume of import from a corrupted drop file. This error should not be encountered during normal operation.

unmappable-object-type

This error is returned by a file-based management agent when it reads an object that has a set of object class values that cannot be matched to any of the prefix mappings.

parse-error

This error is returned by the management agent for Sun and Netscape directory servers in delta mode and by file-based management agents when they cannot parse an entry. The <entry-number> element (and in most cases <line-number> and <column-number>) will be present to help locate the error. The <attribute-name> element might be present. The management agent for Sun and Netscape directory servers terminates the run when this is encountered. The file-based management agents log the discovery error and continue.

read-error

This error is returned by call-based management agents when there is a generic error reading a particular object. This generally causes termination of the run. The connected data source error element is present, which you can use to troubleshoot the problem.

staging-error

This error is returned by most management agents. It indicates that the synchronization engine could not stage the delta in the connector space. The server creates an event log that provides information about the problem and that can be used for troubleshooting. Most management agents continue the import run when the error is logged, but the management agent for Sun and Netscape stops delta runs because gaps in the change log processing could cause an inconsistent state in the connector space. This error should not be encountered during normal operation.

invalid-modification-type

This error is returned during a delta import on an LDIF management agent when an object level modification type is not one of the standard LDIF modification types or there is a non-replace modification type on the objectclass, such as add: objectclass or delete: objectclass.

conflicting-modification-types

This error is returned by the LDIF management agent indicating differing attribute level modification types were encountered in the same record (in this case the attribute name which produced the conflicting types is reported) or multiple replace LDIF deltas are seen in the same file, such as:

replace: objectclass
objectclass: group

replace: objectclass
objectclass: user

multi-single-mismatch

This error is returned by a file-based management agent when it reports more than one value add, or more than one value delete for an attribute that is defined in FIM as being a single value attribute. This error might indicate that the connected data source schema that is stored with FIM is incorrectly specified (file-based management agents) or out of date with the current schema. Includes an <attribute-name> element to give the context of the error.

invalid-attribute-value

This error is returned by a call-based management agent when an attribute value is read that does not conform to the attribute type declared in the schema. Includes an <attribute-name> element to give the context of the error.

invalid-base64-value

This error is returned by the management agents for LDIF, DSML and Sun and Netscape directory servers when they encounter an invalid base64 string.

invalid-numeric-value

This error is returned by file-based management agents and the management agent for LDAP when they are unable to parse a numeric value. Includes an <attribute-name> element to give the context of the error.

invalid-boolean-value

This error is returned by file-based management agents and the management agent for LDAP when they are unable to parse a Boolean value. Includes an <attribute-name> element to give the context of the error.

reference-value-not-ldap-conformant

This error is returned by management agents for LDAP, LDIF, and DSML or flat files (with configured domain name attribute) when a domain name value does not conform to the LDAP specification. This error message includes an <attribute-name> element to give the context of the error.

invalid-reference-value

This error is returned by a management agent when a domain name does not meet FIM constraints, which include:

  • One or more characters that are not allowed by FIM

  • An empty relative distinguished name (also known as RDN)

  • A relative distinguished name that exceeds the maximum for FIM

  • The number of hierarchy levels of the domain name exceeded the maximum for FIM

unsupported-value-type

This error is returned by the DSML or LDIF management agent when the type of value given in the file is incompatible with the type of attribute, including:

  • A URI or URL value is given for a non-string attribute or for any reserved keyword such as dn, objectclass, or changetype.

  • A base64 value is given for the changetype attribute.

  • A string value containing non-ASCII characters is given for a binary attribute.

Synchronization errors

Error Description

extension-dll-exception

This error occurs if a rules extension causes an exception. If you encounter this error, look at the <exception-error-info> element to examine the call stack of the exception. In some cases, the <rule-error-info> is present and provides additional information about what rule was being processed when the error occurred.

extension-dll-crash

This error occurs when the process executing the rules extension unexpectedly terminated. This error can only occur when a rule extension is being executed out-of-process. A possible cause for this error value is the rules extension is calling code that causes an access violation.

extension-dll-timeout

This error occurs if the customer has configured an extension timeout and the call on a single customer extension code entry point exceeds the configured timeout. The <exception-error-info> will give contextual information about what entry point was being called when it timed out. In some cases the <rule-error-info> will be present and will provide additional information about which rule was being processed when the error occurred. Note that when you are debugging the process that is executing the extension, timeouts are not enforced.

extension-projection-object-type-not-set

This error occurs when the implementation of the IMASynchronization.ShouldProjectToMV method in the rules extension does not specify the metaverse object type.

extension-projection-invalid-object-type

This error occurs when the implementation of the IMASynchronization.ShouldProjectToMV method in the rules extension sets the value of the outbound metaverse object type to a value that is not listed in Metaverse Designer of Synchronization Service Manager. Check that the method uses one of the specified object type values.

extension-join-resolution-invalid-object-type

This error occurs when the implementation of the IMASynchronization.ResolveJoinSearch method in the rules extension sets the value of the outbound metaverse object type to a value that is not listed in Metaverse Designer of Synchronization Service Manager. Check that the method sets the value of the outbound metaverse object type to one of the listed object type values.

extension-join-resolution-index-out-of-bounds

This error occurs when an implementation of the IMASynchronization.ResolveJoinSearch method in the rules extension sets an index value that is either negative or greater than or equal to the number of metaverse objects.

extension-provisioning-call-limit-reached

This error occurs when the IMASynchronization.Provision method is called more than 10 times during the synchronization of a single object. This method can be called more than once if the customer logic in the Provision method deprovisions an object and there is attribute recall that causes a change to the metaverse object, resulting in a new call to Provision. The 10-call limit for the Provision method is set to stop possible infinite provisioning loops.

extension-deprovisioning-invalid-result

This error occurs when an implementation of the IMASynchronization.Deprovision method returns an invalid DeprovisionAction enumeration value. Verify that the method returns a valid value.

extension-entry-point-not-implemented

This error occurs when a rules extension throws an EntryPointNotImplementedException exception.

extension-unexpected-attribute-value

This error occurs when a rules extension throws an UnexpectedDataException exception.

flow-multi-values-to-single-value

This error occurs when an import or export attribute flow rule configured in Synchronization Service Manager attempts to flow an attribute with multiple values to a single-value attribute. This error is only returned for direct flow rules configured in Synchronization Service Manager. If the flow rule uses a rules extension that flows multiple values to a single-value attribute, the TooManyValuesException exception is thrown.

cs-attribute-type-mismatch

This error occurs when the type of the imported attribute does not match the attribute type specified in the management agent schema. One cause of this error could be that the stored connected data source schema has become out of date with the actual schema of the connected data source. To bring the stored connected data source schema up-to-date, refresh the schema using Synchronization Service Manager.

join-object-id-must-be-single-valued

This error occurs when the data source attribute value used to join a metaverse object through a join rule specified in the properties of a management agent in Synchronization Service Manager contains more than one value. The data source attribute value used in the join rule can only contain a single value.

dn-index-out-of-bounds

This error occurs when the distinguished name component index value used in an import attribute flow configured in the properties of a management agent in Synchronization Service Manager is larger than the number of components in the distinguished name of the source object.

connector-filter-rule-violation

This error occurs when you perform an add or rename provisioning operation or export attribute flow and when a connector object becomes a filtered disconnector object as a result of a connector-filter configuration. This value does not occur on explicit connector objects.

unsupported-container-delete

The management agent is attempting to delete a container object during deprovisioning. FIM management agents cannot delete container objects with child objects.

ambiguous-import-flow-from-multiple-connectors

This error occurs when you have multiple connectors under the source management agent connected to the metaverse object and a declarative import attribute flow rule is defined. To import attributes through a management agent with multiple connectors to a metaverse object, use a rules extension to define the flow rules rather than configuring a direct rule in the properties of a management agent.

ambiguous-export-flow-to-single-valued-attribute

This error occurs when the export flow rule, configured in the properties for a management agent in Synchronization Service Manager, attempts to flow multiple values from a metaverse object to a single-value attribute.

cannot-parse-object-id

The string value that is used to search for a metaverse object in a join rule that is specified in the properties of a management agent in Synchronization Service Manager is not in the correct globally unique identifier (GUID) format. The GUID format is {nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn} where n is a hexadecimal number.

unexported-container-rename

The implementation of the IMVSynchronization.Provision or IMASynchronization.Deprovision method is attempting to rename a container object with one or more unexported child objects.

mv-constraint-violation

This error occurs when direct import attribute flow occurs and the attribute value from the connector space exceeds the length restrictions of the metaverse attribute.

locking-error-needs-retry

Multiple management agents are attempting to synchronize the same connector space object. Run the management agent again.

unique-index-violation

A user is manually setting a unique index on an attribute in a metaverse table. Do not manually configure the metaverse tables.

encryption-key-lost

The encryption key sets are missing from the server that is running FIM.

unexpected-error

This error occurs when the synchronization engine tries to apply a change to the metaverse (including provisioning and export attribute flow). This error can only occur during runs which apply changes to the metaverse. Check the event log for more information.

exported-change-not-reimported

This error occurs when changes that are exported to a management agent are not reconfirmed during this import management agent run. A user or a system process operating outside of FIM has changed the data in the connected data source in a way that indicates a configuration problem where the export attribute flow rule is trying to flow a value to a connected data source object, but the connected data source automatically resets the value to something different without reporting an error to the management agent. The <change-not-reimported> element indicates which changes were not reconfirmed.

cannot-parse-dn-component

This error is returned by any management agent that has an LDAP-style distinguished name (also known as DN) configured and synchronization from the connector space to the metaverse has failed. A distinguished name component cannot be parsed by a dn-component mapping because it is not in the correct format for the destination attribute type.

missing-partition-for-run-step

This error indicates that the partition specified in the run profile cannot be found. Verify that the partition has not been deleted or renamed.

Export errors

Error Description

cd-missing-object

This error is returned when a modify of an object is exported to the connected data source, but the object cannot be found in the connected data source. It is returned only for call-based management agents. The cause of this error is that a person or external process has deleted an object from the connected data source outside of FIM.

cd-existing-object

This error is returned when an add is exported to the connected data source, but the object is already present in the connected data source. It is returned only for call-based management agents and relational database management agents.

duplicate-anchor

This error is returned if the anchor on a newly provisioned object is not unique. It is returned only for call-based and database management agents, as well as the management agent for Sun and Netscape directory servers. If this error is encountered, check the anchor construction rules to ensure that a unique anchor value for each object has been defined.

ambiguous-update

This error is returned when the management agent cannot apply an update or delete delta because the anchor is not unique. It is returned only for the management agents for Microsoft SQL Server and Oracle Database. If this error is encountered, check the anchor construction rules to ensure that a unique anchor value for each object has been defined.

password-policy-violation

This error is returned by the management agents for Active Directory and Active Directory global address list (GAL) when the password attribute is set or changed to a value that does not meet the administrator-defined password policy of the connected data source.

password-set-disallowed

This error is returned by the management agent for Active Directory Application Mode (ADAM) when the password encryption is set to no encryption or 128-bit Secure Sockets Layer (SSL), and the administrator has not explicitly made an override to allow password sets in this scenario.

kerberos-time-skew

This error is returned by the management agents for Active Directory and Active Directory global address list (GAL) when the password attribute is being set or changed and the FIM server machine time is more than five minutes different from the time on the domain controller.

kerberos-no-logon-server

This error is returned by the management agents for Active Directory and Active Directory global address list (GAL) when they try to set or change a password attribute and cannot resolve the server for the domain part of the logon credentials. This can be caused by an incorrect NetBIOS or DNS configuration.

encryption-not-enabled

This error is returned by the management agent for Active Directory Application Mode (ADAM) when the password attribute is being set or changed and the connection that the management agent uses to communicate with the connected data source has not been configured with an appropriate encryption mechanism (128-bit SSL or TLS). ADAM requires either 128-bit SSL or TLS configuration for setting passwords.

invalid-dn

This error is returned by the management agents for LDAP and Windows NT 4.0 when exporting a newly provisioned object or renaming an existing object and when the distinguished name is incompatible with the connected data source naming requirements.

schema-violation

This error is returned by the management agent for LDAP when exporting an object modification and adding an attribute that is not in the connected data source schema or when removing an attribute from an object that is required by the schema. FIM does not allow these operations to occur because its rules check the stored copy of the connected data source schema. However, this problem might occur if the FIM schema is out of date with the connected data source schema. If you encounter this problem, refresh the management agent schema by using the user interface.

constraint-violation

This error is returned by the management agent for LDAP and database management agents when the export of an add, modify, or delete violates connected data source enforced constraints. Typical causes for the management agent for LDAP include setting multiple values for a single value attribute, exceeding field width constraints on string and binary attributes, or violating range constraints on numeric attributes. There are many possible causes for database management agents, including referential integrity, rules, and constraints that might be defined for their database.

syntax-violation

This error is returned by the management agents for LDAP and Windows NT 4.0 when the value for an attribute violates certain value constraints. For example, when the value being exported contains an invalid character.

modify-naming-attribute

This error is returned by the management agent for LDAP when a naming attribute (such as CN for many object types) is set to a value that conflicts with the relative distinguished name (also known as RDN) value. This can happen because of a poorly defined export attribute flow rule or because of an error in the script code that sets initial values on a newly provisioned object.

insufficient-field-width

This error is returned by the management agent for fixed-width text files when exporting an add or modify to an object and when the value of an attribute exceeds the width of the column.

insufficient-columns

This error is returned by the management agents for fixed-width and delimited text files when exporting an add or modify to an object and when the number of values for a multivalue attribute exceeds the number of columns configured for that attribute's multiple values.

permission-issue

This error is returned by the management agents for LDAP and Windows NT 4.0 when the export of an add, modify, or delete fails because the management agent has insufficient permissions to perform the operation against the connected data source.

dn-attributes-failure

This error is returned by the management agents for Active Directory, Active Directory global address list (GAL), and Active Directory Application Mode (ADAM) when exporting an add or modify sets a reference value for which there is no corresponding connected data source object. If you see this error, use the connector space object viewer to determine which changes to reference attributes were not successfully exported.

non-existent-parent

This error is returned by the management agent for LDAP when either the export of an add or a rename fails because the parent object does not exist in the connected data source.

code-page-conversion

This error is returned by file-based management agents when the conversion of an attribute value, which is stored in Unicode within the server running FIM, to the code page of the export file failed because of conversion errors.

no-export-to-this-object-type

This error is returned by the management agent for Windows NT 4.0 when you try to perform provisioning operations or export attribute flow on computer objects. Export operations are not allowed on this type of object but you can perform an import on objects of this type.

missing-provisioning-attribute

This error is returned by the management agent for Lotus Notes when you are exporting a newly provisioned object and when certain attributes that are required for provisioning a new object have not been set by the rules extension.

invalid-provisioning-attribute-value

This error is returned when you are exporting a newly provisioned object and when certain attributes for provisioning set by the rules extension are invalid, for example, when they are not in a certain value range.

provision-to-secondary-nab

This error is specific to the management agent for Lotus Notes when an attempt is made to provision a person or certifier object to a secondary Lotus Notes address book. Lotus Notes only allows provisioning contacts to secondary address books.

missing-anchor-component

This error is returned when you are exporting a newly provisioned object and an anchor cannot be generated because a value required for constructing the anchor is not available. Possible causes are when an attribute is not set during provisioning (that is, in management agents for Sun or Netscape directory servers, database, and file-based management agents), or it cannot be read from the connected data source (that is, in management agents for Active Directory, Sun and Netscape directory servers, and database management agents) when the anchor is constructed from an auto-increment column.

multi-valued-anchor-component

This error is generated by the management agent for Sun and Netscape directory servers when it cannot construct the anchor for a newly provisioned object because one of the attributes that are used in constructing the anchor has multiple values. Attributes used in the anchor construction can be defined to be multivalue in the connected data source schema, but they must only have a single value on the actual objects in FIM.

anchor-too-long

This error is returned by file-based and database management agents, as well as the management agent for Sun and Netscape directory servers, when the anchor construction produces an anchor that exceeds the maximum size limit for FIM. The maximum length of anchor values for a single attribute in the connector space is 398 characters. If the anchor is constructed from multiple attributes, subtract 2 characters for each additional attribute. For example, an anchor constructed of 3 attributes (sn+location+telephoneNumber) would have a limit of 392 characters.

invalid-attribute-value

This error occurs when you try to flow out an attribute value that contains characters which are invalid for the connected data source. For example, the attribute values exported to the management agents for fixed-width text files, delimited text files, and attribute-value pair text files cannot contain CR, LF, or EOF characters.

encryption-key-lost

This error should not be encountered as part of normal operation. It indicates that FIM is unable to decrypt the value of an encrypted attribute that is stored in the connector space when it loads the object. It might indicate that the encryption key sets used by FIM are missing from the computer. This error can be generated by any management agent that contains a password attribute such as Active Directory, Active Directory global address list (GAL), Sun and Netscape directory servers, Lotus Notes, and Windows NT 4.0.

locking-error-needs-retry

This error should only occur when multiple management agents have tried to synchronize the same connector space object at the same time. If this error is encountered, try running the export a second time.

cd-error

This error is returned when the connected data source has a specialized error type. This error is accompanied by the <cd-error> element, and the information contained there should aid in troubleshooting.

unexpected-error

This error is returned when an attempt to export a change causes a malfunction. If this error is encountered, look in the event log for more information that will help troubleshoot the problem.

no-export-to-this-object-type

This error is returned by the management agent for Windows NT 4.0 when you try to perform provisioning operations or when you export attribute flow on computer objects. The management agent for Windows NT 4.0 does not support export operations on this type of object.

certifier-ou-not-configured

This error is returned by the management agent for Lotus Notes when you are trying to provision a new user or container and the certifier name you have specified for the _MMS_Certifier attribute is not the name of a properly configured certifier container. Each certifier container must be configured using Synchronization Service Manager before it can be used in provisioning.

temporary-certifier-file-creation-failure

This error is returned by the management agent for Lotus Notes when a new user or container is provisioned and the process of creating the certifier file fails for any reason (for example, out of disk space, permissions, and so on). The FIM process for creating the certifier file is to fetch the certifier information for the certifier container, specified by the _MMS_Certifier attribute, and temporarily create a certifier file in the MAData folder of the management agent for Lotus Notes for use by the Notes API.

unexpected-provisioning-attribute

This error is returned by the management agent for Lotus Notes when you are exporting a newly provisioned object and certain attributes for provisioning, set by the customer extension, should not be included because they are incompatible with the values of other provisioning attributes. For example, you might see this error when:

  • You create a contact (_MMS_IDRegType=0) and supply any one of the following attributes: _MMS_Certifier, _MMS_OU, _MMS_Password, _MMS_IDStoreType, _MMS_IDPath, or MailFile

  • You create a US user or International user but do not specify creating an ID file (_MMS_IDStoreType=0), but supply the _MMS_IDPath or MailFile attributes

  • You create an OU (certifier), and supply the _MMS_OU attribute

  • You create an O (certifier), and supply the _MMS_Certifier attribute