Error messages and warnings

A warning or error message might be displayed in the user interface to provide information about the adapter or when an error occurs.

The table lists the error messages and warnings that might occur while performing the user account or group management tasks, where applicable.It also includes the corrective actions to resolve the errors.

For information about error codes and their description, see the Microsoft Windows Server documentation and search for "ADSI Error Codes."

Table 1. Troubleshooting the Active Directory Adapter errors
Error message Corrective action
Unable to bind to base point Ensure that:
  • The Users Base Point is correctly specified on the adapter service form.
  • The target servers are up and reachable when they are specified in the base point.
  • The user ID is correctly specified on the adapter service form.
  • The password is correctly specified on the adapter service form.
  • The Active Directory is reachable from the workstation where the adapter is installed.
Unable to bind to group base point. Ensure that:
  • The Groups Base Point is correctly specified on the adapter service form.
  • The user ID is correctly specified on the adapter service form.
  • The password is correctly specified on the adapter service form.
  • The target servers are up and reachable when they are specified in the base point.
  • The Active Directory is reachable from the workstation where the adapter is installed.
Unable to determine default domain This error occurs when the Active Directory Adapter fails to:
  • Bind to root DSE
  • Get the default naming context
Ensure that:
  • The Users Base Point is correctly specified on the adapter service form.
  • The user ID is correctly specified on the adapter service form.
  • The password is correctly specified on the adapter service form.
  • The Active Directory is reachable from the workstation where the adapter is installed.
Error binding to DN: DN String This error occurs when the Active Directory Adapter fails to bind to a user object of the Active Directory for processing.

Ensure that the user being processed in the Active Directory is not deleted by any other process simultaneously.
Extended attribute attribute name has unsupported syntax The Active Directory Adapter does not support the data type used for the extended attribute.
Use one of the following data types:
  • Boolean
  • Integer
  • Case-sensitive string
  • Case-insensitive string
  • Numerical string
  • Unicode string
  • Distinguished name
  • UTC coded time
  • Octet string

For more information about customizing the adapter to use the extended attributes, see the Active Directory Adapter Installation and Configuration Guide and search for the section "Customizing the Active Directory Adapter".
Extended attribute attribute name not found in Active Directory schema The extended attribute specified in the exschema.txt file does not exist on the Active Directory

Either remove the attribute name from the exschema.txt file or add the attribute to the Active Directory.
Error binding to schema container error code. Loading of extended schema attribute attribute name failed. These errors occur when the Active Directory Adapter fails to extract the schema of the extended attributes.
  • Ensure that the Active Directory is reachable from the workstation where the adapter is installed.
  • Verify that the extended attribute is correctly defined and added to the user class.
Error getting parent of schema error code. Loading of extended schema attribute attribute name failed.
Error binding to DN of schema error code. Loading of extended schema attribute attribute name failed.
Unable to connect to default domain. Loading of extended schema attribute attribute name failed.
Extended schema file not found. No extensions loaded. This information message occurs when the Active Directory Adapter fails to find the extended schema file (exschema.txt) or fails to open the file.
Unable to bind to user user name This error occurs when the Active Directory Adapter fails to connect to a user object in the Active Directory for processing.

Ensure that the user user name exists on the Active Directory.
Error determining RAS server name Check the value of the registry key ForceRASServerLookup.

If the value of the key is TRUE, the Active Directory Adapter determines the RAS server regardless of whether you specify the server name on the adapter service form.

This error could be because the domain does not exist or the domain controller is not available for the specified domain.

Ensure that the Active Directory is reachable from the workstation where the adapter is installed.
Unable to get domain name. Terminal and RAS servers cannot be determined. This error occurs when the Active Directory Adapter fails to get the domain name from the specified base point or from the default domain.

Ensure that a base point is specified with a correct domain name.
Invalid domain name syntax Use one of the following formats to specify the domain name:
  • Server name/ou=org1,dc=ibm,dc=com
  • ou=org1,dc=ibm,dc=com
User not found Ensure that the user exists on the Active Directory and is not directly deleted or modified on the Active Directory.
Group not found. Ensure that the group exists on the Active Directory and is not directly deleted or modified on the Active Directory.
Error setting attributes country. Unknown country code. The country code specified for the user is invalid.

Specify a valid country code and submit the request again. For information about valid country codes, see Country and region codes.
Could not modify the attribute-msExchUserAccountControl This warning occurs when the user mailbox is not disabled on suspending a user account.
Error removing membership from group group name The Active Directory Adapter failed to remove the membership of a user or group from the group group name.
Ensure that:
  • The user or group exists on the Active Directory.
  • The user or group is a member of the group group name.
  • The group specified exist on the Active Directory.
Error adding membership to group group name The Active Directory Adapter failed to add membership of the user or group to the group group name.
Ensure that:
  • The user or group exists on the Active Directory.
  • The user or group is not already a member of the group group name.
  • The group specified exists on the Active Directory.
Unable to get info on share share name This error occurs when the Active Directory Adapter fails to retrieve share information from the home directory of the user.
Ensure that:
  • The user account under which the adapter is running has access to the home directory.
  • The share name exists on the workstation where the home directory is created.
Invalid home directory path path name The Active Directory Adapter supports creation and deletion of only UNC home directories. Specify the UNC home directory path in the following format:

\\servername\sharename\foldername

Note:
  • NTFS security and Shares can be set only on the Home Directories that are UNC paths.
  • Share Access can be set only on the Home Directories that are UNC paths that have a share created.
Unable to delete home directory home directory name The Active Directory Adapter is not able to delete the specified home directory. If the adapter is unable to delete the UNC home directory, ensure that:
  • The value of the registry key DeleteUNCHomeDirectories is TRUE.
  • The user account under which the adapter is running has permissions to delete the directory.
Home directory deletion is not enabled. Home directory will not be deleted. To enable home directory deletion, set the values of DeleteUNCHomeDirectories and ManageHomeDirectories registry keys to TRUE. Resend the modify request from IBM® Security Identity Manager.
Home directory creation not enabled. Directory will not be created. To enable home directory creation, set the values of CreateUNCHomeDirectories and ManageHomeDirectories registry keys to TRUE. Resend the modify request from IBM Security Identity Manager.
Error creating home directory home directory name The Active Directory Adapter is not able to create home directory.
Ensure that:
  • A directory with the same name does not exist.
  • The user account under which the adapter is running has permissions to create home directory.
  • Intermediate directories exist. The adapter creates only the final directory in the specified path.
Unable to set Home Directory Drive. Failed to create Home Directory.
Unable to set Home Directory NTFS security. Failed to create Home Directory.
Unable to set Home Directory Share. Failed to create Home Directory.
Unable to set Home Directory Share Access. Failed to create Home Directory.
Error deleting share share name The Active Directory Adapter is not able to delete the share when you clear value of the share-related attributes from the Active Directory account form.
Ensure that:
  • The user account has access to the specified share.
  • The specified share name exists.
  • The user account under which the adapter is running has permissions to create home directory.
Search failed. Unable to retrieve additional data after 3 retries. The Active Directory Adapter retrieves data from the Active Directory in a paged manner. The adapter reconciles users, groups, and containers and attempts to retrieve data in a maximum of three attempts. If all three attempts fail, the adapter abandons the search.
The adapter cannot retrieve data because of one of the following reasons:
  • The network response is slow.
  • The Active Directory server is busy.
  • The Active Directory Adapter installed on the Active Directory server is overloading the server.
For information about configuring the Active Directory, see http://support.microsoft.com/.
User search failed
Group search failed. Error code: error code - error description. Provider: provider name.
Container search failed. error code - error description. Provider: provider name.
Error performing User Lookup
errorMessage="Unsupported filter" The adapter does not support the attribute specified in the filter. For the list of supported attributes, see Table 1.

Error setting attribute eradprimarygroup. ADSI Result code: 0x80072035 - The server is unwilling to process the request.

 Ensure that:
  • The user is a member of the specified group.
  • The specified group is either a universal security group or a global security group.

ADSI Result code: 0x80072014 - The requested operation did not satisfy one or more constraints associated with the class of the object.

 These errors occur when the specified value for the attribute violates any constraint associated with that attribute. For example, a constraint might be:
  • Minimum or maximum length of characters the attribute can store
  • Minimum or maximum value the attribute can accept

Ensure that the specified value for the attribute does not violate these constraints.

Note: If any one of the attribute specified in the request violates a constraint, the adapter gives the same error for all the subsequent attributes. The error is given even though the subsequent attributes do not violate any constraints. For example, the Title attribute on the Active Directory can store a description of maximum of 64 characters. If you specify description of length more than 64 characters, the adapter gives these errors:
  • For the Title attribute
  • For all the other attributes specified in the request.

ADSI Result code: 0x8007202f - A constraint violation occurred.
Unable to load XML transformation buffer from adapter installation directory\data\xforms.xml. The Active Directory Adapter does not use the xforms.xml file. Therefore, you can safely ignore the xforms-related errors that are recorded in the WinADAgent.log file.
Request for proxy email types should contain at least one primary SMTP address Verify that the request for proxy email types contains a primary SMTP address.
Unable to bind to group E-mail Addresses. This error occurs when the Active Directory Adapter fails to connect to a group object in the Active Directory for processing.

Ensure that the group E-mail Addresses exists on the Active Directory.
Error while fetching the group interface for group DN. This error occurs when the Active Directory Adapter fails to bind to a group object on the Active Directory for processing.

Ensure that the group that is being processed in the Active Directory is not deleted by any other process simultaneously.
Unable to bind to the container object in move operation. This error occurs when the Active Directory Adapter binds to the requested container when a user or group object is moved in the Active Directory hierarchy.

Ensure that the container exists on the Active Directory.
Cannot set Fixed Callback without Callback number. Callback number not found in the request. When you select Callback Settings as Fixed Callback, you must specify the Callback Number.
Error setting the RAS attribute RAS attribute name. Error reading RAS info. Ensure that:
  • The user account under which the adapter is running has administrator rights to the Active Directory.
  • The RAS service is running on the Domain Controller.
Not a valid IPv4 address. The IP address specified for the Static IPv4 Address is in an incorrect format.

Specify the IP address in the IPv4 format.
0x80072035 - The server is unwilling to process the request. This error occurs from the Active Directory when an attempt is made to perform an operation that is not supported on the Active Directory. Ensure that:
  • You provided the correct value for the attributes in the request. For example, clear the value of the Country or region attribute.
  • The requested operation is supported for the attribute, user account, or group on the Active Directory.
Home Directory will not be created. Home directory management is disabled. Set the adapter registry keys CreateUNCHomeDirectories and ManageHomeDirectories to TRUE:
  • To create a home directory.
  • To create home directory share.
  • To set share access.
  • To set home directory NTFS access for a user account.
For more information, see Creating a home directory for a user account and Home Directory attribute modification.
Cannot create share share name. Home directory management is disabled.
Cannot set share access. Home directory management is disabled.
Cannot set NTFS access. Home directory management is disabled.

Value specified is not in the proper format.
Ensure that the value format of extended attribute of type DNWithBinary is 
B:char count:binary value:object DN

Value specified for the attribute does not start with character 'B'.

Ensure that value specified for extended attribute of type DNWithBinary is start with the character ‘B’ only.

Value given after 'B:' is not correct. Expected value is the total number of Hexadecimal Digit count

For extended attribute of type DNWithBinary, verify that value given for the char count is the total number of Hexadecimal Digit count. Ensure that it does not contain any alphabetical characters or any special characters.

Hexadecimal value does not contain the number of characters specified in the character count.

For extended attribute of type DNWithBinary, verify that total hexadecimal digit count specified in the char count is equal to number of hexadecimal characters.

Wrong Digit in Hex String.

For extended attribute of type DNWithBinary, verify that value given in the binary value contains only hexadecimal character. Valid characters are numerals 0 through 9 and letters A through F. The value can be a combination of valid numerals and letters.

Value is not set on resource due to invalid constraint.
This error occurs when the specified value for the extended attribute of type DNWithBinary violates any constraint associated with that attribute. For example, some constraints might be:
  • The object DN in the value must be a distinguished name of existing user object.
  • The maximum or minimum number of bits in the hexadecimal value.
Ensure that the specified value for the attribute does not violate any constraints.

Hexadecimal value should always contain even number of characters.

For extended attribute of type DNWithBinary, verify that value given in the binary value contains an even number of hexadecimal characters.

Attribute can be set only if Mailbox is enabled for Unified Messaging. To enable Unified Messaging both values UMMailbox Policy and UM Addresses(Extensions) are required.

Ensure that valid values of both UMMailbox Policy and UM Addresses(Extensions) are specified in the request to enable the user for Unified Messaging.

Attribute Operation Type is not supported.

Ensure that the value specified for UM Addresses (Extensions) is not of operation type, MODIFY.

Attribute cannot be set. Mailbox is Disabled for Unified Messaging.

Ensure that the request does not contain Unified Messaging attributes with operation ADD or MODIFY when the MailBox of the user is disabled for Unified Messaging.

Attribute cannot be set. Error occurred while trying to Disable MailBox for Unified Messaging.

This error occurs if disable Unified Messaging is failed and if request contains UM Addresses (Extensions) attribute with operation types ADD or MODIFY.

Attribute cannot be delete. Error occurred while trying to Disable MailBox for Unified Messaging.

This error occurs if disable Unified Messaging is failed and if the request contains UM Addresses (Extensions) attribute with operation type DELETE.