You synchronise the FIM Service management agent (MA) and get a sync-rule-flow-provisioning-failed error (the status of the management agent operation is completed-sync-errors).
If you click the GUID in the Flow Errors column (next to the sync-rule-flow-provisioning-failed error listed in the NNN Error(s) column), then the Synchronization Error tab and finally the Stack Trace… button, you are faced with call stack information like this:
Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: The partition filter criteria for management agent "ADDS" do not include an object with DN "CN=Adams\, Terry,OU=Users,OU=Human Resources,OU=Departments & Functions,DC=corp,DC=tailspin-toys,DC=com" and object classes user.
What this means is that the DN contains one or more containers that are not within the scope of the management agent. It could also mean a bad DN, but for the most part the person supplying the DN value to the FIM Synchronization Service knows what they're doing, so the issue is almost always that one or more of the containers within the DN are not selected in the configuration of the management agent (MA).
Include all containers within the DN within the scope of configuration for the MA.
To include all containers within the scope of the MA perform the following steps:
Note. I’m going to use the Active Directory Domain Services (AD DS) MA for the purpose of this example. The steps might vary slightly for other LDAP MAs.
- Open the properties of the LDAP MA that has thrown the error.
- Click Configure Directory Partitions.
- Click Containers…
- Enter the MA password.
- Select all appropriate containers from the tree view.
- Stage (Full Import) the MA.
Here’s a screenshot of my demo environment whereby I’ve intentionally missed some of my OUs from within the scope of configuration.
If the container closest to the RDN is selected, e.g. the Users container within the DN CN=paulw,OU=Users,OU=IT,OU=Departments & Functions,DC=corp,DC=tailspin-toys,DC=com, then the issue is likely that you haven't yet staged (imported) the LDAP MA.
FYI, this particular issue is the same as the old Microsoft.MetadirectoryServices.MissingParentObjectException, which I actually blogged about a long time ago.