Error when updating Dynamic Group

Hi

Can anyone help me understand what is going on?

We have a few dynamic groups (about 20-50).

All of them use a simple filter

> Users - Include by query > For example then > Company = XYZ

I think today a computer object was deleted and then an event error 2521 is generated 50 times in the same second.

All events say that this object could not be found, below is the event message.

Why is a computer object affecting dynamic groups that only have a user filter and why is this triggered when a computer is removed?

Error when updating Dynamic Group.

Failed to add object to Dynamic Group.
Details: Administration Service encountered an error when searching the container object 'CN=NotebookXY,OU=test,OU=Computers,OU=test,DC=grp,DC=test,DC=com'.
Directory object not found. (Exception from HRESULT: 0x8007208D)
Object: NotebookXY in 
Dynamic Group: DISTRIBUTION_DYN_AllEmployees in test/test/Groups/Distribution/

Object is missing from Dynamic Group until after the issue is resolved. Try forcing update of Dynamic Group from the Members tab in the Properties dialog box for Dynamic Group, in the Active Roles console.

  • This is completely normal and expected behaviour based on current Active Roles functionality.

    Active Roles subscribes to changes in Active Directory via Microsoft's DirSync protocol. When a native change occurs, Active Roles gets a real-time notification of the change and then runs that change against every Dynamic Group within scope to see if that change results in a Dynamic Group membership update.

    Currently, there is no filtering on this logic. Every change is run against every Dynamic Group in-scope, even if the change was made to a computer object and the Dynamic Group is only scoped to User objects. The change will still be passed by the Dynamic Group filter to see if it is relevant.

    The issue here is that Active Roles does not do anything like a 'pre-check' to see if the object referenced by the change is resolvable. It processes every change against every Dynamic Group as one operation. So, if the object cannot be resolved, then you see one error for each Dynamic Group in-scope.

    Also related is the fact that Active Directory is a DN-reference system, and DNs change when an object is moved or renamed.

    This means that it is completely normal to see this specific error message, "Directory object not found", quite commonly due to normal Active Directory functionality.

    Active Roles throws the same blanket error whenever any error is encountered when retrieving an object, but this specific scenario will not result in any issues with Dynamic Group functionality.

    It's not really an error. It's a by-product of a deep integration with Active Directory. While we could possibly add a different error message in this specific scenario, it would be extremely difficult to state, with confidence, which 0x8007208D is legitimate and which is not, programmatically.

  • Thank you for the explanation, it makes it easier to understand.
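The fan-out described in the answer above (one event 2521 per in-scope Dynamic Group, all in the same second, all with HRESULT 0x8007208D) has a recognisable shape in the event log, which makes it possible to separate the expected bursts from failures that do need attention. The following triage script is an added example, not code from the thread or from Active Roles; the event timestamps, the group names other than the thread's own, and the second HRESULT are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the event 2521 text quoted in the thread:
# three Dynamic Groups, one deleted computer, all in the same second, plus one
# unrelated failure later on. Group names other than the thread's are made up.
def _msg(dn, reason, hres, group):
    return ("Failed to add object to Dynamic Group.\n"
            f"Details: Administration Service encountered an error when searching the container object '{dn}'.\n"
            f"{reason} (Exception from HRESULT: {hres})\n"
            f"Object: NotebookXY in \nDynamic Group: {group} in test/test/Groups/Distribution/")

DN = "CN=NotebookXY,OU=test,OU=Computers,OU=test,DC=grp,DC=test,DC=com"
SAMPLE_EVENTS = [  # (timestamp to the second, event id, message text)
    ("2024-05-01T10:15:42", 2521, _msg(DN, "Directory object not found.", "0x8007208D", "DISTRIBUTION_DYN_AllEmployees")),
    ("2024-05-01T10:15:42", 2521, _msg(DN, "Directory object not found.", "0x8007208D", "DYN_SalesXYZ")),
    ("2024-05-01T10:15:42", 2521, _msg(DN, "Directory object not found.", "0x8007208D", "DYN_Contractors")),
    ("2024-05-01T11:02:07", 2521, _msg(DN, "Access is denied.", "0x80070005", "DYN_SalesXYZ")),
]

DN_RE = re.compile(r"container object '([^']+)'")
HRES_RE = re.compile(r"HRESULT: (0x[0-9A-Fa-f]{8})")
GROUP_RE = re.compile(r"Dynamic Group: (\S+)")
NOT_FOUND = "0x8007208D"  # Win32 error 8333, ERROR_DS_OBJ_NOT_FOUND, as an HRESULT

def triage(events):
    """Bucket event 2521 messages by (second, object DN) and label each burst.

    A bucket whose only HRESULT is 0x8007208D and which hit more than one
    Dynamic Group is the per-group fan-out on an unresolvable (deleted, moved
    or renamed) object that the vendor describes as expected. Anything else
    is left for a human to look at.
    """
    buckets = defaultdict(lambda: {"groups": set(), "hresults": set()})
    for ts, event_id, text in events:
        if event_id != 2521:
            continue
        dn, hres, group = (r.search(text) for r in (DN_RE, HRES_RE, GROUP_RE))
        if not (dn and hres and group):
            continue  # message text did not match the known layout
        b = buckets[(ts, dn.group(1))]
        b["groups"].add(group.group(1))
        b["hresults"].add(hres.group(1))
    rows = []
    for (ts, dn), b in sorted(buckets.items()):
        fanout = b["hresults"] == {NOT_FOUND} and len(b["groups"]) > 1
        rows.append({"second": ts, "dn": dn, "groups": len(b["groups"]),
                     "hresults": sorted(b["hresults"]),
                     "verdict": "unresolvable-object fan-out (expected)" if fanout else "investigate"})
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

With a single Dynamic Group in scope the fan-out produces only one event and is indistinguishable from other lookups by this rule alone, so the "groups > 1" condition is deliberately conservative.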
