Synching with Active Directory

dedeod

I am setting up a new Project 2003 Server and cannot get the Active
Directory synching to work. I followed the instructions in the
Administrator's Guide on pages 41-43 and I get a "failure" message
beside the group names when I manually do the sync. Here are the steps
I have done so far:

1. Set up AD group names "Portfolio Managers", "Project Managers", etc.
to match the Project Server 2003 group names.

2. Added myself to the Portfolio Manager AD group.

3. Logged in as Administrator on the project server.

4. From the Project Web Access Admin page, went to Manage users and
groups and modified the "Portfolio Managers" group.

5. Set the AD Group name for Portfolio Managers to be domain\Portfolio
Managers and saved the change.

6. Went to the AD Synchronization and did an Update Now for the
Portfolio Managers group.

7. The group name listing shows "Failure" in the Last Sync column for
Portfolio Managers.

8. I was unable to log in with my name.

Can someone tell me what I am doing wrong?
 
Rolly Perreaux

Hi (e-mail address removed),

Your procedure looks pretty sound. Let's see if you can access the
Active Directory database.

Can you run the DSQUERY commands from the Project Server?
1. To open a command line click Start --> Run -->
2. Type CMD and click OK
3. Type the following:

DSQUERY group
(finds groups in the directory)

DSQUERY server
(finds all domain controllers in the directory)

Do you get any results running these commands?
Let us know when you have a chance.

Many thanks!

--
Rolly Perreaux, PMP, MCSE
Project Server Trainer/Consultant

TriMagna Corporation
Microsoft Gold Partner
http://www.trimagna.com
 
Rolly Perreaux

Hi Dede,

Did you execute the DSQUERY commands from the Project Server 2003
server?

When you ran "DSQUERY group", did you find your "Portfolio Managers" and
"Project Managers" AD groups?

--
Rolly Perreaux, PMP, MCSE
Project Server Trainer/Consultant

TriMagna Corporation
Microsoft Gold Partner
http://www.trimagna.com
 
Dede

Hi Rolly,

Yes, I executed the DSQUERY commands from the Project Server 2003.

I didn't see the Project Managers or Portfolio Managers groups listed
when I initially ran the DSQUERY group command but I re-ran it with the
-limit 1000 parameters on the end and the Project groups showed up.

Thanks!
 
Rolly Perreaux

Hi Dede,

This may sound strange but try renaming the Active Directory Groups. For
example, your AD group called "Portfolio Manager" is renamed to
"Portfolio_Manager".

You'll also need to modify the Project Server group to change to the
newly renamed AD Group to <domainName>\Portfolio_Manager.

Also note that if your Project Server Windows Authentication account has
already been created (before the AD Sync) you will receive the AD Sync
failed error. Which makes sense because the account cannot be created
since it's already there.

Let me know if this works.

Cheers

--
Rolly Perreaux, PMP, MCSE
Project Server Trainer/Consultant

TriMagna Corporation
Microsoft Gold Partner
http://www.trimagna.com
 
KenAtQUT

Dede,
We spent a number of weeks trying to figure why our installation of
Project Server 2003 would 'fail' or have a 'partial failure' when attempting
an A.D. sync with different A.D. groups. After narrowing down the users in
test groups and trying them 'A' / 'B' style I came up with a list of users
which did NOT work, or caused the sync to fail. I looked through all of the
A.D. metadata and could see NO 'difference' between the users and others that
'worked'. After doing many searches I found a KB article that states (very
weakly) that if you have duplicate entries or empty entries in the 'Display
Name' field in A.D. Project Server 2003 will FAIL to synchronise! So...it
wasn't a 'difference' problem - it was because they are the same. In our
case we use our 'name' for an account, then 'name-admin' for our admin
accounts. This also occurs for academics which are in multiple faculties or
staff who are also students. Both have the SAME 'Display name' field in
their A.D. record. When we altered one of the names it all worked...but alas
our university derives A.D. accounts via HR through Novell E-dir to A.D.
which cannot be changed - so the Display name gets reverted back each day.
We sent this issue up the MS Premier Support path and found they do not
consider it a problem - recommend using 'local' names (impossible for us -
too many), or having A.D. changes made (again, not possible for us). I have
been struggling to get an install of MS Project Server 2007 (beta) installed
with non-default web sites (don't want to use host headers)...when I
originally did the default web site install it appeared to A.D. sync with ANY
directory!!! The Premier folks didn't think that 2007 would fix the issue -
but it appears to be fixed.
I recommend trying some test groups - try to isolate the failure point (if
you are syncing the resource pool it usually fails just before adding the
'bad' user - so check down the list of the pool compared to the A.D.
directory you're trying to sync to). Check to see if their 'Display Name' is
empty or duplicate. If so try altering / adding some different data in both
records so they have SOMETHING and all records are distinct.
Sorry this is a bit long...hope this helps.
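
The Display Name check described in the post above, as an added example that is not part of the original thread: a PowerShell function that lists accounts whose Display Name is empty or shared with another account. The function name, the sample accounts, the case-insensitive comparison, and the use of the ActiveDirectory module in the trailing comment are assumptions; the thread itself only uses DSQUERY.

```powershell
# Added example: flag accounts whose Display Name is empty or duplicated,
# the two conditions the post above ties to a failed or partial AD sync.
function Find-DisplayNameConflict {
    [CmdletBinding()]
    param(
        # Objects exposing SamAccountName and DisplayName (e.g. Get-ADUser output)
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$User
    )
    begin   { $all = New-Object System.Collections.Generic.List[object] }
    process { foreach ($u in $User) { $all.Add($u) } }
    end {
        # Empty, missing, or whitespace-only display names
        foreach ($u in $all) {
            if ([string]::IsNullOrWhiteSpace($u.DisplayName)) {
                [pscustomobject]@{ Problem = 'Empty'; DisplayName = ''; Accounts = $u.SamAccountName }
            }
        }
        # Display names carried by more than one account.
        # Assumption: names are compared ignoring case and surrounding whitespace.
        $all | Where-Object { -not [string]::IsNullOrWhiteSpace($_.DisplayName) } |
            Group-Object { $_.DisplayName.Trim().ToLowerInvariant() } |
            Where-Object Count -gt 1 |
            ForEach-Object {
                [pscustomobject]@{
                    Problem     = 'Duplicate'
                    DisplayName = $_.Group[0].DisplayName
                    Accounts    = ($_.Group.SamAccountName -join ', ')
                }
            }
    }
}

# Constructed sample data (not from the thread): a user with a matching
# '-admin' account, and an account with no display name.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jsmith';       DisplayName = 'Jane Smith' }
    [pscustomobject]@{ SamAccountName = 'jsmith-admin'; DisplayName = 'Jane Smith' }
    [pscustomobject]@{ SamAccountName = 'svc-report';   DisplayName = '' }
    [pscustomobject]@{ SamAccountName = 'rlee';         DisplayName = 'Robert Lee' }
)
$sample | Find-DisplayNameConflict | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module; group name from the thread):
# Get-ADGroupMember -Identity 'Portfolio Managers' -Recursive |
#     Where-Object objectClass -eq 'user' |
#     Get-ADUser -Properties DisplayName |
#     Find-DisplayNameConflict
```

On the sample data this reports `svc-report` as Empty and `jsmith, jsmith-admin` as Duplicate; an empty result for a real group rules out the Display Name cause for that group.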
 
Dede

I tried using an AD group with no one in it and I tried renaming the
group to something else and both still failed.
 
KenAtQUT

Dede,
I don't know if an 'empty' group will work. Try a couple of users who
you are sure have a Display name that is not empty or the same. I think
there is also a MS KB article (search) that I found in passing that talked
about the service account your SP is 'running' on. That is, does it have
proper domain rights, etc.
Cheers,
Ken
 
Dede

Ken,

It still did not work. Below is the error message in the Events log:

Componenet: AD Connector
File: AutoADProcess
Line: -1
Description: <Description><![CDATA[Accessing AD group domain\Executives
failed due to error 20004-FetchGroup: <Error>
<Component>AD Connector </Component><File>AutoADProcess
</File><Line>-1</Line><Number>0x4e24<?Number><Description>
<![CDATA[Failed to get record of group domain\Excecutives from active
directory global catalog]]></Description></Error>]]></Description>

Thanks for the help,
Dede
 
