Support-Info: (CONNECTORS): Failed to create ADMA (Receiving error 80230910)

Article
05/12/2018

PRODUCTS INVOLVED

Microsoft Identity Manager 2016 Service Pack 1
- Active Directory Management Agent (ADMA)

NOTE

The product involved in this solution was MI 2016 SP1; however, it is important to note that this issue can occur with the other Identity Management products that use an Active Directory Management Agent. For example:

Forefront Identity Manager 2010, R2, R2 SP1
Azure AD Connect Sync

PROBLEM SCENARIO DESCRIPTION

Attempting to create an Active Directory Management Agent in the Synchronization Service Engine an LDAP Error is received that provides just the number 80230910.

ERROR MESSAGE

“Sequence expected but class:UNIVERSAL(0) primitive tag:5 was unexpected”

NOTE

Troubleshooting Tools Utilized

Network Capture Tool (Network Monitor 3.4 or WireShark)
- Download Microsoft Network Monitor 3.4: https://www.microsoft.com/en-us/download/details.aspx?id=4865
LDIFDE.EXE
- https://docs.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2003/ms870068(v=exchg.65)

EXAMPLE

Ldifde -f export_1.txt -d cn=schema,cn=configuration,dc=contoso,dc=com -r "(&(objectClass=classSchema)(objectClassCategory=3))" -l dn,subClassOf

CAUSE

The cause of this issue, is because the Person class had be instantiated, it becomes structural. According to the RFC 4512 Standard ((https://tools.ietf.org/html/rfc4512#section-2.4), you cannot have an Auxiliary Class be a SubClassOf a Structural Class.

EXAMPLES OF THE PROBLEM

dn: CN=Person,CN=Schema,CN=Configuration,DC=contoso,DC=comsubClassOf: topobjectClassCategory: 0 (NOTE: 0 should not be used)

dn: CN=MyLinuxUser,CN=Schema,CN=Configuration,DC=contoso,DC=comsubClassOf: personobjectClassCategory: 3 (NOTE: Auxiliary Class)

NOTE

More information on ObjectClassCategory, review the following documentation: https://msdn.microsoft.com/en-us/library/ms679014(v=vs.85).aspxStructural, Abstract, and Auxiliary Classes: https://msdn.microsoft.com/en-us/library/ms677964(v=vs.85).aspx

NOTE

From RFC 4512: “Auxiliary object classes cannot subclass structural object classes.” RFC 4512 section 2.4.3 talks about this information.As per standards, auxiliary classes in AD have to be created so that its parent class is always TOP and not any other class to be compliant.You can see more information from the link: https://tools.ietf.org/html/rfc4512#section-2.4

RESOLUTION

Remove the Custom Auxiliary Class from any ObjectTypes it may be associated
Disable the Custom Auxiliary Class by setting the isDefunct Property to True.
- https://msdn.microsoft.com/en-us/library/ms675903%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
Create the Active Directory Management Agent (ADMA)
Enable the Custom Auxiliary Class by setting the isDefunct Property to False

ADDITIONAL INFORMATION

Identity Management Information

Forum Posting: https://social.technet.microsoft.com/Forums/en-US/3f572a24-362a-4601-b109-9d4965144e13/miis-2003-sp1-adam-connector-error-80230910?forum=identitylifecyclemanager

Disabling Existing Classes and Attributes: https://msdn.microsoft.com/en-us/library/ms675903%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
Object-Class-Category Attribute: https://msdn.microsoft.com/en-us/library/ms679014(v=vs.85).aspx
Structural, Abstract, and Auxiliary Classes: https://msdn.microsoft.com/en-us/library/ms677964(v=vs.85).aspx

Support-Info: (CONNECTORS): Failed to create ADMA (Receiving error 80230910)

PRODUCTS INVOLVED

PROBLEM SCENARIO DESCRIPTION

ERROR MESSAGE

Troubleshooting Tools Utilized

CAUSE

RESOLUTION

ADDITIONAL INFORMATION

Identity Management Information

Active Directory Related Information

Additional resources