Support-Info: (CONNECTORS): Failed to create ADMA (Receiving error 80230910)

PRODUCTS INVOLVED

  • Microsoft Identity Manager 2016 Service Pack 1
    • Active Directory Management Agent (ADMA)
NOTE: The product involved in this solution was MIM 2016 SP1; however, this issue can occur with other Identity Management products that use an Active Directory Management Agent. For example:

  • Forefront Identity Manager 2010, R2, R2 SP1
  • Azure AD Connect Sync

PROBLEM SCENARIO DESCRIPTION

  • When attempting to create an Active Directory Management Agent in the Synchronization Service Engine, an LDAP error is received that provides just the number 80230910.

ERROR MESSAGE

“Sequence expected but class:UNIVERSAL(0) primitive tag:5 was unexpected”

NOTE

Troubleshooting Tools Utilized

EXAMPLE: Ldifde -f export_1.txt -d cn=schema,cn=configuration,dc=contoso,dc=com -r "(&(objectClass=classSchema)(objectClassCategory=3))" -l dn,subClassOf

CAUSE

This issue occurs because the Person class has been instantiated, so it becomes structural. According to the RFC 4512 standard (https://tools.ietf.org/html/rfc4512#section-2.4), an auxiliary class cannot be a subClassOf a structural class.

EXAMPLES OF THE PROBLEM

dn: CN=Person,CN=Schema,CN=Configuration,DC=contoso,DC=com
subClassOf: top
objectClassCategory: 0 (NOTE: 0 should not be used)

dn: CN=MyLinuxUser,CN=Schema,CN=Configuration,DC=contoso,DC=com
subClassOf: person
objectClassCategory: 3 (NOTE: Auxiliary Class)

NOTE

For more information on ObjectClassCategory, review the following documentation: https://msdn.microsoft.com/en-us/library/ms679014(v=vs.85).aspx

Structural, Abstract, and Auxiliary Classes: https://msdn.microsoft.com/en-us/library/ms677964(v=vs.85).aspx

NOTE From RFC 4512:

“Auxiliary object classes cannot subclass structural object classes.” RFC 4512 section 2.4.3 talks about this information.

As per the standard, auxiliary classes in AD have to be created so that their parent class is always TOP, and not any other class, to be compliant.

You can see more information from the link: https://tools.ietf.org/html/rfc4512#section-2.4
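
Added example, not part of the original article: a Python check that reads a schema export and lists auxiliary classes whose parent is a structural class or a category 0 class, the condition described under CAUSE. It assumes the export also contains lDAPDisplayName and objectClassCategory in addition to the dn and subClassOf attributes used in the Ldifde example above; the sample records and function names are constructed for illustration.

```python
# Constructed sample export (not real output); the last dn is folded the way LDIF wraps long lines.
SAMPLE_LDIF = """\
dn: CN=Person,CN=Schema,CN=Configuration,DC=contoso,DC=com
lDAPDisplayName: person
subClassOf: top
objectClassCategory: 0

dn: CN=MyLinuxUser,CN=Schema,CN=Configuration,DC=contoso,DC=com
lDAPDisplayName: myLinuxUser
subClassOf: person
objectClassCategory: 3

dn: CN=MyGoodAux,CN=Schema,CN=Configuration,
 DC=contoso,DC=com
lDAPDisplayName: myGoodAux
subClassOf: top
objectClassCategory: 3
"""

# objectClassCategory values as documented for Active Directory schema classes.
CATEGORY = {"0": "88 class", "1": "structural", "2": "abstract", "3": "auxiliary"}

def parse_ldif(text):
    """Return one dict per LDIF record, with lowercased attribute names."""
    records = []
    for block in text.replace("\r\n", "\n").replace("\n ", "").split("\n\n"):
        rec = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                rec[attr.lower()] = value.strip()
        if "dn" in rec:
            records.append(rec)
    return records

def find_bad_auxiliary(records):
    """List (dn, parent, parent category) for auxiliary classes with a category 0 or 1 parent."""
    by_name = {r["ldapdisplayname"].lower(): r for r in records if "ldapdisplayname" in r}
    findings = []
    for r in records:
        parent = by_name.get(r.get("subclassof", "").lower())  # parents not in the export are skipped
        if r.get("objectclasscategory") == "3" and parent:
            pcat = parent.get("objectclasscategory")
            if pcat in ("0", "1"):  # 0 is flagged because the article says it becomes structural
                findings.append((r["dn"], parent["ldapdisplayname"], CATEGORY[pcat]))
    return findings

if __name__ == "__main__":
    for dn, parent, kind in find_bad_auxiliary(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: auxiliary class derives from {parent} ({kind})")
```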

RESOLUTION

ADDITIONAL INFORMATION

Identity Management Information

Active Directory Related Information