03-19-2003 07:51 AM - edited 03-12-2019 11:07 PM
We have recently duplicated a Unity server in a new domain in order to migrate users from an older domain. The major change in the new Unity server is that it's using Exchange 2000 while the old one used Exchange 5.5. There is also a different AD structure as well. The new server was installed and integrated with E2K successfully, but I'm not able to import users into Unity from E2K. I am getting the infamous error "an unrecognized error has occured". The user I attempted to import shows up in the SQL database and within Unity, but it doesn't behave like it actually exists. I've run the permission wizard, and I'm using two separate service accounts for messaging and directory services. I've read most of the posts regarding this error, and nothing seems to help. Can someone help me figure out the problem? Thanks.
Solved! Go to Solution.
03-21-2003 08:50 AM
21:35:45:140 (AvDirSynch_MC,1074,DSAD,0) [Thread 3216] COM Method [< CAvDSAdminAD::Modify(long | VARIANT* | VARIANT* | VARIANT* | VARIANT* | VARIANT*)] exited with HRESULT [0x80070005; LDAP_INSUFFICIENT_RIGHTS].
The service account that is running the AvDSAD service doesn't have appropriate permissions to modify the AD user object that you are trying to import (it has to modify some of the ciscoEcsbu AD attributes that were extended to that object). There's a utility called the "DAD" that can assist in troubleshooting this issue...
03-19-2003 08:01 AM
First, which version of Unity are you at?
Next step is to check the permissions with DAD (Directory Access Diagnostics) - the accounts you used for your directory facing account may have been given permissions properly but not on the container(s) you're trying to import users from (we need update rights on those user objects in those containers). DAD attempts to make the same updates when you point it at a particular user you want to import and will give out a detailed report on what went wrong if that's the issue. You can snag the latest version of DAD from here:
03-19-2003 08:21 AM
I ran DAD and everything passed. However, the ciscoEcsbuAlternateDTMFIdsOrder property gave me neither pass nor fail. It just has "------" for both read and write.
As for the version of Unity, I'm using 3.0(4).
03-19-2003 08:29 AM
I also have found the following event log messages:
Event Type: Information
Event Source: AvCsServices_MC
Event Category: Warning
Event ID: 1077
Date: 3/19/2003
Time: 6:06:02 AM
User: N/A
Computer: DEN-UNITY1
Description:
Gateway FindCsComponents failed [JUSTCONNECT.NET\Unity_Den-Unity1, 0x80070005] (caller is denied access).
------------------------------------------------------
Event Type: Error
Event Source: AvCsServices_MC
Event Category: Error
Event ID: 1097
Date: 3/19/2003
Time: 8:18:51 AM
User: N/A
Computer: DEN-UNITY1
Description:
Gateway: GatherUserRights failed (hr=[0x8004010F]) while getting the COS for the mailuser with alias [Jeff.Sailers].
03-19-2003 08:35 AM
the next step is to make sure your subscriber templates and related objects in the database are healthy. Go grab the latest dbWalker version from here http://www.ciscounitytools.com/App_DirectoryWalker3.htm
if there's an issue with the templates that may be causing us to stumble during the subscriber creation process it should point it out.
03-19-2003 12:13 PM
OK. I ran the dbWalker and I received the following error while it was walking: "(error):94(Invalid Use of Null) in procedure checkSubscribers of Form frmMain". I clicked "OK" and it continued through the walk. The only error I'm getting is for the subscriber I just tried to create that failed. Here's the output of the errors:
Alias=Jeff.Sailers
Display Name=Sailers, Jeff
Jump to this subscriber in the SA using this link: Open SA to this subscriber
1520:(error) subscriber has NULL for their primary call handler reference - this is not a valid subscriber. Please contact TAC.
1342:(error) COS reference is NULL. You can fix this by selecting a valid COS object on the profile page for this subscriber in the SA.
1343:(error) Location reference is NULL. This is a serous error, you should contact TAC.
Subscriber has no voice name recorded
Location object display name={Default}
1202:(error) Subscribers language set to 'inherited' which is not legal for the subscriber language
This can be fixed by selecting an installed language for the 'Subscribers language' on the 'conversations' page of the subscriber in the SA
1353:(warning) the Switch ID for this subscriber is set to NULL. This means it will default to switch 0. You can fix this by selecting a valid switch on the profile page for this subscriber in the SA.
Subscriber has no private lists
-----------------------------------------------
Handler Alias=ch_Jeff.Sailers
1198:(error) Subscriber record not found for this primary call handler. You can have this handler removed automatically by checking the 'Remove orphaned call handlers automatically' option.
-----------------------------------------------
Nothing else had errors. the templates all look fine.
03-19-2003 12:24 PM
Presumably that's the guy you failed to import... i would expect it to have broken links like this since the import process didn't complete.
You'll want to delete that subscriber from the Subscriber table in UnityDB and the call handler as well - normally the SQL triggers would take care of the call handler for you but since they're no linked properly that wont happen.
You'll want to get traces in place as Steve suggested next and take a look at what's going on under the covers.
03-19-2003 08:35 AM
For the import problem, if you want to set some diagnostic traces and reproduce the problem, I can take a look. That would be all of the traces for the AvDsGlobalCatalog and AvDSAD components. Each one of those components will have its own diagnostic file. If the contents is posted here, we can see what's up.
What's the frequency of the error logs that are showing up (I think they are a separate problem from the import issue)? Can you post all of the Unity services that are running under the JUSTCONNECT.NET\Unity_Den-Unity1 AD account?
03-19-2003 12:55 PM
how often is the diag file posted in the commserver\logs directory? I opened the one for the DSAD diag after I enabled the traces and reproduced the problem, but there wasn't anything in it.
As far as the error frequency, I'm getting this one every 30 minutes exactly:
Event Type: Information
Event Source: AvCsServices_MC
Event Category: Warning
Event ID: 1077
Date: 3/19/2003
Time: 1:09:59 PM
User: N/A
Computer: DEN-UNITY1
Description:
Gateway FindCsComponents failed [JUSTCONNECT.NET\Unity_Den-Unity1, 0x80070005] (caller is denied access).
The services using the Unity_Den-Unity1 are: AvCsGateway, AvCsMgr, AvGaenSvr, AvRepDirSvrSvc, and AvUMRSyncSvr.
The services using the Directory service account (JUSTCONNECT.NET\srvc_unity) are: AvDirChangeWriter, AvDSAD, and AvDSGlobalCatalog.
Let me know how to get the diag files and I'll get those posted as soon as possible. Thanks.
03-19-2003 01:49 PM
If you change the AvRepDirSvrSvc to LocalSystem and restart that service, you should be able to get rid of those annoying event log messages.
The error doesn't have anything to do with the import problems or anything that DBWalker reported, but that should get rid of it.
There's a little bit about the Unity Diagnostic Tool here...
It's a program off the Start\Programs\Unity\Unity Diagnostic Tool. When you're ready to reproduce the problem, open that up and go to "Micro Traces". Select all of the traces for the DSAD and DsGlobalCatalog components. The click on "start new log files". Reproduce the problem. In UDT, click on "gather log files". Choose "select logs" and select the very last log that shows up for "AvDSAD" and "AvDsGlobalCatalog". Then, post the contents in here.
03-19-2003 03:31 PM
Is the UDT tool only for Unity 3.1 and up? I don't have it in my program folder. I'm running 3.0(4). Any other tools off of answermonkey.com?
03-19-2003 04:51 PM
Ooops. You'll need to use MaestroTools.exe...
http://www.cisco.com/en/US/products/sw/voicesw/ps2237/products_tech_note09186a0080094c53.shtml
03-20-2003 08:49 PM
Here's the output of AvDSAD:
Sorry for the length. I didn't get it as narrowed down as I hoped for. Thanks for your help.
Moderator Note:
Trace removed due to size.
03-21-2003 08:50 AM
21:35:45:140 (AvDirSynch_MC,1074,DSAD,0) [Thread 3216] COM Method [< CAvDSAdminAD::Modify(long | VARIANT* | VARIANT* | VARIANT* | VARIANT* | VARIANT*)] exited with HRESULT [0x80070005; LDAP_INSUFFICIENT_RIGHTS].
The service account that is running the AvDSAD service doesn't have appropriate permissions to modify the AD user object that you are trying to import (it has to modify some of the ciscoEcsbu AD attributes that were extended to that object). There's a utility called the "DAD" that can assist in troubleshooting this issue...
03-21-2003 02:13 PM
The DAD utility has always shown success all the way down the list, including now. Steve, your last post prompted me to look at the rights on the user I'm trying to import. When doing so, I noticed that the "allow inherited permissions from parent to propogate to this object" checkbox was unchecked. I thought that odd, so I checked it, and wouldn't you know, I'm now able to import that user successfully.
After I checked the checkbox and imported the user, somehow the checkbox has come unchecked again. I'll be following up with my AD administrator to see if he has some sort of process that goes through and uncheck that. Otherwise, have any of you out there in Unity or AD land ever heard of this happening? Any help will be appreciated.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide