I recently worked through an issue with encryption and the synchronization from Active Directory. I was getting errors in the MEE connector logs: "...change attribute older than current users: Ignoring other changes"
Seems some user attribute(s) were not replicating via the connector. Troubleshooting revealed that after our recent AD upgrade the issue began; I had previously pointed the AD Connector to our new DC...
Thanks to this forum, I looked at the "uSNChanged" value, which wasn't replicated between old and new DCs. The "uSNChanged" value being higher in MEE than in AD would cause the connector job to ignore changes as was indicated in the connector logs. To verify, I manually edited the MEE User attributes "SbAdCon0.changes" to "0" for an individual account; the connector log (and MEE DB) indicated updated user attributes... yay.
So it seems that my issue was due to attributes in MEE being interpreted by MEE connector query (sBAdCon0.changes) as newer than that which is in AD within the "uSNChanged" field, therefore not updating…
Worked out a fix which seems to be working in test… scripting a two-part fix to the MEE database using sbadmcl.exe.
Step 1: (The following will change the connector reference)
sbadmcl -AdminUser:admin -AdminPwd:xxxxx -command:ChangeBindingname -group:* -OldBind:SbAdCon0.changes -NewBind:SbAdCon9.changes
Step 2: Manually run the AD connector, which will generate new SbAdCon0.changes
Step 3: (The following will remove the previously renamed entries and corresponding (incorrect) values... cleanup:)
sbadmcl -AdminUser:admin -AdminPwd:xxxxx -command:ChangeBindingname -group:* -OldBind:SbAdCon9.changes -NewBind:
Thought I'd share my experience, since this forum has helped me in the past... and that the documentation (scripting tool guide) lists the -command:ChangeBindingname incorrectly as -command:changebinding which threw me for a loop.
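One way to size the problem before a bulk rename, added here as an example that is not part of the original post or of the MEE tooling: it models the comparison described above over two constructed CSV exports and lists the users whose stored SbAdCon0.changes value is higher than uSNChanged on the new DC. The column names, sample values and the "lower value means the next run updates" rule are assumptions.

```python
import csv
import io

# Constructed sample data (not from the original post). Column names are
# assumptions: "stored_usn" stands for the per-user SbAdCon0.changes value
# held in MEE, "dc_usn" for uSNChanged read from the DC the connector now uses.
MEE_EXPORT = """user,stored_usn
alice,981200
bob,975310
carol,0
dave,12044
"""
NEW_DC_EXPORT = """user,dc_usn
alice,15210
bob,14877
carol,15002
dave,15990
erin,15100
"""


def load(text, value_col):
    """Parse a two-column CSV into {user: int(value)}."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["user"]: int(row[value_col]) for row in reader}


def classify(stored, dc):
    """Group users by how the stored watermark relates to the DC's uSNChanged.

    stranded: stored value is higher, so AD changes look older and are ignored
    pending:  DC value is higher (or nothing stored), so the next run updates
    current:  values are equal, nothing to do
    """
    result = {"stranded": [], "pending": [], "current": []}
    for user, dc_usn in sorted(dc.items()):
        mee_usn = stored.get(user, 0)  # a missing binding is treated as 0
        if mee_usn > dc_usn:
            result["stranded"].append(user)
        elif mee_usn < dc_usn:
            result["pending"].append(user)
        else:
            result["current"].append(user)
    return result


if __name__ == "__main__":
    groups = classify(load(MEE_EXPORT, "stored_usn"), load(NEW_DC_EXPORT, "dc_usn"))
    for name, users in groups.items():
        print(f"{name}: {', '.join(users) or '-'}")
```

In the sample, carol stands for an account whose value was already reset to 0 and erin for one with no stored value yet.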
You could have just deleted the existing binding value, or set it to "0" rather than renaming it?
Manually doing this on a one-by-one basis wouldn't be feasible given thousands needed to be updated...
On an individual basis, that would be the way to go for sure.
There are API commands to both delete the binding, and set its value.
Message was edited by: SafeBoot on 8/22/11 10:12:16 AM EDT