Yesterday I encountered an error I hadn't seen before when trying to set up a new AD Connector in SCSM. The connector always stopped at 92% and generated the following error in the event log:


Data synchronization failed by DefaultCache.MomStore.ADUsers_Manager.DefaultCache.ADConnector.5f4e989660d749b6b420fb4532c5ed9a:Microsoft.EnterpriseManagement.ServiceManager.Connector.Sql.DataConnectorSql.
Exception type:NullReferenceException
Exception message:Object reference not set to an instance of an object..
StackTrace:   at Microsoft.EnterpriseManagement.ServiceManager.Linking.Consumer.OperationalStore.DataSetTransformer.ComputeManagerDeletes(Dictionary`2 result, IList`1 existingManagers, Dictionary`2 userToNewManager)
   at Microsoft.EnterpriseManagement.ServiceManager.Linking.Consumer.OperationalStore.DataSetTransformer.DeleteObsoleteManagerRelationships(ManagementPackRelationship relationshipType, Dictionary`2 result, EnterpriseManagementGroup managementGroup)
   at Microsoft.EnterpriseManagement.ServiceManager.Linking.Consumer.OperationalStore.DataSetTransformer.TransformToEnterpriseManagementObjects(EnterpriseManagementGroup managementGroup, ManagementPackType storeType, SessionSettings sessionSettings, Boolean useStagingSDK, Boolean isGRCSolution)
   at Microsoft.EnterpriseManagement.ServiceManager.Linking.Consumer.OperationalStore.OperationalStoreConsumer.ConsumeData(DataSet data, SessionSettings sessionSettings)
   at Microsoft.EnterpriseManagement.ServiceManager.Connector.Datacenter.SessionHost.DataSync()

 

As I couldn’t find anything on the net, I started digging into the error. The error says something about the Manager relationship, so I figured I needed to look there. It turned out that there were 10 disabled users in AD that still had Direct Reports listed on their AD user object.


So in other words: some people had a Manager that was disabled. And since I only imported enabled objects with the AD Connector, some Users referred to an object (their manager) that did not exist! So instead of the connector ignoring these, as it probably should, it threw an error and stopped.

 

Solution

The solution was to create another AD connector that imported the disabled managers. You can use the following LDAP query to find them:

(&(DirectReports=*)(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=2))

It searches for all disabled Users that have something written in Direct Reports, which means they manage one or more users. Then create an AD Connector and select Individual Users to import.

If you want, you can actually delete the connector again so the disabled Users will be removed. The other AD Connector will still be able to sync and get past 92%.
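
To see which enabled users still point at a disabled manager, the same LDAP filter can be run from PowerShell. This is an added example, not part of the original troubleshooting; it assumes the ActiveDirectory (RSAT) module is installed and that the account running it can read the domain.

```powershell
# Added example: list disabled managers and the enabled users who report to them.
# Assumes the ActiveDirectory module (RSAT) and read access to the current domain.
Import-Module ActiveDirectory

# Same filter as above: objects with at least one direct report whose
# userAccountControl has the ACCOUNTDISABLE bit (0x2) set. The OID
# 1.2.840.113556.1.4.803 is the bitwise-AND matching rule.
$filter = '(&(directReports=*)(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=2))'

$disabledManagers = Get-ADUser -LDAPFilter $filter -Properties directReports

$report = foreach ($mgr in $disabledManagers) {
    foreach ($dn in $mgr.directReports) {
        try {
            # directReports holds distinguished names; resolve each to a user.
            $user = Get-ADUser -Identity $dn
        } catch {
            # Not a user object (for example a contact) or not resolvable: skip it.
            continue
        }

        # Only enabled reports matter here: they are the objects an
        # enabled-only connector imports while their manager is missing.
        if ($user.Enabled) {
            [pscustomobject]@{
                DisabledManager = $mgr.SamAccountName
                ManagerDN       = $mgr.DistinguishedName
                EnabledReport   = $user.SamAccountName
            }
        }
    }
}

# One row per (disabled manager, enabled report) pair.
$report | Sort-Object DisabledManager, EnabledReport | Format-Table -AutoSize
```

The DisabledManager column gives the accounts to select under Individual Users in the second connector; the same list is also a starting point for cleaning up the Manager attribute in AD.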

 

Hope I can save some trouble for some now 🙂