
Notes Connector: LDAP returned the error [35] Unwilling To Perform when importing the transaction


jason...@gmail.com

Jan 4, 2006, 6:01:17 AM
I am trying to import the Notes directory over to an AD container
(creating contacts or users with the Notes connector) and when I force
the dirsync I get this:

Event Type: Error
Event Source: MSExchangeADDXA
Event Category: LDAP Operations
Event ID: 8270
Date: 04/01/2006
Time: 11:52:09
User: N/A
Computer: EXCHCONNSRV
Description:
LDAP returned the error [35] Unwilling To Perform when importing the
transaction
dn: cn=UserName UserSN,OU=Import_From_Notes,DC=audiovisual,DC=es
changetype: Add
targetAddress:NOTES:UserName UserSN/ASUAL@ASUAL
name:UserName UserSN
displayName:UserName UserSN
givenName:UserName
mailNickname:UserNickName
sn:UserSN
proxyAddresses:notes:UID=a7f386c7-4bae346b-c125700d-41bd9f
: NOTES:UserName UserSN/ASUAL@ASUAL
importedFrom:{E1F83345-EF23-4A8F-8ACA-1FA245BDBAF4}
legacyExchangeDN:/o=Abertis Telecom/ou=First Administrative
Group/cn=Recipients/cn=a7f386c7-4bae3...
userAccountControl:512
sAMAccountName:jpaletts
showInAddressBook:CN=Default Global Address List,CN=All Global Address
Lists,CN=Address Lists Cont...
-


For more information, click
http://www.microsoft.com/contentredirect.asp.

This is going on Exchange Server 2003 SP2 over an updated Windows 2000
SP4 AD.
Any idea?

Fitz Crittle [MSFT]

Jan 4, 2006, 2:36:01 PM
If you select the option "Create a new Windows user account" on the Notes
Connector, Import Container tab, you'll see this error because the Lotus
Notes connector does not support complex password policy.

Resolution
========
To perform a successful dirsync from Lotus Notes using the option "create
new account", we should create a new Group Policy with the following
features disabled. This Group Policy should only be applied on the OUs where
the Lotus Notes users are being imported.

--> Disable the password minimum length
--> Disable the password history checking
--> Disable the password complexity

Thanks,
Fitz Crittle

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send email to this address; post a reply to this newsgroup.

<jason...@gmail.com> wrote in message
news:1136372477....@f14g2000cwb.googlegroups.com...
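
A triage sketch for the event 8270 description from the first post, added here as an example (it is not part of the thread or of any Microsoft tool). It reads the bracketed error as hexadecimal (0x35 is 53, the LDAP `unwillingToPerform` result code) and checks whether the rejected transaction is a user-account create, which is the case the reply above ties to password policy. The function names are hypothetical and the sample is a shortened copy of the posted event with line wraps rejoined.

```python
import re

# Constructed sample: shortened from the event in the first post, wraps rejoined.
SAMPLE_EVENT = """\
LDAP returned the error [35] Unwilling To Perform when importing the transaction
dn: cn=UserName UserSN,OU=Import_From_Notes,DC=audiovisual,DC=es
changetype: Add
targetAddress:NOTES:UserName UserSN/ASUAL@ASUAL
mailNickname:UserNickName
userAccountControl:512
sAMAccountName:jpaletts
-
"""

# Subset of LDAP result codes (RFC 4511), keyed by decimal value.
LDAP_RESULTS = {19: "constraintViolation", 50: "insufficientAccessRights",
                53: "unwillingToPerform", 68: "entryAlreadyExists"}

# userAccountControl flag bits used by Active Directory.
UAC_ACCOUNTDISABLE = 0x0002
UAC_PASSWD_NOTREQD = 0x0020
UAC_NORMAL_ACCOUNT = 0x0200

def parse_event(description):
    """Return (decimal LDAP result code, attribute dict) for one event."""
    head, *body = description.strip().splitlines()
    m = re.search(r"error \[([0-9A-Fa-f]+)\]", head)
    code = int(m.group(1), 16) if m else None   # assumption: value is hex
    attrs = {}
    for line in body:
        if line.strip() == "-":                 # end-of-record marker
            break
        key, sep, value = line.partition(":")
        if sep and key.strip():                 # skip wrapped continuation lines
            attrs[key.strip().lower()] = value.strip()
    return code, attrs

def triage(description):
    # Classify the rejected add: user-account create or contact create.
    code, attrs = parse_event(description)
    uac = int(attrs.get("useraccountcontrol", "0"))
    is_user = "samaccountname" in attrs and bool(uac & UAC_NORMAL_ACCOUNT)
    return {
        "ldap_result": LDAP_RESULTS.get(code, f"code {code}"),
        "object": "user" if is_user else "contact",
        "enabled": is_user and not uac & UAC_ACCOUNTDISABLE,
        # An enabled account without PASSWD_NOTREQD must satisfy password policy.
        "needs_policy_compliant_password": is_user and not uac & UAC_PASSWD_NOTREQD,
    }
```

For the posted event this reports an enabled user-account create (`userAccountControl:512` with a `sAMAccountName`), not a contact.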

Randy

Jan 5, 2006, 1:44:12 AM
Create a new folder called logs under the Exchsrvr/conndata folder -
this is extra logging for the Lotus Notes connector. Then run the
dirsync from Notes to Exchange. Are you doing anything with mapping
tables as well? What is the version of Domino you are using here?

Randy

Jan 5, 2006, 1:44:26 AM

Regards
Randy
Exchange Admin

jason...@gmail.com

Jan 5, 2006, 6:45:53 AM
OK. Thanks.
I've created the logs folder and got some more info: each account that
the connector can't create turns up with this message:

2006/01/05 12:22:05- LME-NOTES-DXA(0f34) 4 08320:The
associated recipient policy object is 'CN=Default Policy,CN=Recipient
Policies,CN=Abertis Telecom,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=audiovisual,DC=es'.
>> cfgmgrpt(3132)

And further on, this message:

2006/01/05 12:34:59- LME-NOTES-DXA(0400) 1 08307:Error 4b8:
Problem occurred when importing entry 'Jxxx Manxxx Naraxxx Vixxx' to
Exchange.
>> dxamexpt(2993)

This makes me think about the group policy that Fitz Crittle commented on
before, but it's strange that this happens even when the system is
trying to create contacts. Also this is a W2000 domain and I think that
password policies are unique for the whole domain; you can't actually apply
different password policies depending on which OU you are in (correct me
if I'm mistaken). This is a medium sized organization and AD
administration is "outsourced" and I can't just change the password
policy for everyone.

I've applied a GP eliminating the password restrictions and checking the
"Block Policy inheritance" and the "no override" option, making sure the
policy is applied, but still have the same problem.

Any other ideas?

Randy

Jan 6, 2006, 12:19:50 AM
Make sure there are no multiple instances of lsdxa.exe running and also,
instead of choosing "Create a Windows user account" in the Notes
connector properties, go for "Create a Windows contact". Make
sure the Notes domain is correctly mentioned in the connector
properties. Also, do you have a separate recipient policy for the Notes
users or are you using the default policy?
I would appreciate it if you could paste the entire log so that I can see
the sequence and comment on it more. Also increase diagnostics for LME
NOTES and MSExchangeADDXA to 7 from the registry,
HKLM\System\currentcontrolset\services\ and redo a fresh dirsync and
send the app log along with the log folder contents, if you can.


Regards
Randy

P.S.: You are correct with respect to password policy; it's unique for
the domain. Only recipient policies can be applied for different OUs.

jason...@gmail.com

Jan 9, 2006, 5:00:55 AM
lsdxa.exe checked: only one running.
Create a Windows contact: selected.
Changes on the registry for more detailed logs done.
Yes, I'm using the default recipient policy. This is the address space
set:

"&D/First Administrative Group/Abertis Telecom@exchange"

And the addresses coming from Notes are "UserID/ASUAL@ASUAL".

And now I can't really explain this: for some reason the contact
creation has worked. I'm sure it wasn't working before... but :-?
...well: if this is the case, probably the whole problem concerns the
password policy, right? Actually right now I need user accounts rather
than contacts and I haven't found an easy way to transform each contact
into a mail-enabled user. Maybe an LDIFDE extract, transform (text based
replace) and import? I would appreciate any ideas in this respect.

I'm going to retry the whole process again; if it fails to create
contacts as before I will post logs and more.

Randy

Jan 9, 2006, 7:17:28 AM
Great, so it worked with the contacts, so that means the user account
is the only one having problems. Are there any GPs being applied on the OU
where the Notes user accounts are being imported into AD? If so, try
one without any GP - I have seen such behaviour and can't say why
that might be a problem.

Regards
Randy

jason...@gmail.com

Jan 9, 2006, 10:55:24 AM
Well, you might be right: the OU where the contacts were not being
created had the default domain policy, and when doing all the testing
with the creation of users I actually blocked inheritance and that
might have helped with the creation of the contacts... but it doesn't
fix the user creation problem.

Right now I'm importing 1750 contacts from Notes. Most of them are
generic mailboxes that need to be converted into mail-enabled users;
the rest are distribution groups that will need to be converted as
well. Do you know of any easy way to convert these contacts into users
and/or distribution groups?

Randy

Jan 10, 2006, 12:36:06 PM
You can use the migration wizard to do the conversion.

Regards
Randy

jason...@gmail.com

Jan 11, 2006, 9:34:32 AM
Good idea. I'll try it out.
Thanks for all your help.
Best regards.
Jason.
