Microsoft Identity Integration Server 2003

Troubleshooting

What problem are you having?

I received an "SSL Security error" error message during installation of SQL Server 2000.

Cause:   SQL Server 2000 introduces Secure Sockets Layer (SSL) encryption through the use of certificates. If SQL Server 2000 finds certificates on the local computer, SQL Server 2000 attempts to use the certificates. If the certificate is not issued to the fully qualified domain name of the computer, SQL Server 2000 considers the certificate invalid. If multiple certificates are on the computer, there is no way to pick which certificate SQL Server 2000 must use.

Solution:  Remove the existing personal certificates. To remove the certificates:

  1. Click Start, click Run, type mmc, and then click OK.
  2. Click File, click Add/Remove Snap-in, click the Standalone tab, and then click Add.
  3. Select Certificates, and then click Add.
  4. Select Computer account, click Next, select Local computer, click Finish, click Close, and then click OK.
  5. Expand Certificates (Local computer), and then click Personal.
  6. Delete all certificates.

See also:  Article 309398, "SQL Server 2000 Installation or Local Connections Fail with "SSL Security error :ConnectionOpen (SECDoClientHandshake())" Error Message," in the Microsoft Knowledge Base. (http://www.microsoft.com/)

I received a "Missing anchor component" error message during an import from a file.

Cause:  In cases where the distinguished name (also known as DN) and the selected anchor attribute are the same, Microsoft Identity Integration Server 2003 attempts to build the distinguished name first. If the anchor attribute is missing, or Microsoft Identity Integration Server 2003 is unable to read the anchor attribute, then it fails to build the distinguished name and generates the error message "Missing anchor component."

Solution:  Verify that the anchor attribute exists and is valid in the file.

I received an "exported-change-not-reimported" error message on the first import after a change had been exported.

Cause:  Some connected data sources might have policies that affect the values that an attribute can have. For example, Active Directory might have a policy that affects the userAccountControl attribute. You can export the value 0x202, but Active Directory writes the value 0x222. On the next import, the confirmation of the value fails with the error "exported-change-not-reimported."

Solution:  Modify the rules extension code so that the exported value matches the requirements of the connected data source.
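An added example, not part of the original documentation or of the product: it decodes the exported and re-imported userAccountControl values from the case above and names the bit the directory changed, so you can see what the rules extension has to account for. The table lists standard Active Directory userAccountControl flag values and covers more flags than the single case in the text; the function names and the SENSITIVE set are assumptions made for illustration.

```python
# Added example: explain an "exported-change-not-reimported" mismatch on
# userAccountControl by naming the flag bits the directory changed.
# Standard Active Directory userAccountControl bit values (subset).
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
# Assumption: flags a reviewer should look at when the directory, rather
# than the export rule, is the one that set them.
SENSITIVE = {"PASSWD_NOTREQD", "ENCRYPTED_TEXT_PWD_ALLOWED",
             "DONT_EXPIRE_PASSWORD", "TRUSTED_FOR_DELEGATION",
             "DONT_REQ_PREAUTH"}

def decode(value):
    """Return the flag names set in value; unlisted bits come back as hex."""
    names, rest = [], value
    for bit, name in sorted(UAC_FLAGS.items()):
        if value & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"UNKNOWN_{rest:#x}")
    return names

def explain_mismatch(exported, imported):
    """Compare the exported value with the value read back on import."""
    changed = exported ^ imported
    added = decode(changed & imported)    # bits the directory turned on
    removed = decode(changed & exported)  # bits the directory turned off
    return {"added": added, "removed": removed,
            "review": sorted(set(added) & SENSITIVE),
            "stored": hex(imported)}

if __name__ == "__main__":
    # Values taken from the example in the text above.
    print(decode(0x202))
    print(explain_mismatch(0x202, 0x222))
```

For the values in the text, the only difference is PASSWD_NOTREQD (0x20), which the directory added to the exported ACCOUNTDISABLE and NORMAL_ACCOUNT flags.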

Cause:  When Lightweight Directory Access Protocol (LDAP)-based directories, such as Active Directory, receive an empty string in an attribute change operation, they typically delete the attribute, causing the error message "exported-change-not-reimported."

Solution:  This is expected behavior for LDAP-based directories, such as Active Directory. You can also create a scripted attribute flow with a rules extension to determine when to flow attributes with empty strings. For more information, see Attribute flow rules.

The Microsoft Identity Integration Server service failed to start with an Event ID: 6317, "The computer ID in the database does not match this computer's ID."

Cause:  The server running Microsoft Identity Integration Server 2003 might have been renamed, and the new computer name does not match the existing name in the database.

Solution:  Synchronize the database with the computer name by running the Miisactivate.exe tool. For more information, see MIISactivate: Server activation tool.

I received a "Server down" error when trying to connect to a server or run a management agent.

Cause:  You are trying to connect to a server running Sun ONE Directory Server or Windows Server 2003, Enterprise Edition using Secure Sockets Layer (SSL), but the target server does not have SSL configured.

Solution:  Configure the target server for SSL.

Cause:  The Microsoft Identity Integration Server 2003 service account does not have the CA Certificate installed. Even though your SSL bind may be successful, the management agent runs in the context of the Microsoft Identity Integration Server 2003 service account, and may fail without the CA Certificate installed.

Solution:  Install the CA Certificate on the Microsoft Identity Integration Server 2003 service account.

Cause:  You are synchronizing between two Windows 2000 forests, and the DNS forwarder is not configured correctly.

Solution:  Configure the DNS forwarder as described in the GAL Synchronization scenario documentation.

A delta import run after a full import does not process the remaining deleted objects after the deletion limit has been reached.

Cause:  Most management agents (the management agent for Active Directory is the exception) do not retain their deletion watermarks after the full import process.

Solution:  Run a full import to completion on the management agent.