Problem with Distribution Groups - members not added by DMS

Question

Hi,

Like this thread, I can create a new SharePoint group and assign it an email address and DMS creates the relevant distribution group in the target OU in AD. However, the members of the group are not automatically added to the distribution group in the OU. When I try and add or remove users to the SharePoint group, I get the following error: 

Error

The Directory Management Service has reported an error which is not recognized by Microsoft SharePoint Foundation.

I have checked that the domain account which runs the Central Administration application pool has the relevant access to the OU container: 'Create, delete and manager user accounts'. I assume that the permissions were correct anyway as the OU could be populated with new email contacts or distribution groups created in SharePoint.

Can someone help me please? How do I solve this error message and get the distribution group to be automatically populated with members from the SharePoint group?

Thanks in advance

Answer 1

Hello,

Thank you for your question.

I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

Thank you for your understanding and support.

Best Regards,

Sally Tang

Answer 2

Hi Jon,

This seems to be an obscure issue, but the first thing that comes to mind is the extra permissions that are necessary for the Central Admin application pool account in Active Directory per this TechNet article:

http://technet.microsoft.com/en-us/library/cc262947.aspx

Beginning in the section titled "Configure AD DS to be used with Directory Management Service", it sounds like you've got the first requirement completed, the "Create, delete, and manage user accounts" delegation.  The next section describes that you must also delegate "Create all Child Objects" and "Delete all Child Objects" as well.  Can you test granting the application pool account these permissions, then reset IIS and see if you experience the same issue?

Thanks,

Bob

Answer 3

Hi Bob,

Thanks for your reply and advice. I had done this already but went ahead and removed the Central Admin app pool account and started again with adding the correct OU permissions. Still get the same problem though... When I create a group I am able to email enable it and I see the distribution group get created within the OU, just not with the members!

Please could you help me further?

Many thanks,
Jon

Answer 4

You bet Jon!  I would think that this would be the appropriate time to enable verbose logging on all categories for the ULS:

> Central Admin > Monitoring > Configure diagnostic logging > Set check on All Categories > Set Least critical event to report to the trace log to Verbose, click OK, taking note of the file location.

In addition, with the hope of getting a more informative error, can you please also disable custom error messages in the web.config files for the farm, using these steps:

C:\Inetpub\wwwroot\wss\VirtualDirectories\<port>

C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\ISAPI

C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\CONFIG

C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS

I'm suggesting the Program Files locations because we don’t know where the unknown error is originating from, but you might test after changing each one if that seems to make more sense to you.

In each web.config, change:

<SharePoint>

<SafeMode MaxControls="200" CallStack="false" DirectFileDependencies="10" TotalFileDependencies="50" AllowPageLevelTrace="false">

To

<SharePoint>

<SafeMode MaxControls="200" CallStack="true" DirectFileDependencies="10" TotalFileDependencies="50" AllowPageLevelTrace="false">

Then for custom errors, change:

</httpHandlers>

<customErrors mode="On" />

To

</httpHandlers>

<customErrors mode="Off" />

If possible, run IISRESET /noforce, and test with a new browser session, taking note of the exact time that you reproduce the issue, then review the ULS log for that time on each web front end server to see if you can find additional details around the error, and post them up.  In addition, if the web.config changes produce a more verbose error or a stack trace, please include it as well.

Thanks!

Bob

Answer 5

Hi Bob,

Thanks for your helpful email. So I didn't go as far as changing the web.config custom errors but have got some interesting information with the ULS log that I will post below. I can do the custom error changes if you think that will help.

At the time of trying to add a member to the SP group and getting the 'The Directory Management Service has reported an error which is not recognized by Microsoft SharePoint Foundation' I see the following as 3 separate entries in the ULS log:

---

Microsoft.SharePoint.SPDistributionGroupException: The Directory Management Service has reported an error which is not recognized by Microsoft SharePoint Foundation.   
 at Microsoft.SharePoint.SPGroup.ResynchronizeDistributionGroup()    
 at Microsoft.SharePoint.SPUserCollection.UpdateMembers(Object objUpdateInfo, Object objAddIds, Object objRemoveLogins, Object objRemoveIds, Boolean fSendEmail)    
 at Microsoft.SharePoint.SPUserCollection.AddCollection(SPUserInfo[] addUsersInfo, IEnumerable`1 addUsers)    
 at Microsoft.SharePoint.ApplicationPages.AclInv.BtnOK_Click(Object sender, EventArgs e)    
 at System.Web.UI.WebControls.Button.OnClick(EventArgs e)    
 at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)    
 at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)    
 at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

System.UnauthorizedAccessException: Access is denied.      
 at System.DirectoryServices.Interop.UnsafeNativeMethods.IAds.SetInfo()    
 at System.DirectoryServices.DirectoryEntry.CommitChanges()    
 at Microsoft.SharePoint.EmailIntegration.SPEWSADManager.ChangeUsersMembershipInDistributionGroup(String Alias, String[] AddNt4NameList, String[] DeleteNt4NameList, Boolean DeleteAllCurrentMembers)SPEWSADManager::ChangeUsersMembershipInDistributionGroup

Deleting all members for distribution group office_staff

---

So it looks like an permissions issue perhaps as it says Access is denied.

Do you have any suggestions?

Many thanks
Jon

Answer 6

Thanks for collecting those bits Jon.  Can you tell me if SharePoint and the user accounts are in different forests?  So, in effect, are you attempting to add users from another domain/forest into the SharePoint group that you have created?  Can you provide the domain topology and detail which domain the Central Admin application pool account is in, whether it's from the same domain/forest as the SharePoint server(s) or the domain/forest that the users are in?  There is a known issue that was present in SharePoint 2007, and is under review for SharePoint 2010 where there are issues with user accounts from other forests/domains being added to the group: http://support.microsoft.com/?id=979565.  The error is different, but I believe that the topology bears consideration, as it could be relevant.

If none of the above applies, servers and users are in the same domain, I would recommend that you open a case with the SharePoint Admin support for assistance with troubleshooting this issue.  It's possible that the issue is occurring due to replication problems with Active Directory, and would require in depth tracing/troubleshooting to chase down.

Thanks!

Bob

Answer 7

Hi Bob,

The servers and users are indeed in the same domain, so looks like I will have to go ahead and open a case with SharePoint admin support. By this, do you mean the SharePoint 2010 - Setup, Upgrade, Administration and Operation forum hosted here?

Thanks for helping me out

Jon

Answer 8

Not a problem Jon!  I would have liked to have gotten to the bottom of this for you.  I am recommending that you open a paid support request with Microsoft, in order to work with a SharePoint support engineer.  This link will take you to the entry point for getting this process going: http://support.microsoft.com/ph/14944.

Thanks,

Bob

Answer 9

Does the user executing the operation have the permission to Read/Write Members on the groups and user objects?

---

http://sharepoint.nauplius.net

Answer 10

The domain account for the Central Admin application pool does, yes.

I have a question: when I check in Central Admin->Security->Distribution Groups->Approved Distribution Groups, I see the distribution groups that have been created. When I check each group item, I see that it's been created by the application pool for that web application, not the Central Admin application pool. Am I correct in thinking that only the Central Admin app pool account needs the relevant permissions to read/write on the OU, and not the web application pool account too?

Bob, I am unable to pay for MS support so I hope that someone else will be able to shed some light as to what's not working here. 

Thanks