Environment
NetIQ Identity Manager 4.0.2
NetIQ Identity Manager Driver - Active Directory
Situation
When synchronizing a group from AD to eDirectory, -8003 errors are reported for several users, and those users do not show up as members of the group in eDirectory.
[07/03/14 07:54:15.165]:dchris12-AD Driver PT:Resolving association references.
[07/03/14 07:54:15.166]:dchris12-AD Driver PT:
DirXML Log Event -------------------
Driver: \DCHRIS11-TREE\mountain\DriverSet\dchris12-AD Driver
Channel: Publisher
Status: Warning
Message: Code(-8003) Unable to synchronize reference to CN=User14,CN=Users,DC=dchris12-domain,DC=lab,DC=novell,DC=com from attribute Member.
[07/03/14 07:54:15.167]:dchris12-AD Driver PT:
DirXML Log Event -------------------
Driver: \DCHRIS11-TREE\mountain\DriverSet\dchris12-AD Driver
Channel: Publisher
Status: Warning
Message: Code(-8003) Unable to synchronize reference to CN=User13,CN=Users,DC=dchris12-domain,DC=lab,DC=novell,DC=com from attribute Member.
Resolution
A -8003 error is defined as: W_UNABLE_TO_SYNC_REFERENCE -8003
In this case it means that the object (user) being synchronized in the group membership list does not have an association to the driver. The user has not been synchronized through the driver previously, and no association has been created between the user in AD and a user in eDirectory. You cannot synchronize groups and their group memberships for users that do not have associations to users in eDirectory.
Synchronizing a group from AD to eDirectory does not start a synchronization or migration process for the users in the group. You must first synchronize / migrate the users, then the groups of which they are members.
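To find out which users have to be migrated before the group, the -8003 warnings can be pulled out of the driver trace. The following Python script is an added example, not part of the original article or of NetIQ tooling; the function name, the sample trace and the -1234 event in it are constructed for illustration.

```python
import re

# Constructed sample modelled on the trace excerpt in this article.
# The -1234 event uses a made-up code to show that other warnings are ignored.
SAMPLE_TRACE = r"""
[07/03/14 07:54:15.165]:dchris12-AD Driver PT:Resolving association references.
[07/03/14 07:54:15.166]:dchris12-AD Driver PT:
DirXML Log Event -------------------
Driver: \DCHRIS11-TREE\mountain\DriverSet\dchris12-AD Driver
Channel: Publisher
Status: Warning
Message: Code(-8003) Unable to synchronize reference to CN=User14,CN=Users,DC=dchris12-domain,DC=lab,DC=novell,DC=com from attribute Member.
DirXML Log Event -------------------
Driver: \DCHRIS11-TREE\mountain\DriverSet\dchris12-AD Driver
Status: Warning
Message: Code(-8003) Unable to synchronize reference to CN=User13,CN=Users,DC=dchris12-domain,DC=lab,DC=novell,DC=com from attribute Member.
DirXML Log Event -------------------
Driver: \DCHRIS11-TREE\mountain\DriverSet\dchris12-AD Driver
Status: Warning
Message: Code(-8003) Unable to synchronize reference to cn=user14,CN=Users,DC=dchris12-domain,DC=lab,DC=novell,DC=com from attribute Member.
DirXML Log Event -------------------
Driver: \DCHRIS11-TREE\mountain\DriverSet\dchris12-AD Driver
Status: Warning
Message: Code(-1234) Unable to synchronize reference to CN=Other,CN=Users,DC=dchris12-domain,DC=lab,DC=novell,DC=com from attribute Member.
"""

DRIVER_RE = re.compile(r"^Driver:\s*(.+)$")
WARN_RE = re.compile(
    r"^Message: Code\((-?\d+)\) Unable to synchronize reference to (.+)"
    r" from attribute (\w+)\.?$")

def unassociated_references(trace_text):
    """Map each driver to the DNs it reported with -8003, in first-seen order."""
    result = {}
    driver = "(unknown driver)"
    for raw in trace_text.splitlines():
        line = raw.strip()
        m = DRIVER_RE.match(line)
        if m:
            driver = m.group(1)   # remember which driver the next message belongs to
            continue
        m = WARN_RE.match(line)
        if m and m.group(1) == "-8003":
            dns = result.setdefault(driver, [])
            # AD DNs are case-insensitive, so drop repeats regardless of case
            if m.group(2).lower() not in (d.lower() for d in dns):
                dns.append(m.group(2))
    return result

if __name__ == "__main__":
    for drv, dns in unassociated_references(SAMPLE_TRACE).items():
        print(drv, *dns, sep="\n  ")
```

Each DN listed is a user without an association on that driver; migrate those users first, then resynchronize the group.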