SharePoint: This Profile Import error is (usually) normal
Update: There was a fix for this behavior in the SharePoint 2016 August 2020 Public Update (build 16.0.5044.1001), so if you’re past that build and seeing the “batch abort exception”, it’s more likely that it indicates a real problem.
Here’s an example of an error that often occurs during Active Directory Import (aka: ADI, AD Import):
ScanDirSyncChanges: Batch-abort Exception in processing response for page ‘7’, exception ‘System.DirectoryServices.Protocols.DirectoryOperationException: An operation error occurred.
Under what conditions might this occur?
You have an Active Directory group that has over 5,000 members.
You may see multiple errors like that if that group also contains nested AD groups that also contain over 5,000 users.
Here are some details around what you’d see in the ULS logs:
11/21/2018 14:45:58.83 OWSTIMER.EXE (0x1C40) 0x09D4 SharePoint Portal Server User Profiles aei5p Verbose QueueItemChange: Incoming change for item <GUID=9b78f038-7735-49a6-81b7-928fca6d8542>;<SID=S-1-5-21-1700552430-3460358242-3531541990-2775>;CN=LGTopLevel,OU=LargeGroup,OU=Test Users,DC=contoso,DC=local of type 2. 17a3a49e-10a0-e088-a10e-ea3cd3720a8d
11/21/2018 14:45:58.84 OWSTIMER.EXE (0x1C40) 0x09D4 SharePoint Portal Server User Profiles af9b7 Medium RangeQuery: Retrieving attribute ‘member’ of item ‘CN=LGTopLevel,OU=LargeGroup,OU=Test Users,DC=contoso,DC=local’ using Range Query. 17a3a49e-10a0-e088-a10e-ea3cd3720a8d
11/21/2018 14:45:58.94 OWSTIMER.EXE (0x1C40) 0x09D4 SharePoint Portal Server User Profiles aei44 Unexpected ScanDirSyncChanges: Batch-abort Exception in processing response for page ‘7’, exception ‘System.DirectoryServices.Protocols.DirectoryOperationException: An operation error occurred. at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut) at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout) at Microsoft.Office.Server.UserProfiles.ADImport.ProfileDispatcher.RangeQuery(List`1 valuesList, LdapConnection ldapConnection, Int64 uSNChanged, String dn, String attribute, Type valueType) at Microsoft.Office.Server.UserProfiles.ADImport.ProfileDispatcher.FillAllProperties(ServerConfiguration serverConfig, LdapConnection ldapConnection, UserProfileADImportPropertyMappingCollection propertyMapping, ItemInfo item, ProfileChangeData newProfile, ProfileTypePropertyManager propManager, IDictionary`2 propertyChanges) at Microsoft.Office.Server.UserProfiles.ADImport.ProfileDispatcher.GetProfileChangeData(ServerConfiguration serverConfig, LdapConnection ldapConnection, UserProfileADImportPropertyMappingCollection propertyMapping, ItemInfo item, ProfileTypePropertyManager propManager) at Microsoft.Office.Server.UserProfiles.ADImport.ProfileDispatcher.QueueItemChange(Provisioner item, UserProfileADImportMapping adMapping, Boolean isDeleted, List`1& itemIdSuccesses, Dictionary`2& itemIdFailures, Stopwatch externalTimeSpent, Int32 loopCount, ProfileTypePropertyManager propManager, Int32& countAdds, Int32& countDeletes, Int32& countUpdates) at Microsoft.Office.Server.UserProfiles.ADImport.ProfileConfiguration.QueueSearchResultEntry(ProfileConfiguration profileConfig, LdapConnection ldapConnection, String rootDn, SearchResultEntry entry, List`1& itemIdSuccesses, Dictionary`2& itemIdFailures, List`1& itemIdOUFiltered, Stopwatch externalTimeSpent, Int32 loopCount, Int32& countAdds, Int32& countDeletes, Int32& countUpdates) at Microsoft.Office.Server.UserProfiles.ADImport.DirSyncWrapper.ProcessChanges(ProfileConfiguration profileConfig, LdapConnection ldapConnection, UserProfileADImportMapping adMapping, String rootDn, Stopwatch externalTimeSpentInProfile, Stopwatch externalTimeSpentInDirectory, SPUserProfileADImportUsageEntry usage, Int32 loopCount, Boolean& fEventLogged, SearchRequest request, DirectoryControl pagingControl, List`1 itemsLeft)’: assuming all successes if any are failures, and stopping further dirSync requests for this batch! 17a3a49e-10a0-e088-a10e-ea3cd3720a8d
11/21/2018 14:45:58.95 OWSTIMER.EXE (0x1C40) 0x09D4 SharePoint Server General 7202 Critical ActiveDirectory Import: DirSync import failed: ScanDirSyncChanges: Batch-abort Exception in processing response for page ‘7’, exception ‘System.DirectoryServices.Protocols.DirectoryOperationException: An operation error occurred. at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut) at <same stack as above>
11/21/2018 14:45:58.95 OWSTIMER.EXE (0x1C40) 0x09D4 SharePoint Portal Server User Profiles aihvo Unexpected ScanDirSyncChanges: Critical failure to process entry with objectGuid=’7d1c6e4f-b819-4aef-81b7-b61e63320bc5′, DN=’CN=TestyUser5336,OU=LargeGroup,OU=Test Users,DC=contoso,DC=local’: must ForceImportItem. 17a3a49e-10a0-e088-a10e-ea3cd3720a8d
That looks bad. Why should I not be concerned?
Because in SharePoint 2016 builds prior to 16.0.5044.1001, its normal for groups with large memberships. The first run at importing the group is unable to enumerate all the memberships. It fails with the above error, but it also places the group in a queue for a retry. This “Retry Import” is generally able to import all group memberships successfully.
For example, here’s the sequence from my ULS log during the same run of the profile import timer job, just a bit farther down:
11/21/2018 14:46:01.22 OWSTIMER.EXE (0x1C40) 0x09D4 Document Management Server Reporting awggm Medium UserProfileADImportJob_RetrySyncFailures Start: My Scenario Start 17a3a49e-10a0-e088-a10e-ea3cd3720a8d
11/21/2018 14:46:01.45 OWSTIMER.EXE (0x1C40) 0x09D4 SharePoint Portal Server User Profiles aei5g Verbose ScanDirSyncChanges: SearchResponse Entry #1, DistinguishedName ‘<GUID=9b78f038-7735-49a6-81b7-928fca6d8542>;<SID=S-1-5-21-1700552430-3460358242-3531541990-2775>;CN=LGTopLevel,OU=LargeGroup,OU=Test Users,DC=contoso,DC=local’. 17a3a49e-10a0-e088-a10e-ea3cd3720a8d
11/21/2018 14:46:01.45 OWSTIMER.EXE (0x1C40) 0x09D4 SharePoint Portal Server User Profiles af9b7 Medium RangeQuery: Retrieving attribute ‘member’ of item ‘CN=LGTopLevel,OU=LargeGroup,OU=Test Users,DC=contoso,DC=local’ using Range Query. 17a3a49e-10a0-e088-a10e-ea3cd3720a8d
11/21/2018 14:46:01.52 OWSTIMER.EXE (0x1C40) 0x09D4 SharePoint Portal Server User Profiles af9cb Medium RangeQuery: Retrieved 5502 values of attribute ‘member’ of item ‘CN=LGTopLevel,OU=LargeGroup,OU=Test Users,DC=contoso,DC=local’ using Range Query. 17a3a49e-10a0-e088-a10e-ea3cd3720a8d
11/21/2018 14:46:01.52 OWSTIMER.EXE (0x1C40) 0x09D4 SharePoint Portal Server User Profiles aei5l Verbose QueueSearchResultEntry: Finished Queuing DistinguishedName ‘<GUID=9b78f038-7735-49a6-81b7-928fca6d8542>;<SID=S-1-5-21-1700552430-3460358242-3531541990-2775>;CN=LGTopLevel,OU=LargeGroup,OU=Test Users,DC=contoso,DC=local’. 17a3a49e-10a0-e088-a10e-ea3cd3720a8d
How can I tell if the group memberships were actually imported?
You can do this a few different ways after the import is finished.
PowerShell:
#List group memberships according to the UPA
$user = “contoso\user1” #specify the user
Add-PSSnapin *sharePoint*
$profileManager = [Microsoft.Office.Server.UserProfiles.UserProfileManager]([Microsoft.Office.Server.ServerContext]::Default)
$up = $profileManager.GetUserProfile($user)
Write-Host “Account: ” $up.AccountName
Write-Host “Name: ” $up.DisplayName
Write-Host “Groups:”
$groups = $up.Memberships.GetItems()
$groups | select id, title, group | sort title | ft -AutoSize
SQL (run against the Profile database):
— Return group members (all members of a specific group) – SharePoint 2016 query
select mg.displayname as GroupName, mg.Id as GroupID, mg.SourceReference as GroupDN, upf.ntname as UserName, upf.PreferredName, upf.RecordID as UserID from upa.userprofile_full upf (nolock)
join upa.usermemberships um (nolock) on upf.recordid = um.recordid
join upa.membergroup mg (nolock) on um.membergroupid = mg.id
where mg.displayname like ‘%ADGroup1%’
order by mg.displayname, upf.ntname
— Return user memberships (all groups a certain user belongs to) – SharePoint 2016 query
select upf.ntname as UserName, upf.PreferredName, upf.RecordID as UserID, mg.displayname as GroupName, mg.Id as GroupID, mg.SourceReference as GroupDN from upa.userprofile_full upf (nolock)
join upa.usermemberships um (nolock) on upf.recordid = um.recordid
join upa.membergroup mg (nolock) on um.membergroupid = mg.id
where upf.ntname like ‘%testyuser1%’
order by upf.ntname, mg.displayname
For example, here’s the output of the above SQL query, run for my user “testuser1”, who is a member of the “LGTopLevel” group that we saw throw the “Batch-abort Exception”
error on the initial import, but then succeed on the “Retry Import”. As you can see, it shows the user as a member of “LGTopLevel”.
