SharePoint: This Profile Import error is (usually) normal

 

Here’s an example of an error that often occurs during Active Directory Import (aka: ADI, AD Import):

 

ScanDirSyncChanges: Batch-abort Exception in processing response for page ‘7’, exception ‘System.DirectoryServices.Protocols.DirectoryOperationException: An operation error occurred.

 

Under what conditions might this occur?

You have an Active Directory group that has over 5,000 members.

You may see multiple errors like that if that group also contains nested AD groups that also contain over 5,000 users.

 

 

Here are some details around what you’d see in the ULS logs:

11/21/2018 14:45:58.83    OWSTIMER.EXE (0x1C40)    0x09D4    SharePoint Portal Server    User Profiles    aei5p    Verbose    QueueItemChange: Incoming change for item <GUID=9b78f038-7735-49a6-81b7-928fca6d8542>;<SID=S-1-5-21-1700552430-3460358242-3531541990-2775>;CN=LGTopLevel,OU=LargeGroup,OU=Test Users,DC=joroar,DC=local of type 2.    17a3a49e-10a0-e088-a10e-ea3cd3720a8d

11/21/2018 14:45:58.84    OWSTIMER.EXE (0x1C40)    0x09D4    SharePoint Portal Server    User Profiles    af9b7    Medium    RangeQuery: Retrieving attribute ‘member’ of item ‘CN=LGTopLevel,OU=LargeGroup,OU=Test Users,DC=joroar,DC=local’ using Range Query.    17a3a49e-10a0-e088-a10e-ea3cd3720a8d

11/21/2018 14:45:58.94    OWSTIMER.EXE (0x1C40)    0x09D4    SharePoint Portal Server    User Profiles    aei44    Unexpected    ScanDirSyncChanges: Batch-abort Exception in processing response for page ‘7’, exception ‘System.DirectoryServices.Protocols.DirectoryOperationException: An operation error occurred. at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut) at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout) at Microsoft.Office.Server.UserProfiles.ADImport.ProfileDispatcher.RangeQuery(List`1 valuesList, LdapConnection ldapConnection, Int64 uSNChanged, String dn, String attribute, Type valueType) at Microsoft.Office.Server.UserProfiles.ADImport.ProfileDispatcher.FillAllProperties(ServerConfiguration serverConfig, LdapConnection ldapConnection, UserProfileADImportPropertyMappingCollection propertyMapping, ItemInfo item, ProfileChangeData newProfile, ProfileTypePropertyManager propManager, IDictionary`2 propertyChanges) at Microsoft.Office.Server.UserProfiles.ADImport.ProfileDispatcher.GetProfileChangeData(ServerConfiguration serverConfig, LdapConnection ldapConnection, UserProfileADImportPropertyMappingCollection propertyMapping, ItemInfo item, ProfileTypePropertyManager propManager) at Microsoft.Office.Server.UserProfiles.ADImport.ProfileDispatcher.QueueItemChange(Provisioner item, UserProfileADImportMapping adMapping, Boolean isDeleted, List`1& itemIdSuccesses, Dictionary`2& itemIdFailures, Stopwatch externalTimeSpent, Int32 loopCount, ProfileTypePropertyManager propManager, Int32& countAdds, Int32& countDeletes, Int32& countUpdates) at Microsoft.Office.Server.UserProfiles.ADImport.ProfileConfiguration.QueueSearchResultEntry(ProfileConfiguration profileConfig, LdapConnection ldapConnection, String rootDn, SearchResultEntry entry, List`1& itemIdSuccesses, 
Dictionary`2& itemIdFailures, List`1& itemIdOUFiltered, Stopwatch externalTimeSpent, Int32 loopCount, Int32& countAdds, Int32& countDeletes, Int32& countUpdates) at Microsoft.Office.Server.UserProfiles.ADImport.DirSyncWrapper.ProcessChanges(ProfileConfiguration profileConfig, LdapConnection ldapConnection, UserProfileADImportMapping adMapping, String rootDn, Stopwatch externalTimeSpentInProfile, Stopwatch externalTimeSpentInDirectory, SPUserProfileADImportUsageEntry usage, Int32 loopCount, Boolean& fEventLogged, SearchRequest request, DirectoryControl pagingControl, List`1 itemsLeft)’: assuming all successes if any are failures, and stopping further dirSync requests for this batch!    17a3a49e-10a0-e088-a10e-ea3cd3720a8d

11/21/2018 14:45:58.95    OWSTIMER.EXE (0x1C40)    0x09D4    SharePoint Server    General    7202    Critical    ActiveDirectory Import: DirSync import failed: ScanDirSyncChanges: Batch-abort Exception in processing response for page ‘7’, exception ‘System.DirectoryServices.Protocols.DirectoryOperationException: An operation error occurred. at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut) at <same stack as above>

11/21/2018 14:45:58.95    OWSTIMER.EXE (0x1C40)    0x09D4    SharePoint Portal Server    User Profiles    aihvo    Unexpected     ScanDirSyncChanges: Critical failure to process entry with objectGuid=’7d1c6e4f-b819-4aef-81b7-b61e63320bc5′, DN=’CN=TestyUser5336,OU=LargeGroup,OU=Test Users,DC=joroar,DC=local’: must ForceImportItem.    17a3a49e-10a0-e088-a10e-ea3cd3720a8d

 

 

That looks bad. Why should I not be concerned?

Because it’s normal for groups with large memberships. The first attempt to import the group is unable to enumerate all of its memberships. It fails with the above error, but it also places the group in a queue for a retry. This “Retry Import” is generally able to import all group memberships successfully.

For example, here’s the sequence from my ULS log during the same run of the profile import timer job, just a bit farther down:

11/21/2018 14:46:01.22    OWSTIMER.EXE (0x1C40)    0x09D4    Document Management Server    Reporting    awggm    Medium    UserProfileADImportJob_RetrySyncFailures Start: My Scenario Start    17a3a49e-10a0-e088-a10e-ea3cd3720a8d

11/21/2018 14:46:01.45    OWSTIMER.EXE (0x1C40)    0x09D4    SharePoint Portal Server    User Profiles    aei5g    Verbose    ScanDirSyncChanges: SearchResponse Entry #1, DistinguishedName ‘<GUID=9b78f038-7735-49a6-81b7-928fca6d8542>;<SID=S-1-5-21-1700552430-3460358242-3531541990-2775>;CN=LGTopLevel,OU=LargeGroup,OU=Test Users,DC=joroar,DC=local’.    17a3a49e-10a0-e088-a10e-ea3cd3720a8d

11/21/2018 14:46:01.45    OWSTIMER.EXE (0x1C40)    0x09D4    SharePoint Portal Server    User Profiles    af9b7    Medium    RangeQuery: Retrieving attribute ‘member’ of item ‘CN=LGTopLevel,OU=LargeGroup,OU=Test Users,DC=joroar,DC=local’ using Range Query.    17a3a49e-10a0-e088-a10e-ea3cd3720a8d

11/21/2018 14:46:01.52    OWSTIMER.EXE (0x1C40)    0x09D4    SharePoint Portal Server    User Profiles    af9cb    Medium    RangeQuery: Retrieved 5502 values of attribute ‘member’ of item ‘CN=LGTopLevel,OU=LargeGroup,OU=Test Users,DC=joroar,DC=local’ using Range Query.    17a3a49e-10a0-e088-a10e-ea3cd3720a8d

11/21/2018 14:46:01.52    OWSTIMER.EXE (0x1C40)    0x09D4    SharePoint Portal Server    User Profiles    aei5l    Verbose    QueueSearchResultEntry: Finished Queuing DistinguishedName ‘<GUID=9b78f038-7735-49a6-81b7-928fca6d8542>;<SID=S-1-5-21-1700552430-3460358242-3531541990-2775>;CN=LGTopLevel,OU=LargeGroup,OU=Test Users,DC=joroar,DC=local’.    17a3a49e-10a0-e088-a10e-ea3cd3720a8d
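The fail-then-retry pattern above can be checked mechanically. The following is an added example, not code from the original post: it pairs each “RangeQuery: Retrieving” message with the Batch-abort or “Retrieved N values” message that follows it and reports, per group, whether the retry recovered. The function name, the abbreviated sample lines and the CN=OtherBigGroup entry are constructed for illustration, and it assumes an abort belongs to the most recently started range query.

```powershell
# Added example. Sample lines are constructed and abbreviated from the ULS messages
# shown above; CN=OtherBigGroup is a hypothetical group that never recovers.
$lg    = 'CN=LGTopLevel,OU=LargeGroup,OU=Test Users,DC=joroar,DC=local'
$other = 'CN=OtherBigGroup,OU=LargeGroup,OU=Test Users,DC=joroar,DC=local'
$sample = @(
    "14:45:58.84  af9b7  Medium      RangeQuery: Retrieving attribute 'member' of item '$lg' using Range Query."
    "14:45:58.94  aei44  Unexpected  ScanDirSyncChanges: Batch-abort Exception in processing response for page '7', exception '...'"
    "14:45:58.95  7202   Critical    ActiveDirectory Import: DirSync import failed: ScanDirSyncChanges: Batch-abort Exception in processing response for page '7', exception '...'"
    "14:45:59.10  af9b7  Medium      RangeQuery: Retrieving attribute 'member' of item '$other' using Range Query."
    "14:45:59.20  aei44  Unexpected  ScanDirSyncChanges: Batch-abort Exception in processing response for page '8', exception '...'"
    "14:46:01.45  af9b7  Medium      RangeQuery: Retrieving attribute 'member' of item '$lg' using Range Query."
    "14:46:01.52  af9cb  Medium      RangeQuery: Retrieved 5502 values of attribute 'member' of item '$lg' using Range Query."
)

function Get-ADImportRangeQueryStatus {
    param([string[]]$Line)

    $q     = "['\u2018\u2019]"   # straight quotes in log files, curly quotes in pasted text
    $tail  = "attribute ${q}member${q} of item ${q}(?<dn>.+?)${q} using Range Query"
    $start = "RangeQuery: Retrieving $tail"
    $done  = "RangeQuery: Retrieved (?<n>\d+) values of $tail"
    $abort = 'ScanDirSyncChanges: Batch-abort Exception'

    $groups  = [ordered]@{}
    $pending = $null             # DN of the range query that has no outcome yet
    foreach ($l in $Line) {
        $isStart = $l -match $start
        if ($isStart -or $l -match $done) {
            $dn = $Matches['dn']
            if (-not $groups.Contains($dn)) {
                $groups[$dn] = [pscustomobject]@{
                    GroupDN = $dn; Attempts = 0; Aborts = 0; Members = $null; Status = 'No result'
                }
            }
            $g = $groups[$dn]
            if ($isStart) { $g.Attempts++; $pending = $dn }
            else {
                $g.Members = [int]$Matches['n']
                $g.Status  = if ($g.Aborts) { 'Recovered on retry' } else { 'OK' }
                if ($pending -eq $dn) { $pending = $null }
            }
        }
        elseif ($pending -and $l -match $abort) {
            # The abort is logged twice (Unexpected, then Critical 7202); count it once.
            $g = $groups[$pending]
            $g.Aborts++; $g.Status = 'Unresolved'; $pending = $null
        }
    }
    $groups.Values
}

Get-ADImportRangeQueryStatus -Line $sample | Format-Table -AutoSize
```

Against a real log, pass the file contents instead of $sample, for example with Get-Content. Groups reported as “Unresolved” are the ones worth checking with the verification queries, because their memberships in the UPA may be incomplete.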

 

How can I tell if the group memberships were actually imported?

You can do this a few different ways after the import is finished.

PowerShell:

# List group memberships according to the UPA

$user = "contoso\user1" # specify the user

Add-PSSnapin *sharePoint*

# Get the User Profile Manager for the default service context
$profileManager = [Microsoft.Office.Server.UserProfiles.UserProfileManager]([Microsoft.Office.Server.ServerContext]::Default)

$up = $profileManager.GetUserProfile($user)

Write-Host "Account: " $up.AccountName

Write-Host "Name: " $up.DisplayName

Write-Host "Groups:"

# Memberships stored in the profile, including imported AD group memberships
$groups = $up.Memberships.GetItems()

$groups | select id, title, group | sort title | ft -AutoSize

 

 

 

SQL (run against the Profile database):

-- Return group members (all members of a specific group) - SharePoint 2016 query

select mg.displayname as GroupName, mg.Id as GroupID, mg.SourceReference as GroupDN, upf.ntname as UserName, upf.PreferredName, upf.RecordID as UserID from upa.userprofile_full upf (nolock)

join upa.usermemberships um (nolock) on upf.recordid = um.recordid

join upa.membergroup mg (nolock) on um.membergroupid = mg.id

where mg.displayname like '%ADGroup1%'

order by mg.displayname, upf.ntname

 

-- Return user memberships (all groups a certain user belongs to) - SharePoint 2016 query

select upf.ntname as UserName, upf.PreferredName, upf.RecordID as UserID, mg.displayname as GroupName, mg.Id as GroupID, mg.SourceReference as GroupDN from upa.userprofile_full upf (nolock)

join upa.usermemberships um (nolock) on upf.recordid = um.recordid

join upa.membergroup mg (nolock) on um.membergroupid = mg.id

where upf.ntname like '%testyuser1%'

order by upf.ntname, mg.displayname

 

For example, here’s the output of the above SQL query, run for my user “testuser1”, who is a member of the “LGTopLevel” group that we saw throw the “Batch-abort Exception” error on the initial import, but then succeed on the “Retry Import”. As you can see, it shows the user as a member of “LGTopLevel”.