Active Directory Synchronization job fails or partially fails in Project Server 2013.
==================================
Detail/background of the intermittent issue
AD Sync process sometimes shows an error message and the process partially fails if it finds any inactive or disabled users in the AD group(s) that are synchronized. It is an issue with both the enterprise resource pool (ERP) and group sync processes. This behavior can be applicable to Windows Server 2003, Windows Server 2008 and/or to Windows Server 2012.
It has been observed that many organizations prefer to delete a User Account 30 days after user leaves the organization.
==================================
Symptom
Active Directory Synchronization job partially fails or fails with below error in the queue.
Datasets:
- SecurityGroupsDataSet
- Table GroupMembers
- Row: RES_UID='e1f3afde-562c-e011-873d-005056ba326c' WSEC_GRP_UID='13da50ff-dcd1-455a-844a-4df08af90808'
- Error SecurityInvalidUserUidRef (19083) - column
- Row: RES_UID='e1f3afde-562c-e011-873d-005056ba326c' WSEC_GRP_UID='13da50ff-dcd1-455a-844a-4df08af90808'
- Error SecurityInvalidUserUidRef (19083) - column
General
- Queue:
GeneralQueueJobFailed (26000) - AdSyncGroup.AdSyncGroupMessage. Details: id='26000' name='GeneralQueueJobFailed' uid='af755003-572c-e301-873d-005056ba326c' JobUID='15559ecc-562c-e311-873d-005056ba326c' ComputerName='3da96d54-0dff-4a28-ab25-e00008b01dcec' GroupType='AdSyncGroup' MessageType='AdSyncGroupMessage' MessageId='1' Stage='' CorrelationUID='e81a498c-3767-700c-1dce-cdb91ab94b7e'. For more details, check the ULS logs on machine 3da96d54-0dff-4a28-ab25-e00008b01dcec for entries with JobUID 15569ecc-562c-e300-873d-005056ba326c.
==================================
Resolution (may not be a preferred option)
- Enable Verbose Logging for Project Server (AD Sync) .
- Analyze ULS logs and search for the keywords "could not be updated during Resource Synchronization because the supplied Windows account name"
- The result set should include Windows Log On name(s).
- Remove the Log On name(s) found in the ULS logs from the AD Group in question.
- Perform AD Synch after removing Log On name(s) from the AD Group.
============================
Workaround (best option to use)
Workaround is to create the new Security Groups in AD by referencing the existing ones, with no inactive/disable users.
How does this work?
- For example, you have three AD groups: Project Managers, Resource Managers, and Team Members, which have inactive resources. We will call these groups source groups for this example. Create three new AD groups with an underscore such as Project_Managers, Resource_Managers and Team_Members. We will call these groups destination groups.
- Run the "Maintain AD group for Project Server sync with only active user accounts" script from the TechNet Gallery here before the AD sync jobs run: https://gallery.technet.microsoft.com/projectserver/Maintain-AD-group-for-c92e3087
- In the second step, the script will copy all the users minus inactive/disable users, from the source groups and will paste them into the destination groups.
- Configure AD Sync to communicate with the destination groups.
<Update 06/05/2015>
This issue (behavior) has been addressed in April 2015 patch. You can find more information here https://support.microsoft.com/en-us/kb/2965278