AD Import fails: Error writing resource NSE for rule: {XXXX.EN_US}. Hexadecimal value 0x1E, is an invalid character.
search cancel

AD Import fails: Error writing resource NSE for rule: {XXXX.EN_US}. Hexadecimal value 0x1E, is an invalid character.

book

Article ID: 176189

calendar_today

Updated On:

Products

IT Management Suite

Issue/Introduction

Importing computers from AD suddenly began failing to import the resources.  The NSE generated during AD Import is empty.  The only evidence in the failure is two errors in the NS logs containing something similar to the following (excerpt):

Entry 1:

Error writing resource NSE for rule: {DC68B3AB-F188-46EE-8430-7343732424DA}

' ', hexadecimal value 0x1E, is an invalid character.
   [System.ArgumentException @ System.Xml]
   at System.Xml.XmlEncodedRawTextWriter.InvalidXmlChar(Int32 ch, Char* pDst, Boolean entitize)
   at System.Xml.XmlEncodedRawTextWriter.WriteAttributeTextBlock(Char* pSrc, Char* pSrcEnd)
   at System.Xml.XmlEncodedRawTextWriter.WriteString(String text)
   at System.Xml.XmlWellFormedWriter.WriteString(String text)
   at System.Xml.XmlWriter.WriteAttributeString(String localName, String value)
   at Altiris.DirectoryServices.DirectoryImport.DirectoryDataProcessor.WriteUserGroupInventoryData(ResourceRef reRef, DirectoryElement dirElement, NSMessageGenerator gen)
   at Altiris.DirectoryServices.DirectoryImport.DirectoryDataProcessor.GenerateStep(NSMessageGenerator gen, DirectoryElementCollection col)
   at Altiris.DirectoryServices.DirectoryImport.DirectoryDataProcessor.Generate(DirectoryElementCollection source)

Entry 2:

ImportDistributionGroups failed: Unable to load the specified item: 0cf4de32-eafd-e4e0-bbd4-d1e59869f653

Unable to load the specified item: 0cf4de32-eafd-e4e0-bbd4-d1e59869f653
   [Altiris.NS.Exceptions.AeXException @ Altiris.NS]
   at Altiris.NS.ItemManagement.Item.Load(Guid itemGuid)
   at Altiris.NS.ItemManagement.Item.GetItemInternal(Guid itemGuid, IEnumerable`1 accessPermissions, ItemLoadFlags itemLoadFlags, Boolean& cacheHit)
   at Altiris.NS.ItemManagement.Item.GetItemInternal(Guid itemGuid, IEnumerable`1 accessPermissions, ItemLoadFlags itemLoadFlags)
   at Altiris.NS.ItemManagement.Item.GetItem[T](Guid itemGuid, IEnumerable`1 accessPermissions, ItemLoadFlags itemLoadFlags, Boolean vigorous)
   at Altiris.NS.ItemManagement.Item.GetItem[T](Guid itemGuid, IEnumerable`1 accessPermissions, ItemLoadFlags itemLoadFlags)
   at Altiris.DirectoryServices.DirectoryImport.DirectoryItemImporter.PeekReadableLoadWriteable[T](Guid guid, Boolean forceWriteable)
   at Altiris.DirectoryServices.DirectoryImport.DirectoryItemImporter.CreateCollection(String strName, ArrayList nameArgs, Boolean bLocalizeName, String strDescription, ArrayList descriptionArgs, Boolean bLocalizeDesc, Guid type, String key, String path, Boolean& exist, Boolean& changed)
   at Altiris.DirectoryServices.DirectoryImport.DirectoryItemImporter.CreateDistributionCollections(Groups2Collections col, GcEntry e)
   at Altiris.DirectoryServices.DirectoryImport.DirectoryItemImporter.CreateDistributionCollections(OperationProgressIterator op, Groups2Collections col)

'_', hexadecimal value 0x1E, is an invalid character. Line 9, position 183.

Environment

ITMS 8.x

Cause

There was an invalid/unexpected character in the name of one of the security groups the computers being imported were members of.

The following steps outlines how the problem was isolated:

  1. In the SMP Log Viewer program go to "Options > Extended Verbosities"
  2. Move the slidebar below "Active Directory" to "Ultra" (the maximum setting)
  3. Open CoreSettings.config with a text editor (under C:\Program data\Symantec\SMP\Settings)
  4. Search for "ADSaveDiscoveryResults" and change the its value from "0" to "3". Save change.
  5. Run the Computer AD Import rule that was previously failing and let it finish.
  6. Search the SMP logs for the error previously being thrown (make sure that "Trace, Verbose, and Debug) are all enabled.
  7. When you find the error "Error writing resource NSE for rule: {XXXXXXXXXXXXXXXX.EN_US}", you should see a trace element below the first error which should contain the last computer that was being worked on before the failure.

Writing resource xml: CN=NXXX18XX,OU=Laptops, OU=Windows10,OU=Clients,DC=Support,DC=Example,DC=Com,
 type=493435f7-3b17-4c4c-b07f-c23e7ab7781f,
 fqdn=
NXXX18XX.Support.Example.Com,
 nameDomain=NXXX18XX.Support,
 ref=E5BAFB73AE53C535056982ABA0B607EE

Next Phase:

  1. Go to C:\PrograData\Symantec\SMP\ and find "DirectoryServices"
  2. Search for the file "Tree.xmI" and open it in a text editor.
  3. Search for the name of the computer identified in step #7 above.  You should find it in a section listing the computer and all of the groups it is a member of.  Look for something that appears to be an invalid or non standard character in the computer's name or one of the groups it is a member of. In this example it was a specific group

  <m c="User, Computer" u="122487290" i="5063" r="515" dn="CN=NX9818XX,OU=Laptops,OU=Windows10,OU=Clients,DC=Support,DC=Example,DC=Com">
    <p c="Group" u="121334829" dn="CN=RAD_ALTIRIS_ALL_MACHINES_MIGRATION,OU=Radia,OU=Draper,OU=Integrated Applications,DC=Support,DC=Example,DC=Com" />
    <pr dn="CN=ALT_Adobe_Acrobat_Pro_11,OU=Altiris,OU=Example,OU=Integrated Applications,DC=Support,DC=Example,DC=Com" />
    <pr dn="CN=ALT_Cherwell_Service_Mgmt_Client_9_3_1,OU=Altiris,OU=Example,OU=Integrated Applications,DC=Support,DC=Example,DC=Com" />
    <pr dn="CN=ALT_Cisco_Jabber_11_6_0_35037,OU=Altiris,OU=Example,OU=Integrated Applications,DC=Support,DC=Example,DC=Com" />
    <pr dn="
CN=ALT_NetSkope_Client_66.0.0.327&#x1E;,OU=Altiris,OU=Example,OU=Integrated Applications,DC=Support,DC=Example,DC=Com" />
    <pr dn="CN=ALT_Office_2013_Standard,OU=Altiris,OU=Example,OU=Integrated Applications,DC=Support,DC=Example,DC=Com" />
    <pr dn="CN=ALT_Project_2013_STD,OU=Altiris,OU=Example,OU=Integrated Applications,DC=Support,DC=Example,DC=Com" />
    <pr dn="CN=CG_DENY_BITLOCKER,OU=Managed Groups,OU=Groups,DC=Support,DC=Example,DC=Com" />
    <pr dn="CN=CG_UnifiedAccess,OU=Managed Groups,OU=Groups,DC=Support,DC=Example,DC=Com" />
  </m>

There is/was a hidden character in the name of the group that was visible only as a space as seen above in red.

Note: Don't forget to revert back the changes done to "ADSaveDiscoveryResults" and the verbosity on the NS logs.

Resolution

Rename the group so that it contains standard and visible characters.

Run again the Computer AD Import Rule to verify that the problem has been resolved.