Synchronization with Active Directory.
Recently, the connection between IDM and Active Directory disappeared.
IDM does not see any changes that have occurred in Active Directory.
For example, an IT specialist creates a new group or a mail database, but these groups are not displayed on the application server. This is very critical, because mail databases are synchronized (old ones are deleted, new ones appear).
Accordingly, IDM does not see the new ones, while the old ones have already been deleted, which causes errors in creating accounts with mailboxes.
What could be the problem?

One Identity Manager 8.1 01-21-396

  Hi

    This might be the wrong forum for an Identity Manager question; however, are you syncing from Identity Manager to Active Directory, or Active Roles?

    A couple of questions:

    1. When you say the connection between IDM and AD has disappeared, do you mean that the Synchronization Project within Synchronization Editor is no longer present? Or just that changes made in AD are no longer being synchronized into IDM?
    2. If the synchronization project is still present, could you:
      1. check the logs, and confirm when the last synchronization was run (and also the last successful synchronization)? And the number of Inserts/Updates/Deletes made
      2. check the start-up configuration:
        1. Confirm if any are present, and if so, whether any of them are set to run on a schedule?
          1. If so, can you confirm whether the schedule is enabled or not?
        2. Check which workflow the start-up configuration is using
          1. then check within the Workflows tab, for the same workflow listed in the start-up configuration, the group step: what processing rules are present, i.e. is it set to insert in IDM if present in AD but not in IDM, update if changed in AD and already present in IDM, etc.
      3. Within the Target System tab, could you confirm if any scopes are defined which might exclude the objects you mention are missing?
      4. Also within the Target System tab, are you able to browse to the group object you mention?
    3. If you create a new group or user within Identity Manager, does this get provisioned to AD?

    There are a number of different things which may cause something created in AD to not appear in IDM, but usually these are caused by things like:

    • A change made to IDM configuration (disabling schedules, for example)
    • Retiring a domain controller which the sync project is pointing to, or a change to firewall rules
    • Changing the service account password which Identity Manager uses to connect to AD
    • It could also relate to revision history

    It would be useful to have the answers to the above questions, and to know if any errors are being generated for any of the steps above.

    Also have you raised an SR at all?

    Kind regards


  • This means that the changes made in AD are no longer synchronized in IDM.
    How do I understand which account is used to synchronize with AD? (Services, tasks that run under it?)
    Passwords were recently changed on the server.

    • Do you mean Sync Editor?
      All parameters are there:
      Active Directory Connector
      Microsoft Exch Connector 2016
      AD domain
      Microsoft Ex 2016
      We checked the connection parameters with colleagues from IT, all the parameters are correct; I checked the connection tests, everything is fine, the connection is more expensive.
  • Where can I see the logs?
    In the Synchronization Editor? Logs?
    Or Job Queue Info? If here, then there are no errors.

  • IDM-AD synchronization works correctly, because every day users appear and they are assigned base groups. Every day users are dismissed; accordingly, the account is blocked and removed from groups, and all this is synchronized with AD.
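As an added example, not from anyone in this thread, here is one way on the Identity Manager server to answer the question of which Windows account the synchronization runs under, and to check whether that account can still bind to the domain controller after the recent password change. It assumes the Identity Manager job service display name contains "Identity Manager" (a filter pattern, not a confirmed service name), uses a placeholder domain controller hostname and a placeholder service account name, and relies only on standard Windows PowerShell cmdlets and .NET classes.

```powershell
# Added example: identify the accounts that Identity Manager services and
# scheduled tasks run under, then test an LDAP bind and look for failed logons.
# Assumptions (placeholders): service display name matches '*Identity Manager*',
# DC hostname and service account name are placeholders to replace.

$DomainController = 'dc01.example.local'     # placeholder: the DC the sync project points to
$ServiceAccount   = 'EXAMPLE\svc_idm_sync'   # placeholder: the account used to connect to AD

# 1. Windows services and the account they log on as (StartName)
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -like '*Identity Manager*' -or $_.DisplayName -like '*Job Service*' } |
    Select-Object Name, DisplayName, State, StartName |
    Format-Table -AutoSize

# 2. Enabled scheduled tasks and the principal they run under
Get-ScheduledTask |
    Where-Object { $_.State -ne 'Disabled' } |
    Select-Object TaskName, TaskPath, State,
        @{ Name = 'RunAs'; Expression = { $_.Principal.UserId } } |
    Format-Table -AutoSize

# 3. LDAP bind to the DC as the account this shell runs under.
#    Start the shell as the service account (or a runas session) to test its credentials.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, 389)
$ldap = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
$ldap.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
try {
    $ldap.Bind()
    Write-Output "LDAP bind to $DomainController succeeded"
} catch {
    Write-Output "LDAP bind to $DomainController failed: $($_.Exception.Message)"
} finally {
    $ldap.Dispose()
}

# 4. Failed logons (event 4625) for the service account in the last 24 hours.
#    After a password change, a service or task still holding the old password
#    shows up here as repeated failures, which is also a lockout risk.
$accountName = $ServiceAccount.Split('\')[-1]
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($accountName) } |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the server hosting the job service; step 4 needs read access to the Security log. If the bind in step 3 succeeds under your own account but fails when the shell is started as the service account, the stored credential in the sync project or service logon is the first thing to update.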