
Unable to sync changes made in IM to AD

Hello,

We are facing a weird issue whose scenario is the following: we have successfully synchronized both the HR database and Active Directory, we have both Persons and ADSAccounts in our Manager UI and we are now trying to make some modifications in 1IM that we would like to propagate into the Active Directory target system.

We took a test user in the Manager (the ADSAccount object) and we have manually assigned some AD groups to that user but, when we execute the synchronization workflow (from 1IM to AD), the modifications made in the Manager are ignored and the account on AD doesn't get the new groups. The same behavior happens if we try to remove a user from a group in the Manager: after the workflow execution, no groups are removed from the user.

A different thing happens when we make modifications to the account on the Active Directory side: if we remove or add a group to a user and we execute the workflow, the removed group is added again to the user while the added group is removed, and so the user is reverted back to their original state. This second behavior is perfectly fine with me since I want IM as the master of the operations, but I believe that there is something wrong with my sync project.

After the execution of the sync workflow (which is using the default steps and mappings for users and groups) I have the following messages in the execution log:

Information The object (Group_A) of type (ADSGroup) was ignored during synchonization.
Reason: The object has pending M:N provisioning tasks.
Information The object (Group_B) of type (ADSGroup) was ignored during synchonization.
Reason: The object has pending M:N provisioning tasks.

Furthermore, there are 2 items in the DPRMemberShipActions that refer to the previous objects of type group:

Add member <Key><T>ADSAccountInADSGroup</T><P>1cec0769-dc41-4685-ade9-a7303e460c3d</P><P>bbf22027-cb22-4138-81fd-2ffa4793b219</P></Key>
Remove member <Key><T>ADSAccountInADSGroup</T><P>1cec0769-dc41-4685-ade9-a7303e460c3d</P><P>a0ef7c75-de33-406e-b2ff-4029fa7481bb</P></Key>

I verified the UIDs on the IM database and they are exactly my test objects.

Can anyone give me a clue?

Thanks in advance,
Andrea

  • What version of the software are you running? Also, can you confirm that for the ADSAccount within Manager the intended user has the check box set for "Groups can be inherited"?
    This is on the ADSAccount overview page, on the General tab.
  • The changes made in One IM are synced using AdHoc-Provisioning into AD. There is no need to start a fullsync workflow. I would check your jobqueue and your dbqueue.

  • We are using version 7.1.
    I checked the option that you've mentioned and it was not flagged: I ticked the option for a test user, then added a group, but nothing happens.
  • @Markus I spoke to a colleague some days ago and he said the same thing: those operations should be done automatically, without the need to start a workflow. Perhaps we are running into a bug or something, because even technical support has no clue.

    When I click on the Save button in the Manager, right after the group adding/removing, the job queue gets populated by a couple of items (see screenshot: www.dropbox.com/.../ScreenShot098.png) while the DBQueue is empty, and still nothing changes on the AD side.
  • Are the jobs being processed? You should see more processes after the first two have been executed. If not, check the logs from the Job server executing the jobs and/or check the Job history to find out what's wrong.

    Another thought, in your Sync Project check if the Target System connection is configured to be read only and check if you do have the provisioning sync workflows configured in your project.
  • After the two jobs' execution, nothing appears in the job queue and the logfiles don't show any error, just a single warning: www.dropbox.com/.../im.log
    Our project is configured read-write and I do have the sync workflows in my project.
  • As Markus already pointed out, there are follow-up processes that should be triggered once "handle object update for object Type ADSGroup" was successfully executed. I'd proceed with the troubleshooting as follows:

    Skip to 2, already done by you while I was typing my reply :)
    1. Is the job "handle object update for object Type ADSGroup" executed successfully? (Please check the jobservice log also, not every job enters the "FROZEN" state if there was an error)
    Job not successful -> Review error message
    Job successful? -> 2.
    2. The next process that should be generated as a result of 1. is ADS_ADSGroup_Update. If this job is not generated check the following things:

    a) Was the database field XDateSubItem of the ADSGroup record updated? (You can check this in ObjectBrowser)
    b) Open the Designer, go to "Process Orchestration" -> "Provisioning process operations" and check if you can find an entry in the list having:
    - "Table" set to ADSGroup
    - "Name" set to "Update"
    - "System Connection" set to "Active Directory Service (Root-DN <DN of your domain>)"
    c) Open the Objectbrowser, navigate to ADSDomain, pick the domain of the group from the list, and check if the field "NamespaceManagedBy" has the value "One Identity Manager" (display) or "VISYNC" (actual value)
    d) Open the Objectbrowser, navigate to DPRRootObjectConnectionInfo and check if a record exists that:
    - ... has ObjectKeyRoot set to the value of XObjectKey of your AD Domain (you should see the display of your domain in the grid)
    - ... has UID_DPRSystemConnection set to the UID of your AD connection (you should see the same display as in step b) in the grid)

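For anyone repeating steps 2a, 2c and 2d outside the Object Browser, here are the same checks as T-SQL against the One Identity Manager database. This is an added example, not part of the thread; the columns cn, Ident_Domain and XDateUpdated are assumptions beyond the field names given in the steps above.

```sql
-- Added example (not from the thread): T-SQL versions of troubleshooting steps
-- 2a, 2c and 2d. Column names not mentioned in the steps (cn, Ident_Domain,
-- XDateUpdated) are assumptions about the standard schema.

-- 2a: XDateSubItem on the group is what should move when a membership changes;
-- compare it with XDateUpdated for the groups you modified.
SELECT g.cn, g.XDateSubItem, g.XDateUpdated
FROM   ADSGroup AS g
WHERE  g.cn IN ('Group_A', 'Group_B');

-- 2c: the domain must be marked as managed by synchronization
-- (display "One Identity Manager", stored value 'VISYNC').
SELECT d.Ident_Domain, d.NamespaceManagedBy, d.XObjectKey
FROM   ADSDomain AS d;

-- 2d: every domain needs a DPRRootObjectConnectionInfo row whose ObjectKeyRoot
-- equals the domain's XObjectKey and that points at the AD system connection.
-- A domain that comes back as MISSING will never get ADS_ADSGroup_Update generated.
SELECT d.Ident_Domain,
       i.UID_DPRSystemConnection,
       CASE WHEN i.ObjectKeyRoot IS NULL THEN 'MISSING' ELSE 'ok' END AS RootObjectLink
FROM   ADSDomain AS d
LEFT JOIN DPRRootObjectConnectionInfo AS i
       ON i.ObjectKeyRoot = d.XObjectKey;
```
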
  • 2a: I verified that the field gets updated, but just for some AD groups; not every group that I've modified gets this timestamp updated.
    2b: nothing in there, the page is empty
    2c: I have NamespaceManagedBy = One Identity Manager, Value = VISYNC and under MetaData-->Display I have the value "Synchronized by"
    2d: the first answer is yes, the second answer is I don't know because I don't have any entry in the page for step 2b
  • Then 2b is the issue. If those objects are not present, no processes will be generated at all. They are created by the synchronization project template for Active Directory during the Synchronization project wizard. So my question is, how was the synchronization project created? Any chance that you've transported it from a (development) instance?

    The following screenshot shows such a record.


    For test purposes, you can create such a record manually (as shown on the screenshot), but without knowing how this project was created it is hard to give further advice on how to fix those missing records.

    ... If the project was transported from a development instance, you could also transport DPRObjectOperation from there...

    ... If you have not made modifications yet, maybe it is easier to re-create the synchronization project using the wizard in the Synchronization Editor.

    ... Another option is creating all those records yourself, but those are quite a few. (Insert/Update/Delete for ADSDomain, ADSAccount, ADSContainer, ADSGroup, ADSMachine, ADSContact, ADSPrinter and ADSPolicy)

  • I believe I know what is happening here. There is no provisioning job within the Synchronization Editor; this explains why the ADSGroup_Update jobs never generate. Was this a read-only connection at one time and then changed to read/write? If I remove my provisioning job from within the Synchronization Editor and then go into Designer and look at "Process Orchestration" -> "Provisioning process operations", this would be empty if I have no read/write sync project set up within the Synchronization Editor. Can you please open the Synchronization Editor and load the Active Directory sync project? Once opened, please click on Workflows and let me know if you see a provisioning job listed; if not, this is the reason why it is not working.