• Locked Locked
  • Replies 16 replies
  • Subscribers 97 subscribers
  • Views 15133 views
  • Users 0 members are here
Options
Related
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Unable to sync changes made in IM to AD

Andrea
over 7 years ago

Hello,

We are facing a weird issue whose scenario is the following: we have successfully synchronized both HR database and Active Directory, we have both Persons and ADSAccounts in our Manager UI and we are now trying to made some modifications in 1IM that we would like to propagate into the Active Directory target system.

We took a test user in the Manager (the ADSAccount object) and we have manually assigned some AD groups to that user but, when we execute the synchronization workflow (from 1IM to AD), the modifications made in the Manager are ignored and the account on AD doesn’t get the new groups. The same behavior happens if we try to remove a user from a group in the Manager: after the workflow execution, no groups is removed from the user.

A different thing happens when we make modifications to the account on Active Directory side: if we remove or add a group to a user and we execute the workflow, the removed group is added again to the user while the added group is removed and so the user is reverted back to their original state. This second behavior is perfectly fine to me since I want IM as the master of the operations but I believe that there is something wrong with my sync project.

After the execution of the sync workflow (that it's using the defaults steps and mappings for users and group) i have the following messages in the execution log:

Information The object (Group_A) of type (ADSGroup) was ignored during synchonization.
Reason: The object has pending M:N provisioning tasks.
Information The object (Group_B) of type (ADSGroup) was ignored during synchonization.
Reason: The object has pending M:N provisioning tasks.

Furthermore there are 2 items in the DPRMemberShipActions that refers to the previous object of type groups:

Add member <Key><T>ADSAccountInADSGroup</T><P>1cec0769-dc41-4685-ade9-a7303e460c3d</P><P>bbf22027-cb22-4138-81fd-2ffa4793b219</P></Key>
Remove member <Key><T>ADSAccountInADSGroup</T><P>1cec0769-dc41-4685-ade9-a7303e460c3d</P><P>a0ef7c75-de33-406e-b2ff-4029fa7481bb</P></Key>

I verified the UID on the IM database and they are exactly my test objects.

Can anyone give some clue?

Thanks in advance,
Andrea

Parents
  • over 7 years ago

    As Markus already pointed out there are follow-up processes that should be triggered once "handle object update for object Type ADSGroup" was sucessfully executed. I'd proceed with the troubleshooting as follows:

    Skip to 2, already done by you while i was typing my reply:)
    1. Is the job "handle object update for object Type ADSGroup" executed sucessfully? (Please check the jobservice log also, not every job enters the "FROZEN" state if there was an error)
    Job not successful -> Review error message
    Job successful? -> 2.


    2. The next process that should be generated as a result of 1. is ADS_ADSGroup_Update. If this job is not generated check the following things:

    a) Was the database field XDateSubItem of the ADSGroup record updated? (You can check this in ObjectBrowser)
    b) Open the Designer, go to "Process Orchestration" -> "Provisioning process operatins" and check, if you can find an entry in the list having:
    - "Table" set to ADSGroup
    - "Name" set to "Update"
    - "System Connection" set to "Active Directory Service (Root-DN <DN of your domain)"
    c) Open the Objectbrowser, navigate to ADSDomain, pick the domain of the group from the list, and check if the field "NamespaceManagedBy" has the value "One Identity Manager" (display) or "VISYNC" (actual value)
    d) Open the Objectbrowser, navigate to DPRRootObjectConnectionInfo and check if a record exists that:
    - ... has ObjectKeyRoot set to the value of XObjectKey of your AD Domain (you should see the display of your domain in the grid)
    - ... has UID_DPRSystemConnection set to the UID of your AD connection (you should see the same dispay as in step b) in the grid)

Reply
  • over 7 years ago

    As Markus already pointed out there are follow-up processes that should be triggered once "handle object update for object Type ADSGroup" was sucessfully executed. I'd proceed with the troubleshooting as follows:

    Skip to 2, already done by you while i was typing my reply:)
    1. Is the job "handle object update for object Type ADSGroup" executed sucessfully? (Please check the jobservice log also, not every job enters the "FROZEN" state if there was an error)
    Job not successful -> Review error message
    Job successful? -> 2.


    2. The next process that should be generated as a result of 1. is ADS_ADSGroup_Update. If this job is not generated check the following things:

    a) Was the database field XDateSubItem of the ADSGroup record updated? (You can check this in ObjectBrowser)
    b) Open the Designer, go to "Process Orchestration" -> "Provisioning process operatins" and check, if you can find an entry in the list having:
    - "Table" set to ADSGroup
    - "Name" set to "Update"
    - "System Connection" set to "Active Directory Service (Root-DN <DN of your domain)"
    c) Open the Objectbrowser, navigate to ADSDomain, pick the domain of the group from the list, and check if the field "NamespaceManagedBy" has the value "One Identity Manager" (display) or "VISYNC" (actual value)
    d) Open the Objectbrowser, navigate to DPRRootObjectConnectionInfo and check if a record exists that:
    - ... has ObjectKeyRoot set to the value of XObjectKey of your AD Domain (you should see the display of your domain in the grid)
    - ... has UID_DPRSystemConnection set to the UID of your AD connection (you should see the same dispay as in step b) in the grid)

Children
No Data