
AD sync project in DEV is not creating any objects at all - but works in UAT

Hi,

Strange one here - we have two environments sharing the same SQL instance on the same server. There are different job servers for AD in dev and test, but the configurations are mirrored and only the queue names and servers are different. Both environments point to the same AD.

In UAT, we can sync AD and other systems fine, aside from some errors where the UPN is empty for users. But in DEV, although we can see no additional errors or warnings in any of the logs compared to UAT, and the sync project verifies and simulates successfully, no objects get created in the DEV database. At all.

To create the job services manually I used this:

sc CREATE "One Identity Manager Job Service (DEV)" type= own displayName= "One Identity Manager v7.1.2 Job Service (DEV)" binPath= "C:\Job Service\DEV\viNetworkService.exe"

sc CREATE "One Identity Manager Job Service (UAT)" type= own displayName= "One Identity Manager v7.1.2 Job Service (UAT)" binPath= "C:\Job Service\DEV\viNetworkService.exe"

 

To set description:

sc description "One Identity Manager Job Service (DEV)" "One Identity Manager v7.1.2 Job Service for SQL Server (DEV)"

sc description "One Identity Manager Job Service (UAT)" "One Identity Manager v7.1.2 Job Service for SQL Server (UAT)"

Then I verified the credentials to our service account.

In Designer, I have checked the queue names for the database job servers match those of the servers, and there are no cross-contaminations - DEV points to a queue \SQL2012_DEV and UAT points to a queue \SQL2012_UAT. I've confirmed this in the jobservice.cfg. I've even checked the ports are different (1880 for DEV, 1881 for UAT) so we're not confusing them either.

 

The AD sync project, and the Manager properties, are set up the same in DEV as in TEST (I created a PROJSHELL export). They have different descriptions in the UI just to avoid any confusion.

 

When I try to save the AD project I get the warning "Some start up configurations cannot be automatically assigned to the associated base object. Select the associated base object for each startup configuration in the list below." This doesn't happen in UAT. But that's the only technical difference I can see. We are even using the same service account.

 

Any ideas what else might be tripping it?

 

Thanks in advance
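When several job service instances are registered on one server, the stored image path and logon account of each can be listed and compared. The following is an added example, not part of the original post: it assumes the service name prefix used in the sc commands above, and Get-ExePath is a helper written for this example.

```powershell
# Added example (not from the original post). Lists the job services on this
# host and reports two things worth checking when several instances share a
# server: services that point at the same executable, and image paths that
# contain spaces but are stored without surrounding quotes.
# Assumption: the name prefix below is taken from the sc commands in the post.
$prefix = 'One Identity Manager Job Service'

function Get-ExePath {
    param([string]$PathName)
    # Quoted path: everything between the first pair of quotes.
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted: take everything up to and including the first ".exe".
    if ($PathName -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return $PathName.Trim()
}

$services = Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE '$prefix%'" |
    ForEach-Object {
        $exe = Get-ExePath $_.PathName
        [pscustomobject]@{
            Name     = $_.Name
            State    = $_.State
            Account  = $_.StartName
            Exe      = $exe
            # True when the stored path has spaces and no leading quote.
            Unquoted = ($_.PathName -notmatch '^\s*"') -and ($exe -match '\s')
        }
    }

$services | Format-Table -AutoSize -Wrap

# Instances that resolve to the same executable (compared case-insensitively).
$services | Group-Object { $_.Exe.ToLowerInvariant() } |
    Where-Object Count -gt 1 |
    ForEach-Object {
        Write-Warning ("Shared executable {0}: {1}" -f $_.Name, (($_.Group.Name) -join '; '))
    }

# Paths with spaces stored without quotes.
$services | Where-Object Unquoted |
    ForEach-Object {
        Write-Warning ("Unquoted path with spaces: {0} -> {1}" -f $_.Name, $_.Exe)
    }
```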

  • OK, it's looking mostly okay now - users and groups (and group memberships) are syncing in both directions.

    I was still having issues with OUs and containers not appearing but I now think this is because I am using an object filter on the scopes to pick up objects only from the right OU and any nested containers within it.

    I tried everything from filtering by DN to filtering by parent container to get Target System Browser to see the objects, e.g.

    (msDS_parentdistname='OU=Test Users,DC=company,DC=com' or msDS_parentdistname='OU=One Identity (DEV),OU=Test Users,DC=company,DC=com' or distinguishedName like '%One Identity (DEV)%')

    No permutation I tried was able to find a test container with these properties:

    objectCategory = CN=Container,CN=Schema,CN=Configuration,DC=company,DC=com
    cn = Test Container 1
    description = empty test container
    distinguishedName = CN=Test Container 1,OU=One Identity (DEV),OU=Test Users,DC=company,DC=com
    displayName = TestContainer1DisplayName

    I did have the same issue with organizationalUnit, but I was able to get an OU called One Identity (DEV) to appear after I populated its CN field manually (it was blank when I checked in ADUC).

    Even though I couldn't see the containers in Target System browser, when checked in the simulator I could see those objects:

     Processed objects
     Schema type               Method                   Count
     ADSContainer              Insert                   3
     ADSGroup                  Insert                   1
     
     Executed methods on system objects
     Schema type   System object                                      Method
     ADSContainer  Test Container 1                                   Insert
     ADSContainer  Test Container 2                                   Insert
     ADSContainer  One Identity (DEV)                                 Insert
     ADSGroup      Test Group 1                                       Insert

    After running sync, Manager showed the containers - just not in the right place in the treeview:

     

    The containers are also presented in the wrong place in the treeview if, for example, I try to change the container of a test user:

    I need to do some more testing, but I think it's nearly there.

    Thanks
