Removing cross-domain AD memberships

We are observing a strange behavior with the AD provisioning in 7.1.3, that might be a basic configuration issue.

We have different AD domains configured via variable sets in the same sync project.
We can add users and computers to AD groups of different realms, however, we can not remove them.

From the IM point of view, the memberships have been removed just fine. The provisioning logs state that the action for the AD group has been successful for Update vrtMembersSID with a minus (-) and the SID of the object to be removed, as expected. The problem is that the membership in question still remains in AD, although it was "successfully" deprovisioned.

I understand there are some implications when dealing with cross-domain memberships, that need to be taken into account. I assumed that the AD connector handles these things. Did we miss something? It is particularly strange that we can ADD but not REMOVE such memberships. Is there a way to enable more detailed provisioning logs?
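A diagnostic for the situation described above, added here as an example and not taken from the thread or from the One Identity Manager product: it resolves the member's SID forest-wide through a global catalog, then reads the group's `member` attribute from a DC of the group's own domain (the only writable copy) and from the GC, so you can see whether the removal actually reached the directory or the GC view is merely stale. Group DN, SID, DC and GC names are placeholders.

```powershell
# Added example; not part of the original post. All names below are placeholders.
param(
    [string]$GroupDn       = 'CN=App-Admins,OU=Groups,DC=a,DC=corp,DC=example', # group in domain A
    [string]$MemberSid     = 'S-1-5-21-1111111111-2222222222-3333333333-1105', # constructed SID from domain B
    [string]$GroupDomainDc = 'dc01.a.corp.example',   # a DC in the domain that owns the group
    [string]$GlobalCatalog = 'gc01.corp.example:3268' # any GC in the forest (port 3268)
)
Import-Module ActiveDirectory

# 1. Resolve the SID forest-wide via the GC; the member object lives in another domain,
#    so a plain domain-scoped lookup against the group's domain would not find it.
$member = Get-ADObject -Server $GlobalCatalog -SearchBase '' `
    -LDAPFilter "(objectSid=$MemberSid)" -Properties distinguishedName, objectClass
if (-not $member) { throw "SID $MemberSid was not found in the forest" }

# 2. Read the membership from a DC of the group's domain. The 'member' attribute is
#    stored on the group object, so this is the replica a removal must be written to.
$group = Get-ADGroup -Server $GroupDomainDc -Identity $GroupDn -Properties member
$presentOnDc = $group.member -contains $member.DistinguishedName

# 3. Compare with the GC view. The GC is a read-only partial replica and can lag behind,
#    which makes a removal look as if it never happened when a GC is queried afterwards.
$gcGroup     = Get-ADGroup -Server $GlobalCatalog -Identity $GroupDn -Properties member
$presentOnGc = $gcGroup.member -contains $member.DistinguishedName

# 4. Group scope matters for cross-domain members: global groups cannot hold members from
#    other domains at all; domain local and universal groups can.
[pscustomobject]@{
    Member      = $member.DistinguishedName
    MemberClass = $member.ObjectClass
    GroupScope  = $group.GroupScope
    PresentOnDc = $presentOnDc
    PresentOnGc = $presentOnGc
}
```

If `PresentOnDc` is `$false` while `PresentOnGc` is `$true`, the removal did land and the GC replica is simply behind; if both are `$true` after a "successful" provisioning step, the write never reached the group's domain.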

  • Hi Trevor,

    the domains in question are in the same forest, at the same level under the tree root. Transitive trusts of type "Shortcut" are present in both directions between the two domains.

    We have one sync project for both domains, using variable sets to specify only different CP_ADRootDN and CP_ADServer for each domain (the domains are managed through different servers). The project was created in 7.0.1 and we haven't applied any patches (7.1.3 now), there are warnings under the vrtMembersSID mapping rule (yellow triangle): "...There is no mapping for this schema type, which was defined for the many-to-many mapping", but the provisioning works generally.

    I don't understand how we are able to add, but not to remove group memberships using projection. Can this be caused by mis-configuration at all? I can manually remove the memberships using "Active Directory Users and Computers", using the same user account that the sync project uses. I suspect there could be an issue resolving the object from the other domain, but shouldn't the same issue then apply when adding the membership?

    I enabled Trace level logging but couldn't find any obvious errors from my understanding. The most suspicious lines I found were along "There are no differences of failed objects to the previous execution of step (group)! These failures do not cause a retry!"

  • I strongly suggest re-creating your synchronization project in 7.1.3, as it has changed quite a bit between the two versions mentioned.

    Starting from that, you are able to patch your sync project if necessary in the future (sync project patching was first introduced in version 7.1).