Custodian Manager's AD Synchronization never completes in an environment with multiple or very large Active Directory domains.
|Article:TECH202081|||||Created: 2013-01-25|||||Updated: 2013-01-30|||||Article URL http://www.symantec.com/docs/TECH202081|
|NOTE: If you are experiencing this particular known issue, we recommend that you Subscribe to receive email notification each time this article is updated. Subscribers will be the first to learn about any releases, status changes, workarounds or decisions made.|
Enterprise Vault (EV) Discovery Accelerator (DA) Custodian Manager (CM) ADSynchroniser processing either takes weeks or never completes synchronizing Active Directory (AD) domains when either very large (i.e., over 100K users and groups) or multiple AD domains are configured for synchronization.
Event Source: Accelerator AD Synchronizer
Event ID: 34
APP AT - Customer ID: X - An error occured in ProfileSynchroniser::SynchroniseEmployeeProfile while retrieving properties.
System.Runtime.InteropServices.COMException (0x8000500C): Unknown error (0x8000500c)
at KVS.Accelerator.ActiveDirectory.ADProfileSynchroniser.UpdateProfileRowFromDirEntry(DirectoryEntry entry,
ProfileRow& profileRow, StringCollection& emailAddresses, StringCollection& allDisplayNameAddresses, String userLogin)
at KVS.Accelerator.ActiveDirectory.ADProfileSynchroniser.SynchroniseADEmployeeProfile(ProfileRow profileRow,
StringCollection& allEmailAddresses, StringCollection& allDisplayNameAddresses, PropertyCollection& ADUserProps,
- Discovery Accelerator 9.0 or greater
- Very large (i.e., 250K+ users and groups) Active Directory domain or multiple Active Directory domains configured to synchronize with Custodian Manager.
Several causes exist to prevent the ADSynchroniser process from completing with all Active Directory (AD) users and groups synchronized. The following is a partial list of the known causes:
- Data for a history start reference date parameter is missing for indirect group to user members in 2 tables of the Custodian Manager (CM) database (db).
- Groups deleted from AD have wrong entries in 2 tables of the CM db.
- A retry flag is not being properly reset.
- Moving a Group from one AD container (i.e., Organizational Unit) to another is not being properly tracked, which can cause unwanted users added to the moved group.
- When the 'Recurse into nested list' check box is unchecked for a group and that group is synchronized as part of an incremental synchronization, direct and indirect users in the group will be displayed in the CM group.
- Clicking the 'Synchronize now' button does not synchronize all groups.
- A failure obtaining a proxy address for a user will stop the crawler process that obtains data from AD.
- A blank search of AD used by some ADSynchroniser processing does not work.
- An AD user or group that was deactivated using the CM site does not propagate when reactivated unless there is an AD Update Serial Number (USN) change in the user or group.
- Once a deactivated user fails to get the associated AD profile, all remaining users in the batch do not get picked up for synchronization.
- CM launches multiple processes per AD domain in a single run when more than one AD Domain is added for synchronization.
- The deactivation pass processes all users and groups in a single transaction, which can cause all deactivations in that pass to be rolled back should an error occur.
- The deactivation pass can time out for a large number of qualified users and groups.
- Each synchronization run would attempt to complete a full synchronization of each AD domain instead of just synchronizing changes within the domain (i.e., changed users or groups).
Symantec Corporation has acknowledged that the above-mentioned issue is present in the current version(s) of the product(s) mentioned at the end of this article. Symantec Corporation is committed to product quality and satisfied customers.
There are no plans to address this issue by way of a patch or hotfix in the current or previous versions of the software at the present time. However, the issue is currently scheduled to be addressed in the next major revision of the product. Please be sure to refer back to this document periodically as any changes to the status of the defect will be reflected here. Please note that Symantec Corporation reserves the right to remove any fix from the targeted release if it does not pass quality assurance tests. Symantec’s plans are subject to change and any action taken by you based on the above information or your reliance upon the above information is made at your own risk.
ADSynchronization never finishes
ADSynchronization never finishes
Article URL http://www.symantec.com/docs/TECH202081