Helpdesk Active Directory import does not work and contacts or workers are not updating

Article:TECH41705  |  Created: 2009-03-23  |  Updated: 2012-06-05  |  Article URL http://www.symantec.com/docs/TECH41705
Article Type
Technical Solution

Issue



The Helpdesk Active Directory import does not work. Looking at Helpdesk contacts or workers, some or all do not update, such as their name or email address, or new ones are not being brought in from Active Directory.


Cause



The expected data does not exist in the Notification Server that Helpdesk looks for to sync into its own database. This data may be waiting for an Active Directory sync or Inventory Forward rule. But if it's not in the Notification Sever that Helpdesk is installed to, another process is at fault and needs to be resolved before Helpdesk can sync then-existing data.


Solution



If Helpdesk contacts or workers aren't updating or being created, this may be due to several reasons. The processes that controls this are described below along with some suggestions for troubleshooting them.

How Helpdesk syncs user data from the Notification Server and Active Directory

Helpdesk syncs user data every hour (by default) from the Notification Server (NS) to Helpdesk. This sync is one way, NS to Helpdesk, and permanent. This works as follows:
 

  • Once users are synced from NS to Helpdesk, they will remain in Helpdesk even if their counterparts are deleted in NS.
  • Deleting users in Helpdesk will not delete their NS counterparts.
     

Helpdesk does not, however, sync data from Active Directory (AD), which is a core Notification Server process. Helpdesk expects that what ever users are to be synced are already in the NS, whether by an NS AD sync, manual creating, etc., is all the same to Helpdesk. The NS performs the AD sync using the Microsoft Active Directory Import function found in Configuration > Notification Server Infrastructure. This imports users from AD directly to Resources > Organizational Structures > Domain_Name > Users in the Notification Server. There can be any number of subfolders under the Domain_Name that include AD users. The users to sync must appear somewhere here. If the user is not synced to here from AD, then they will not be synced to Helpdesk either during the Helpdesk sync. If issues exist with importing data from AD exist, please contact the Notification Server support team as Helpdesk has no control over this process.

How does Helpdesk update its contacts and workers?

Helpdesk performs an hourly (by default) one way sync of users that are in the NS to Helpdesk. This works in the following way:
 

  • The NS to Helpdesk sync is controlled by the Incident Settings function in Configuration > Notification Server Settings in the Altiris Console. This is the "Synchronize resources and incident data with Notification Server" setting, which should be enabled and set to an interval of 3600 seconds by default. Note: To force an immediate sync, click on the Apply button. Do not change the default interval.
  • The key fields used for the sync are the NT ID an email address, which should be unique for each contact. Note: If these fields are not unique in AD, this may result in an existing Helpdesk contact synced with a different user of the same name and email address. There is no way to reconcile this, other than removing contacts manually from Helpdesk after users are removed from AD. If these two fields are not populated in the Notification Server user record, the user will not be synced to Helpdesk.
  • New contacts are added during the sync and existing ones are updated. New contacts can also be added by having a user login to the Helpdesk end user console(http://server/aexhd/winuser) and register if self enrollment is enabled, or by adding them manually in Helpdesk.
  • Workers are not added by the sync but existing ones are updated. New workers can be added by assigning them to a Helpdesk security role (such as Level 1 Worker) and then having the user login to the Helpdesk worker console (http://server/aexhd/worker) and register if self enrollment is enabled, or by adding them manually in Helpdesk. Note: When a worker is created, a corresponding, linked contact is also created (if one does not already exist). 
     

What should be expected for how Helpdesk performs its updates?

As discussed above, the user must exist in the NS before Helpdesk can sync them. This can be controlled by several processes:
 

  1. Users are added to the NS. This can be from an automated method, such as an AD import, Connector rule, or manually created as users using CMDB Solution.
  2. NS users are later synced to Helpdesk as contacts using the above sync process.
     

Depending on the method used to add users to the NS, a user may not be synced to Helpdesk for at least one hour or longer. Here are several examples of how this may work:
 

Example 1

  • A person manually creates a user in the NS using CMDB Solution.
  • The Helpdesk sync just occurred before the user was saved. For this example, the default Helpdesk one hour sync interval is used.
  • After an hour has passed, the next Helpdesk sync starts. This may take a few minutes to finish, depending on how much data is being synced and the processing state of the NS. For this example, this takes 5 minutes.
  • The contact then appears in Helpdesk.
  • Summary: For this example, it took approximately 1 hour 5 minutes for the manually created user to appear in Helpdesk as a contact. 
     

Example 2

  • The NS is configured to sync new users from AD once a week on Saturdays at 2:00 AM.
  • A new AD user is added on Monday at 2:00 PM.
  • The user would not be synced to the NS until after 2:00 AM on Saturday morning. For this example, the AD sync takes 30 minutes.
  • The user then appears in NS on Saturday at 2:30 AM.
  • The Helpdesk sync just occurred before the user was synced from AD to the NS. For this example, the default Helpdesk one hour sync interval is used.
  • After an hour has passed, the next Helpdesk sync starts. For this example, this takes 30 minutes.
  • The contact then appears in Helpdesk.
  • Summary For this example, it took approximately 4 days,13 hours for the automatically created user to appear in Helpdesk as a contact. 
     

Example 3

  • The NS is configured to sync updated users from AD once a day at 2:00 AM.
  • A new AD user is added on Monday at 2:00 PM.
  • The user would not be synced to the NS until after 2:00 AM on Tuesday morning. For this example, the AD sync takes 30 minutes.
  • The user then appears in NS on Tuesday at 2:30 AM.
  • The Helpdesk sync just occurred before the user was synced from AD to the NS. For this example, the default Helpdesk one hour sync interval is used.
  • After an hour has passed, the next Helpdesk sync starts. For this example, this takes 30 minutes.
  • The contact then appears in Helpdesk.
  • Summary For this example, it took approximately 13 hours for the automatically created user to appear in Helpdesk as a contact.
     

How can Helpdesk contacts and workers be updated faster?

Depending on the method used to add users to the NS, several things can be done to improve how often Helpdesk workers and contacts are updated:
 

  • If the user is not in the NS but comes in from an automated process, manually perform this process first. For example, if the user is in AD but not in NS, manually perform the AD to NS sync by doing the following:
     
    1. In the Altiris Console, go to the Configuration tab (or View > Configuration if you are using the Console 6.5).
    2. Go to Server Settings > Notification Server Infrastructure > Microsoft Active Directory Import.
    3. Click on the Import Users import rule.
    4. Click on the Run the selected import rule now (Full Import) button.
    5. The Status changes to 0% and updates as the import rule processes.
    6. Once the Status is 100%, verify that the user is now in the NS. In the Altiris Console, go to the Resources tab (or View > Resources if you are using the Console 6.5).
    7. Go to Resources > Organizational Structures.
    8. Go to the domain name that the user is from and then Users. The user should now appear in this list. 
       
  • If the user is in the NS and ready to be synced, manually perform the Helpdesk sync by doing the following:
     
    1. In the Altiris Console, go to the Configuration tab (or View > Configuration if you are using the Console 6.5).
    2. Go to Server Settings > Notification Server Settings > Incident Settings.
    3. Click on the Apply button. This performs a manual sync from the NS to Helpdesk.
    4. After this finishes, which may take several minutes, data (users and assets) are then synced to Helpdesk.
    5. Normally, this process occurs once per hour. This is controlled by the Synchronize resource and incident data with Notification Server setting. By default, this is enabled and set to one hour (3600 seconds) interval. If this is different or disabled, this will affect the sync process. WARNING: This setting should not be shorter than an hour, or at the very least, thirty minutes, in a production environment as it will cause severe performance issues. 
       

Troubleshooting specific issues

The following list of issues are commonly seen by Helpdesk user syncs.

Issue: Contacts and Worker data is not or no longer being updated.
Solution: Before NS user data can be synced to Helpdesk, three user fields are required in addition to the required fields that are needed to save the user (as denoted by the red asterisk symbol while editing a user):
 

  1. UserID.
  2. Domain.
  3. Employee ID.
     

If one or more of these fields are blank or removed, this will result in the contact in Helpdesk no longer being synced, whereas it was successfully originally when the fields contained data. To resolve this, fill in the above required fields in the NS User record.

Note: Helpdesk does not by default sync the Employee ID, but it still requires this to be present. To sync this field to Helpdesk, a customization must be performed. Information about this can be found here:

Employee ID field from the Users are not populated to the Helpdesk contact
http://www.symantec.com/business/support/index?page=content&id=HOWTO5086

Issue: The expected user data is not in the NS because Inventory Forwarding is involved and not working correctly.
Solution: Inventory Forwarding can send inventory, such as for users and computers, from one NS to another. Helpdesk expects the users to be in the NS that it is installed into and have the three required fields (as described above) for the Helpdesk sync to work correctly. If users are missing or these fields are not filled out because Inventory Forwarding did not work correctly, this would be an issue to be addressed by Inventory Forwarding, not Helpdesk, which has no control over this process. If Inventory Forwarding is not working, please contact the Notification Server support team as Helpdesk has no control over this process.

Issue: Users removed from Active Directory or the NS still appear in Helpdesk.
Solution: Users that are removed in AD may or may not be removed from the NS, depending on how the AD sync has been configured. If the end result is that the user is no longer present in NS, whether by removal by the AD sync process or manually deleted, this will not affect the counterpart user in Helpdesk because the sync is permanent (as described above in the How Helpdesk syncs user data from the Notification Server section). Helpdesk users that are no longer wanted can be directly deleted using the Helpdesk console. There is no method to otherwise automatically reconcile the users.

Also, Helpdesk will continue to sync users from the Notification Server even if the counterpart users in AD were removed or disabled. As long as the users are in NS, these will continue to be synced to Helpdesk. To change this behavior, remove the users in NS first, then remove the contacts in Helpdesk. Note: As workers cannot be deleted, this will need to instead be set to inactive.

Internally, when users are no longer able to be synced in Helpdesk with their NS counterparts, such as if the user is deleted in NS, the contact's resource guid is set to all zeroes. The following example SQL query demonstrates how to find these:

USE Altiris_Incidents
SELECT *
FROM contact
WHERE is_imported = 1
AND resourceguid LIKE '%00000000%'
ORDER BY name

The results could be used to help identify which contacts may need to be deleted, if so desired, to reconcile with the NS users. Note: This is usually not recommended, because incidents and other work the user has performed in Helpdesk will become orphaned. For example, if this user has many incidents, these will no longer be associated with that contact. It is therefore recommended to simply leave these "obsolete" contacts as-is in Helpdesk because of this.

Issue: A contact's NT ID (name or domain) or email address was changed in AD or the NS and is now not syncing correctly to Helpdesk.
Solution: Depending on what and where this change took place, different solutions on how to resolve this. For example, if  a user's name was changed in AD and then imported into the NS by the AD sync, Helpdesk would later sync this as a new user, as the original still exists in the NS. The AD sync should be set to remove old records (which it is not by default) to prevent the duplicate from occurring in the NS. Next, the following article would need to be used to reconcile the "different" user in NS to its existing Helpdesk counterpart user:

How to change Helpdesk worker or contact names, email addresses and NT IDs
http://www.symantec.com/business/support/index?page=content&id=HOWTO36855

Additional information on how AD users affect Helpdesk users can be found here:

Does setting a user's Active Directory account to be inactive cause Helpdesk worker accounts to also become inactive?
http://www.symantec.com/business/support/index?page=content&id=HOWTO55905

Issue: A Helpdesk user was changed but the changes are reverted back later when the next Helpdesk sync occurs.
Solution: Change the user in the NS and then the next Helpdesk sync will update the counterpart record. Information on this can be found here:

Changes made to a Helpdesk worker or contact are later reverted back
http://www.symantec.com/business/support/index?page=content&id=TECH154835

Additional troubleshooting

  • Does manually creating a new temporary user in CMDB (Resources > Organizational Types > Users) and entering an NT ID and email address for successfully sync to Helpdesk as a test? If so, there is an issue with the ones that fail to sync; the Helpdesk sync process is not the issue.
  • Ensure that the Incident Settings sync is enabled and set to a realistic value.
  • Allow sufficient time to elapse for the user to sync to Helpdesk.
  • Is the correct user name being searched for in Find Contacts?
  • If a worker or contact is manually edited, certain data will revert back on the next sync. This should instead be changed in NS or where the user is being brought in from. For AD, this change should be applied there, which will later sync to NS, and finally sync to Helpdesk.
  • Manually created users must have the UserID field populated or the sync will not occur.
  • If the NT ID and email address for a worker is not unique, sync issues will occur. The following describes how to correct this:
    1. Edit the correct worker and change their NT ID and email address to something temporary and set them to be inactive. Save the worker.
    2. Edit the duplicate workers and change their NT ID and email address to non-used ones. For example, Joe_Smith@company.com could become Joe_Smith-unused@company.com. Note: Workers and queues cannot be deleted. Changing and inactivating duplicates is the only way to remove these from the sync process. Save the duplicate.
    3. Edit the original correct worker and change their NT ID and email address back to the correct ones. Save the worker.
    4. Perform the manual sync by going to Incident Settings and clicking the Apply button. (This process is described in a previous section.)
    5. This should now correctly sync to the correct worker.
       
  • Other issues may also be present, such as no syncs occur at all, etc. Additional troubleshooting can be found in the Knowledge Base, for example:

    Users with new domain not updating in Helpdesk
    http://www.symantec.com/business/support/index?page=content&id=TECH12041

    KNOWN ISSUE: Helpdesk is resynchronizing the same users every hour
    http://www.symantec.com/business/support/index?page=content&id=TECH17688
     
  • Checking the Altiris logs should show if syncs are failing, or if records are being synced, when a sync occurs. This process appears in the logs as:

    5 assets and 2 User resources were added to or updated in the Incidents database.

    If this type of line never appears in the logs, the sync is either not occurring (possibly because of a customized nssource.xml file, refer to the next section) or has been turned off in Incident Settings. Note: This line will occur even if there are 0 assets and resources to sync, but which will list them simply as "0" each.
     
  • If customizations are in place, specifically a customized nssource.xml file, this can cause issues with the sync. The nssource.xml file is found in the <Altiris_installation_drive>:\Program Files\Altiris\Helpdesk\AeXHD\templates folder, and should be dated from around 5/29/2007. If the date is later than that, it has likely been customized which may be the root cause of the issue. The only way to restore this file to its default settings is to copy it from another unmodified version, such as from a different Helpdesk.
     

Related Article

Where can I find technical support for the discontinued Altiris Helpdesk 6 product?
http://www.symantec.com/business/support/index?page=content&id=HOWTO59201

 



Legacy ID



46223


Article URL http://www.symantec.com/docs/TECH41705


Terms of use for this information are found in Legal Notices