Directory Sync Not Work???

Created: 16 Feb 2011 • Updated: 16 Feb 2011 | 5 comments

Hello all,

I need a little help. I have created an OU (named AltirisTest) and a computer account in Active Directory. The computer account was manually created and does not belong to a physical computer. I performed an AD Import on the NS (NS 6). I then went to Resource Management>Resources>Organizational Structures>mydomain.com>AltirisTest and I saw that the AD Import had pulled in the new OU and computer account.

I then went to AD and deleted the computer account from the AltirisTest OU. I went back to the NS, performed a new AD Import, and then set the Directory Synchronization Schedule to every half-hour. I let all of this cook overnight; this morning I was expecting to see the computer account gone from Resource Management>Resources>Organizational Structures>mydomain.com>AltirisTest, BUT it was not. I manually performed a Purge Maintenance by selecting the "Purge Now" button. The computer is still there and its status is Active.

This computer is not showing up in the "computers that need the Agent" collection because no Basic Inventory could be run to verify the OS, and it is not in the All Computers collection because it is not managed. I can create a collection based on vComputer.Name and IsManaged=0 and the computer is there. It is not marked for deletion in the ItemResource table. The import rule is still active. I know Purge Maintenance would not delete it because it is not managed (I had to try though), so why is it not being deleted by Directory Sync? Does this highlight a problem with Directory Sync, or is it even working? Thanks.


KSchroeder:

There have been several hotfixes for AD Import; are you running any of those? The latest one was released along with the "R13" update for NS6 last year; you can see where to download it from here (it should be in Solution Center as well, I don't recall where it shows up exactly though... maybe Hotfixes or Updates when viewing available Solutions):
http://www.symantec.com/docs/DOC2031 <update link: http://www.symantec.com/docs/DOC1963 >

In particular you need that if you have a 2008 native AD implementation.

What results do you get with "real" computer objects, which are tied to a managed machine?  Your example is all well and good, but it is not very real-world.

In my experience, you must do a "full import" to get proper collection membership updates; the Update import just doesn't seem to work very well. If you watch the NS logviewer while the Directory Resync process runs, does it remove the computer? Also, are you pointing to the domain in general (ad.mycompany.com) or a particular DC? Generally you get better results by targeting a particular DC, i.e. mydc1.ad.mycompany.com.

Thanks,
Kyle
Symantec Trusted Advisor

For Forum threads, please click "Mark as Solution" if answered.
For all content, please give a thumbs up if you agree with or support the post.

KSchroeder:

...I don't normally create "dummy" computer objects this way, but can you specify OS information about a "dummy" object like this when you create it? When AD Import runs it will load OS information gleaned from AD about the computer, which of course is normally populated into AD when you connect an actual operational OS to that computer account. This could be interfering as well. I would really suggest using a "real" computer account for your testing purposes.

Thanks,
Kyle
Symantec Trusted Advisor

mclemson:

Try targeting the specific DC for troubleshooting, in case this is a replication issue between DCs in a domain. Though I always point to a generic reference (subdomain.domain.com) as opposed to a particular controller (dc01.subdomain.domain.com) for redundancy.

Mike Clemson, Senior Systems Engineer, ASC
Intuitive Technology Group -- Symantec Platinum Partner
intuitivetech.com
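The two replies above suggest checking the same computer object against a specific DC (to rule out replication lag) and using a "real" account that has populated OS attributes. The script below is an added example, not code from the original thread or from Symantec; it assumes the RSAT ActiveDirectory module is installed on the machine running it, and the OU and computer names are placeholders for the poster's AltirisTest OU and test account. It asks every DC in the domain whether the object is still present (live or as a tombstone) and whether it carries the operatingSystem and lastLogonTimestamp attributes a domain-joined machine would have written.

```powershell
# Added example: per-DC check of a computer object's presence and OS attributes.
# Not from the original thread. Assumes the ActiveDirectory RSAT module; the
# names below are placeholders for the thread's AltirisTest OU and test account.
Import-Module ActiveDirectory

$computerName = 'ALTIRISTEST01'                        # placeholder (Name attribute, no trailing '$')
$searchBase   = 'OU=AltirisTest,DC=mydomain,DC=com'    # placeholder OU DN

# Query every DC directly rather than the domain name, so a stale replica shows up
# as a DC that still returns the object after it was deleted elsewhere.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

foreach ($dc in $dcs) {
    try {
        $obj = Get-ADComputer -Server $dc -SearchBase $searchBase `
                 -Filter "Name -eq '$computerName'" `
                 -Properties operatingSystem, operatingSystemVersion, lastLogonTimestamp, whenChanged `
                 -ErrorAction Stop
    } catch {
        Write-Warning "$dc : query failed ($($_.Exception.Message))"
        continue
    }

    if ($null -eq $obj) {
        # Live object is gone on this DC; see whether the deletion is visible as a tombstone.
        # Tombstones keep the original name with a "\0ADEL:<guid>" suffix, hence -like.
        $tomb = Get-ADObject -Server $dc -IncludeDeletedObjects `
                  -Filter "isDeleted -eq `$true -and Name -like '$computerName*'" `
                  -Properties whenChanged -ErrorAction SilentlyContinue
        if ($tomb) {
            "$dc : deleted (tombstone present, changed $($tomb.whenChanged))"
        } else {
            "$dc : object NOT present and no tombstone found"
        }
        continue
    }

    # A manually created account that has never joined a machine normally has an empty
    # operatingSystem and a null/0 lastLogonTimestamp; a real machine populates both.
    $lastLogon = if ($obj.lastLogonTimestamp) {
        [DateTime]::FromFileTime($obj.lastLogonTimestamp)
    } else {
        'never'
    }
    "$dc : present  OS='$($obj.operatingSystem)' ver='$($obj.operatingSystemVersion)' lastLogon=$lastLogon changed=$($obj.whenChanged)"
}
```

Run it once before and once after deleting the test account. If one DC still reports the object as present while the others show a tombstone, an import pointed at that DC (or at the domain name, which may resolve to it) will keep re-creating the resource until replication catches up; if every DC shows the tombstone and the NS still keeps the computer, the problem is on the NS side rather than in AD.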

jharings:

Can you try the same behavior with a REAL account (meaning the associated computer has logged onto AD)? I'm just wondering if the fact that it's never been activated is the reason for the issue (in addition to the two fine gentlemen's comments above).

Jim Harings
HP Enterprise Services
1st Rule of Connect Club: Mark the post that helped you the most as a 'solution'. 2nd Rule of Connect Club: You must talk about Connect Club.

Like2Code:

Thanks for all of your responses, sorry I could not answer any sooner. I will answer your questions below.

There have been several hotfixes for AD Import; are you running any of those? 

I just applied the KB34704 AD Connector update. Among several things, this update was supposed to fix the problem of AD Import failing after a previously known OU was missing during the LDAP query. I created the test OU and fake computer account to test this behavior but I have now been sidetracked with this issue. I plan on applying Rollup 13 in a few days.

What results do you get with "real" computer objects, which are tied to a managed machine? 

That is mixed, and is why I applied this update. Previously I have had several (230 or so) AD Imported computers (1800 total computers) set to "Retired" by the NS as opposed to being deleted by Directory Sync, and they are not being purged because they are Retired.

If you watch the NS logviewer while the Directory Resync process runs, does it remove the computer?

The logviewer appears to show Directory Resync working. The only errors associated with Directory Resync are with deleting a collection that it says has dependencies, but none are present. If I look in the ItemReference table it has an entry with ReferenceType=0 to a collection that in the Item table shows ProductUninstalled=0. I searched the entire NS for that collection and I cannot find it. Should I delete that entry from the ItemReference table? Could this hold up the processing of the rest of Directory Resync, if it hangs on that error?

Also, are you pointing to the domain in general (ad.mycompany.com) or a particular DC? 

This is a 2003 domain and I'm pointing to a particular server. I know the redundancy is better pointing to the domain, but I feel I get better results this way. I always do Full Imports on computer objects.

Can you specify OS information about a "dummy" object like this when you create it?

It appears not.

Can you try the same behavior with a REAL account (meaning the associated computer has logged onto AD)?

I'm trying to, but the only computer I could test with was a managed computer, so I removed the agent using the NS Console; however, the computer is still showing as IsManaged=1 and I don't have access to it anymore. Long story... busy IT shop. If I could manually force IsManaged=0, like you can force Unmanaged Mode in ForeFront, I would be set.