Role and Account AD Import Rule: Users imported are gone randomly.

Article ID: 163181

Products

IT Management Suite

Issue/Introduction

After setting up a Role and Account AD Import rule to bring in users from 12 global security groups that need access to the SMP, you notice that those users randomly disappear from the Settings > Security > Account Management > Roles > Members tab.

These are neither nested security groups nor cross-domain imports. You run this import rule every hour because these users must be added before you can grant them the permissions they need on the Console.
 

The NS logs show that the AD import is occurring:

Entry 1:
[2/3] Building preimport directory map from 12 discovered containers in 'example.com' (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})

Entry 2:
Processed 12 previously known memberships, changes: joins=0, leaves=0, known=12, unchanged=12, rule=d749ca3e-ef02-43e5-b55e-ef0bb8bf8adf

Entry 3:
Completed importing 0 resources from groups.

 

When the import was working, the logs looked like this:

Entry 1:
[2/3] Building preimport directory map from 12 discovered containers in 'example.com' (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})

Entry 2:
Processed 12 previously known memberships, changes: joins=0, leaves=0, known=12, unchanged=0, rule=d749ca3e-ef02-43e5-b55e-ef0bb8bf8adf

Entry 3-6:
Loaded roles and accounts: total=12 in 00:00:00.2499739, speed=48 i/s, rule={D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF}
Loaded roles and accounts: total=100 in 00:00:00.6874274, speed=145 i/s, rule={D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF}
Loaded roles and accounts: total=100 in 00:00:00.5624411, speed=177 i/s, rule={D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF}
Loaded roles and accounts: total=3 in 00:00:00.0624929, speed=48 i/s, rule={D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF}

Entry 7:
Completed importing 215 resources from groups.

Environment

ITMS 7.x, 8.x

Cause

This issue was caused by a faulty domain controller that was not synchronizing the correct AD group membership.

While reviewing the NS logs, we noticed the following:

1. The NS logs showed that members were only “leaving” when this domain controller was used:

4/8/2016 7:25:04 AM | RoleAccountMembership | AeXSVC.exe | 174
Processed 219 previously known memberships, changes: joins=0, leaves=207, known=219, unchanged=0, rule=d749ca3e-ef02-43e5-b55e-ef0bb8bf8adf

4/8/2016 7:25:01 AM | RolesAndAccounts | AeXSVC.exe | 174
[2/3] Building preimport directory map from 12 discovered containers in 'example.com' (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})

4/8/2016 7:25:01 AM | LDAPExporter::GetDirectoryDataFromGroups | AeXSVC.exe | 174
Importing directory group members from server: 'example-DC01.example.com' (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})

2. None of the imports from example-DC02 removed members.
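
The correlation described above can be scripted when many hourly runs need to be checked. The following is an added example, not part of the original article or the product: it assumes the log messages have been exported as text, oldest first, in the formats quoted above, and the function names, the sample lines and the 50% threshold are illustrative assumptions.

```python
import re
from collections import defaultdict

# Message formats as they appear in the NS log entries quoted in this article.
SERVER_RE = re.compile(
    r"Importing directory group members from server: '([^']+)' "
    r"\(rule: \{([0-9A-Fa-f-]+)\}\)")
MEMBER_RE = re.compile(
    r"Processed \d+ previously known memberships, changes: joins=(\d+), "
    r"leaves=(\d+), known=(\d+), unchanged=\d+, rule=([0-9A-Fa-f-]+)")

def leaves_by_server(messages):
    """Attribute each membership summary to the DC last used by the same rule.

    `messages` must be in chronological order (oldest first).
    Returns {server: [(leaves, known), ...]} with server names lowercased.
    """
    current = {}                       # rule GUID (lowercase) -> server name
    result = defaultdict(list)
    for msg in messages:
        m = SERVER_RE.search(msg)
        if m:
            current[m.group(2).lower()] = m.group(1).lower()
            continue
        m = MEMBER_RE.search(msg)
        if m:
            server = current.get(m.group(4).lower(), "<unknown>")
            result[server].append((int(m.group(2)), int(m.group(3))))
    return dict(result)

def suspect_servers(messages, ratio=0.5):
    """DCs where one run dropped at least `ratio` of known memberships
    (the threshold is an assumption, tune it to the environment)."""
    return sorted(s for s, runs in leaves_by_server(messages).items()
                  if any(known and leaves / known >= ratio for leaves, known in runs))

# Constructed sample modelled on the article's entries, oldest first.
RULE = "D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF"
SAMPLE = [
    f"Importing directory group members from server: 'example-DC02.example.com' (rule: {{{RULE}}})",
    f"Processed 219 previously known memberships, changes: joins=0, leaves=0, known=219, unchanged=219, rule={RULE.lower()}",
    f"Importing directory group members from server: 'example-DC01.example.com' (rule: {{{RULE}}})",
    f"Processed 219 previously known memberships, changes: joins=0, leaves=207, known=219, unchanged=0, rule={RULE.lower()}",
]

if __name__ == "__main__":
    print(leaves_by_server(SAMPLE))
    print("suspect:", suspect_servers(SAMPLE))
```

A server that appears in the suspect list on some runs while another server never does matches the pattern found in this case.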

Resolution

To fix this issue, the following was suggested:

1. Change the AD Import Rules so that, rather than importing using the domain name, they use the specific domain controller name.

After that, the AD Import was consistent, with no unexpected loss of users after imports.

Note:
If the above doesn't work, try unchecking the "Use Global Catalog for cross-domain searches" option for the Roles and Accounts AD Import Rule and run the rule one more time.