Identity Manager: Delay when trying to modify AD accounts from the Identity Manager UI
Article ID: 108060
Updated On:
Products
CA Identity Manager, CA Identity Governance, CA Identity Portal
Issue/Introduction
When you go to Users > Modify User's Endpoint Accounts, select a user, list all accounts and, for an Active Directory account, choose Modify User account from the Action button, it takes a long time to retrieve the account details. Other endpoints are faster.
Cause
One possible cause is that some Active Directory Domain Controllers are not available, which delays the retrieval of AD account details.
Environment
Identity Manager 12.6.x and 14.x
Resolution
To solve this problem you must check your ADS log file.
1) The file location depends on the Identity Manager version: Virtual Appliance or Standard version.
For Virtual Appliance:
- Go to the Windows machine where you installed the "CA Identity Manager - Connector Server C++" service
- Go to the folder: X:\...\CA\Identity Manager\Connector Server\jcs\logs\ADS
For Standard Version:
X:\...\CA\Identity Manager\Provisioning Server\logs\ADS
2) Open this file and search for the string below, without quotes, to find out whether any DC has the problem:
"Reason: Server Down"
Check the day on which this message occurs by searching for the string below. Search the last days, not only the current day.
******* MM/DD/YY
Sample: ******* 06/26/18
A sample of a "Server Down" message:
Thread 0x3360 Connection to Server: my-dc-hostname.my-domain.com; Port: 636 Credentials: The-Account-DN-Used-In-ADS-Endpoint Return Code: 81 --- Reason: Server Down
Note: If you have the "Reason: Server Down" message in the last days, you can proceed with the next steps. If you don't have this message, please open a new case with CA Support to better analyze the root cause.
You need to create a configuration file that lists the domain controllers with the message:
Return Code: 0 --- Reason: Success
Sample of Success:
Thread 0x3ba0 Connection to Server: my-dc-hostname.my-domain.com; Port: 636 Credentials: The-Account-DN-Used-In-ADS-Endpoint Return Code: 0 --- Reason: Success
3) Copy the names of all DCs that have the Success message. With this information, you need to find the right SiteName for each DC.
In the same file, search for the string "Original Server/Site List from GUI". It has a list of all DCs retrieved from DNS, and you'll find all DC names there.
Sample: If you found a Success DC with the name "XPTO123.my-domain.com", you will find a string like the one below, which includes the Site Name:
000;The-DC-SiteName.Sites.Configuration.my-domain.com;XPTO123.my_domain.com;R
4) Create a new file with the name of your AD endpoint and extension .dns
5) The file location depends on the Identity Manager version.
For Virtual Appliance, on the Windows machine where you installed "CA Identity Manager - Connector Server C++", create the file under the folder: X:\...\CA\Identity Manager\Connector Server\ccs\data\ads
For Standard version: X:\...\CA\Identity Manager\Provisioning Server\data\ads
6) In this folder there is a sample file, directory-name.dns. Create a copy of it and rename it with your AD Endpoint name, as displayed in your Provisioning Manager.
7) From the new file, remove the Site1 and Site2 lines
8) Add the SiteName and Server-Name as below, with a space between them, removing the identifier (000), the ";" semicolons, and the "R" at the end of the line, using the sample from step #3.
9) Save the file and restart the "CA Identity Manager - Connector Server C++" service.
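The log review in steps 2, 3 and 8, as an added Python example (not CA tooling and not part of the original article): it reads ADS log text, keeps the most recent connection result per DC, and builds the "SiteName Server-Name" lines for DCs that last answered with Success. It assumes the log entries look like the samples quoted above; the function name, the sample hostnames and the choice to use each DC's latest result are assumptions.

```python
import re

# Patterns mirror the sample lines quoted in the article; the real log layout is assumed to match.
DATE_RE = re.compile(r"\*{7}\s+(\d{2}/\d{2}/\d{2})")
CONN_RE = re.compile(
    r"Connection to Server:\s*(?P<dc>[^;\s]+);\s*Port:\s*\d+(?:(?!Connection to Server:).)*?"
    r"Return Code:\s*(?P<rc>\d+)\s*---\s*Reason:\s*(?P<reason>[^\r\n]+)", re.S)
SITE_RE = re.compile(r"^\s*\d+;(?P<site>[^;\s]+);(?P<dc>[^;\s]+);\w\s*$", re.M)

# Constructed sample log (hostnames, site names and the credential DN are made up).
SAMPLE_LOG = """\
******* 06/25/18
Original Server/Site List from GUI
000;SiteA.Sites.Configuration.example.test;dc01.example.test;R
000;SiteA.Sites.Configuration.example.test;dc02.example.test;R
000;SiteB.Sites.Configuration.example.test;dc03.example.test;R
Thread 0x3ba0 Connection to Server: dc01.example.test; Port: 636 Credentials: CN=svc,DC=example,DC=test Return Code: 0 --- Reason: Success
Thread 0x3360 Connection to Server: dc02.example.test; Port: 636 Credentials: CN=svc,DC=example,DC=test Return Code: 0 --- Reason: Success
******* 06/26/18
Thread 0x3360 Connection to Server: dc02.example.test; Port: 636 Credentials: CN=svc,DC=example,DC=test Return Code: 81 --- Reason: Server Down
Thread 0x3ba0 Connection to Server: dc04.example.test; Port: 636 Credentials: CN=svc,DC=example,DC=test Return Code: 0 --- Reason: Success
"""

def analyze_ads_log(text):
    """Return (dns_lines, down, no_site) derived from ADS log text."""
    dates = [(m.start(), m.group(1)) for m in DATE_RE.finditer(text)]
    def day_of(pos):
        prior = [d for start, d in dates if start <= pos]
        return prior[-1] if prior else None
    last = {}
    for m in CONN_RE.finditer(text):
        # Later entries overwrite earlier ones; hostnames are compared case-insensitively.
        last[m.group("dc").lower()] = (m.group("dc"), int(m.group("rc")),
                                       m.group("reason").strip(), day_of(m.start()))
    sites = {m.group("dc").lower(): m.group("site") for m in SITE_RE.finditer(text)}
    dns_lines, down, no_site = [], [], []
    for key, (dc, rc, reason, day) in last.items():
        if rc != 0:
            down.append((dc, rc, reason, day))      # exclude from the .dns file
        elif key in sites:
            dns_lines.append(f"{sites[key]} {dc}")  # step 8 layout: SiteName Server-Name
        else:
            no_site.append(dc)                      # Success, but not in the site list
    return dns_lines, down, no_site

if __name__ == "__main__":
    dns_lines, down, no_site = analyze_ads_log(SAMPLE_LOG)
    print("\n".join(dns_lines))
    print("Down:", down, "| Success without site entry:", no_site)
```

DCs reported as Success without a site entry still need their SiteName looked up by hand before they go into the .dns file.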
Additional Information
For more information about the DNS file, see the section "Troubleshooting the List of Backup Domain Controllers" at the link below:
https://docops.ca.com/display/IMGC10/Set+Up+Failover+for+Active+Directory