Identity Manager-Delay when try to modify AD accounts from Identity Manager UI
search cancel

Identity Manager-Delay when try to modify AD accounts from Identity Manager UI

book

Article ID: 108060

calendar_today

Updated On:

Products

CA Identity Manager CA Identity Governance CA Identity Portal

Issue/Introduction

When access the option Users > Modify User's Endpoint Accounts > select User, list all accounts, from Active Directory account, in the Action button, select Modify User account, it will take a long time to retrieve account details, other endpoints is faster.

Environment

Identity Manager 12.6.x and 14.x

Cause

One of the possible problems, it could be some Active Directory Domain Controllers are not available, which generates a delay to retrieve AD account details.

Resolution

To solve this problem you must check your ADS log file.

1) The file location will depend on the Identity Manager version, Virtual Appliance or Standard version.

For Virtual Appliance:
- Go to the Windows machine where you installed the "CA Identity Manager - Connector Server C++" service
- Go to the folder:
X:\...\CA\Identity Manager\Connector Server\jcs\logs\ADS

For Standard Version:
X:\...\CA\Identity Manager\Provisioning Server\logs\ADS


2) Open this file and search for string below, without quotes, to know if you have any DC with the problem.
"Reason: Server Down"

Check the day this message occurs, searching for the string below, search for the last days, no only the current day.
******* MM/DD/YY

Sample:
******* 06/26/18

A sample of "Server Down" message:
Thread 0x3360 Connection to Server: my-dc-hostname.my-domain.com; Port: 636
 Credentials: The-Account-DN-Used-In-ADS-Endpoint
 Return Code: 81 --- Reason: Server Down

Note: If you have the "Reason: Server Down" message in the last days, you can proceed with the next steps. If you don't have this message, please, open a new case in CA Support to better analyze the root cause.

You need to create a configuration file that lists the domain controllers with the message:
Return Code: 0 --- Reason: Success 

Sample of Success
Thread 0x3ba0 Connection to Server: my-dc-hostname.my-domain.com; Port: 636
 Credentials: The-Account-DN-Used-In-ADS-Endpoint
 Return Code: 0 --- Reason: Success

 
3) You need to copy all DCs names with Success message with this information, you need to know the right SiteName for each DC

In the same file, search for string "Original Server/Site List from GUI" 
It has a list of all DCs retrieved from DNS, and you'll find all DC names.

Sample:
If you found a Success DC with name "example.my-domain.com" you will find a string like below, but with the information about the Site Name
000;The-DC-SiteName.Sites.Configuration.my-domain.com;example.my_domain.com;R 


4) Create a new file with the name of your AD endpoint and extension .dns


5) The location file will depend on the Identity Manager version

For Virtual Appliance, in your Windows machine where you installed "CA Identity Manager - Connector Server C++", create the file under folder:
X:\...\CA\Identity Manager\Connector Server\ccs\data\ads

For Standard version:
X:\...\CA\Identity Manager\Provisioning Server\data\ads


6) In this folder, there is a sample file, directory-name.dns, create a copy of it and rename it with your AD Endpoint name, as displayed in your Provisioning Manager.


7) From the new file, remove the Site1 and Site2 lines


8) You need to add the SiteName and Server-Name as below, space between them, removing the Identifier, 000 and ";" semi-colon, and also the "R" at the end of the line. 
Using the sample from step #3

The-DC-SiteName.Sites.Configuration.my-domain.com      example.my-domain.com


9) Save the file and restart "CA Identity Manager - Connector Server C++" service

 

Additional Information

More information about the DNS file, see the section "Troubleshooting the List of Backup Domain Controllers" from the link below:
https://docops.ca.com/display/IMGC10/Set+Up+Failover+for+Active+Directory 
Powered by Wolken Software