
Role and Account AD Import Rule: imported users randomly disappear.


Article ID: 163181


Products

IT Management Suite

Issue/Introduction

A customer reported that they had set up a Role and Account AD Import rule to bring in, from 12 global security groups, the users who need access to their SMP.
They noticed that these users randomly disappear from Settings > Security > Account Management > Roles > members tab.

These are not nested security groups or cross-domain imports. The import rule runs every hour because these users must be added before they can be granted the permissions they need on the Console.
 

The NS logs show that the AD import is occurring:

Entry 1:
[2/3] Building preimport directory map from 12 discovered containers in 'LostDomain.com' (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})

Entry 2:
Processed 12 previously known memberships, changes: joins=0, leaves=0, known=12, unchanged=12, rule=d749ca3e-ef02-43e5-b55e-ef0bb8bf8adf

Entry 3:
Completed importing 0 resources from groups.

 

When they got it working, the logs looked like this:

Entry 1:
[2/3] Building preimport directory map from 12 discovered containers in 'LostDomain.com' (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})

Entry 2:
Processed 12 previously known memberships, changes: joins=0, leaves=0, known=12, unchanged=0, rule=d749ca3e-ef02-43e5-b55e-ef0bb8bf8adf

Entry 3-6:
Loaded roles and accounts: total=12 in 00:00:00.2499739, speed=48 i/s, rule={D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF}
Loaded roles and accounts: total=100 in 00:00:00.6874274, speed=145 i/s, rule={D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF}
Loaded roles and accounts: total=100 in 00:00:00.5624411, speed=177 i/s, rule={D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF}
Loaded roles and accounts: total=3 in 00:00:00.0624929, speed=48 i/s, rule={D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF}

Entry 7:
Completed importing 215 resources from groups.

Cause

This issue was caused by a bad domain controller that was not synchronizing the correct AD membership.

While looking at the NS logs, we were able to notice the following:

1. The NS logs showed that members were “leaving” only when this domain controller was used:

4/8/2016 7:25:04 AM | RoleAccountMembership | AeXSVC.exe | 174 | Processed 219 previously known memberships, changes: joins=0, leaves=207, known=219, unchanged=0, rule=d749ca3e-ef02-43e5-b55e-ef0bb8bf8adf

4/8/2016 7:25:01 AM | RolesAndAccounts | AeXSVC.exe | 174 | [2/3] Building preimport directory map from 12 discovered containers in 'LostDomain.com' (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})

4/8/2016 7:25:01 AM | LDAPExporter::GetDirectoryDataFromGroups | AeXSVC.exe | 174 | Importing directory group members from server: 'LostServer-DC01.LostDomain.com' (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})

2. None of the imports from 'LostServer-DC02' removed members.
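
The correlation described in the two points above can be automated. The following is an added example, not part of the original article or of the product: it pairs each "Processed ... memberships" summary with the domain controller named in the preceding "Importing directory group members from server" message for the same rule GUID, and totals the leaves per controller. It assumes the messages are supplied oldest first; the 0.5 threshold, the full DC02 host name and the DC02 sample run are constructed for illustration.

```python
import re
from collections import defaultdict

# Message formats copied from the NS log excerpts in this article.
SERVER_RE = re.compile(
    r"Importing directory group members from server: '([^']+)' \(rule: \{([0-9A-Fa-f-]+)\}\)")
MEMBER_RE = re.compile(
    r"Processed (\d+) previously known memberships, changes: joins=(\d+), "
    r"leaves=(\d+), known=(\d+), unchanged=(\d+), rule=([0-9A-Fa-f-]+)")

def leaves_by_server(messages):
    """Attribute each membership summary to the DC used for that rule's run.

    `messages` must be in chronological order (oldest first).
    Returns {server: {"runs": n, "leaves": total, "known": total}}.
    """
    last_server = {}  # rule GUID (lowercase) -> DC named in the latest import line
    stats = defaultdict(lambda: {"runs": 0, "leaves": 0, "known": 0})
    for msg in messages:
        m = SERVER_RE.search(msg)
        if m:
            last_server[m.group(2).lower()] = m.group(1)
            continue
        m = MEMBER_RE.search(msg)
        if m:
            server = last_server.get(m.group(6).lower(), "<unknown>")
            s = stats[server]
            s["runs"] += 1
            s["leaves"] += int(m.group(3))
            s["known"] += int(m.group(4))
    return dict(stats)

def suspect_servers(stats, ratio=0.5):
    """DCs whose runs dropped more than `ratio` of known memberships (threshold is an assumption)."""
    return sorted(s for s, v in stats.items()
                  if v["known"] and v["leaves"] / v["known"] > ratio)

RULE = "D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF"
# Constructed sample, oldest first; the DC01 run reuses the article's numbers, the DC02 run is made up.
SAMPLE = [
    f"Importing directory group members from server: 'LostServer-DC02.LostDomain.com' (rule: {{{RULE}}})",
    f"Processed 219 previously known memberships, changes: joins=0, leaves=0, known=219, unchanged=219, rule={RULE.lower()}",
    f"Importing directory group members from server: 'LostServer-DC01.LostDomain.com' (rule: {{{RULE}}})",
    f"Processed 219 previously known memberships, changes: joins=0, leaves=207, known=219, unchanged=0, rule={RULE.lower()}",
]

if __name__ == "__main__":
    print(suspect_servers(leaves_by_server(SAMPLE)))
```

A sudden mass removal of role members tied to a single controller is also worth alerting on, since it silently changes who holds Console permissions.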

Resolution

To fix this issue, the following was suggested:

1. Change the AD Import Rules so that, rather than importing using the domain name, they use the specific domain controller name.

After that, the AD imports were consistent and no users were unexpectedly lost after imports.

Note:
If the above doesn't work, try unchecking the "Use Global Catalog for cross-domain searches" option for the Roles and Accounts AD Import Rule and run the rule one more time.