As part of the CA Identity Manager (IM) onboarding process, Active Directory (AD) accounts are moved from one OU to another, sometimes a few hundred of them in a batch using a Bulk Task.
Prior to 14.3 CP2 this activity took a long time to complete and impacted system performance, but it did complete. After CP2 was deployed and the Bulk Task was issued, the individual move account tasks became stuck in the In Progress state and did not complete. When the CCS AD log was inspected, it contained messages like the examples below:
11:23:00 - Connection Pool: TID:0x9be4 All 10/10 connections are busy. Sleeping for 157 milliseconds.
11:23:00 - Connection Pool: TID:0x62c4 All 10/10 connections are busy. Sleeping for 369 milliseconds.
...
12:43:14 - Connection Pool: TID:0x57c8 All 10/10 connections are busy. Sleeping for 323 milliseconds.
12:43:14 - Connection Pool: TID:0xa274 All 10/10 connections are busy. Sleeping for 425 milliseconds.
What has changed in 14.3 CP2 that causes this issue?
Release : 14.3 CP2, 14.4.0
Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)
Enhancement.
Starting with 14.3 CP2 we have added the option to make multiple connections to Active Directory Domain Servers:
https://support.broadcom.com/external/content/release-announcements/Symantec-Identity-Governance-Administration-14.3-cumulative-Patch-2-General-Availability-notification/16129
Multiple connections supported from C++ Connector Server to the Active Directory Domain Server
Identity Manager now supports multiple active connections from C++ Connector Server (CCS) to Active Directory Domain Server. The default maximum connections allowed in a connection pool per endpoint is 10. The extended connection support allows multiple operations to run in parallel, improving the overall scalability and stability of the application.
Since 14.3 GA the connections can be set in the provisioning schema. Connect to the Provisioning Server with JXplorer or a similar tool, browse to the AD Endpoint, and configure its eTADSMaxConnectionsInPool value.
Details to connect:
Host: Provisioning Server hostname or IP address
Port: 20389
Level: User + Password
User DN: eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta
Password: etaadmin's password
Setting the eTADSMaxConnectionsInPool value between 100 and 200 should be sufficient for heavy volumes of movements. This should allow bulk tasks to complete more quickly; however, run load tests in the specific environment to see the actual behavior with the chosen value.
The default setting in releases prior to 14.3 CP1 was 1.
Please note that the changes to the 'eTADSMaxConnectionsInPool' settings are per AD Endpoint. You may need to modify the settings across multiple endpoints depending upon the environment.
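
To see during a load test whether the pool is still being exhausted with the chosen value, the "connections are busy" messages in the CCS AD log can be summarized. The script below is an added example, not Broadcom code: the line format is assumed from the log samples quoted above, and the function name summarize_pool_waits is hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pattern follows the CCS AD log samples quoted in this article (assumed format).
BUSY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) - Connection Pool: TID:(?P<tid>0x[0-9a-fA-F]+) "
    r"All (?P<used>\d+)/(?P<size>\d+) connections are busy\. "
    r"Sleeping for (?P<ms>\d+) milliseconds\."
)

def summarize_pool_waits(lines):
    """Aggregate pool-exhaustion events; returns None if there are none."""
    events = []
    for line in lines:
        m = BUSY_RE.match(line.strip())
        if m and m["used"] == m["size"]:   # every pooled connection in use
            events.append(m)
    if not events:
        return None
    # Log lines carry no date, so the span is only valid within one day.
    times = [datetime.strptime(m["ts"], "%H:%M:%S") for m in events]
    per_minute = defaultdict(int)
    for m in events:
        per_minute[m["ts"][:5]] += 1       # bucket by HH:MM
    return {
        "events": len(events),
        "pool_size": max(int(m["size"]) for m in events),
        "waiting_threads": len({m["tid"].lower() for m in events}),
        "total_sleep_ms": sum(int(m["ms"]) for m in events),
        "span_seconds": int((max(times) - min(times)).total_seconds()),
        "per_minute": dict(per_minute),
    }

# Sample input: the four log lines quoted in this article plus one
# constructed non-matching line to show that other messages are ignored.
SAMPLE_LOG = """\
11:23:00 - Connection Pool: TID:0x9be4 All 10/10 connections are busy. Sleeping for 157 milliseconds.
11:23:00 - Connection Pool: TID:0x62c4 All 10/10 connections are busy. Sleeping for 369 milliseconds.
12:43:14 - Connection Pool: TID:0x57c8 All 10/10 connections are busy. Sleeping for 323 milliseconds.
12:43:14 - Connection Pool: TID:0xa274 All 10/10 connections are busy. Sleeping for 425 milliseconds.
12:43:15 - constructed line: some other log message
""".splitlines()

if __name__ == "__main__":
    print(summarize_pool_waits(SAMPLE_LOG))
```

A pool_size that still shows the old limit after the change, or a span_seconds that covers the whole bulk task, indicates the endpoint is not using the new eTADSMaxConnectionsInPool value or that the value is still too low for the load.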