Changes in Active Directory group membership are not reflected on the PGP Encryption Server immediately. Applying those changes through grouping can take some time, depending on several variables.
If grouping is taking longer than is acceptable, reach out to Broadcom Encryption Support for guidance and we can work with you to speed up these grouping operations.
PGP Encryption Server (Symantec Encryption Management Server) 10.5 and above.
PGP Encryption Server synchronizes with Active Directory every 21,600 seconds (6 hours) by default.
Some domain controllers can be many times faster or slower than others. In a large environment this can mean the difference between regrouping taking a few hours and taking days.
Regrouping performance depends on the number of requests the domain controller has to service and on the network latency of the connection from the PGP Encryption Server.
If performance is very slow, pointing the PGP Encryption Server at a domain controller that is physically near it may help improve performance overall.
Pointing the PGP Encryption Server to a Read Only Domain Controller (RODC) may provide improved performance, especially if the RODC is lightly used.
In addition, some organizations may use a load balancer to ensure optimum distribution of requests to a pool of domain controllers. Pointing the PGP Encryption Server to the address of such a load balancer, if one is available, may offer improved performance.
In a clustered environment only one cluster member performs the synchronization with Active Directory each time it runs, so if you have 4 servers in a cluster, only one node will handle grouping, and the changes are then replicated to each additional cluster node. This reduces the number of grouping operations sent to domain controllers.
To check how long regrouping is taking, from the administration console:
Note: When using Directory Synchronization, always use port 636 and the Fully Qualified Domain Name (FQDN) of the domain controller so that communication from the PGP Encryption Server to the domain controller is protected by TLS and all traffic is encrypted. Using IP addresses for LDAP is not recommended, and many domain controllers will reject such connections.
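The following is an added example, not Broadcom or Symantec code, that checks a directory-synchronization target against the two points in the note above: the target must be the domain controller's FQDN rather than an IP address, and it must use port 636 (LDAPS). The target strings, host names and addresses in the block are constructed for illustration; the optional live check uses Python's default TLS context, which verifies the certificate chain and that the certificate matches the host name given, so running it with an IP literal instead of the FQDN is exactly the case that fails.

```python
"""Sanity checks for a PGP Encryption Server directory-synchronization target.

Added example (not Broadcom/Symantec code). Offline checks validate the target string;
verify_ldaps_tls() optionally opens a real TLS connection to confirm the domain
controller presents a certificate that matches the FQDN.
"""
from __future__ import annotations

import ipaddress
import socket
import ssl
from dataclasses import dataclass, field
from urllib.parse import urlsplit

LDAPS_PORT = 636             # port the article requires for directory synchronization
DEFAULT_SYNC_SECONDS = 21_600  # default AD synchronization interval stated in the article


@dataclass
class TargetCheck:
    host: str
    port: int
    scheme: str
    problems: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def _is_ip_literal(host: str) -> bool:
    """True if host is an IPv4/IPv6 literal (URL-style brackets are stripped first)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def check_directory_target(target: str) -> TargetCheck:
    """Validate a target given as 'host', 'host:port', or an ldap:// / ldaps:// URL.

    A bare host is assumed to be used with LDAPS. Problems are collected rather than
    raised so every issue with a configuration is reported at once.
    """
    if "://" in target:
        parts = urlsplit(target)
        scheme, host, port = parts.scheme.lower(), parts.hostname or "", parts.port
    else:
        scheme = "ldaps"
        # Only split off a port when there is exactly one colon; an unbracketed IPv6
        # literal contains several and is treated as a host with no port.
        if target.count(":") == 1:
            host, _, port_text = target.rpartition(":")
            port = int(port_text)
        else:
            host, port = target, None
    if port is None:
        port = LDAPS_PORT if scheme == "ldaps" else 389

    result = TargetCheck(host=host, port=port, scheme=scheme)
    if scheme != "ldaps":
        result.problems.append(f"scheme {scheme}:// does not wrap LDAP in TLS; use ldaps://")
    if _is_ip_literal(host):
        result.problems.append(f"host {host} is an IP address; use the domain controller's FQDN")
    elif "." not in host:
        result.problems.append(f"host {host} is a short name, not a fully qualified domain name")
    if port != LDAPS_PORT:
        result.problems.append(f"port {port} is not {LDAPS_PORT}")
    return result


def verify_ldaps_tls(host: str, port: int = LDAPS_PORT, timeout: float = 5.0) -> dict:
    """Open a TLS connection to host:port and return details of the negotiated session.

    The default context requires the server certificate to chain to a trusted CA and
    to match `host` (its SAN/CN), which is why an FQDN and not an IP address is needed.
    Network access is required; this is not exercised by the offline checks.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
                "not_after": cert.get("notAfter"),
            }


if __name__ == "__main__":
    import sys
    # Constructed sample targets used when no arguments are given.
    samples = ["ldaps://dc01.corp.example.com:636", "ldap://10.0.0.5", "dc01"]
    for target in sys.argv[1:] or samples:
        check = check_directory_target(target)
        print(f"{target}: {'OK' if check.ok else '; '.join(check.problems)}")
```

Run it with the directory-sync target configured on the server (for example `python check_target.py ldaps://dc01.corp.example.com:636`); a result of OK means the string meets the note's requirements, after which `verify_ldaps_tls(host)` can be called interactively to confirm the domain controller's certificate validates for that FQDN.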
If you need synchronization to run more frequently on an ongoing basis, some parameters can be modified to help. Reach out to Broadcom Encryption Support and we can work with you on this.
222563 - Grouping Changes in Active Directory group membership take hours to update PGP Encryption Server
161727 - Symantec Encryption Management Server Groups log displays "PGP Universal groupd group membership queue service is disabled in global pref"
153663 - Grouping and Group Membership on the PGP Encryption Server (Symantec Encryption Management Server)
247593 - Users not grouped properly if certificates from Active Directory are rejected (PGP Server Unable to Group Users)
EPG-24718
EPG-29401