Troubleshooting AD Import issues
search cancel

Troubleshooting AD Import issues

book

Article ID: 252977

calendar_today

Updated On:

Products

IT Management Suite

Issue/Introduction

Microsoft Active Directory Import (AD Import) is the most common mechanism for many customers to bring resources like Computers and Users from their AD.

Few things to know about AD Import:

  • Over time, AD Import has received important improvements.
  • Important AD Import capabilities that were improved on recent releases:

Import from complex cross-domain scenarios

Import from different types of security groups from a trusted domain

    • Import from Local/ Global/ Universal groups

Added functionality to additionally attempt to import from AD forest root

    • May slightly delay discovery, but provides more reliable data for import
    • Functionality is “ON” by default and controllable through Core setting

Import of resources containing special characters from different containers

    • Organizational Units / Security Groups / Distribution Groups

UI option to select partial or full update of specific data class values allowing better synchronization with AD data.

“Only if resource” – in this drop-down you can select “Any”, “Managed” or “Unmanaged”. Based on this setting, the data class will be populated or updated only for the corresponding computers (managed by the NS, not managed by the NS or every computer regardless of it being managed or not)

“Treat data as Full update”  if this check-box is ticked, then during Update Import data class values for existing resources will be overwritten by the data from AD. If the check-box is not ticked, then during Update Import the DC data for existing resources will be preserved – this is the default behavior and the one present in previous ITMS releases. Note that this only applies for Update Import, Data Class values will always be overwritten when Full Import is run


  • There are some pieces in the UI that you may never touch but you should be aware that exist. For example, since 7.6:
    • Active Directory USER import - define associations UI


  • Optional data transformation for Column Mapping – predefined set of actions


  • For example, since 8.0:
    • The IT Management Suite 8.0 HF1 release introduces a number of enhancements/improvements of the Microsoft Active Directory Import page. See:

ITMS 8.0 HF1 - What has changed in the Symantec Management Console, on the Microsoft Active Directory Import page?

 

Resolution

Things to consider:

  • When troubleshooting AD Import issues, the process is very straight-forward in most cases. AD Import follows very simple steps:
  • Import Rule is defined on the SMP:

Server/Domain to Import from

Container Type, eg. OUs, Distribution Groups, Security Groups,

Credentials

Resource Type, Column Mappings

Schedule Information

  • Connection is established to AD via LDAP queries.
  • Active Directory Services Interface (ADSI) makes a connection to SAM (Security Accounts Manager) similar to how ODBC connection to a SQL/Access database.
  • SAM (Security Accounts Manager)

Each entry in AD has a property called uSNChanged, which is a 64-bit number (the code that will increment as changes are made to the AD User account).

  • If uSNChanged of each record is greater than the maximum in the SMP for that import rule, data is returned.
  • The AD Import information is processed via NSEs in the EventQueue folder.
  • The data in the NSE is processed into the respective data class tables (Inv_xxxx). Some of the related tables are:

DirectoryItemMap

Evt_Directory_Import_Status

Aex_AC_Location 

Inv_Ou_Membership 

Inv_Import_Rule_Imported_Items 

Inv_Global_Active_Directory_Results 

TaskManager

ResourceUpdateSummary

  • If required AD data is missing, the record is not processed. The corresponding resource (if it was imported before) is not immediately deleted.
  • Filters, Folders, and organizational views and groups are created/updated programmatically in the database.
  • No all the issues are the same or can be troubleshot the same way; however, there are patterns that can be followed in almost every case:

Error messages

Areas of failure

Specific steps to cause the issue

  • There are some Core Settings related to AD Import that are not frequently taken into consideration but may help you during troubleshooting:
    • ADDeleteLeftoverCollections

<!-- Allow to delete collections, which objects were not found in AD import. 0 = don't allow, 1 = allow -->

<customSetting key="ADDeleteLeftoverCollections" type="local" value="0" />

This is about filters – if filter is gone, we can leave it in NS: with [X] prefix in name, or delete entirely if setting is “1”

    • ADSuppressCollectionUpdateTrace

<!-- Suppress intensive profile messages of collection updates. 0 = don't suppress, 1 = suppress -->

<customSetting key="ADSuppressCollectionUpdateTrace" type="local" value="1" />

Extra verbosity setting to produce/suppress more traces when processing collections.

    • ADAutoEnqueueSeconds

<!-- AD import will force data processor doing auto-enqueue, if idled for some time and has data in the queue buffer. 0 = OFF -->

 <customSetting key="ADAutoEnqueueSeconds" type="local" value="0" />

When import is long and slow, we don’t “batch” for 100 (or so, default value) resources discovered in AD, but build NSE of any amount, collected due to the time. For example, when we import fast and get 100 – we batch it out into NSE generator, but when we are slow and found only 10 resources in 1 hour, we can set to “enqueuer” every 10 seconds – might be 1-2 resources, but we do it.

    • ADScopesUpdate

 <!-- How AD import will update scopes on partial import. 0 = only new scopes will be created, 1 = full update will be performed (slower) -->

 <customSetting key="ADScopesUpdate" type="local" value="0" />

The comment is quite explanatory for this one.

    • ADPreDeleteMembership

<!-- Force membership cleanup prior to full import. This could be slow and while import goes, old resource membership is not available, which is quite bad for roles and accounts. -->

<customSetting key="ADPreDeleteMembership" type="local" value="0" />

Don’t touch this one! There was always too much of an issue when AD import did “cleanup” of the current mappings/memberships before importing, so it’s legacy stuff…

    • ADEnsureNseSequence

<!-- Deliver NSEs in the way, they are sequenced by each rule and will not run in parallel. This will help to avoid deadlocks, 0=OFF, 1=ON  -->

<customSetting key="ADEnsureNseSequence" type="local" value="0" />

NSE processing can either: process AD data NSE’s in parallel or sequentially. Parallel is faster, but can bring some deadlocks on heavy loaded system. If you experience too much deadlocks – you can make it “1” and ensure the AD NSE’s to be worked out sequentially. It will be longer, but less pressure to the DB.

 

Troubleshooting

How to collect the NSEs generated for the AD Import and extra information for the AD Import process:

  1. Open NS Configurator (under ...\Program Files\Altiris\Notification Server\Bin\Tools) or go directly to CoreSettings.config file.
  2. Search for "ADSaveDiscoveryResults" and click on Enabled (or set it to 1 on CoreSettings.config). Save change.
    Note: For more detailed logging for the AD Import process, you can set "ADVerboseLevel"  to 3. This is for Ultra verbose for AD import
  3. Run the desired AD Import rule and let it finish.
  4. Go to C:\ProgramData\Symantec\SMP\ and find "DirectoryServices" folder. Review.
  5. Disable "ADSaveDiscoveryResults"
  • You should see the NSEs that are created from the LDAP call and what we are receiving back.

 

Also:

  • Please enable the 'Ultra' log mode for the Altiris Log Viewer:
  1. Go to Options>Extended Verbosities>SMP Core>Common>Active Directory. Set to Ultra. Save.
  2. Go to Options>Log Options> and make sure Trace, Verbose, and Debug are also selected. Click OK.
  • With these options enable in the logs and the ADSaveDiscoveryResults on, run the AD Import and review the files created and the NS logs just for that period of time.
  • Please verify these registry values reflect the changes done above:
    • HKLM\SOFTWARE\Altiris\eXpress\Event Logging\LogFile
      • "Severity" should be 1F(Hex)    --Error, Warning, Info, Trace, & Profile (FF works to)
      • "SeverityStreams" should be 18(Hex)    -- Trace & Profile maintain their own set of files
    • HKLM\SOFTWARE\Altiris\eXpress\Notification Server
      • "ADVerboseLevel"  should be 3


  • In some instances, it is advised to target a specific Domain Controller rather than the whole domain. Some Domain Controllers may not be in sync due to data propagation delays.
  • The NS logs in Trace mode usually show what domain controller is connecting to:

    4/8/2022 7:25:04 AM

    RoleAccountMembership

    		    

    Processed 219 previously known memberships, changes: joins=0, leaves=207, known=219, unchanged=0, rule=d749ca3e-ef02-43e5-b55e-ef0bb8bf8adf

    4/8/2022 7:25:01 AM

    RolesAndAccounts

    		    

    [2/3] Building preimport directory map from 12 discovered containers in ‘domain.com' (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})

    4/8/2022 7:25:01 AM

    LDAPExporter::GetDirectoryDataFromGroups

    		    

    Importing directory group members from server: ‘MyServer-DC01.example.com' (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})


  • Let them stick to particular DC of their choice and data should be consistent.

 

Understanding NS log entries

The following is an example of usual NS log entries for the AD Import process:

  • Entry 1:

Task is starting... (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})

-----------------------------------------------------------------------------------------------------

Process: AeXSvc (1560), Thread ID: 141, Module: AeXSVC.exe

Priority: 4, Source: DirectoryImportTask::DoDirectoryImportTask

  • Entry 2:

Configuring import rule {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF}, server=example.com, type=AD

-----------------------------------------------------------------------------------------------------

Process: AeXSvc (1560), Thread ID: 141, Module: AeXSVC.exe

Priority: 4, Source: DirectoryImportSettings::ConfigureImportRule

  • Entry 3:

[1/3] Discovering import tree from: symantec.com (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})

-----------------------------------------------------------------------------------------------------

Process: AeXSvc (1560), Thread ID: 268, Module: AeXSVC.exe

Priority: 4, Source: DirectoryItemImporter:DiscoverTree

  • Entry 4:

[2/3] Building preimport directory map from 11 discovered containers in ‘example.com' (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})

-----------------------------------------------------------------------------------------------------

Process: AeXSvc (1560), Thread ID: 268, Module: AeXSVC.exe

Priority: 4, Source: RolesAndAccounts

  • Entry 5:

Processed 11 previously known memberships, changes: joins=0, leaves=0, known=11, unchanged=11, rule=d749ca3e-ef02-43e5-b55e-ef0bb8bf8adf

-----------------------------------------------------------------------------------------------------

Process: AeXSvc (1560), Thread ID: 268, Module: AeXSVC.exe

Priority: 4, Source: RoleAccountMembership

  • Entry 6:

Loaded roles and accounts: total=11 in 00:00:00.2968950, speed=37 i/s, rule={D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF}

-----------------------------------------------------------------------------------------------------

Process: AeXSvc (1632), Thread ID: 57, Module: AeXSVC.exe

Priority: 4, Source: SecureDataProcessor

  • Entry 7:

Loaded roles and accounts: total=100 in 00:00:03.8600602, speed=25 i/s, rule={D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF}

-----------------------------------------------------------------------------------------------------

Process: AeXSvc (1632), Thread ID: 21, Module: AeXSVC.exe

Priority: 4, Source: SecureDataProcessor

  • Entry 8:

Completed importing 111 resources from groups.

-----------------------------------------------------------------------------------------------------

Process: AeXSvc (1632), Thread ID: 62, Module: AeXSVC.exe

Priority: 4, Source: LDAPExporterThread

  • Entry 9:

Resource import has completed for rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF}

-----------------------------------------------------------------------------------------------------

Process: AeXSvc (1632), Thread ID: 62, Module: AeXSVC.exe

Priority: 4, Source: DirectoryImporter

  • Entry 10:

************** Directory Import Id {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF} has completed creating items and NS messages for data loading. Note: not all exported resources will appear in the NS console until the NS has completed loading all the data from the exported NS messages.

-----------------------------------------------------------------------------------------------------

Process: AeXSvc (1632), Thread ID: 62, Module: AeXSVC.exe

Priority: 4, Source: DirectoryImporter

 

If you have the Verbose level on NS logs while doing AD Import, you should also see what is the LDAP query used to bring the desired resources:

AD Search: GcBatchedPreloadThreadEntry.LoadMembers
root: GC://AM.example.com
 batch: domain=DC=AM,DC=example,DC=com, count=7

 filter: (&(|(objectCategory=user)(objectCategory=person)(objectCategory=inetOrgPerson)(objectCategory=foreignSecurityPrincipal))(|(memberOf=CN=LLY_AltirisSWDAdminsP,OU=Universal Groups,OU=Groups,DC=AM,DC=domain,DC=com)(primaryGroupID=685302)(memberOf=CN=LLY_AltirisReportsUsersR,OU=Universal Groups,OU=Groups,DC=AM,DC=domain,DC=com)(primaryGroupID=685310)(memberOf=CN=LLY_AltirisReportsAdminsP,OU=Universal Groups,OU=Groups,DC=AM,DC=domain,DC=com)(primaryGroupID=685304)(memberOf=CN=LLY_AltirisRDMUsersR,OU=Universal Groups...
properties(10): objectGUID, objectClass, uSNChanged, objectSid, primaryGroupID, distinguishedName, memberOf, displayName, mail, sAMAccountName

-----------------------------------------------------------------------------------------------------

Tick Count: 522231859 (6.01:03:51.8590000), Size: 1019 B
Process: AeXSvc (1344), Thread ID: 101, Module: AeXSVC.exe
Priority: 16, Source: GcBatchedPreloadThreadEntry
File: C:\ProgramData\Symantec\SMP\Logs\a.log

 

Knowing when resources are removed from AD Import

NS log example when resources are removed:

  • Entry 1:
    [2/3] Building preimport directory map from 12 discovered containers in ‘exampleDC1.com' (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})
    -----------------------------------------------------------------------------------------------------
    Source: RolesAndAccounts

  • Entry 2:
    Processed 219 previously known memberships, changes: joins=0, leaves=207, known=219, unchanged=0, rule=d749ca3e-ef02-43e5-b55e-ef0bb8bf8adf
    -----------------------------------------------------------------------------------------------------
    Source: RoleAccountMembership

 

NS log example when resources remain:

  • Entry 1:

[2/3] Building preimport directory map from 12 discovered containers in ‘exampleDC2.com' (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})

-----------------------------------------------------------------------------------------------------

Source: RolesAndAccounts

  • Entry 2:

    Processed 219 previously known memberships, changes: joins=0, leaves=0, known=219, unchanged=0, rule=d749ca3e-ef02-43e5-b55e-ef0bb8bf8adf

-----------------------------------------------------------------------------------------------------

Source: RoleAccountMembership

 

Missing Computers on OU Filters after AD Import

Use case:

Customer noticed that some computers are not been placed in the proper OU filters after they did an AD Import. The computer is present in the Manage>Computers and the AD Import Reports showed that these machines were imported by that AD Import Rule.

What to collect?

    1. Go to coreSettings.config (under c:\programdata\symantec\smp\settings) or from the SMP Console>Notification Server>Core Setting

    2. Search for "ADSaveDiscoveryResults" and change the value from '0' to '3'. Save change.

    3. Please enable the 'Ultra' log mode for the Altiris Log Viewer: Go to Options>Extended Verbosities>SMP Core>Common tab>Active Directory. Set to Ultra. Save. 

    4. Go to Options>Log Options>NS Settings and make sure Trace, Verbose, and Debug are also selected. Click OK.
      As well, check the Trace and Verbose options under Severity Streams are selected. It will allow to make a copy of those entries in their own set of log files.


    5. Run the Computer AD Import rule and let it finish and try to duplicate the issue.

    6. Change back "ADSaveDiscoveryResults" to its default value (which is '0'). As well as remove the extra logging.

    7. Go to C:\ProgramData\Symantec\SMP\ and find "DirectoryServices" folder. Zip the folder and review what is been populated.

    8. Grab the NS logs for that period of time and review the AD Import process. You should see the NSEs that are created from the LDAP call and what we are receiving back.


What to check?

  1. Check Resource Manager for one of those machines and  under Views>Inventory>Data Classes>Directory Connector you may notice that these missing computers in the AD Import Filter, OU Membership was missing
  2. Look at the “Reports>Notification Server Management>Microsoft Active Directory>Resources Imported Per Import Rule” and select the import rule used to bring these machines and check if these machines were actually imported in the past and recently under the 'Modified Date' column
  3. Check the 'ResourceUpdateSummary' table using the GUIDs for some of the missing machines and you may find that these machines are either missing a DataHash entry or it has not been updated recently for this Inv_OU_Membership dataclass.
  4. The following query should find what machine resources are affected by this:

    select * from ResourceUpdateSummary rus
    left join Inv_OU_Membership ou on ou._ResourceGuid = rus.ResourceGuid
    where InventoryClassGuid = '7FDC0F4A-6B51-44CB-9287-F69A2CCD2B9E‘
    and ou._ResourceGuid is null
    and rus.[RowCount] != '0'
  5. Clear out those out-dated entries and then let AD Import to repopulate them as needed. We used the following query to clean them out:

    delete rus from ResourceUpdateSummary rus
    left join Inv_OU_Membership ou on ou._ResourceGuid = rus.ResourceGuid
    where InventoryClassGuid = '7FDC0F4A-6B51-44CB-9287-F69A2CCD2B9E‘
    and ou._ResourceGuid is null
    and rus.[RowCount] != '0'
  6. Run a Delta AD Import and let Delta Resource Update schedule run.
  7. See "If machines or users are manually moved to a different OU in Active Directory, the change is not reflected in the ITMS Console after an AD Import"  KB 162662

 

Additional Information

  • HOWTO84090 "Active Directory Import FAQ "
  • TECH233666 "If machines are manually moved to a different OU in Active Directory, the change is not reflected in the ITMS Console after an AD Import"
  • TECH234772 "AD import computers rule: Removing OU from import and adding it back later only adds 30% of computers in corresponding organizational group"
  • TECH234242 "Unable to add custom dataclass to AD Import Default Column Mappings: they are not listed for selection"
  • INFO3712 "AD Import in a Hierarchy "
  • HOWTO100338 "Filters with a [x] in front of their name"
  • TECH223837 "Filters created during Active Directory import (OU or Security Groups) are displayed with distinguished name instead of canonical name"
  • TECH234636 "Importing a Security Group under a Role and Account AD Import Rule is not creating an AD Import Filter"
  • TECH233402 "Computers that are deleted from Active Directory are not being deleted from the Symantec_CMDB“
  • ITMS 8.0 HF1 - What has changed in the Symantec Management Console, on the Microsoft Active Directory Import page?
  • TECH234748 "Role and Account AD Import Rule: Users imported are gone randomly"

 

Powered by Wolken Software