Troubleshooting AD Import issues

Article ID: 252977

Products

IT Management Suite

Issue/Introduction

Microsoft Active Directory Import (AD Import) is the most common mechanism many customers use to bring in resources such as Computers and Users from their AD.

A few things to know about AD Import:

  • Over time, AD Import has received important improvements.
  • Important AD Import capabilities that were improved in recent releases:
    • Import from complex cross-domain scenarios
    • Import from different types of security groups from a trusted domain
      • Import from Local / Global / Universal groups
    • Added functionality to additionally attempt to import from the AD forest root
      • May slightly delay discovery, but provides more reliable data for import
      • Functionality is “ON” by default and controllable through a Core setting
    • Import of resources containing special characters from different containers
      • Organizational Units / Security Groups / Distribution Groups
    • UI option to select partial or full update of specific data class values, allowing better synchronization with AD data:
      • “Only if resource” – in this drop-down you can select “Any”, “Managed” or “Unmanaged”. Based on this setting, the data class is populated or updated only for the corresponding computers (managed by the NS, not managed by the NS, or every computer regardless of whether it is managed).
      • “Treat data as Full update” – if this check-box is ticked, then during Update Import the data class values for existing resources are overwritten by the data from AD. If the check-box is not ticked, then during Update Import the data class values for existing resources are preserved; this is the default behavior and the one present in previous ITMS releases. Note that this applies only to Update Import; data class values are always overwritten when a Full Import is run.


  • There are some pieces of the UI that you may never touch but should be aware exist. For example, since 7.6:
    • Active Directory USER import - define associations UI


  • Optional data transformation for Column Mapping – predefined set of actions


  • For example, since 8.0:
    • The IT Management Suite 8.0 HF1 release introduces a number of enhancements/improvements of the Microsoft Active Directory Import page. See:

ITMS 8.0 HF1 - What has changed in the Symantec Management Console, on the Microsoft Active Directory Import page?

 

Resolution

Things to consider:

  • When troubleshooting AD Import issues, the process is very straight-forward in most cases. AD Import follows very simple steps:
  • Import Rule is defined on the SMP:
    • Server/Domain to Import from
    • Container Type, e.g. OUs, Distribution Groups, Security Groups
    • Credentials
    • Resource Type, Column Mappings
    • Schedule Information

  • Connection is established to AD via LDAP queries.
  • Active Directory Services Interface (ADSI) makes a connection to SAM (Security Accounts Manager), similar to how ODBC connects to a SQL/Access database.
  • SAM (Security Accounts Manager)

Each entry in AD has a property called uSNChanged, which is a 64-bit number (a value that increments as changes are made to the AD User account).

  • For each record, if its uSNChanged is greater than the maximum held in the SMP for that import rule, the data is returned.
  • The AD Import information is processed via NSEs in the EventQueue folder.
  • The data in the NSE is processed into the respective data class tables (Inv_xxxx). Some of the related tables are:
    • DirectoryItemMap
    • Evt_Directory_Import_Status
    • Aex_AC_Location
    • Inv_Ou_Membership
    • Inv_Import_Rule_Imported_Items
    • Inv_Global_Active_Directory_Results
    • TaskManager
    • ResourceUpdateSummary

  • If required AD data is missing, the record is not processed. The corresponding resource (if it was imported before) is not immediately deleted.
  • Filters, Folders, and organizational views and groups are created/updated programmatically in the database.
  • Not all issues are the same or can be troubleshot the same way; however, there are patterns that can be followed in almost every case:
    • Error messages
    • Areas of failure
    • Specific steps to cause the issue

  • There are some Core Settings related to AD Import that are not frequently taken into consideration but may help you during troubleshooting:
    • ADDeleteLeftoverCollections

<!-- Allow to delete collections, which objects were not found in AD import. 0 = don't allow, 1 = allow -->

<customSetting key="ADDeleteLeftoverCollections" type="local" value="0" />

This setting is about filters: if the AD object behind a filter is gone, the filter is either left in the NS with an [X] prefix in its name, or deleted entirely if the setting is “1”.

    • ADSuppressCollectionUpdateTrace

<!-- Suppress intensive profile messages of collection updates. 0 = don't suppress, 1 = suppress -->

<customSetting key="ADSuppressCollectionUpdateTrace" type="local" value="1" />

Extra verbosity setting to produce/suppress more traces when processing collections.

    • ADAutoEnqueueSeconds

<!-- AD import will force data processor doing auto-enqueue, if idled for some time and has data in the queue buffer. 0 = OFF -->

 <customSetting key="ADAutoEnqueueSeconds" type="local" value="0" />

When an import is long and slow, AD Import does not wait to “batch” 100 (or so; the default value) resources discovered in AD, but builds an NSE from whatever amount has been collected in the given time. For example, when the import is fast and 100 resources are found, they are batched out to the NSE generator; when the import is slow and only 10 resources were found in 1 hour, the setting can be used to enqueue every 10 seconds. That might be only 1-2 resources per NSE, but they are still sent.

    • ADScopesUpdate

 <!-- How AD import will update scopes on partial import. 0 = only new scopes will be created, 1 = full update will be performed (slower) -->

 <customSetting key="ADScopesUpdate" type="local" value="0" />

The comment is quite explanatory for this one.

    • ADPreDeleteMembership

<!-- Force membership cleanup prior to full import. This could be slow and while import goes, old resource membership is not available, which is quite bad for roles and accounts. -->

<customSetting key="ADPreDeleteMembership" type="local" value="0" />

Don’t touch this one! There was always too much of an issue when AD import did “cleanup” of the current mappings/memberships before importing, so it’s legacy stuff…

    • ADEnsureNseSequence

<!-- Deliver NSEs in the way, they are sequenced by each rule and will not run in parallel. This will help to avoid deadlocks, 0=OFF, 1=ON  -->

<customSetting key="ADEnsureNseSequence" type="local" value="0" />

AD data NSEs can be processed either in parallel or sequentially. Parallel is faster, but can cause deadlocks on a heavily loaded system. If you experience too many deadlocks, you can set this to “1” to ensure the AD NSEs are processed sequentially. It will take longer, but puts less pressure on the DB.

 

Troubleshooting

How to collect the NSEs generated for the AD Import and extra information for the AD Import process:

  1. Open NS Configurator (under ...\Program Files\Altiris\Notification Server\Bin\Tools) or go directly to the CoreSettings.config file.
  2. Search for "ADSaveDiscoveryResults" and click on Enabled (or set it to 1 in CoreSettings.config). Save the change.
    Note: For more detailed logging of the AD Import process, you can set "ADVerboseLevel" to 3. This is the Ultra verbose level for AD Import.
  3. Run the desired AD Import rule and let it finish.
  4. Go to C:\ProgramData\Symantec\SMP\ and find the "DirectoryServices" folder. Review its contents.
  5. Disable "ADSaveDiscoveryResults".
  • You should see the NSEs that are created from the LDAP call and what we are receiving back.
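A check to run once the collection steps above are done, as an added example (not Symantec tooling): it reads a CoreSettings.config fragment and reports AD Import settings still at their troubleshooting values or differing from the values shown in this article. The sample XML is constructed, its `<settings>` root element is hypothetical, and finding ADVerboseLevel as a customSetting entry is an assumption.

```python
import xml.etree.ElementTree as ET

# Values this article shows for each AD Import Core Setting (used as the baseline).
ARTICLE_VALUES = {
    "ADSaveDiscoveryResults": "0",
    "ADDeleteLeftoverCollections": "0",
    "ADSuppressCollectionUpdateTrace": "1",
    "ADAutoEnqueueSeconds": "0",
    "ADScopesUpdate": "0",
    "ADPreDeleteMembership": "0",
    "ADEnsureNseSequence": "0",
}

# Constructed sample: a config fragment left behind after a troubleshooting
# session. The <settings> wrapper is a hypothetical root element.
SAMPLE_CONFIG = """\
<settings>
  <customSetting key="ADSaveDiscoveryResults" type="local" value="3" />
  <customSetting key="ADVerboseLevel" type="local" value="3" />
  <customSetting key="ADPreDeleteMembership" type="local" value="1" />
  <customSetting key="ADEnsureNseSequence" type="local" value="0" />
  <customSetting key="ADScopesUpdate" type="local" value="0" />
</settings>
"""

def audit_ad_import_settings(config_xml):
    """Return {key: finding} for AD Import settings that need attention."""
    settings = {e.get("key"): (e.get("value") or "").strip()
                for e in ET.fromstring(config_xml).iter("customSetting")}
    findings = {}
    for key, value in settings.items():
        if key == "ADSaveDiscoveryResults" and value != "0":
            # Discovery results (directory data) keep being written to disk.
            findings[key] = f"still {value}: results keep landing in DirectoryServices; reset to 0"
        elif key == "ADVerboseLevel" and value == "3":
            findings[key] = "still 3 (ultra verbose); remove the extra logging"
        elif key == "ADPreDeleteMembership" and value != "0":
            findings[key] = "membership cleanup runs before full import; the article says not to touch this"
        elif key in ARTICLE_VALUES and value != ARTICLE_VALUES[key]:
            findings[key] = (f"{value} differs from the {ARTICLE_VALUES[key]} "
                             "shown in the article; confirm it is intentional")
    return findings

if __name__ == "__main__":
    for key, finding in audit_ad_import_settings(SAMPLE_CONFIG).items():
        print(f"{key}: {finding}")
```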

 

Also:

  • Please enable the 'Ultra' log mode for the Altiris Log Viewer:
  1. Go to Options>Extended Verbosities>SMP Core>Common>Active Directory. Set to Ultra. Save.
  2. Go to Options>Log Options> and make sure Trace, Verbose, and Debug are also selected. Click OK.
  • With these options enabled in the logs and ADSaveDiscoveryResults on, run the AD Import and review the files created and the NS logs just for that period of time.
  • Please verify these registry values reflect the changes done above:
    • HKLM\SOFTWARE\Altiris\eXpress\Event Logging\LogFile
      • "Severity" should be 1F(Hex)    --Error, Warning, Info, Trace, & Profile (FF works too)
      • "SeverityStreams" should be 18(Hex)    -- Trace & Profile maintain their own set of files
    • HKLM\SOFTWARE\Altiris\eXpress\Notification Server
      • "ADVerboseLevel"  should be 3


  • In some instances, it is advised to target a specific Domain Controller rather than the whole domain. Some Domain Controllers may not be in sync due to data propagation delays.
  • The NS logs in Trace mode usually show which domain controller the import is connecting to:

    4/8/2022 7:25:04 AM
    RoleAccountMembership
    Processed 219 previously known memberships, changes: joins=0, leaves=207, known=219, unchanged=0, rule=d749ca3e-ef02-43e5-b55e-ef0bb8bf8adf

    4/8/2022 7:25:01 AM
    RolesAndAccounts
    [2/3] Building preimport directory map from 12 discovered containers in ‘domain.com' (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})

    4/8/2022 7:25:01 AM
    LDAPExporter::GetDirectoryDataFromGroups
    Importing directory group members from server: ‘MyServer-DC01.example.com' (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})

  • Let them stick to a particular DC of their choice, and the data should be consistent.

 

Understanding NS log entries

The following is an example of usual NS log entries for the AD Import process:

  • Entry 1:

Task is starting... (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})

-----------------------------------------------------------------------------------------------------

Process: AeXSvc (1560), Thread ID: 141, Module: AeXSVC.exe

Priority: 4, Source: DirectoryImportTask::DoDirectoryImportTask

  • Entry 2:

Configuring import rule {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF}, server=example.com, type=AD

-----------------------------------------------------------------------------------------------------

Process: AeXSvc (1560), Thread ID: 141, Module: AeXSVC.exe

Priority: 4, Source: DirectoryImportSettings::ConfigureImportRule

  • Entry 3:

[1/3] Discovering import tree from: symantec.com (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})

-----------------------------------------------------------------------------------------------------

Process: AeXSvc (1560), Thread ID: 268, Module: AeXSVC.exe

Priority: 4, Source: DirectoryItemImporter:DiscoverTree

  • Entry 4:

[2/3] Building preimport directory map from 11 discovered containers in ‘example.com' (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})

-----------------------------------------------------------------------------------------------------

Process: AeXSvc (1560), Thread ID: 268, Module: AeXSVC.exe

Priority: 4, Source: RolesAndAccounts

  • Entry 5:

Processed 11 previously known memberships, changes: joins=0, leaves=0, known=11, unchanged=11, rule=d749ca3e-ef02-43e5-b55e-ef0bb8bf8adf

-----------------------------------------------------------------------------------------------------

Process: AeXSvc (1560), Thread ID: 268, Module: AeXSVC.exe

Priority: 4, Source: RoleAccountMembership

  • Entry 6:

Loaded roles and accounts: total=11 in 00:00:00.2968950, speed=37 i/s, rule={D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF}

-----------------------------------------------------------------------------------------------------

Process: AeXSvc (1632), Thread ID: 57, Module: AeXSVC.exe

Priority: 4, Source: SecureDataProcessor

  • Entry 7:

Loaded roles and accounts: total=100 in 00:00:03.8600602, speed=25 i/s, rule={D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF}

-----------------------------------------------------------------------------------------------------

Process: AeXSvc (1632), Thread ID: 21, Module: AeXSVC.exe

Priority: 4, Source: SecureDataProcessor

  • Entry 8:

Completed importing 111 resources from groups.

-----------------------------------------------------------------------------------------------------

Process: AeXSvc (1632), Thread ID: 62, Module: AeXSVC.exe

Priority: 4, Source: LDAPExporterThread

  • Entry 9:

Resource import has completed for rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF}

-----------------------------------------------------------------------------------------------------

Process: AeXSvc (1632), Thread ID: 62, Module: AeXSVC.exe

Priority: 4, Source: DirectoryImporter

  • Entry 10:

************** Directory Import Id {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF} has completed creating items and NS messages for data loading. Note: not all exported resources will appear in the NS console until the NS has completed loading all the data from the exported NS messages.

-----------------------------------------------------------------------------------------------------

Process: AeXSvc (1632), Thread ID: 62, Module: AeXSVC.exe

Priority: 4, Source: DirectoryImporter

 

If the NS logs are at Verbose level while running AD Import, you should also see the LDAP query used to bring in the desired resources:

AD Search: GcBatchedPreloadThreadEntry.LoadMembers
root: GC://AM.example.com
 batch: domain=DC=AM,DC=example,DC=com, count=7

 filter: (&(|(objectCategory=user)(objectCategory=person)(objectCategory=inetOrgPerson)(objectCategory=foreignSecurityPrincipal))(|(memberOf=CN=LLY_AltirisSWDAdminsP,OU=Universal Groups,OU=Groups,DC=AM,DC=domain,DC=com)(primaryGroupID=685302)(memberOf=CN=LLY_AltirisReportsUsersR,OU=Universal Groups,OU=Groups,DC=AM,DC=domain,DC=com)(primaryGroupID=685310)(memberOf=CN=LLY_AltirisReportsAdminsP,OU=Universal Groups,OU=Groups,DC=AM,DC=domain,DC=com)(primaryGroupID=685304)(memberOf=CN=LLY_AltirisRDMUsersR,OU=Universal Groups...
properties(10): objectGUID, objectClass, uSNChanged, objectSid, primaryGroupID, distinguishedName, memberOf, displayName, mail, sAMAccountName

-----------------------------------------------------------------------------------------------------

Tick Count: 522231859 (6.01:03:51.8590000), Size: 1019 B
Process: AeXSvc (1344), Thread ID: 101, Module: AeXSVC.exe
Priority: 16, Source: GcBatchedPreloadThreadEntry
File: C:\ProgramData\Symantec\SMP\Logs\a.log

 

Knowing when resources are removed from AD Import

NS log example when resources are removed:

  • Entry 1:
    [2/3] Building preimport directory map from 12 discovered containers in ‘exampleDC1.com' (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})
    -----------------------------------------------------------------------------------------------------
    Source: RolesAndAccounts

  • Entry 2:
    Processed 219 previously known memberships, changes: joins=0, leaves=207, known=219, unchanged=0, rule=d749ca3e-ef02-43e5-b55e-ef0bb8bf8adf
    -----------------------------------------------------------------------------------------------------
    Source: RoleAccountMembership

 

NS log example when resources remain:

  • Entry 1:

[2/3] Building preimport directory map from 12 discovered containers in ‘exampleDC2.com' (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})

-----------------------------------------------------------------------------------------------------

Source: RolesAndAccounts

  • Entry 2:

    Processed 219 previously known memberships, changes: joins=0, leaves=0, known=219, unchanged=0, rule=d749ca3e-ef02-43e5-b55e-ef0bb8bf8adf

-----------------------------------------------------------------------------------------------------

Source: RoleAccountMembership
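
An added example (not part of the original article or the product): a parser for the RoleAccountMembership lines shown above that pairs each one with the domain or server logged for the same rule and flags runs where most known memberships leave. The 50% threshold and oldest-first line order are assumptions; the sample lines are constructed from the entries in this article.

```python
import re

GUID = r"\{?([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}?"
Q = "[‘’'\"]"          # the log mixes typographic and plain quotes around names
NAME = "([^‘’'\"]+)"
MEMBERSHIP = re.compile(
    r"Processed (\d+) previously known memberships, changes: joins=(\d+), "
    r"leaves=(\d+), known=(\d+), unchanged=(\d+), rule=" + GUID)
SERVER = re.compile("from server: " + Q + NAME + Q + r" \(rule: " + GUID + r"\)")
DOMAIN = re.compile("discovered containers in " + Q + NAME + Q + r" \(rule: " + GUID + r"\)")

# Constructed sample, assembled from the log entries shown in this article,
# oldest line first: one run where memberships are removed, one where they remain.
SAMPLE_LOG = """\
Importing directory group members from server: ‘MyServer-DC01.example.com' (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})
[2/3] Building preimport directory map from 12 discovered containers in ‘exampleDC1.com' (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})
Processed 219 previously known memberships, changes: joins=0, leaves=207, known=219, unchanged=0, rule=d749ca3e-ef02-43e5-b55e-ef0bb8bf8adf
Priority: 4, Source: RoleAccountMembership
[2/3] Building preimport directory map from 12 discovered containers in ‘exampleDC2.com' (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})
Processed 219 previously known memberships, changes: joins=0, leaves=0, known=219, unchanged=0, rule=d749ca3e-ef02-43e5-b55e-ef0bb8bf8adf
Priority: 4, Source: RoleAccountMembership
"""

def membership_changes(log_text, alert_ratio=0.5):
    """One summary per 'Processed ... memberships' line, in log order.

    alert_ratio is an assumed threshold: the share of known memberships
    that must leave in a single run before the run is flagged.
    """
    context, runs = {}, []  # context: rule GUID -> names seen since its last run
    for line in log_text.splitlines():
        if m := SERVER.search(line):
            context.setdefault(m.group(2).lower(), {})["server"] = m.group(1)
        elif m := DOMAIN.search(line):
            context.setdefault(m.group(2).lower(), {})["domain"] = m.group(1)
        elif m := MEMBERSHIP.search(line):
            joins, leaves, known = (int(m.group(i)) for i in (2, 3, 4))
            rule = m.group(6).lower()  # GUID case and braces vary between lines
            seen = context.pop(rule, {})
            ratio = leaves / known if known else 0.0
            runs.append({"rule": rule, "server": seen.get("server"),
                         "domain": seen.get("domain"), "joins": joins,
                         "leaves": leaves, "known": known,
                         "leave_ratio": round(ratio, 3),
                         "alert": known > 0 and ratio >= alert_ratio})
    return runs

if __name__ == "__main__":
    for run in membership_changes(SAMPLE_LOG):
        flag = "ALERT" if run["alert"] else "ok"
        print(f"{flag:5} rule={run['rule']} domain={run['domain']} "
              f"server={run['server']} leaves={run['leaves']}/{run['known']}")
```

If the lines are copied from a newest-first view such as the Log Viewer, reverse them before parsing so each domain or server line precedes its membership line.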

 

Missing Computers on OU Filters after AD Import

Use case:

The customer noticed that some computers are not being placed in the proper OU filters after an AD Import. The computers are present under Manage>Computers, and the AD Import Reports show that these machines were imported by that AD Import Rule.

What to collect?

    1. Open coreSettings.config (under c:\programdata\symantec\smp\settings) or go to SMP Console>Notification Server>Core Setting.

    2. Search for "ADSaveDiscoveryResults" and change the value from '0' to '3'. Save the change.

    3. Enable the 'Ultra' log mode for the Altiris Log Viewer: go to Options>Extended Verbosities>SMP Core>Common tab>Active Directory. Set to Ultra. Save.

    4. Go to Options>Log Options>NS Settings and make sure Trace, Verbose, and Debug are also selected. Click OK.
      Also check that the Trace and Verbose options under Severity Streams are selected. This keeps a copy of those entries in their own set of log files.


    5. Run the Computer AD Import rule, let it finish, and try to duplicate the issue.

    6. Change "ADSaveDiscoveryResults" back to its default value (which is '0') and remove the extra logging.

    7. Go to C:\ProgramData\Symantec\SMP\ and find the "DirectoryServices" folder. Zip the folder and review what has been populated.

    8. Grab the NS logs for that period of time and review the AD Import process. You should see the NSEs that are created from the LDAP call and what we are receiving back.


What to check?

  1. Check Resource Manager for one of those machines. Under Views>Inventory>Data Classes>Directory Connector you may notice that, for the computers missing from the AD Import Filter, OU Membership was missing.
  2. Look at “Reports>Notification Server Management>Microsoft Active Directory>Resources Imported Per Import Rule”, select the import rule used to bring in these machines, and check under the 'Modified Date' column whether these machines were actually imported in the past and recently.
  3. Check the 'ResourceUpdateSummary' table using the GUIDs of some of the missing machines. You may find that these machines are either missing a DataHash entry or that it has not been updated recently for the Inv_OU_Membership dataclass.
  4. The following query should find which machine resources are affected by this:

    -- Summary rows for this inventory class that have no matching Inv_OU_Membership data
    select * from ResourceUpdateSummary rus
    left join Inv_OU_Membership ou on ou._ResourceGuid = rus.ResourceGuid
    where InventoryClassGuid = '7FDC0F4A-6B51-44CB-9287-F69A2CCD2B9E'
    and ou._ResourceGuid is null
    and rus.[RowCount] != '0'
  5. Clear out those outdated entries and then let AD Import repopulate them as needed. We used the following query to clean them out:

    -- Same filter as the select above; removes only the orphaned summary rows
    delete rus from ResourceUpdateSummary rus
    left join Inv_OU_Membership ou on ou._ResourceGuid = rus.ResourceGuid
    where InventoryClassGuid = '7FDC0F4A-6B51-44CB-9287-F69A2CCD2B9E'
    and ou._ResourceGuid is null
    and rus.[RowCount] != '0'
  6. Run a Delta AD Import and let the Delta Resource Update schedule run.
  7. See "If machines or users are manually moved to a different OU in Active Directory, the change is not reflected in the ITMS Console after an AD Import" (KB 162662).

 

Additional Information

  • HOWTO84090 "Active Directory Import FAQ"
  • TECH233666 "If machines are manually moved to a different OU in Active Directory, the change is not reflected in the ITMS Console after an AD Import"
  • TECH234772 "AD import computers rule: Removing OU from import and adding it back later only adds 30% of computers in corresponding organizational group"
  • TECH234242 "Unable to add custom dataclass to AD Import Default Column Mappings: they are not listed for selection"
  • INFO3712 "AD Import in a Hierarchy"
  • HOWTO100338 "Filters with a [x] in front of their name"
  • TECH223837 "Filters created during Active Directory import (OU or Security Groups) are displayed with distinguished name instead of canonical name"
  • TECH234636 "Importing a Security Group under a Role and Account AD Import Rule is not creating an AD Import Filter"
  • TECH233402 "Computers that are deleted from Active Directory are not being deleted from the Symantec_CMDB"
  • ITMS 8.0 HF1 - What has changed in the Symantec Management Console, on the Microsoft Active Directory Import page?
  • TECH234748 "Role and Account AD Import Rule: Users imported are gone randomly"
  • TECH236378 "AD Import Rules stuck on 'Starting Import rule….' state"