This issue only occurs after changing the AD servers configured in NSX.
After adding, removing, or editing groups within Active Directory, performing a delta sync from NSX does not sync the changes. The changes are only synchronized once a full sync is performed.
Example:
A new group named "IDFW AD Group" was added into Active Directory and then a delta sync was performed.
From /var/log/proton/nsxapi.log on the NSX Manager:
The Delta Sync completes very quickly (DB update count: 1) and does not sync the new group:
2025-02-04T16:11:06.937Z INFO LdapSyncTask LdapSyncContext 75657 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] === Start to process Delta sync request on domain: xxxxxx
2025-02-04T16:11:06.969Z INFO LdapSyncTask CompositeConnector 75657 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] try LDAP connector Simple Connector to connect to LDAP server: xxxxxxxx
2025-02-04T16:11:07.582Z INFO LdapSyncTask AdSearchResultReader 75657 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Start to search for domain: {Domain| xxxxx }, rootDn: , base on filter: (&(|(objectClass=organizationalUnit)(objectClass=builtinDomain)(objectClass=container))(uSNChanged>=xxxxxxxxx))
2025-02-04T16:11:07.622Z INFO LdapSyncTask LdapSyncContext 75657 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] === Finish process Delta sync request for domain (xxxxx) done in 1.684 sec (avg: 1.919 sec), DB update count: 1 (1684.0 ms each)
*The relevance of the uSNChanged value in the search filter is described in the Cause section.
Then when performing a Full Sync, we can see that the group is synced:
2025-02-04T16:13:13.772Z INFO LdapSyncTask LdapSyncContext 75657 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] === Start to process Full sync request on domain: xxxxxx
2025-02-04T16:13:13.775Z INFO LdapSyncTask CompositeConnector 75657 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] try LDAP connector Simple Connector to connect to LDAP server: xxxxxx
2025-02-04T16:13:23.520Z INFO LdapSyncWorker-67-1 LdapObjectProcessor 75657 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] populateData(CN=IDFW AD Group,OU=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,DC=xxxx,DC=xx): dnModified: false
2025-02-04T16:13:35.282Z INFO LdapSyncTask LdapSyncContext 75657 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] === Finish process Full sync request for domain (xxxx) done in 22.508 sec (avg: 24.636 sec), DB update count: 5093 (4.4193993 ms each)
NSX 3.x
NSX 4.x
After the initial full sync, NSX tracks object changes on the AD server with delta synchronization. A delta sync queries only objects whose uSNChanged attribute is greater than or equal to the watermark NSX recorded from the previous sync (the uSNChanged>= value in the search filter above). As described in the Microsoft documentation on polling for changes using USNChanged, the Update Sequence Number is a counter local to each domain controller and is not replicated: the same object carries a different uSNChanged value on every DC, and the highest committed USN of one DC has no meaning on another. A client that switches DCs must therefore either restart with a full sync or re-establish a watermark that is valid for the new DC. NSX currently does not account for this and re-uses the watermark taken from the old AD server against the newly configured one. Depending on how far that server's USN counter has advanced, the delta query either matches nothing (changes are missed, as in the example) or matches far more than the real changes, so a delta sync may work against one configured AD server and not another.
Workaround:
Identify the AD server that can be synced successfully: take the uSNChanged watermark from the delta sync search filter in nsxapi.log (the number after uSNChanged>=), then issue the following command from PowerShell on each of the AD servers that are configured in NSX (or from one management host, adding -Server <DC FQDN> to target each server in turn).
Get-ADGroup -Filter 'uSNChanged -ge <uSNChanged #>'
Example:
Get-ADGroup -Filter 'uSNChanged -ge 5123921'
The AD server whose USN counter the watermark came from returns a list that includes the group you just added or changed, while the others return nothing (or, if their counter is far ahead, an unrelated list without that group). Confirm the expected group is in the output before deciding, then remove the "non-working" AD servers from the NSX IDFW AD configuration.
Alternatively, configure one AD server at a time within NSX, perform a delta sync, and repeat until you determine which AD server syncs successfully.
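The following PowerShell is an added example and not part of this article or of NSX; it runs the workaround above in one pass: it extracts the uSNChanged watermark from a delta sync log line, queries each configured AD server with that watermark, and reports each server's own highest committed USN next to the result. The server names, the group name and the log line are constructed placeholders; the RSAT ActiveDirectory module is assumed to be installed and the account running it is assumed to have read access to the domain.

```powershell
# Added example, not from the KB or from NSX. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Hypothetical: the AD servers configured under the NSX IDFW Active Directory settings.
$adServers = @('dc01.corp.example', 'dc02.corp.example', 'dc03.corp.example')

# Hypothetical: the group you just added in AD and expect the delta sync to pick up.
$expectedGroup = 'IDFW AD Group'

# Constructed copy of the delta sync search line; in practice copy it from
# /var/log/proton/nsxapi.log on the NSX Manager (grep "Start to search for domain").
$logLine = '2025-02-04T16:11:07.582Z INFO LdapSyncTask AdSearchResultReader 75657 INVENTORY ' +
           '[nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Start to search for domain: ' +
           '{Domain| corp.example }, rootDn: , base on filter: (&(|(objectClass=organizationalUnit)' +
           '(objectClass=builtinDomain)(objectClass=container))(uSNChanged>=5123921))'

# Pull the watermark NSX used out of the LDAP filter.
if ($logLine -match 'uSNChanged>=(\d+)') {
    $usn = [int64]$Matches[1]
} else {
    throw 'No uSNChanged watermark found in the log line'
}
Write-Host "NSX delta sync watermark: uSNChanged >= $usn"

foreach ($dc in $adServers) {
    # Each DC keeps its own USN counter (uSNChanged is not replicated), so the same
    # watermark selects different objects, or nothing, on every server.
    $rootDse = Get-ADRootDSE -Server $dc
    $groups  = @(Get-ADGroup -Server $dc -Filter "uSNChanged -ge $usn")
    $hasExpected = [bool]($groups | Where-Object { $_.Name -eq $expectedGroup })

    if ($hasExpected) {
        $verdict = 'watermark belongs to this DC: keep in NSX'
    } elseif ($groups.Count -eq 0) {
        $verdict = 'nothing at/after watermark: remove from NSX IDFW config'
    } else {
        $verdict = 'returns groups but not the new one (USN counter ahead): remove from NSX IDFW config'
    }

    [pscustomobject]@{
        Server              = $dc
        HighestCommittedUSN = $rootDse.highestCommittedUSN
        GroupsAtOrAboveUSN  = $groups.Count
        ExpectedGroupFound  = $hasExpected
        Verdict             = $verdict
    }
}
```

The highestCommittedUSN column makes the cause visible: the DC whose counter is at or a little above the watermark is the one NSX was synced against, while a DC whose counter is well below it can never return anything for that filter and a DC whose counter is far above it returns unrelated groups. Run it from a management host with network access to all configured DCs, or drop the -Server arguments and run it on each DC locally as the article describes.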
Permanent Fix:
A permanent fix will be available in a future NSX release.