Identity Firewall (IDFW) Active Directory Organizational Unit ( OU ) isn't displayed when selecting OU's to sync
Article ID: 436536

Updated On:

Products

VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

When using the Identity Firewall (IDFW) with large Active Directory environments, users must select individual OUs to sync, but some OUs are not displayed in the list and therefore cannot be selected.

Cause

- When setting up the Identity Firewall, users must create an Identity Firewall AD. In large Active Directory environments, the user must select specific Organizational Units to keep the number of Group and User objects within the supported limits.

- After clicking "All", the following screen is shown, but some OUs are missing from the list.

- The permissions of the user account used to sync the AD server need to be tested. This user is found in the LDAP server configuration.

- Test the permissions with dsquery from a Windows machine, not with Get-ADUser: dsquery performs an LDAP lookup, which mimics how NSX queries the directory, whereas Get-ADUser can return data even when the LDAP query does not have permission. Preferably test from an Active Directory server.

  • Log into a PowerShell window as the sync user shown in the screenshot above.

  • Run the following, substituting the distinguished name of the missing OU:
      PS C:\Users\Administrator> dsquery ou OU=########,DC=####,DC=####
    • If the user has permission, it will show
      "OU=########,DC=####,DC=####"

    • If the user does not have permission, it will show
      dsquery failed:The specified directory service attribute or value does not exist.
      type dsquery /? for help.
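As an added example (not part of this article), the dsquery check above can be run over every OU that is missing from the sync list to find out which ones the sync user cannot read via LDAP. It assumes it is run in a PowerShell session started as the sync user on a Windows machine with dsquery available; the OU distinguished names are placeholders.

```powershell
# Added example (not from the KB article): report which candidate OUs the
# IDFW sync user can read through an LDAP lookup, using the same dsquery
# check the article describes. Run in a PowerShell session started as the
# sync user, preferably on a domain controller.
# Placeholder DNs: replace with the OUs that are missing from the NSX list.
$candidateOUs = @(
    'OU=Placeholder-OU-1,DC=example,DC=local',
    'OU=Placeholder-OU-2,DC=example,DC=local'
)

function Test-OuReadable {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # "dsquery ou <DN>" performs an LDAP search the way NSX does. On success it
    # echoes the quoted DN; on a permission problem it prints
    # "dsquery failed: ..." instead and the DN is absent from the output.
    $output   = & dsquery ou $DistinguishedName 2>&1 | Out-String
    $readable = ($LASTEXITCODE -eq 0) -and
                ($output -match [regex]::Escape($DistinguishedName))
    [pscustomobject]@{
        OU       = $DistinguishedName
        Readable = $readable
        Detail   = $output.Trim()
    }
}

$results = $candidateOUs | ForEach-Object { Test-OuReadable -DistinguishedName $_ }
$results | Format-Table -AutoSize

# Any OU the sync user cannot read will also be missing from the NSX OU list.
$missing = @($results | Where-Object { -not $_.Readable })
if ($missing.Count -gt 0) {
    $msg = 'The sync user cannot read {0} OU(s). Grant Read on those OUs (or use a ' +
           'sync user that has it), then perform a full sync in NSX.'
    Write-Warning ($msg -f $missing.Count)
}
```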

Resolution

  • Either add permissions on the OU so that the sync user can read it, or create a new sync user with the appropriate permissions.
  • Perform a full sync after the permission change.
  • The OU should now appear in the list.