removing cross-domain AD memberships

We are observing a strange behavior with the AD provisioning in 7.1.3, that might be a basic configuration issue.

We have different AD domains configured via variable sets in the same sync project.
We can add users and computers to AD groups of different realms, however, we can not remove them.

From IM point of view, the memberships have been removed just fine. The provisioning logs state that the action for the AD group has been successful for Update vrtMembersSID with a minus (-) and the SID of the object to be removed, as expected. The problem is that the membership in question still remains in AD, although it was "successfully" deprovisioned.

I understand there are some implications when dealing with cross-domain memberships that need to be taken into account. I assumed that the AD connector handles these things. Did we miss something? It is particularly strange that we can ADD but not REMOVE such memberships. Is there a way to enable more detailed provisioning logs?

  • Hi Christian,

    What are the domain relationships? I.e., parent-child; same forest, different forest? Two-way transitive trust? Etc.

    What do you mean by "configured via variable sets in the same sync project"?

    The instructions to enable TRACE logging are here: https://support.oneidentity.com/identity-manager/kb/261074/how-to-enable-trace-logging

    Trevor

  • Hi Trevor,

    The domains in question are in the same forest, at the same level under the tree root. Transitive trusts of type "Shortcut" are present in both directions between the two domains.

    We have one sync project for both domains, using variable sets to specify only different CP_ADRootDN and CP_ADServer for each domain (the domains are managed through different servers). The project was created in 7.0.1 and we haven't applied any patches (7.1.3 now); there are warnings under the vrtMembersSID mapping rule (yellow triangle): "...There is no mapping for this schema type, which was defined for the many-to-many mapping", but the provisioning works generally.

    I don't understand how we are able to add, but not to remove group memberships using projection. Can this be caused by mis-configuration at all? I can manually remove the memberships using "Active Directory Users and Computers", using the same user account that the sync project uses. I suspect there could be an issue resolving the object from the other domain, but shouldn't the same issue then apply when adding the membership?

    I enabled Trace level logging but couldn't find any obvious errors from my understanding. The most suspicious lines I found were along "There are no differences of failed objects to the previous execution of step (group)! These failures do not cause a retry!"

  • I strongly suggest to re-create your synchronization project in 7.1.3, as it has changed quite a bit between the two versions mentioned.

    Starting from that, you are able to patch your sync project if necessary in the future (Sync project patching has first been introduced with version 7.1).

  • We are currently experiencing the same behaviour in version 8.0.2.

    AD cross-domain membership added successfully. Deleting this membership gives no error in the Synchronization log and no error in the jobservice log, but gives the following errors in StdioProcessor.log:

    2019-06-25 09:40:39.1026 INFO (SystemConnector d5c02f27-f796-47bd-97a5-97c88ddc15f8) :   Error 80072035 writing object was tolerated because the object is a system object and cannot be changed.
    2019-06-25 09:40:39.1026 ERROR (SystemConnector d5c02f27-f796-47bd-97a5-97c88ddc15f8) :   The server is unwilling to process the request.
     
    2019-06-25 09:40:39.1026 WARN (SystemConnector d5c02f27-f796-47bd-97a5-97c88ddc15f8) :   Object not committed successfully. Retrying using single property commit.
    2019-06-25 09:40:39.1182 INFO (SystemConnector d5c02f27-f796-47bd-97a5-97c88ddc15f8) :   Error 80072035 writing object was tolerated because the object is a system object and cannot be changed.
    2019-06-25 09:40:39.1182 INFO (SystemConnector d5c02f27-f796-47bd-97a5-97c88ddc15f8) :   Error 80072035 writing property vrtMembersAllDn was tolerated because the value to delete is already included.
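As an added example (not code from the thread or from One Identity), a small Python triage script that parses lines in the StdioProcessor.log format shown above and flags connector sessions in which a hard ERROR was followed by "tolerated" write errors, which is exactly the pattern that lets a failed membership removal look successful in the synchronization log. The sample lines are constructed from the excerpt above plus one healthy session, and the line-format regex is an assumption derived from that excerpt.

```python
import re
from collections import defaultdict

# Constructed sample: the four problem lines from the post above, plus one
# healthy session (fake GUID) so the filter has something to ignore.
SAMPLE_LOG = """\
2019-06-25 09:40:39.1026 INFO (SystemConnector d5c02f27-f796-47bd-97a5-97c88ddc15f8) :   Error 80072035 writing object was tolerated because the object is a system object and cannot be changed.
2019-06-25 09:40:39.1026 ERROR (SystemConnector d5c02f27-f796-47bd-97a5-97c88ddc15f8) :   The server is unwilling to process the request.
2019-06-25 09:40:39.1026 WARN (SystemConnector d5c02f27-f796-47bd-97a5-97c88ddc15f8) :   Object not committed successfully. Retrying using single property commit.
2019-06-25 09:40:39.1182 INFO (SystemConnector d5c02f27-f796-47bd-97a5-97c88ddc15f8) :   Error 80072035 writing object was tolerated because the object is a system object and cannot be changed.
2019-06-25 09:40:39.1182 INFO (SystemConnector d5c02f27-f796-47bd-97a5-97c88ddc15f8) :   Error 80072035 writing property vrtMembersAllDn was tolerated because the value to delete is already included.
2019-06-25 09:41:02.0001 INFO (SystemConnector 11111111-2222-3333-4444-555555555555) :   Object committed successfully.
"""

# Assumed line layout: "<timestamp> <LEVEL> (SystemConnector <guid>) :   <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<level>[A-Z]+) \(SystemConnector (?P<session>[0-9a-f-]{36})\) :\s+(?P<msg>.*)$"
)
# "Error <hex code> writing object|property <name> was tolerated ..."
TOLERATED_RE = re.compile(
    r"Error (?P<code>[0-9A-Fa-f]{8}) writing (?P<target>object|property \S+) was tolerated"
)


def parse_lines(text):
    """Yield one dict per line that matches the StdioProcessor layout; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_silent_failures(text):
    """Group entries by connector session and return the sessions in which an
    ERROR occurred and a later write error was merely 'tolerated'. Those are the
    runs where the AD write was rejected but the job still reports success."""
    sessions = defaultdict(list)
    for entry in parse_lines(text):
        sessions[entry["session"]].append(entry)
    findings = {}
    for session, entries in sessions.items():
        errors = [e["msg"] for e in entries if e["level"] == "ERROR"]
        matches = [TOLERATED_RE.search(e["msg"]) for e in entries]
        tolerated = [(m.group("code"), m.group("target")) for m in matches if m]
        if errors and tolerated:
            findings[session] = {"errors": errors, "tolerated": tolerated}
    return findings
```

Running it over a real StdioProcessor.log and comparing the flagged sessions against the "successful" entries in the synchronization log shows which removals never actually reached AD.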

  • I have stumbled upon the following support article:

    https://support.oneidentity.com/de-de/kb/263513/users-are-not-removed-from-universal-groups-by-identity-manager

    However, we cannot apply this hotfix in our version. Maybe it helps in your case.

  • Thank you very much, Christian!

    The hotfix did solve the problem indeed, even though our domains are not in a parent/child relation as mentioned in the KB article.