+1
Completed
Bob Bradley 1 year ago • updated 4 weeks ago 10

The native AD MA for the FIM Sync service has long had an optional configuration section for preferred DCs, so that administrators can nominate an ordered list of preferred DCs to connect to for imports/exports. When this is used with Event Broker, especially in forests where there are delays in AD replication between DCs, the result can be that Event Broker detects a change before it is replicated to the DC from which FIM is connecting. This generally results in a missed change.


A feature to configure the AD agent exactly in line with that in the corresponding AD MA is suggested here.

+1
Under review

Thanks Bob, it's on our backlog (VSTS), it just never got prioritised. Could you explain how it'd work in a little more detail? Are we talking about the AD check changes operation? What is the trigger for attempting the operation on a different connection? An exception, a timeout, not finding a change?


Thanks.

+1

Yes the AD check changes operation is the one Adam. As with FIM, the trigger is a failed connection on either error or timeout - not finding a change should count as a success. The reason this came up is because @CSODBB the list of preferred DCs had remained misconfigured for a long time after several DCs were decommissioned. See attached

I just remembered that uSNChanged isn't replicated, so this won't work nicely for AD Changes operation. We could have it store different values, but then it'd always trigger a change if any of the servers can't be connected to. AD Sync changes should work as I believe the mechanism is replicated.

+1

Yes that's correct about the replication issue - this would be for the AD Sync changes mechanism I always use wherever I can now. However this will STILL be of benefit in AD Changes operation too ... simply aligning the FIM AD MA with Event Broker will mean both FIM and Event Broker are reading the same uSNChanged value 99/100. And if Event Broker fails to connect and flicks to the second in the list, so should FIM right?

+1

Thanks, I'll update the details on the issue and increase the priority.

Just adding that now for QBE this problem is very real, and such a feature would drastically improve the solution IMHO.

Consider the listen operation on fail:

System.DirectoryServices.Protocols:
 System.DirectoryServices.Protocols.DirectoryOperationException: The server is unavailable.
    at System.DirectoryServices.Protocols.LdapPartialResultsProcessor.GetPartialResults(LdapPartialAsyncResult asyncResult)
    at Unify.Product.EventBroker.OpenLDAPListenPlugIn.ResultsCallback(IAsyncResult result)

Other related exceptions written to the EvB logs:

Subject: MIM (PROD): 20160809 - UNIFY FIM Event Broker:Operations
Importance: High

Operation 9fcae6b2-dad4-456a-9afd-7e8b12579c9c failed in
operation list with id b7e59dbc-3c7e-42a6-bff8-344e6a95ddfa for the following
reason. This is retry number 0: System.DirectoryServices.DirectoryServicesCOMException
(0x800700EA): More data is available.
   at
System.DirectoryServices.SearchResultCollection.ResultsEnumerator.MoveNext()
   at
System.DirectoryServices.SearchResultCollection.get_InnerList()
   at System.DirectoryServices.SearchResultCollection.get_Count()
   at
Unify.Product.EventBroker.ADSyncChangesPlugIn.GetChanges(DirectorySearcher
searcher)
   at
Unify.Product.EventBroker.ADChangesPlugInBase.Check()
   at
Unify.Product.EventBroker.OperationListExecutorBase.RunCheck(ICheckOperationFactoryInformation
checkOperation)


Subject: MIM (PROD): 20160807 - UNIFY FIM Event
Broker:OpenLDAPTriggerPlugIn.ResultsCallback.Error (au.qbe.pri
[176bac1b-68cc-4360-a1c8-1ed4e9e41929])
Importance: High
System.DirectoryServices.Protocols:
System.ArgumentException: The async result is invalid.
   at
System.DirectoryServices.Protocols.LdapPartialResultsProcessor.GetPartialResults(LdapPartialAsyncResult
asyncResult)
   at
Unify.Product.EventBroker.OpenLDAPListenPlugIn.ResultsCallback(IAsyncResult
result)