2 Replies Latest reply on Jan 28, 2009 2:03 AM by SBAdmin

    AD Connector problem

      Hi all,

      I am still running version 4.2 of Safeboot and I have a problem while manually running the Active Directory Connector sync:

      The login of the AD Connector account works and it finds/lists all relevant users based on a group membership in the "Run Now" window. But while syncing I receive the following message for all users: "...change attribute older than current users: Ignoring other changes".

      I should add that we use Smartcards (Aladdin eToken) with certificates. That means the certificates are published in AD and the information about the certificates should be sync'ed to Safeboot by the AD Connector that worked very well last time. But for some reason the connector does not recognize the changes. I currently have a user whose certificate was updated but the information is not synchronized.

      I should also definitely add that I moved my SB database to a new machine about two weeks ago. I did not use the AD connector since then so I guess the problem is likely related to the move.

      Does anybody have an idea why this could happen?

      Thanks in advance
      Daniel
        • 1. RE: AD Connector problem
          Hi Daniel,

          Problem is that the change attribute value in the SafeBoot database is higher than the one the user(s) have in the actual Active Directory.

          You can check this, for instance, with an LDAP browser, by looking at a user account in the AD and looking at the usnchanged attribute.
          Now, compare this one to the binding attribute under "Bindings" and you will see that the user account's binding in the SafeBoot database is higher.
          This means that the connector assumes that the SafeBoot user account is newer / more recently updated than the one within the Active Directory, and is therefore ignoring the changes.

          If you were to simply alter the binding value in the SafeBoot database back to zero, and resync, it will update it again as you were to run the connector.

          If you have many users in the directory which have this issue (most likely all of them as you've moved the AD, resetting their usnchanged attribute), you can script this, but this is a bit more tricky and not straightforward. If so, I would like you to give techsupport a call, raise a ticket and make sure it gets escalated to me (Eelco, Tier 2 Netherlands) on my request.

          Hope this helps.
          • 2. RE: AD Connector problem
            Hi Eelco,

            Thanks a lot for your response. You solved my problem. Safeboot support is the best I have ever talked to. We have used Safeboot for 3 years now and you support guys were always quick and helpful. I hope McAfee will keep you.

            Actually the error message was pretty clear and I already had a look at the binding attributes but was not sure if I could change these right away.

            Best regards
            Daniel
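
The comparison Eelco describes in reply 1, as an added example that is not part of the original thread and is not SafeBoot code: it reads usnchanged values from an LDIF export and lists the accounts whose stored binding value is higher, which are the ones the connector would ignore. The LDIF sample, the account names and the bindings mapping (including its export format) are constructed assumptions.

```python
# Added example, not SafeBoot code. SAMPLE_LDIF and SAMPLE_BINDINGS are
# constructed data; how bindings are exported from the database is assumed.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=example,DC=test
sAMAccountName: alice
uSNChanged: 48213

dn: CN=Bob Example,OU=Staff,DC=example,DC=test
sAMAccountName: bob
uSNChanged: 51877

dn: CN=Carol Example,OU=Staff,DC=example,DC=test
sAMAccountName: carol
"""

# Hypothetical export: account name -> binding value stored for that user.
SAMPLE_BINDINGS = {"alice": 912034, "bob": 40110, "carol": 912100, "dave": 7}

def parse_ldif(text):
    """Return {sAMAccountName: uSNChanged as int, or None if absent}."""
    users = {}
    for record in text.strip().split("\n\n"):
        attrs = {}
        for line in record.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            key, value = line.split(": ", 1)
            attrs[key.lower()] = value.strip()
        name = attrs.get("samaccountname")
        if name:
            usn = attrs.get("usnchanged")
            users[name] = int(usn) if usn is not None else None
    return users

def classify(ad_usn, bindings):
    """Sort accounts by whether the stored binding is higher than the AD value."""
    result = {"ignored": [], "processed": [], "unknown": []}
    for name in sorted(set(ad_usn) | set(bindings)):
        usn, bound = ad_usn.get(name), bindings.get(name)
        if usn is None or bound is None:
            result["unknown"].append(name)    # missing on one side: cannot compare
        elif bound > usn:
            result["ignored"].append(name)    # binding higher: changes are skipped
        else:
            result["processed"].append(name)  # binding not higher: changes apply
    return result

if __name__ == "__main__":
    for status, names in classify(parse_ldif(SAMPLE_LDIF), SAMPLE_BINDINGS).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

Active Directory maintains uSNChanged separately on each domain controller, so export the values from the same domain controller the connector queries.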