11 Replies Latest reply on Jan 27, 2010 3:37 PM by scooter

    AD Connector to child domains

      Hello,

      I'm using the AD connector successfully to connect to our parent domain and import users within the parent domain, but am having trouble getting something right to work on user accounts within a child domain that are part of a universal security group within the parent domain.  When running the connector, I can see all the members of the group and it checks to see if each object is a group, but it doesn't add any users.   It also doesn't give any errors within the log.  Here's a snippet of the log:

       

      01/25/2010 04:49:32 PM  Starting synchronization
      01/25/2010 04:49:32 PM  LDAP connection initialized
      01/25/2010 04:49:32 PM  Connecting to dc ...
      01/25/2010 04:49:32 PM  LDAP logon successful
      01/25/2010 04:49:32 PM  Searching...
      01/25/2010 04:49:32 PM  checking search groups list
      01/25/2010 04:49:32 PM  Checking if dn 'CN=UV_Encryption Users,OU=Universal Groups,OU=Company Groups,DC=PARENT,DC=com' is a group
      01/25/2010 04:49:32 PM  ldap reports = 0 (Success)
      01/25/2010 04:49:32 PM  ...getting member attributes.  (Count = 8)
      01/25/2010 04:49:32 PM  Checking if dn 'CN=User1,OU=Domain Users,DC=child,DC=PARENT,DC=com' is a group
      01/25/2010 04:49:32 PM  ldap reports = 0 (Success)
      01/25/2010 04:49:32 PM  Checking if dn 'CN=User2,OU=Domain Users,DC=child,DC=PARENT,DC=com' is a group
      01/25/2010 04:49:32 PM  ldap reports = 0 (Success)
      01/25/2010 04:49:32 PM  Checking if dn 'CN=User3,OU=Domain Users,DC=child,DC=PARENT,DC=com' is a group
      01/25/2010 04:49:33 PM  ldap reports = 0 (Success)
      01/25/2010 04:49:33 PM  Checking if dn 'CN=User4,OU=Domain Users,DC=child,DC=PARENT,DC=com' is a group
      01/25/2010 04:49:33 PM  ldap reports = 0 (Success)
      01/25/2010 04:49:33 PM  Checking if dn 'CN=User5,OU=Domain Users,DC=child,DC=PARENT,DC=com' is a group
      01/25/2010 04:49:33 PM  ldap reports = 0 (Success)
      01/25/2010 04:49:33 PM  Checking if dn 'CN=User6,OU=Domain Users,DC=child,DC=PARENT,DC=com' is a group
      01/25/2010 04:49:33 PM  ldap reports = 0 (Success)
      01/25/2010 04:49:33 PM  Checking if dn 'CN=User7,OU=Domain Users,DC=child,DC=PARENT,DC=com' is a group
      01/25/2010 04:49:33 PM  ldap reports = 0 (Success)
      01/25/2010 04:49:33 PM  Checking if dn 'CN=User8,OU=Domain Users,DC=child,DC=PARENT,DC=com' is a group
      01/25/2010 04:49:33 PM  ldap reports = 0 (Success)
      01/25/2010 04:49:33 PM  Total 'member' count = 0
      01/25/2010 04:49:33 PM  User objects count = 0
      01/25/2010 04:49:33 PM  Directory search complete.
      01/25/2010 04:49:33 PM  Closing LDAP connection ...
      01/25/2010 04:49:33 PM  checked 0 Endpoint Encryption users (0 updated)
      01/25/2010 04:49:33 PM  added 0 users
      01/25/2010 04:49:33 PM  disabled 0 users
      01/25/2010 04:49:33 PM  removed 0 users
      01/25/2010 04:49:33 PM  Synchronization complete

       

      Any thoughts as to why it will not see User Objects and pull them in?
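The log above is the interesting part of this post: the connector enumerates eight `member` DNs from the universal group, every LDAP call returns success, and it still finishes with "User objects count = 0" and "added 0 users". A sync that quietly imports nobody means the policy tied to that group (here, which users get Endpoint Encryption accounts) is silently not applied. The following is an added example, not code from the original post or from the connector's vendor: a small Python parser for this log format that flags a run where members were enumerated but zero user objects were imported, and that compares the `DC=` components of each member DN against the group's own naming context, since members living in another domain partition are exactly what the poster suspects. The sample log is constructed to match the posted format (one member DN has an escaped comma, one member lives in the parent domain); the connector's messages are taken from the post, the regexes and data classes are mine.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on (not copied from) the connector log in the post above.
# One member deliberately has an escaped comma in its RDN, and one lives in the parent domain.
SAMPLE_LOG = """\
01/25/2010 04:49:32 PM  Starting synchronization
01/25/2010 04:49:32 PM  LDAP logon successful
01/25/2010 04:49:32 PM  Checking if dn 'CN=UV_Encryption Users,OU=Universal Groups,OU=Company Groups,DC=PARENT,DC=com' is a group
01/25/2010 04:49:32 PM  ldap reports = 0 (Success)
01/25/2010 04:49:32 PM  ...getting member attributes.  (Count = 3)
01/25/2010 04:49:32 PM  Checking if dn 'CN=User1,OU=Domain Users,DC=child,DC=PARENT,DC=com' is a group
01/25/2010 04:49:32 PM  ldap reports = 0 (Success)
01/25/2010 04:49:32 PM  Checking if dn 'CN=Smith\\, Jane,OU=Domain Users,DC=child,DC=PARENT,DC=com' is a group
01/25/2010 04:49:32 PM  ldap reports = 0 (Success)
01/25/2010 04:49:33 PM  Checking if dn 'CN=User3,OU=Staff,DC=PARENT,DC=com' is a group
01/25/2010 04:49:33 PM  ldap reports = 0 (Success)
01/25/2010 04:49:33 PM  Total 'member' count = 0
01/25/2010 04:49:33 PM  User objects count = 0
01/25/2010 04:49:33 PM  added 0 users
01/25/2010 04:49:33 PM  Synchronization complete
"""

CHECK_RE = re.compile(r"Checking if dn '(.+)' is a group\s*$")
COUNT_RE = re.compile(r"getting member attributes\.\s*\(Count = (\d+)\)")
USERS_RE = re.compile(r"User objects count = (\d+)")
ADDED_RE = re.compile(r"added (\d+) users")
ERROR_RE = re.compile(r"error during synch \((0x[0-9A-Fa-f]+)\)")


@dataclass
class GroupScan:
    dn: str
    declared_members: int
    member_dns: List[str] = field(default_factory=list)


@dataclass
class SyncSummary:
    groups: List[GroupScan] = field(default_factory=list)
    user_objects: Optional[int] = None
    added: Optional[int] = None
    errors: List[str] = field(default_factory=list)


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs on unescaped commas ('\\,' inside a value is kept, per RFC 4514)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def naming_context(dn: str) -> str:
    """Domain partition of a DN: its DC= components, lower-cased (DN matching is case-insensitive)."""
    return ",".join(r.lower() for r in split_dn(dn) if r.lower().startswith("dc="))


def parse_sync_log(text: str) -> SyncSummary:
    summary = SyncSummary()
    pending: Optional[str] = None      # last DN checked; it is a group if a Count line follows
    current: Optional[GroupScan] = None
    for line in text.splitlines():
        m = CHECK_RE.search(line)
        if m:
            dn = m.group(1)
            # DNs checked after a group's Count line, up to that count, are its members
            if current is not None and len(current.member_dns) < current.declared_members:
                current.member_dns.append(dn)
            pending = dn
            continue
        m = COUNT_RE.search(line)
        if m and pending is not None:
            current = GroupScan(dn=pending, declared_members=int(m.group(1)))
            summary.groups.append(current)
            continue
        m = USERS_RE.search(line)
        if m:
            summary.user_objects = int(m.group(1))
            continue
        m = ADDED_RE.search(line)
        if m:
            summary.added = int(m.group(1))
            continue
        m = ERROR_RE.search(line)
        if m:
            summary.errors.append(m.group(1))
    return summary


def foreign_members(group: GroupScan) -> List[str]:
    """Members whose DN lives in a different naming context than the group itself."""
    home = naming_context(group.dn)
    return [dn for dn in group.member_dns if naming_context(dn) != home]


def audit(summary: SyncSummary) -> List[str]:
    """Turn a parsed run into findings; an empty list means the run looks healthy."""
    findings = []
    enumerated = sum(g.declared_members for g in summary.groups)
    if enumerated and summary.user_objects == 0:
        findings.append(f"silent failure: {enumerated} group member(s) enumerated but 0 user objects imported")
    for g in summary.groups:
        foreign = foreign_members(g)
        if foreign:
            findings.append(f"{len(foreign)} member(s) of {split_dn(g.dn)[0]} live outside "
                            f"{naming_context(g.dn)}: " + "; ".join(sorted({naming_context(d) for d in foreign})))
    for code in summary.errors:
        findings.append(f"connector aborted with error {code}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_sync_log(SAMPLE_LOG)):
        print("FINDING:", finding)
```

Run against the real connector log, the first finding is the one to alert on: "members enumerated but 0 user objects imported" is a sync that should be treated as failed even though every line says Success. The second finding tells you which naming contexts the members actually live in, which is the input you need when deciding whether one bound DC can resolve them or whether a separate connector per child domain (as suggested in the replies) is required.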

        • 1. Re: AD Connector to child domains

          LDAP connector needs to get all attributes. Check if the account you use, can pull user GUID attrib.

          1 of 1 people found this helpful
          • 2. Re: AD Connector to child domains

            I verified I can pull ObjectGUID with the account using Softerra LDAP (don't see a UserGUID attrib so I assume you are referring to ObjectGUID).  So that doesn't seem to be the issue.

            • 3. Re: AD Connector to child domains

              I think you'll need a unique connector instance per domain.

              • 4. Re: AD Connector to child domains

Hmmm...I've created both a separate AD connector and also a separate LDAP connector trying to troubleshoot this issue.  Strange thing is that I can get further progress (sees all group accounts) with the LDAP connector versus the AD connector.  The AD connector just bombs out and gives an error.  I'm fine with keeping a separate connector for my child domains but can't seem to get it set up right to allow it to work.  I'm certain that the root cause of the issue is that I'm using a Universal Security Group with child domain accounts included in it directly (versus group nesting) and referring back to accounts that live in a child domain.  Seems like this should still work though...

                • 5. Re: AD Connector to child domains

                  I think you'll have to use an instance of the connector set to talk to each DC individually.

                  • 6. Re: AD Connector to child domains

                    So in AD connector, what do you have in "General" section -> "search settings" tab -> "BaseDN:"  and "Object filter:" fields?

                    Do you have:
                       DC=child,DC=PARENT,DC=com
   (&(objectClass=user)(!(objectClass=computer)))

                     

                    On the same tab, do you have Referrals "Enabled" and you search "Entire subtree" ?


                    Did you put anything into "Search Groups" tab?

                     

                    Be aware that all strings are case sensitive and put them as they show up in your LDAP browser.

                    1 of 1 people found this helpful
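Filter strings typed into a connector's "Object filter" field get no syntax help, and the failure mode is usually an opaque error or an empty result set rather than a message saying the filter is malformed. The most common slip in hand-written AD filters is a NOT term written without its own parentheses: RFC 4515 requires `(!(objectClass=computer))`, not `(!objectClass=computer)`. The following is an added example, not part of this thread or of the connector: a recursive-descent parser for RFC 4515 search filters that returns a small AST or a precise error with the offset of the problem. It also accepts extensible-match rules such as AD's `memberOf:1.2.840.113556.1.4.1941:=` (LDAP_MATCHING_RULE_IN_CHAIN, which is how you ask AD to expand nested group membership in a single query). It validates syntax only; it does not know which attributes exist on your server, and the candidate filters in the demo are constructed for illustration.

```python
import re
from typing import Optional


class FilterError(ValueError):
    """Raised when a filter string violates the RFC 4515 grammar."""


class LdapFilterParser:
    """Recursive-descent parser for RFC 4515 search filters.

    Produces a small tuple AST:
      ("and"|"or", [children]), ("not", child), ("present", attr),
      ("substring", attr, raw_value), ("simple", attr, op, value),
      ("extensible", attr, dn_flag, matching_rule, value)
    """
    ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*|\d+(\.\d+)*")

    def __init__(self, text: str):
        self.s = text
        self.i = 0

    def parse(self) -> tuple:
        node = self._filter()
        if self.i != len(self.s):
            raise FilterError(f"trailing text after filter at offset {self.i}: {self.s[self.i:]!r}")
        return node

    def _peek(self) -> str:
        return self.s[self.i] if self.i < len(self.s) else ""

    def _expect(self, ch: str) -> None:
        if self._peek() != ch:
            raise FilterError(f"expected {ch!r} at offset {self.i}, got {self._peek()!r}")
        self.i += 1

    def _filter(self) -> tuple:
        self._expect("(")
        ch = self._peek()
        if ch in ("&", "|"):
            self.i += 1
            children = []
            while self._peek() == "(":
                children.append(self._filter())
            if not children:
                raise FilterError(f"empty {ch!r} list at offset {self.i}")
            node = ("and" if ch == "&" else "or", children)
        elif ch == "!":
            self.i += 1
            # The classic mistake: (!attr=value). NOT takes exactly one *parenthesised* filter.
            if self._peek() != "(":
                raise FilterError(f"'!' must be followed by '(' at offset {self.i}, got {self._peek()!r}")
            node = ("not", self._filter())
        else:
            node = self._item()
        self._expect(")")
        return node

    def _item(self) -> tuple:
        start = self.i
        while self._peek() and self._peek() not in "=~<>()":
            self.i += 1
        token = self.s[start:self.i]
        op = self._peek()
        if op in ("~", "<", ">"):
            self.i += 1
            self._expect("=")
            op += "="
        elif op == "=":
            self.i += 1
        else:
            raise FilterError(f"expected comparison operator at offset {self.i}, got {op!r}")
        value = self._value()
        if token.endswith(":") and op == "=":
            # Extensible match: attr[:dn][:matchingrule]:=value (AD's LDAP_MATCHING_RULE_IN_CHAIN uses this form).
            parts = token[:-1].split(":")
            attr, flags = parts[0], parts[1:]
            rules = [f for f in flags if f != "dn"]
            if len(rules) > 1 or (not attr and not rules) or (attr and not self.ATTR_RE.fullmatch(attr)):
                raise FilterError(f"malformed extensible match {token!r} at offset {start}")
            return ("extensible", attr, "dn" in flags, rules[0] if rules else "", value)
        if not self.ATTR_RE.fullmatch(token):
            raise FilterError(f"bad attribute description {token!r} at offset {start}")
        if op == "=" and value == "*":
            return ("present", token)
        if op == "=" and "*" in value:
            return ("substring", token, value)
        return ("simple", token, op, value)

    def _value(self) -> str:
        start = self.i
        while self._peek() and self._peek() != ")":
            ch = self._peek()
            if ch == "(":
                raise FilterError(f"unescaped '(' in value at offset {self.i}; write it as \\28")
            if ch == "\\":
                # RFC 4515 escapes are a backslash followed by exactly two hex digits, e.g. \2a for '*'
                if not re.fullmatch(r"[0-9A-Fa-f]{2}", self.s[self.i + 1:self.i + 3]):
                    raise FilterError(f"bad escape sequence at offset {self.i}")
                self.i += 3
                continue
            self.i += 1
        return self.s[start:self.i]


def validate(filter_text: str) -> Optional[str]:
    """Return None if the filter parses, otherwise a human-readable reason."""
    try:
        LdapFilterParser(filter_text).parse()
        return None
    except FilterError as e:
        return str(e)


if __name__ == "__main__":
    # Constructed candidates; the third is the missing-parentheses NOT discussed above.
    for f in ["(objectClass=organizationalPerson)",
              "(&(objectClass=user)(!(objectClass=computer)))",
              "(&(objectClass=user)(!objectClass=computer))",
              "(memberOf:1.2.840.113556.1.4.1941:=CN=UV_Encryption Users,OU=Universal Groups,OU=Company Groups,DC=PARENT,DC=com)"]:
        err = validate(f)
        print("OK  " if err is None else "BAD ", f, err or "")
```

Paste whatever is in the "Object filter" field into `validate()` before blaming the directory: a filter that fails here will never return objects, regardless of BaseDN, referral or subtree settings.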
                    • 7. Re: AD Connector to child domains

                      In "General" section -> "search settings" tab -> "BaseDN:"  and "Object filter:" fields,

                      I have:
                         DC=PARENT,DC=com
                         (objectClass=organizationalPerson)

                       

                      Yes - I have both Referrals "Enabled" and search "Entire subtree" selected

                       

                      On the "Search Groups" tab I have:  CN=UV_Encryption Users,OU=Universal Groups,OU=Company Groups,DC=PARENT,DC=com - this is where the specific users (from the child domains are members).

                       

                      I've tried your recommended settings on both of my test connectors (one AD and one LDAP) and I get the same results.  AD errors after the first user with this:

                       

                      01/26/2010 07:48:21 AM  abandoning search due to error
                      01/26/2010 07:48:21 AM  error during synch (0x5c000016) - "No connection has been established"

                       

                      LDAP doesn't give an error - same as original entry for this thread.

                       

I know I can make this happen with a separate connector for each child domain and pointing it to a global security group within each child domain, but I was really wanting to make this work against a universal group within the parent domain.

                      • 8. Re: AD Connector to child domains

                        What would happen with AD connector if you use one of your child domains in "Search Groups" tab? If that works, you could add each child domain there.

                        1 of 1 people found this helpful
                        • 9. Re: AD Connector to child domains
                          davei

                          School-boy question, but aren't Universal Groups stored in the Global Catalog?  Is there any difference in querying the Global Catalog rather than what ePO calls a 'Domain Controller'?

                           

e.g. some applications have a tick-box that enable you to choose whether you query the GC or not.  Only one I can think of right now is ISA 2006, but my point stands!

                           

                          Could be completely irrelevant - in which case sorry.

                           

I too have (had?) similar issues, but not involving Universal Groups.  My ePO server is in the root domain, all my users and resources are in a child domain.  Struggled to get sync tasks working properly in ePO 4.5 or ePO 4.5 P1 and resorted to statically entering the IP address of the nearest child domain DC in the datacentre.  Now my sync tasks work against that one DC.  When using the FQDN of the domain, as suggested is possible in the P1 docs, it still wouldn't work.  "An unknown error occurred" was the response when running a sync task, but when hitting 'Test Connection' on the LDAP server registration page it would take a while (I have 40 DCs around the WAN) but would come back with a successful test message.

                           

                          Anyway mine works with the IP of a specific child domain DC - just not with the FQDN of the child domain.  HTH.
