Incomplete AD sync

pmartins · December 3, 2018, 11:09am

We have setup Univention to sync with an existing AD environment.

It has successfully synced the OUs, devices and groups.

However, it has only synced 28 users, and there doesn’t seem to be any pattern. We’re expecting a few hundred.
For any given OU, it may have synced none, some or all users contained.
In some cases it has synced a user buried in a sub-OU, and yet none of the users in parent OUs.

I have installed and setup a 2nd Univention VM just in case something went wrong the first time, but the 2nd exhibits the same issue as the 1st.

Is there an obvious solution to this issue, or steps to trace, identify and resolve this AD sync issue?

Thanks,
Paul

ucsexplorer · December 11, 2018, 6:12am

I am also experiencing the issue. Unable to sync all the AD user objects to UCS. Also installed the second UCS server, only able to sync 5 user objects from AD and it should be about 80 user objects from AD. Awaiting solution to this issue.

automata · June 12, 2019, 10:01pm

Hello, everyone-

I realize this is an old discussion, but I am having the same problem and have not found a solution. So far I have tried the following:

Reinstalling the UCS VM just in case I made a mistake.
Reviewing the AD Connector Troubleshooting Guide. None of the logs seem to suggest anything is wrong.
Changing user data (specifically, incorrectly formatted telephone numbers), as per this post. It helped with one or two users. If bad user data in AD is the reason for the missing users, then is there an easy way to find out?

I would appreciate anybody who can help with this issue. We can’t proceed with using UCS in our environment until all the users sync.

Thank you.

greif · July 8, 2020, 2:45pm

Hi everyone,

Sadly, I can not provide answers. Only the same question again.

In a recent project, I’ve seen that users from AD were rejected due to syntax violations, mostly of the UID attribute. In AD, the username is the CN attribute (no limitations, everything Unicode BMP is allowed), and this value is blindly used as UID (this is restricted by POSIX rules: only 7bit ASCII, no spaces).

It is clear that this will hit more or less all customers who use AD Connector. Trying to solve the problem using the information in AD-Connector - Troubleshooting Guide , they find the message

(ERROR  ): InvalidSyntax: User name: Username must only contain numbers, letters and dots!

in the connector.log file. That’s all. How is the customer supposed to solve this? Shall he “correct” all those objects in AD, just to make the connector work? (and, how to proceed if the data is not under his control, for instance a trusted tree from somewhere else?)

Please, author(s) of the aforementioned Howto, chime in and explain what can be done to fulfill the promise “Switch on AD Connector and enjoy your AD being available to UCS”?

Thank you.

EDIT: While comparing the objects, I have seen that it is the Samaccountname which is used for the UID. But the basic problem remains: the Samaccountname is allowed to contain spaces, the UID is not. Who shall solve this?

Flomo · January 25, 2022, 2:44pm

Thank you very much for the solution. In my case it was simply an e-mail address at the AD users.
I deleted the mail adresses and immediatley the users were online.

Thanks!

bob.russo · November 23, 2023, 2:42am

removing email addresses did it for me as well. This is kind of a deal breaker for me though. Just sharing for anyone that can make this change and wants to.