Problem: AD Connector stops syncing if Windows AD was replaced

Problem:

AD Connector stops syncing if Windows AD was replaced

Investigation:

After the Windows server has been replaced, the USN numbers between AD and UCS no longer match.
On the Active Directory side, the AD Connector recognizes changes based on the USN attributes (usnChanged / usnCreated). Each time an object in the Active Directory is changed, its USN attribute is incremented.
The AD Connector searches the Active Directory every 5 seconds for changes, using the last known USN as the starting point. The USN attributes are DC specific: the same object does not carry the same USN value on every DC, so the numbers are not comparable domain-wide and the check below must be run against the DC the connector actually talks to.
To check the USN numbers:

ldapsearch -LLLh WIN-F27D13R84RG.sunshinead.ad -b "" -s base -x highestCommittedUSN
dn:
highestCommittedUSN: 791672

and compare with

sqlite3 /etc/univention/connector/internal.sqlite "select * from AD;"
lastUSN| 42921239

The lastUSN is much higher than the highestCommittedUSN. Because the connector only looks for objects changed at or after lastUSN, and the new DC has not yet reached that number, the search never returns anything and no change is ever picked up.

Solution:

Make sure the connector is in read mode, so that changes made in AD are synced to OpenLDAP:

ucr get connector/ad/mapping/syncmode
→ read

To transfer all changes to the UCS LDAP, the connector must be stopped once, the USN number set to 1 and the connector restarted, so that all objects from the AD are written to the UCS LDAP again.

# service univention-ad-connector stop
# sqlite3 /etc/univention/connector/internal.sqlite "update AD set value=1 where key='lastUSN';"
# sqlite3 /etc/univention/connector/internal.sqlite "select * from AD;"
lastUSN|1
# service univention-ad-connector start

After all objects have been synced, the value of lastUSN should match the AD’s value.
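As an added example (not part of the original post), the comparison from the Investigation section as a small script: it parses the two command outputs shown above and reports whether the connector's stored lastUSN is already beyond what the DC has committed. The constructed sample outputs are embedded so it runs offline; the live variant assumes the UCR variable connector/ad/ldap/host holds the DC the connector uses.

```shell
#!/bin/sh
# Added example, not from the original post: detect the lastUSN /
# highestCommittedUSN mismatch described above from the two command outputs.

# Extract the number from the ldapsearch base output
# ("highestCommittedUSN: 791672").
parse_highest_usn() {
    sed -n 's/^highestCommittedUSN:[[:space:]]*//p' | head -n 1
}

# Extract the number from the sqlite3 output ("lastUSN| 42921239").
parse_last_usn() {
    sed -n 's/^lastUSN|[[:space:]]*//p' | head -n 1
}

# usn_state HIGHEST LAST -> "ahead" when the connector's lastUSN is beyond
# what the DC has committed (its search can never match anything),
# "ok" otherwise, "unknown" if either value could not be parsed.
usn_state() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "unknown"
    elif [ "$2" -gt "$1" ]; then
        echo "ahead"
    else
        echo "ok"
    fi
}

# check_outputs LDAPSEARCH_OUTPUT SQLITE_OUTPUT -> runs both parsers on the
# supplied text and prints the resulting state.
check_outputs() {
    highest=$(printf '%s\n' "$1" | parse_highest_usn)
    last=$(printf '%s\n' "$2" | parse_last_usn)
    usn_state "$highest" "$last"
}

# Live variant (not run here). USNs are per-DC, so query the DC the
# connector uses; connector/ad/ldap/host is assumed to hold that name.
check_live() {
    dc=$(ucr get connector/ad/ldap/host)
    check_outputs "$(ldapsearch -LLL -h "$dc" -b "" -s base -x highestCommittedUSN)" \
                  "$(sqlite3 /etc/univention/connector/internal.sqlite "select * from AD;")"
}

# Constructed sample outputs shaped like the ones in the post.
SAMPLE_LDAP='dn:
highestCommittedUSN: 791672'
SAMPLE_DB='lastUSN| 42921239'

echo "state: $(check_outputs "$SAMPLE_LDAP" "$SAMPLE_DB")"   # prints "state: ahead"
```

A result of "ahead" means the reset procedure above is needed; after the full resync, the same check should print "ok".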
