AD Connector stops syncing if the Windows AD server was replaced
After the Windows server has been replaced, the USN numbers on the AD side and the UCS side no longer match.
On the Active Directory side, the AD Connector recognizes changes based on the USN attributes (usnChanged / usnCreated). Each time an object in the Active Directory is changed, its USN attribute is incremented.
The AD Connector searches the Active Directory every 5 seconds for changes by searching for objects with a USN above the last known one. The USN attributes are DC-specific, which means that the same object does not carry the same USN number on every domain controller.
To check the USN numbers:
ldapsearch -LLLh WIN-F27D13R84RG.sunshinead.ad -b "" -s base -x highestCommittedUSN
dn:
highestCommittedUSN: 791672
and compare with
sqlite3 /etc/univention/connector/internal.sqlite "select * from AD;"
lastUSN|42921239
In this example the lastUSN stored by the connector is much higher than the highestCommittedUSN of the new domain controller, so the connector will never find any changes above it.
Make sure the connector is in read mode, so that changes made in AD are synced to OpenLDAP:
ucr get connector/ad/mapping/syncmode
read
To transfer all changes to the UCS LDAP, the connector must be stopped once, the USN number set to 1 and the connector restarted, so that all objects from the AD are written back to the UCS LDAP:
# service univention-ad-connector stop
# sqlite3 /etc/univention/connector/internal.sqlite "update AD set value=1 where key='lastUSN';"
# sqlite3 /etc/univention/connector/internal.sqlite "select * from AD;"
lastUSN|1
# service univention-ad-connector start
After all objects have been synced, the value of lastUSN should match the AD’s value.
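The USN comparison and the reset procedure above can be wrapped in a small script so the check is repeatable and the reset only runs when it is actually needed. The following is an added example, not part of the Univention article or the connector itself: the parse functions work on the textual output of ldapsearch and sqlite3 as shown above (constructed sample output with the article's numbers is embedded so the comparison logic runs offline), the host name, database path and ucr key are taken from the article, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Univention article): compare the AD
# highestCommittedUSN with the connector's stored lastUSN and decide
# whether the lastUSN reset described in the article is needed.
# Host name, database path and ucr key come from the article; the
# function names are this example's own.

AD_HOST="${AD_HOST:-WIN-F27D13R84RG.sunshinead.ad}"
CONNECTOR_DB="${CONNECTOR_DB:-/etc/univention/connector/internal.sqlite}"

# Constructed sample output mirroring the article's numbers; the live
# commands are not run when this sample is used.
SAMPLE_LDIF='dn:
highestCommittedUSN: 791672'
SAMPLE_ROWS='lastUSN|42921239'

# Extract highestCommittedUSN from the LDIF output of
# "ldapsearch -LLL -x -h $AD_HOST -b '' -s base highestCommittedUSN".
parse_highest_usn() {
    printf '%s\n' "$1" | sed -n 's/^highestCommittedUSN: *\([0-9][0-9]*\)$/\1/p'
}

# Extract lastUSN from the key|value rows of "select * from AD;".
parse_last_usn() {
    printf '%s\n' "$1" | sed -n 's/^lastUSN|\([0-9][0-9]*\)$/\1/p'
}

# Print "ok" when lastUSN is at or below the DC's highestCommittedUSN
# (the connector will still see new changes), "stale" when lastUSN is
# higher (the connector can never find changes above it again), and
# "unknown" when either value is missing or not numeric.
usn_state() {
    highest="$1"; last="$2"
    if [ -z "$highest" ] || [ -z "$last" ]; then echo unknown; return 0; fi
    case "$highest$last" in *[!0-9]*) echo unknown; return 0;; esac
    if [ "$last" -gt "$highest" ]; then echo stale; else echo ok; fi
}

# Live check: query the DC and the connector database (needs ldapsearch,
# sqlite3 and root on the UCS host) and print the resulting state.
check_live() {
    ldif=$(ldapsearch -LLL -x -h "$AD_HOST" -b "" -s base highestCommittedUSN) || return 2
    rows=$(sqlite3 "$CONNECTOR_DB" "select * from AD;") || return 2
    usn_state "$(parse_highest_usn "$ldif")" "$(parse_last_usn "$rows")"
}

# The reset from the article, guarded by the article's two preconditions:
# the connector must be in read mode, and lastUSN must actually be stale.
reset_last_usn() {
    if [ "$(ucr get connector/ad/mapping/syncmode)" != "read" ]; then
        echo "connector/ad/mapping/syncmode is not 'read'; not resetting" >&2
        return 3
    fi
    if [ "$(check_live)" != "stale" ]; then
        echo "lastUSN is not above highestCommittedUSN; nothing to reset" >&2
        return 0
    fi
    service univention-ad-connector stop
    sqlite3 "$CONNECTOR_DB" "update AD set value=1 where key='lastUSN';"
    sqlite3 "$CONNECTOR_DB" "select * from AD;"   # expect lastUSN|1
    service univention-ad-connector start
}

# Offline demonstration on the constructed sample output.
demo() {
    h=$(parse_highest_usn "$SAMPLE_LDIF")
    l=$(parse_last_usn "$SAMPLE_ROWS")
    echo "highestCommittedUSN=$h lastUSN=$l state=$(usn_state "$h" "$l")"
}

case "${1:-demo}" in
    demo)  demo ;;
    check) check_live ;;
    reset) reset_last_usn ;;
esac
```

Run it with no argument to see the offline comparison on the sample values, with `check` on a UCS host to compare the live values, and with `reset` to perform the article's procedure only when the connector is in read mode and lastUSN is really ahead of the new DC.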