Problem: AD-Connector stops syncing, if Windows AD was replaced

Problem:

AD-Connector stops syncing, if Windows AD was replaced

Investigation:

After the Windows server has been replaced, the USN numbers between AD and UCS no longer match.
On the Active Directory side, the AD Connector recognizes changes based on the USN attributes (usnChanged / usnCreated). Each time an object in the Active Directory is changed, its USN attribute is incremented.
The AD Connector searches the Active Directory every 5 seconds for changes, starting from the last known USN. The USN attributes are DC-specific, that is, the same object does not carry the same USN number on every domain controller.
To check the USN numbers:

ldapsearch -LLLh $(ucr get connector/ad/ldap/host) -b "" -s base -x highestCommittedUSN
dn:
highestCommittedUSN: 791672

and compare with

sqlite3 /etc/univention/connector/internal.sqlite "select * from AD;"
lastUSN|42921239

or use univention-connector-list-rejected to get the highestCommittedUSN.
In this example the lastUSN is much higher than the highestCommittedUSN.
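The comparison described above can be rehearsed offline before touching the connector. The following is an added example, not part of the original article, that parses output shaped like the two commands above (the sample outputs are constructed here) and classifies the USN state; unlike a bare `-lt` test it also rejects empty or non-numeric values instead of aborting.

```shell
#!/bin/sh
# Added example: classify the USN state from captured command output.
# Nothing here talks to AD or the connector database.

# Constructed sample outputs, shaped like "ldapsearch -LLL ... highestCommittedUSN"
# and "sqlite3 internal.sqlite 'select * from AD;'" as shown in the article.
SAMPLE_LDAP='dn:
highestCommittedUSN: 791672'
SAMPLE_SQLITE='lastUSN|42921239'

# Extract highestCommittedUSN from ldapsearch -LLL output read on stdin.
parse_hcusn() {
    sed -n 's/^highestCommittedUSN: //p' | head -n 1
}

# Extract lastUSN from "select * from AD;" output (key|value lines) read on stdin.
parse_lastusn() {
    sed -n 's/^lastUSN|//p' | head -n 1
}

# True if the argument is a non-empty string of digits.
is_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# usn_state HCUSN LASTUSN prints one of:
#   invalid   a value is missing or not numeric (do not compare, investigate first)
#   replaced  lastUSN is ahead of the DC's highestCommittedUSN (AD was replaced)
#   equal     both match, the connector is up to date
#   ok        the DC is ahead of lastUSN, the connector will catch up on its own
usn_state() {
    hc=$1
    last=$2
    if ! is_number "$hc" || ! is_number "$last"; then
        echo invalid
        return 0
    fi
    if [ "$hc" -lt "$last" ]; then
        echo replaced
    elif [ "$hc" -eq "$last" ]; then
        echo equal
    else
        echo ok
    fi
}

# Run the classification over the constructed samples.
check_samples() {
    hc=$(printf '%s\n' "$SAMPLE_LDAP" | parse_hcusn)
    last=$(printf '%s\n' "$SAMPLE_SQLITE" | parse_lastusn)
    usn_state "$hc" "$last"
}

check_samples
```

To use it against a live system, pipe the real ldapsearch and sqlite3 output into parse_hcusn and parse_lastusn instead of the samples; only the "replaced" result calls for the reset procedure in the Solution section.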

Solution:

Make sure the connector is in read mode, so that changes made in AD are synced to OpenLDAP:

ucr get connector/ad/mapping/syncmode
→ read

To transfer all changes to the UCS LDAP, the connector must be stopped once, the USN number set to 1, and the connector restarted, so that all objects from the AD are written back to the UCS LDAP.
To avoid any problems, we added some checks. You can paste the following lines into your bash shell, or copy them into a file and run it with /bin/bash filename.

#!/bin/bash
if [ ! -e /etc/univention/connector/internal.sqlite ]; then
  echo "ERROR: /etc/univention/connector/internal.sqlite missing,
               Maybe this is not the host that's running the AD-Connector?"
elif [ -z "$(ucr get connector/ad/ldap/host)" ]; then
  echo "ERROR: connector/ad/ldap/host is not set"
else
  ad_ldap_host=$(ucr get connector/ad/ldap/host)
  # highestCommittedUSN reported by the (new) AD domain controller
  hcusn=$(ldapsearch -LLLh "$ad_ldap_host" \
            -b '' -s base -x highestCommittedUSN \
            | sed -n 's/^highestCommittedUSN: //p')
  # lastUSN the connector has stored locally (table AD has key/value columns)
  lastusn=$(sqlite3 /etc/univention/connector/internal.sqlite \
            "select value from AD where key='lastUSN';")
  # Check both values before any numeric test: [ -lt ] aborts on an empty string
  if [ -z "$hcusn" ]; then
    echo "ERROR: highestCommittedUSN not found on $ad_ldap_host, please check."
  elif [ -z "$lastusn" ]; then
    echo "ERROR: lastUSN not found in /etc/univention/connector/internal.sqlite, please check."
  elif [ "$hcusn" -lt "$lastusn" ]; then
    service univention-ad-connector stop
    echo "INFO: Setting lastUSN to $hcusn"
    sqlite3 /etc/univention/connector/internal.sqlite \
         "update AD set value='$hcusn' where key='lastUSN';"
  elif [ "$hcusn" -gt "$lastusn" ]; then
    echo "WARNING: highestCommittedUSN is higher than lastUSN, AD-Connector should work normally."
  else
    echo "INFO: highestCommittedUSN equals lastUSN, AD-Connector should work normally."
  fi
fi

You may want to check again that this operation was successful by running:

sqlite3 /etc/univention/connector/internal.sqlite "select * from AD;"

If that returns the new number, you can start the AD-Connector again by running

service univention-ad-connector start

After that the AD-Connector should synchronize the next changes performed on the new DC’s Active Directory.

Tags:
ntlmauth failed
