AD-Connector stops syncing, if Windows AD was replaced
After the Windows server has been replaced, the usn numbers between AD and UCS no longer match.
On the Active Directory side, the AD Connector recognizes changes based on the usn attributes (usnChanged / usnCreated). Each time an object in the Active Directory is changed, an usn attribute is incremented.
The AD Connector searches the Active Directory every 5 seconds for changes by searching for the last known usn. The usn attributes are DC specific, that means not all objects in the AD have the same usn numbers domain-wide.
To check the USN numbers:
ldapsearch -LLLh $(ucr get connector/ad/ldap/host) -b "" -s base -x highestCommittedUSN dn: highestCommittedUSN: 791672
and compare with
sqlite3 /etc/univention/connector/internal.sqlite "select * from AD;" lastUSN| 42921239
or you use
univention-connetor-list-rejected to get the highestCommittedUSN
The lastUSN is much higher than the highestCommittedUSN
Make sure the connector is in read mode. So changes made in AD are synced to openLDAP:
ucr get connector/ad/mapping/syncmode → read
To transfer all changes to the UCS-Ldap, the connector must be stopped once, the USN number set to 1 and the connector restarted, so that all objects from the AD are written back to the UCS LDAP.
To avoid any problems, we added some checks: You can paste the following lines in your bash shell, or you can copy and paste them in a file and run them with
#!/bin/bash if [ ! -e /etc/univention/connector/internal.sqlite ]; then echo "ERROR: /etc/univention/connector/internal.sqlite missing, Maybe this is not the host that's running the AD-Connector?" elif [ -z "$(ucr get connector/ad/ldap/host)" ]; then echo "ERROR: connector/ad/ldap/host is not set" else ad_ldap_host=$(ucr get connector/ad/ldap/host) hcusn=$(ldapsearch -LLLh "$ad_ldap_host" \ -b '' -s base -x highestCommittedUSN \ | sed -n 's/^highestCommittedUSN: //p') lastusn=$(sqlite3 /etc/univention/connector/internal.sqlite "select value from AD;") if [ -n "$hcusn" ] && [ "$hcusn" -lt "$lastusn" ]; then \ service univention-ad-connector stop echo "INFO: Setting lastUSN to $hcusn" sqlite3 /etc/univention/connector/internal.sqlite \ "update AD set value='$hcusn' where key='lastUSN';" elif [ "$hcusn" -gt "$lastusn" ]; then \ echo "WARNING: highestCommittedUSN is higher than lastUSN, AD-Connector should work normally." elif [ "$hcusn" -eq "$lastusn" ]; then \ echo "INFO: highestCommittedUSN equals lastUSN, AD-Connector should work normally." elif [ -z "$hcusn" ]; then echo "ERROR: highestCommittedUSN of not found on $ad_ldap_host, please check." fi fi
You may want to check again, that this operation was successful by running:
sqlite3 /etc/univention/connector/internal.sqlite "select * from AD;"
If that returns the new number, then you may start the AD-Connector again by running
service univention-ad-connector start
After that the AD-Connector should synchronize the next changes performed on the new DC’s Active Directory.