Changes going from eDirectory to AD are immediately changed back

  • 7002124
  • 29-Mar-2012
  • 26-Apr-2012

Environment

Novell Identity Manager 3.6.1
Novell Identity Manager 4.0
Novell Identity Manager Driver - Active Directory

Situation

Changes made in eDirectory are not showing up in Active Directory, even though the driver trace shows the operation as a success.

Resolution

Fix the time sync between the Active Directory Domain Controllers first.  Then you will need to fix the DirXML-DriverStorage attribute on the driver and the state*.xml file on the Remote Loader, because both will be invalid.  Together this attribute and file record which changes still need to be synced from AD to eDirectory; the state*.xml file plays the same role on the Remote Loader side that the *.tao file plays on the engine side.  Normally you can fix the problem with the following steps:
- stop the driver and the remote loader instance.
- delete the state file.  By default this file is found in the c:\Novell\RemoteLoader directory.  The name of the file is state_(fully distinguished name of driver).xml
- delete the driver storage attribute on the driver.  In iManager go to the properties of the driver.  Click on the General tab.  In the 'Valued Attributes' column, highlight the DirXML-DriverStorage attribute and click on the Delete button.
- Restart the Remote Loader instance and then restart the driver.
At that point any new changes made in AD should be picked up by the driver.  Changes made in AD before the reset will not sync over on their own; run a sync on the driver to pick up the lost modifies.  You can limit the sync to objects changed since the date the problem first happened so that you do not resync all the users.  Users created in AD during the problem are not picked up by that sync; for those you can either migrate the users from AD again or make a modification to each of the missed users in AD so that the driver sees an event for them.
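The following PowerShell is an added example and is not part of this TID; it scripts the two parts of the procedure above that can be done from the Remote Loader host: checking whether the Domain Controllers' clocks actually agree (the root cause), and stopping the Remote Loader, setting aside the state_*.xml file(s) and starting it again.  The Remote Loader service name (-RemoteLoaderService) and the 300-second skew threshold (the usual Kerberos tolerance) are assumptions, not values from the TID; the default directory C:\Novell\RemoteLoader is the one the TID gives.  Deleting DirXML-DriverStorage and stopping/starting the driver itself are still done in iManager as described in the steps.

```powershell
# Added example, not from the TID. Requires the ActiveDirectory RSAT module
# and WMI/DCOM access to each DC. Run on the Remote Loader host.

function Get-DcClockSkew {
    # Reports each DC's clock offset from this host. WMI LocalDateTime is a
    # DMTF string that carries its own UTC offset, so the converter returns a
    # DateTime in this host's local zone and the comparison is zone-safe.
    param([int]$WarnSeconds = 300)   # assumed threshold (Kerberos default)

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $reference = Get-Date      # sample our clock right before the query
            $os = Get-WmiObject -Class Win32_OperatingSystem `
                                -ComputerName $dc.HostName -ErrorAction Stop
            $dcTime = [Management.ManagementDateTimeConverter]::ToDateTime($os.LocalDateTime)
            $skew   = ($dcTime - $reference).TotalSeconds
            [pscustomobject]@{
                DomainController = $dc.HostName
                SkewSeconds      = [math]::Round($skew, 1)
                OverThreshold    = ([math]::Abs($skew) -gt $WarnSeconds)
            }
        } catch {
            Write-Warning "Could not read the clock on $($dc.HostName): $_"
        }
    }
}

function Reset-RemoteLoaderState {
    # Stops the Remote Loader instance, moves every state_<driver DN>.xml into
    # a timestamped backup folder (so the reset can be undone), and starts the
    # Remote Loader again. Returns the number of state files set aside.
    param(
        [Parameter(Mandatory)] [string]$RemoteLoaderService,  # assumed: RL runs as a service
        [string]$RemoteLoaderDir = 'C:\Novell\RemoteLoader'   # default path per the TID
    )

    # The driver must already be stopped in iManager before this runs.
    Stop-Service -Name $RemoteLoaderService -ErrorAction Stop

    $backup = Join-Path $RemoteLoaderDir ('state-backup-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
    New-Item -ItemType Directory -Path $backup | Out-Null

    $files = @(Get-ChildItem -Path $RemoteLoaderDir -Filter 'state_*.xml')
    foreach ($f in $files) {
        Move-Item -Path $f.FullName -Destination $backup
    }

    # Next: delete DirXML-DriverStorage in iManager, then restart the driver.
    Start-Service -Name $RemoteLoaderService
    return $files.Count
}

# Usage:
Get-DcClockSkew | Format-Table -AutoSize
# Reset-RemoteLoaderState -RemoteLoaderService 'YourRemoteLoaderServiceName'
```

Run Get-DcClockSkew before and after correcting time sync; any DC with OverThreshold set to True is a candidate for the replication conflicts described under Cause.  The state file is moved rather than deleted so that the Remote Loader can be rolled back to its previous position if the driver starts replaying far more events than expected.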
 
In some rare cases the users still do not come over.  In this case do the same steps with one change.  Instead of deleting the DirXML-DriverStorage attribute, do the following:
- edit the attribute and change the state value to something else.  The part of the attribute to change is the part between the <cookie>...</cookie> tags.  Changing the last letter or number in the string to a different value is enough.
- When you start the driver, make sure trace is turned on, allow only one event to come over from AD, and then stop the driver.  Note in the driver trace what that change was, in case you need to undo it.  If you leave the driver running it will do a complete re-sync from AD, because the driver sees the altered cookie as invalid and falls back to a full sync from AD.
- Now delete the DirXML-DriverStorage attribute and the state file again.
- Restart the driver and it should start picking up new changes in AD.

Cause

This can happen if the clock on one Active Directory Domain Controller gets out of sync with the other Domain Controllers.  The change is written to the Domain Controller that the Remote Loader is connected to, but when that DC replicates the change to the other DCs the change is refused, and the original values are replicated back to the DC where the Remote Loader is located.  The Remote Loader then sees that as a new change in AD and sends it back to eDirectory, overwriting the original change.