using ntdsutil.exe to resolve AD aggegration exceptions

  • 7011213
  • 20-Jun-2011
  • 02-Nov-2012


NetIQ Access Governance Suite


using ntdsutil.exe to resolve AD aggegration exceptions


The Access Governance Suite aggregation operation features several hooksfor running rules to process and to format the info into an identity-friendly resource object. As a side effect, each per-account processing takes some time and so the time per page grows directly with the number of accounts to aggregate. Under some conditions, the time to process a page of accounts exceeds the AD server's timeout settings. This results in a timeout exception when fetching the next page of accounts from the AD server.

To fix this scenario, either
1) rework the rules to shorten the processing;
2) redefine Access Governance Suite's application settings to fetch fewer accounts in a single page;
3) redefine IIQ's application settings to fetch the entire account list in a the initial page;
4) re-cfg the AD server to allow sufficient time to process a page of accounts.

While the Access Governance Suite UI provides fields to accomplish the first 3 options, yet the final option requires an AD admin tool.  The "ntdsutil.exe" tool displays the AD policy settings.  For example, this MS-Support link detail the tool/policy:
MaxConnIdleTime - The maximum time in seconds that the client can be idle before the LDAP server closes the connection.  If a connection is idle for more than this time, the LDAP server returns an LDAP disconnect notification.

Default value: 900 seconds