When to delete the DirXML-DriverStorage attribute on the AD driver and how it works

  • 7015605
  • 28-Aug-2014
  • 28-Aug-2014

Environment

NetIQ Identity Manager Driver - Active Directory

Situation

The driver is not picking up the correct changes from Active Directory. How does the AD driver know which changes to retrieve from Active Directory, and does it use the DirXML-DriverStorage attribute to do so?

Resolution

The Active Directory driver keeps track of its position in the AD change stream with the DirXML-DriverStorage attribute on the driver object. The driver uses the attribute as follows.

ADSI exposes an operational property, ADS_DIRSYNC_COOKIE, that returns the domain controller's current high water mark as a blob of binary data. The driver base64-encodes the blob so that it can be stored as text inside the XDS XML document, and stores that document in the DirXML-DriverStorage attribute. When the driver restarts, it initializes its publisher search with the stored cookie value.

The cookie is tied to the domain controller that issued it. If the driver presents it to a different domain controller, or to the same domain controller after a restore has been applied, AD may discard the cookie and replay events from the beginning of time, which is almost never what you want. For that reason, delete the publisher driver state when you move the driver to a new domain controller or restore the domain controller. Deleting the attribute is also the way to make the driver start processing changes from the moment it is started: on the next start, the driver reads the current cookie value from AD and recreates the DirXML-DriverStorage attribute with it.

As changes occur on the domain controller, whether replicated from other DCs or made directly on that DC, the DC advances its high water mark. Each time the driver polls, it compares its stored cookie with the DC's current high water mark; if the stored cookie is behind, the driver requests all changes made since then. Those changes are cached in a state file on the Remote Loader until the driver has processed them. If you delete the DirXML-DriverStorage attribute, delete this state file as well so that stale cached events are not processed after the reset. The state file is located in the Remote Loader directory and is named state<name of driver>.xml. Stop the driver before deleting either one, so that a running driver cannot write the old cookie back on shutdown.
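As an added example, not code from NetIQ or from this TID, the following Python script performs the reset described above: it backs up the current DirXML-DriverStorage value with ldapsearch, deletes the attribute from the driver object in the Identity Vault with ldapmodify, and removes the Remote Loader state file. The LDAP URI, bind DN, driver DN (for instance cn=Active Directory,cn=DriverSet,o=system), Remote Loader directory and driver name are placeholders you supply on the command line; the script assumes the OpenLDAP command-line tools are on PATH, that it runs on the Remote Loader host (where the state file lives) with LDAP access to the Identity Vault, and that the driver has already been stopped.

```python
"""Reset the NetIQ AD driver's publisher state (added example, not NetIQ code).

Steps, matching the TID's resolution:
  1. back up the current DirXML-DriverStorage value so the cookie can be restored,
  2. delete DirXML-DriverStorage from the driver object in the Identity Vault,
  3. delete the Remote Loader state file state<driver name>.xml.
Run with the driver stopped; OpenLDAP's ldapsearch/ldapmodify must be on PATH.
All host names, DNs and paths are placeholders supplied by the caller.
"""
import subprocess
import sys
from pathlib import Path

DRIVER_STORAGE_ATTR = "DirXML-DriverStorage"
LDAP_NO_SUCH_ATTRIBUTE = 16  # ldapmodify exits with the LDAP result code


def delete_attribute_ldif(driver_dn: str, attribute: str = DRIVER_STORAGE_ATTR) -> str:
    """LDIF modify record that removes every value of `attribute` from `driver_dn`."""
    return f"dn: {driver_dn}\nchangetype: modify\ndelete: {attribute}\n-\n"


def state_file_path(remote_loader_dir, driver_name: str) -> Path:
    """The Remote Loader caches unprocessed publisher events in state<driver name>.xml."""
    return Path(remote_loader_dir) / f"state{driver_name}.xml"


def remove_state_file(path) -> bool:
    """Delete the cached state file if it exists. Returns True when a file was removed."""
    path = Path(path)
    if path.is_file():
        path.unlink()
        return True
    return False


def _ldap_auth(uri: str, bind_dn: str, password_file: str) -> list:
    # -x: simple bind; -y: read the bind password from a file (keeps it off the command line)
    return ["-x", "-H", uri, "-D", bind_dn, "-y", password_file]


def backup_driver_storage(uri, bind_dn, password_file, driver_dn, backup_file) -> None:
    """Save the driver object's current DirXML-DriverStorage value as LDIF."""
    cmd = ["ldapsearch", *_ldap_auth(uri, bind_dn, password_file),
           "-b", driver_dn, "-s", "base", "(objectClass=*)", DRIVER_STORAGE_ATTR]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    Path(backup_file).write_text(out)


def delete_driver_storage(uri, bind_dn, password_file, driver_dn) -> bool:
    """Remove DirXML-DriverStorage; returns False if it was already absent."""
    cmd = ["ldapmodify", *_ldap_auth(uri, bind_dn, password_file)]
    proc = subprocess.run(cmd, input=delete_attribute_ldif(driver_dn), text=True)
    if proc.returncode == LDAP_NO_SUCH_ATTRIBUTE:
        return False  # nothing to delete: the driver will create it on next start
    if proc.returncode != 0:
        raise RuntimeError(f"ldapmodify failed with LDAP result code {proc.returncode}")
    return True


def reset_publisher_state(uri, bind_dn, password_file, driver_dn, remote_loader_dir, driver_name):
    """Full reset: back up, delete the attribute, delete the state file."""
    backup_driver_storage(uri, bind_dn, password_file, driver_dn, "DirXML-DriverStorage.bak.ldif")
    attr_removed = delete_driver_storage(uri, bind_dn, password_file, driver_dn)
    file_removed = remove_state_file(state_file_path(remote_loader_dir, driver_name))
    return attr_removed, file_removed


if __name__ == "__main__":
    if len(sys.argv) != 7:
        sys.exit("usage: reset_ad_driver_state.py LDAP_URI BIND_DN PASSWORD_FILE "
                 "DRIVER_DN REMOTE_LOADER_DIR DRIVER_NAME")
    print(reset_publisher_state(*sys.argv[1:]))
```

The backup step is there because the reset is one-way: once the attribute is gone, the driver's next start takes the DC's current high water mark, and anything that changed in AD between the last successful poll and that start is not published. Keeping the old LDIF lets you put the cookie back if the reset was run against the wrong driver. Note that ldapmodify's "delete" with no values fails with noSuchAttribute (result code 16) when the attribute is already absent, which the script treats as "already reset" rather than as an error.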