Troubleshooting and FAQs for Active Directory (AD) Bridge

Learn how to troubleshoot common Active Directory (AD) issues.

1. Why is my Active Directory (AD) Bridge client connecting to a different domain?

Answer: The domain to which the AD Bridge client is connected is determined from the domain of the signed-in user who is installing the AD Bridge client on the Windows Server. Check whether your user is present in the correct domain through the Active Directory Users and Computers utility.

The following screenshot shows the DummyUser is present in the domain adfs.fed.oracle.com.

User present in ADFS.

2. Why can't I connect to Active Directory on an SSL port?

Answer: Active Directory must be configured for an SSL connection. Try connecting to Active Directory over SSL with ldp.exe. To verify the SSL connection:
  1. Ensure that the Windows Support Tools are installed on the Active Directory machine.
    1. Select Start | All Programs | Windows Support Tools | Command Prompt.
    2. Start the ldp tool by typing ldp at the command prompt.
  2. From the ldp window, select Connection | Connect and supply the host name and port number (636). Also, select the SSL check box.
    1. If the connection is successful, a window displays listing the information related to the Active Directory SSL connection.
    2. If the connection is unsuccessful, restart your system, and repeat this procedure. If Active Directory still doesn’t connect, complete the following instructions to enable SSL: Enable LDAP over SSL with a third-party certification authority.

3. I received a "Connectivity to AD Bridge restored" email notification. What does it mean?

Answer: Because of network connectivity issues, the AD Bridge server might become disconnected from Oracle Identity Cloud Service. After connectivity is restored, you receive this email notification. Note: Any connectivity issue delays synchronization. New data is synced after connectivity is restored.

If you don’t want to receive these email notifications, change the Notifications settings from the Oracle Identity Cloud Service Admin console. See About Administrator Notifications to access Administrator notifications. You can choose to turn on the following Administrator AD Bridge connectivity notifications:
  • Synchronization job summary
  • Notify an administrator when connectivity between AD-ADbridge-Identity domain server is broken.
  • Notify an administrator when connectivity between AD-ADbridge-Identity domain server is restored.
  • Bridge update available
  • Notify an administrator when sync between AD-ADbridge-Identity domain server has succeeded.
  • Notify an administrator when sync between AD-ADbridge-Identity domain server has failed.

4. I see an "LDAP Server unavailable" error in the log file. What does it mean?

Answer: The "LDAP Server unavailable" error occurs when the server on which the AD Bridge client is installed is unable to connect to the Active Directory Domain Controller through LDAP. Verify that the Active Directory services are running (in the Windows Services list, check the status of the AD DS Domain Controller service), and then try to connect using the client utility ldp.exe.

  1. Open a run window from Start.
  2. Enter ldp to open the client utility.
  3. Select Connection and then New Connection. Complete the details and then check whether the connection is successful.

Successful LDAP Connection
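The two ldp.exe checks above (plain LDAP in question 4, LDAPS on port 636 in question 2) can also be scripted from the AD Bridge host so the result is repeatable and can be attached to a support request. The following PowerShell is an added example and not code from the Oracle documentation. It assumes the signed-in user's domain (USERDNSDOMAIN) as the default server name and binds with that user's Windows credentials (Negotiate); the TCP test runs first so that a closed port is told apart from a certificate or bind problem.

```powershell
# Added example, not part of the Oracle documentation: scripted version of the
# ldp.exe checks in questions 2 and 4. Tests the TCP port first, then an LDAP
# bind, for plain LDAP (389) and LDAPS (636). Assumptions: the signed-in user's
# domain (USERDNSDOMAIN) is the default server name, and the bind uses that
# user's Windows credentials (Negotiate).
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapBind {
    param(
        [string] $Server = $env:USERDNSDOMAIN,
        [int]    $Port   = 389,
        [switch] $UseSsl
    )
    $result = [ordered]@{ Server = $Server; Port = $Port; Ssl = [bool]$UseSsl }

    # Step 1: is anything listening? Separates "LDAPS not enabled / firewall"
    # from "certificate or bind problem".
    $tcp = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        $result.Result = 'FAIL'; $result.Detail = "TCP port $Port not reachable"
        return [pscustomobject]$result
    }

    # Step 2: LDAP bind, the same operation as Connection | Bind in ldp.exe.
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    if ($UseSsl) {
        $conn.SessionOptions.SecureSocketLayer = $true
        # Record the server certificate and keep the chain check: an untrusted or
        # expired DC certificate is the usual reason the SSL bind fails.
        $conn.SessionOptions.VerifyServerCertificate = {
            param($connection, $certificate)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2] $certificate
            $result.Certificate = "{0}; expires {1}" -f $cert.Subject, $cert.NotAfter.ToString('u')
            $cert.Verify()   # $true only if the chain builds to a trusted root
        }.GetNewClosure()
    }
    try {
        $conn.Bind()
        $result.Result = 'OK'; $result.Detail = 'bind succeeded'
    } catch {
        $result.Result = 'FAIL'; $result.Detail = $_.Exception.Message
    } finally {
        $conn.Dispose()
    }
    [pscustomobject]$result
}

# The two FAQ checks: plain LDAP (question 4) and LDAPS on 636 (question 2).
Test-LdapBind -Port 389
Test-LdapBind -Port 636 -UseSsl
```

When the certificate check fails, the bind typically surfaces as the generic "The LDAP server is unavailable" message, so the Certificate field in the output is the detail worth reading: it shows which certificate the Domain Controller presented and whether it chains to a root the AD Bridge host trusts.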

5. I see the message "ADBridge Unreachable" in the user interface. What does it mean?

Answer: AD Bridge has one-way communication with Oracle Identity Cloud Service. This means that Oracle Identity Cloud Service can't directly communicate with the server on which AD Bridge is installed. Instead, AD Bridge frequently polls Oracle Identity Cloud Service to check whether any operation (like sync) is pending. An "AD Bridge Unreachable" message means that the polling is not being performed. The following are some reasons that the AD Bridge might be unreachable.

  • The AD Bridge is not installed.
  • The AD Bridge is installed but unable to reach Oracle Identity Cloud Service over the internet.
    • Check your connection/proxy settings.
    • Test the connectivity using the AD Bridge user interface.
  • The background service is stopped.
    • Start “Identity Cloud Service Microsoft Active Directory Bridge Service” from Windows Services.
    • Ensure that the Startup type is Automatic.

Start type automatic

After you have determined the cause, restart the AD Bridge service, either from the AD Bridge user interface (Stop/Start buttons) or from Windows Services. Important: Before restarting the AD Bridge service, take a thread dump of the Oracle Identity Cloud Service process and share it with the Oracle Support Team. See question 30, How do I take a thread dump of the AD Bridge service on an AD Bridge machine? You must resolve this issue for the AD Bridge to function properly. If you don't fix it, AD Bridge functionality, including Sync and Delegated Authentication, will not work properly.
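The three causes listed above (not installed, no route to Oracle Identity Cloud Service, service stopped or not set to Automatic) can be checked in one pass from the Windows Server that hosts AD Bridge. The following PowerShell is an added example, not code from the Oracle documentation. It locates the service by the display name quoted above, and the tenant URL is a placeholder you replace with your own Oracle Identity Cloud Service URL.

```powershell
# Added example, not part of the Oracle documentation: checks the causes of
# "ADBridge Unreachable" listed in question 5 from the Windows Server that runs
# AD Bridge. Assumptions: the service is located by the display name quoted in
# the FAQ; the tenant URL is a placeholder for your Oracle Identity Cloud Service URL.
function Test-AdBridgeHost {
    param(
        [Parameter(Mandatory)] [string] $TenantUrl,
        [string] $ServiceDisplayName = 'Identity Cloud Service Microsoft Active Directory Bridge Service'
    )
    $checks = New-Object System.Collections.Generic.List[object]
    function Add-Check($Check, $Ok, $Detail) {
        $checks.Add([pscustomobject]@{ Check = $Check; Result = $(if ($Ok) { 'OK' } else { 'FAIL' }); Detail = "$Detail" })
    }

    # 1. Installed? No service with this display name means no Bridge on this host.
    $svc = Get-Service -DisplayName $ServiceDisplayName -ErrorAction SilentlyContinue
    Add-Check 'service installed' ($null -ne $svc) $(if ($svc) { $svc.Name } else { "no service '$ServiceDisplayName'" })
    if (-not $svc) { return $checks }

    # 2. Background service running and set to start automatically
    #    (Win32_Service reports StartMode as Auto / Manual / Disabled).
    Add-Check 'service running' ($svc.Status -eq 'Running') $svc.Status
    $mode = (Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").StartMode
    Add-Check 'startup type Automatic' ($mode -eq 'Auto') $mode

    # 3. Outbound path to Oracle Identity Cloud Service. The raw TCP test ignores
    #    the proxy, so on a proxy-only network it is expected to fail while the
    #    HTTPS request (which honours the system proxy) succeeds; read both lines.
    $uri   = [uri] $TenantUrl
    $proxy = [System.Net.WebRequest]::GetSystemWebProxy().GetProxy($uri)
    Add-Check 'proxy for tenant URL' $true $(if ($proxy -eq $uri) { 'direct (no proxy)' } else { $proxy.AbsoluteUri })
    $tcp = Test-NetConnection -ComputerName $uri.Host -Port 443 -WarningAction SilentlyContinue
    Add-Check 'direct TCP 443 to tenant' $tcp.TcpTestSucceeded $uri.Host
    try {
        $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 20
        Add-Check 'HTTPS response from tenant' $true "HTTP $($resp.StatusCode)"
    } catch {
        $resp = $_.Exception.Response
        # Any HTTP status, even 4xx, proves the tenant was reached.
        if ($resp) { Add-Check 'HTTPS response from tenant' $true "HTTP $([int]$resp.StatusCode)" }
        else       { Add-Check 'HTTPS response from tenant' $false $_.Exception.Message }
    }
    return $checks
}

# Usage; the tenant URL is a placeholder.
Test-AdBridgeHost -TenantUrl 'https://tenant-placeholder.identity.oraclecloud.com' | Format-Table -AutoSize

# Remediation for a stopped service, only after taking the thread dump the FAQ
# asks for (question 30):
#   Set-Service -Name <ServiceName> -StartupType Automatic
#   Start-Service -Name <ServiceName>
```

A FAIL on "direct TCP 443" together with an OK on "HTTPS response" is the normal pattern behind a corporate proxy; a FAIL on both points at the connection or proxy settings mentioned above.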

6. I see "No active sync" in the Admin console. What does it mean?

Answer: This message doesn't indicate an issue. It means that a sync is not currently in progress. The next sync will run according to the interval set for the domain through the configuration page, or it can be triggered manually. Because the incremental sync only reads changed data, a sync can finish very quickly, so it might appear that the “No active sync.” message never disappears. You can always verify the last sync status from the Import page for that particular domain.

7. I have moved my Domain Controller from its current machine to another machine. What steps do I perform next?

Answer: Moving the Domain Controller should not cause any issues. Verify Domain Controller connectivity by using the Test Connectivity option in the AD Bridge user interface. If there's an issue in the AD Bridge to Domain Controller (LDAP) communication, click Detect Domain Controller to further detect whether the Domain Controller is accessible. The following screenshots are examples of successful connection tests.

Shows a successful test message.

8. I have changed my User credentials to connect to Active Directory. How can I change the credentials in the Active Directory (AD) Bridge client?

Answer: After AD Bridge version 21.3.1, this feature is available in the user interface. Download and install the latest version of AD Bridge. Note: You don't need to uninstall the current binaries. The install upgrades them. See "Update AD credentials" in the following screenshot.

User credentials

9. My Users are synced, but they are not able to sign in. What could be the problem?

Answer: This depends on which of the three authentication methods (listed below) is being used to sign in Active Directory (AD) users. The method is set on the domain configuration page. Sign-in works differently in each case.

  • Local Authentication (default): After the sync, users receive a welcome notification to change the password for their account. They need to use the provided username (from AD) and the password they set to sign in to their account. Action to take: Check whether the user is present in Oracle Identity Cloud Service. (The user sync might have failed because of invalid data.) If the user exists, try resetting the password from Oracle Identity Cloud Service.
  • Delegated Authentication: With local authentication, you can enable delegation from AD. In this method, users won’t create a password but use their existing AD passwords to sign in. Oracle Identity Cloud Service delegates the user authentication to AD through AD Bridge. Action to take: Check whether the user is present in Oracle Identity Cloud Service. Also, check whether the user is active in AD and that the password is not expired.
  • Federated Authentication: This method uses a third-party service like Microsoft AD FS to authenticate the user. Action to take: Check the configuration of the third-party service.

Use the following screenshots as a guide.

Users synced

10. How long will Microsoft Windows Server 2012 be supported?

Answer: There is no pre-defined support period. Oracle provides six months' notice when compatibility is removed. Otherwise, presume that Oracle will support Windows Server 2012 as long as Microsoft supports it.

11. Why can't I enable Federation?

Answer: Check whether Delegated Authentication is enabled. If Delegated Authentication is enabled, Federated Authentication cannot be enabled. To switch from Delegated to Federated Authentication:

  1. Deactivate Delegated Authentication. See Deactivate Delegated Authentication.
  2. Turn on Federated Authentication in Directory Integrations.
  3. Perform a Full Import.

12. Why can't I enable Delegated Authentication?

Answer: Ensure that Enable local authentication is chosen on the Directory Integrations page. If you have Federated Authentication enabled, turn it off. Then go to the Delegated Authentication settings and activate it for a particular domain.

13. I want to change my sign-in username to an email-address or vice versa. How can I do it?

Answer: To allow sign-in using email, you need to map the mail attribute of Active Directory (AD) to User Name in the Oracle Identity Cloud Service inbound mapping, as shown in the screenshot below.

Note: You can map either sAMAccountName or mail to User Name, but not both at the same time. If users are already synced, you need to trigger a Full Import after changing this attribute mapping. A Full Import syncs all users again and this time stores mail from AD in User Name in Oracle Identity Cloud Service.

Edit attribute mappings

14. We have AD Bridge configured to sync users into Oracle Identity Cloud Service. Sometimes a few users are not synced into Oracle Identity Cloud Service during the scheduled sync job, but if we run a Full Import, those missing users appear in Oracle Identity Cloud Service. Why?

Answer: AD Bridge records updates in Active Directory using synchronization tokens and an update sequence number (USN). The previous highest USN value is stored in Oracle Identity Cloud Service, and whenever an incremental sync runs, Oracle Identity Cloud Service reads the data from the stored USN to the latest USN. Sometimes, because of factors such as a Domain Controller change, the USN numbers get corrupted (for example, if a new DC has a larger USN value than the previous DC), causing users not to sync. A Full sync doesn't use tokens, which is why the users appear after a Full sync. To fix this issue, Oracle needs to reset the sequence number, which can be done by using the API. Contact Oracle Support for help.

Note: This issue is already handled and does not occur in the latest version of AD Bridge. Upgrading AD Bridge resolves it automatically.
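The USN mechanism described in this answer can be observed directly with the Active Directory cmdlets, which makes it clear why a watermark taken from one Domain Controller is not valid against another. The following PowerShell is an added example and not AD Bridge's own implementation, which is not shown anywhere on this page; it only illustrates the highestCommittedUSN and uSNChanged values the answer refers to. It assumes the ActiveDirectory module (RSAT) is installed and that the account can read the RootDSE of every DC in the domain.

```powershell
# Added example, not part of the Oracle documentation: illustrates the USN
# bookkeeping question 14 refers to with the AD cmdlets, showing why a watermark
# taken from one domain controller is not valid against another. It does not
# show AD Bridge's own implementation. Assumptions: the ActiveDirectory module
# (RSAT) is installed and the account can read all DCs in the domain.
Import-Module ActiveDirectory

function Get-UsnWatermark {
    param([Parameter(Mandatory)] [string] $Server)
    # highestCommittedUSN lives in the RootDSE of each DC and is not replicated:
    # the same change carries a different USN on every DC.
    [long] (Get-ADRootDSE -Server $Server).highestCommittedUSN
}

function Get-ChangedUsers {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [long]   $SinceUsn,
        [string] $SearchBase
    )
    # uSNChanged is also DC-local, so this filter is only meaningful against the
    # DC that produced $SinceUsn. Against a different DC it returns too much or
    # too little, which is the "missing users until a Full Import" symptom.
    $params = @{
        Server     = $Server
        LDAPFilter = "(uSNChanged>=$($SinceUsn + 1))"
        Properties = 'uSNChanged', 'whenChanged'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    Get-ADUser @params | Select-Object sAMAccountName, uSNChanged, whenChanged
}

function Compare-DcUsn {
    # Side by side, the per-DC watermarks show how far apart they can be.
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        [pscustomobject]@{
            DomainController    = $dc.HostName
            HighestCommittedUsn = Get-UsnWatermark -Server $dc.HostName
        }
    }
}

# 1. Take the watermark from the DC the Bridge would talk to (store it, as the
#    Bridge stores its USN in Oracle Identity Cloud Service).
$dc = (Get-ADDomainController -Discover).HostName | Select-Object -First 1
$watermark = Get-UsnWatermark -Server $dc
# 2. An incremental pass later reads only objects changed after the watermark.
Get-ChangedUsers -Server $dc -SinceUsn $watermark | Format-Table
# 3. Compare watermarks across DCs: a value stored from $dc means nothing on the others.
Compare-DcUsn | Format-Table -AutoSize
```

Running Compare-DcUsn after a Domain Controller change shows the situation the answer describes: the stored watermark is either far below the new DC's counter (everything is re-read) or above it (nothing is read until the counter catches up), and only a Full sync, which ignores the watermark, brings the missing users back.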

15. Can I use Active Directory (AD) Bridge client to sync with Azure AD?

Answer: No, Azure AD is not supported through AD Bridge. AD Bridge only works with on-premises Active Directory. Azure AD is supported through the Microsoft Azure integration as well as through the Azure AD connector.

16. Can I change the attribute mapping at any time?

Answer: Yes, attribute mappings can be changed at any time. Ensure that you perform a Full sync after saving the new configuration. User data will be updated by the Full sync. If you don't do a Full sync, existing user data remains the same and new users will have updated data. It is NOT recommended that you change attribute mapping frequently.

17. My sync hasn't completed for days. What should I do to terminate it?

Answer: Use the Abort option on the Import page to quit the unresponsive job. This will mark your previous stuck sync as Failed. Submit a new sync and then check connectivity from the Windows Server (on which AD Bridge is installed) to Oracle Identity Cloud Service. If the problem persists, contact Oracle support.

18. I want to suppress certain auto-generated emails / notifications. How can I do it?

Answer: Oracle Identity Cloud Service provides full control over notifications. Go to Settings, then Notifications. Here you can see three tabs:

  • Configure: Select which notifications to send.
  • Recipients: Limit which users receive notifications. Don’t make changes here unless you are sure.
  • Email Templates: Change the design or the contents of the email sent to the customers.

Suppress notifications

19. Where can I check to see which user/group failed to sync and the reason for the failure?

Answer: Currently, this can only be traced through AD Bridge Logs. You can find the log files from the AD Bridge client user interface. Search for your username or group name to see what failures occurred during the sync.

The following example shows one user that was successfully synced and another where the sync failed.

Sync status

20. What does Delinking mean?

Answer: Oracle Identity Cloud Service keeps a mapping of all the AD users (the Oracle Identity Cloud Service identifier mapped to the AD identifier). When a user is removed from the active sync, for example because of a new filter condition, the record in Oracle Identity Cloud Service is kept and just the mapping is removed. The removal of the mapping is called Delinking. This case is different from deletion: the user is not deleted from AD, and if the filters are reset, the user will be linked again.

21. A new version of Active Directory (AD) Bridge client is available. Should I install it?

Answer: You should always upgrade to a new version. Make sure you are not installing the current version again. Reinstalling the current version removes the existing Bridge and may lead to authentication and sync failures. Verify the version number from the AD Bridge user interface.

AD version

22. Do I need to uninstall the existing Active Directory (AD) Bridge installation in order to upgrade?

Answer: You do not need to uninstall the existing Active Directory (AD) Bridge to upgrade to a newer version.

23. How many Bridges can I install for a given domain?

Answer: A tenant can configure a maximum of 10 domains, and for every domain a maximum of 5 Bridges can be configured, but only when high availability (HA) is enabled for the tenant. This limit is defined in the Oracle Identity Cloud Service configuration.

24. Can I install more than one Bridge on the same Windows Server machine?

Answer: No, only a single Bridge can be installed, similar to a program in Windows. To use HA, you need multiple machines connected to the same AD Domain.

25. When we upgrade our Active Directory (AD) Bridge client, does my first sync after that need to be a Full sync?

Answer: No, existing data will not be impacted because of an upgrade. You can perform an incremental sync. Also, the sync schedule won’t be affected, and next sync will be performed as configured.

26. Can I downgrade my Active Directory (AD) Bridge client?

Answer: This is not recommended. If you want to downgrade the client, you need to uninstall the current one first. This leads to a downtime of services (sync, delegated authentication, etc.). You can then install the version you want.

27. A few of my users/groups are NOT getting synced. What should I do?

Answer: Use any of the following troubleshooting methods to determine the cause.

  • Check the OU configuration on the Directory Integrations page. You need to select the OUs for groups and users separately. Even if you have the same OU for groups and users, select them separately. Make sure to save the configuration page after you make the changes.
  • Confirm the filter used in users/groups on the configuration page. Use PowerShell to execute the filter and check whether your users are visible there.
  • Check the network connectivity from the AD Bridge client to Oracle Identity Cloud Service. (Only if all records are failing.)
  • Check the IDBridge log file (“View logs” from AD Bridge user interface). Look for an error like the following:

Groups not synced

28. Which version of Windows Server do I need on my Windows machine: 2012 or 2016?

Answer: Any version above 2012 R2 is supported. The recommendation is to use Windows Server 2016.

29. How do I enable AD Bridge trace mode logging?

To enable trace mode:

  1. Go to the AD Bridge installation folder. The default location is: C:\Program Files\Oracle\IDBridge.
  2. Open the file log4net.config.
  3. Change this line <level value="info" /> to <level value="trace" />.
  4. If you get a permissions error, open the editor with Administrator privileges. If you are using Notepad, search for Notepad in the Start menu, right-click it, choose “Run as Administrator”, and then open log4net.config to make the change. Note: The log level change does NOT require a restart of the AD Bridge client.
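The edit above can be done from an elevated PowerShell session, which avoids the Notepad permissions problem and leaves a backup to revert to. The following script is an added example, not code from the Oracle documentation. It uses the default installation path given above and assumes nothing about the file beyond the `<level value="info" />` element the steps mention; it switches that element between info and trace in either direction.

```powershell
# Added example, not part of the Oracle documentation: switches the log4net level
# of AD Bridge between info and trace from an elevated PowerShell session,
# keeping a backup of the original file. The path is the default from the FAQ;
# the file layout beyond the <level value="..." /> element is not assumed.
#Requires -RunAsAdministrator
function Set-AdBridgeLogLevel {
    param(
        [ValidateSet('info', 'trace')] [string] $Level = 'trace',
        [string] $ConfigPath = 'C:\Program Files\Oracle\IDBridge\log4net.config'
    )
    if (-not (Test-Path $ConfigPath)) { throw "log4net.config not found at $ConfigPath" }

    # Keep the original so the change can be reverted exactly.
    $backup = "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
    Copy-Item -Path $ConfigPath -Destination $backup

    # Only swap between the two values the FAQ names, so other <level> elements
    # (for example per-logger overrides) are left alone.
    $from    = if ($Level -eq 'trace') { 'info' } else { 'trace' }
    $content = Get-Content -Path $ConfigPath -Raw
    $pattern = '<level\s+value="' + $from + '"\s*/>'
    $updated = [regex]::Replace($content, $pattern, "<level value=`"$Level`" />", 'IgnoreCase')
    if ($updated -eq $content) {
        Write-Warning "no <level value=`"$from`" /> element found; file left unchanged"
    } else {
        Set-Content -Path $ConfigPath -Value $updated -Encoding UTF8 -NoNewline
    }
    [pscustomobject]@{ Config = $ConfigPath; Level = $Level; Backup = $backup; Changed = ($updated -ne $content) }
}

# No service restart is needed after either call (see step 4 above).
Set-AdBridgeLogLevel -Level trace   # verbose logging while reproducing the problem
# Set-AdBridgeLogLevel -Level info  # back to the default once the logs are collected
```

Trace logging is much more verbose than info, so switch back once the relevant log has been captured; the Changed field in the output tells you whether the element was actually found and rewritten.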

30. How do I take a thread dump of the AD Bridge service on an AD Bridge machine?

  1. Open Task Manager on the machine where the AD Bridge client binary is installed.
  2. Go to the Processes tab.
  3. Search for the process with the name "Identity Cloud Service Microsoft Active Directory Bridge" in the process list.
  4. Right-click the process and select the option Create dump file.
  5. After a few seconds, the dump location and dump file name are displayed.

Thread dump example 1

Thread dump example 2

31. What additional steps I need to follow if I have changed my filter? Does changing the filter have an impact on my functionality?

Answer: Filters might prevent new users and groups from syncing into Oracle Identity Cloud Service. Complete the following tasks before adding or modifying filters:

  1. Verify the filters by running them using PowerShell commands. Ensure that all data is included.
  2. Always run a Full sync after changing filters. This will make sure any previously ignored entries are synced. Also, this will cleanup existing redundant mappings.
  3. Existing users/groups will not be deleted. Even if they are out of filter, they will be delinked, but kept in Oracle Identity Cloud Service.
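Questions 27 and 31 both say to run the configured filter with PowerShell and confirm the expected users and groups come back before the filter is saved. The following PowerShell is an added example, not code from the Oracle documentation. It assumes the filter is an LDAP filter string, that the OUs passed in are the ones selected for users and for groups on the Directory Integrations page (the values shown are placeholders), and that the ActiveDirectory module (RSAT) is installed.

```powershell
# Added example, not part of the Oracle documentation: runs the user and group
# filters from the Directory Integrations page against AD with PowerShell before
# they are saved, the check questions 27 and 31 recommend. Assumptions: the
# filter is an LDAP filter string, the OUs and account names below are
# placeholders, and the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

function Test-SyncFilter {
    param(
        [Parameter(Mandatory)] [ValidateSet('User', 'Group')] [string] $Kind,
        [Parameter(Mandatory)] [string]   $LdapFilter,
        [Parameter(Mandatory)] [string[]] $SearchBase,   # OUs selected for this object type
        [string[]] $Expect = @()                         # sAMAccountNames that must be included
    )
    # Users and groups are scoped separately in the Bridge (question 27), so each
    # kind is searched only in the OUs selected for that kind.
    $matched = foreach ($ou in $SearchBase) {
        if ($Kind -eq 'User') {
            Get-ADUser  -LDAPFilter $LdapFilter -SearchBase $ou -SearchScope Subtree -Properties mail
        } else {
            Get-ADGroup -LDAPFilter $LdapFilter -SearchBase $ou -SearchScope Subtree
        }
    }
    $names   = @($matched | Select-Object -ExpandProperty sAMAccountName)
    # Anything in $Expect that is absent here would be skipped by the next sync,
    # or delinked (not deleted) by a Full sync, as question 31 describes.
    $missing = @($Expect | Where-Object { $names -notcontains $_ })
    [pscustomobject]@{
        Kind    = $Kind
        Filter  = $LdapFilter
        OUs     = $SearchBase.Count
        Matched = $names.Count
        Missing = ($missing -join ', ')
    }
}

# Placeholder OUs, filters and accounts; replace with the values from your configuration page.
$userOus  = @('OU=Staff,DC=example,DC=com', 'OU=Contractors,DC=example,DC=com')
$groupOus = @('OU=Groups,DC=example,DC=com')
Test-SyncFilter -Kind User  -LdapFilter '(&(objectCategory=person)(mail=*))' -SearchBase $userOus  -Expect 'jdoe', 'asmith'
Test-SyncFilter -Kind Group -LdapFilter '(objectClass=group)'                 -SearchBase $groupOus -Expect 'App-Admins'
```

A non-empty Missing column before saving the filter is exactly the situation question 31 warns about: those entries would not sync, and a Full sync afterwards would delink them while keeping their records in Oracle Identity Cloud Service.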

32. What will happen to my Delegated Authentication Request when any of below is true:

a. AD Bridge client is down

b. AD Bridge client is NOT able to connect to Oracle Identity Cloud Service Cloud.

c. Active Directory is down

d. AD Bridge client is busy processing other delegated authentication requests

Answer: In all these cases the authentication request will fail, unless password caching is enabled and the password is available in the cache. For the first three scenarios (a, b, c), the service recovers when the downstream system or connectivity issue is resolved. For the last scenario (d), the service recovers after the concurrent request load decreases.

33. If I have enabled password caching, then which password will be used for delegated authentication:

a. Cached Password or

b. Actual Password stored in Active Directory.

Answer: First, the actual password is used to authenticate the user. The request goes to Active Directory through AD Bridge, and the password stored in Oracle Identity Cloud Service is not used. But if this request fails because of any of the reasons mentioned in the previous question, authentication is then tried using the password stored in the cache. Fallback to the Oracle Identity Cloud Service cached password can be enabled or disabled from the Delegated Authentication settings.

34. When do we cache password in Oracle Identity Cloud Service and for how long it is kept in cache?

Answer: If password caching is enabled and there is no cached password, or the cached password has expired, the password is stored the next time the user successfully logs in to the system. The default expiry window of a cached password is five days, but it can be changed from the Delegated Authentication settings.

35. Why is my AD Bridge installation failing with this message "ID Bridge Installer is failing"?

Answer: You've exceeded the number of domains or the number of Bridge clients allowed for your tenancy. The default limits are specified in question 23.

36. Where are the installation log files created, so that I can triage an installation issue?

Answer: Installer logs are created under the %TEMP% folder on the Windows machine where the installation was attempted. From the Windows Start menu, open the Run prompt and enter "%TEMP%".

You will see three files per install:

  • Identity_Cloud_Service_Microsoft_Active_Directory_Bridge_<timestamp>.log
  • Identity_Cloud_Service_Microsoft_Active_Directory_Bridge_<timestamp>_Internal.log
  • Identity_Cloud_Service_Microsoft_Active_Directory_Bridge_<timestamp>_ad_id_bridge.msi.log

Provide the latest files to Oracle support when you raise a service request.

37. Why am I unable to see my AD attribute in the "Configure Attribute Mapping" section?

Answer: Note that the Directory User Attribute input is not a dropdown menu but a text box with suggestions. You can type anything into the text box, even an attribute that is not present in your AD. Ensure you type the attribute name exactly as it appears in Active Directory, including uppercase and lowercase characters. If you don't, you won't get an error when the mapping is saved, but your AD sync will be impacted: it will not be able to pull this attribute from Active Directory.

The suggestions are based on frequently used AD attributes only. The Oracle Identity Cloud Service attribute field is a dropdown menu, and you will see all the attributes there.

Refer to the following screenshots:

  1. Write your attribute name, for example, "someAdAttribute".
  2. Save your row.

Configure attribute mapping example 1

Configure attribute mapping example 2
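Because the mapping page accepts any text without validating it, the useful check is to look the typed name up in the AD schema before saving the row. The following PowerShell is an added example, not code from the Oracle documentation. It assumes the ActiveDirectory module (RSAT) is installed; "someAdAttribute" is the placeholder name used in the answer above.

```powershell
# Added example, not part of the Oracle documentation: verifies that an attribute
# name typed into the Directory User Attribute box exists in the AD schema with
# exactly that spelling and case, since the box accepts any text (question 37).
# Assumptions: the ActiveDirectory module (RSAT) is installed; "someAdAttribute"
# is the FAQ's placeholder name.
Import-Module ActiveDirectory

function Resolve-AdAttributeName {
    param(
        # Attribute names are letters, digits and hyphens; the pattern also keeps
        # LDAP filter metacharacters out of the query built below.
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z][A-Za-z0-9-]*$')] [string] $Name
    )
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    # lDAPDisplayName is the name used over LDAP and therefore by the Bridge. The
    # LDAP match itself is case-insensitive, so the stored value is compared to
    # the typed one with -ceq to catch 'samaccountname' typed for 'sAMAccountName'.
    $attr = Get-ADObject -SearchBase $schemaNc -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$Name))" `
        -Properties lDAPDisplayName, isSingleValued
    [pscustomobject]@{
        Typed        = $Name
        Exists       = [bool]$attr
        ExactCase    = $(if ($attr) { $attr.lDAPDisplayName -ceq $Name } else { $false })
        SchemaName   = $(if ($attr) { $attr.lDAPDisplayName } else { $null })
        SingleValued = $(if ($attr) { $attr.isSingleValued } else { $null })
    }
}

Resolve-AdAttributeName -Name 'someAdAttribute'   # Exists False unless your schema defines it
Resolve-AdAttributeName -Name 'samaccountname'    # Exists True, ExactCase False, SchemaName sAMAccountName
Resolve-AdAttributeName -Name 'mail'              # Exists True, ExactCase True
```

Exists False means the sync can never pull the attribute; Exists True with ExactCase False means the name is real but the capitalisation differs from the schema, and SchemaName shows the spelling to type into the mapping.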

38. Why does my domain show that it's partially configured and the import option is disabled?

Answer: A partially configured domain indicates that no OU is selected on the configuration page. An OU selection for users, groups, or both is required to configure a domain for sync. Until then there is nothing to import, and import stays disabled.

To configure a domain:

  1. Click the domain to open it.
  2. Select any OU to fetch users and groups from. Note: Users and groups OU selection must be done separately.
  3. You can choose a different set of OUs for users and groups.
  4. Any OU selection for a user or a group will enable the import option.

Import option disabled