Sun Directory Server Enterprise Edition 7.0 Troubleshooting Guide

Using the idsync printstat Command

The idsync printstat command displays the connector IDs and the status of each connector. The output also displays a list of the remaining steps you have to perform to complete the installation and configuration process. This status information can be useful for troubleshooting problems with Identity Synchronization for Windows.

For example, the command is run as follows:

# idsync printstat

Connector ID: CNN100
Type:     Active Directory
Manages: (ldaps://
State:    READY
Connector ID: CNN101
Type:     Sun Java System Directory
Manages: dc=example,dc=com 
State:    READY
Sun Java System 
Message Queue Status:  Started
Checking the System Manager status over the Sun Java System
Message Queue.
System Manager Status:  Started SUCCESS

If the command lists connectors, then you know that your configuration was saved successfully.
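The same check can be scripted against saved printstat output. The following Python sketch is an added example, not part of the original guide or of Identity Synchronization for Windows. The names parse_printstat, findings and ok_states are hypothetical, and the sample text is constructed from the output shown above.

```python
import re

# Constructed sample modelled on the output above; CNN100's Manages value is made up.
SAMPLE = """\
Connector ID: CNN100
Type:     Active Directory
Manages:  example.com (ldaps://ad.example.com:636)
State:    READY
Connector ID: CNN101
Type:     Sun Java System Directory
Manages:  dc=example,dc=com
State:    READY
Sun Java System
Message Queue Status:  Started
Checking the System Manager status over the Sun Java System
Message Queue.
System Manager Status:  Started SUCCESS
"""

# [ \t]* rather than \s* so an empty value never swallows the next line.
FIELD = re.compile(r"(Connector ID|Type|Manages|State|Message Queue Status"
                   r"|System Manager Status):[ \t]*(.*)$", re.M)

def parse_printstat(text):
    """Return (connectors, core): one dict per connector plus core status lines."""
    connectors, core = [], {}
    for m in FIELD.finditer(text):
        key, value = m.group(1), m.group(2).strip()
        if key == "Connector ID":
            connectors.append({"id": value})      # starts a new connector block
        elif key.endswith("Status"):
            core[key] = value
        elif connectors:
            connectors[-1][key.lower()] = value
    return connectors, core

def findings(text, ok_states=("READY",)):
    """Problems found; ok_states is an assumption taken from the sample, adjust it."""
    connectors, core = parse_printstat(text)
    problems = []
    if not connectors:
        problems.append("no connectors listed: configuration may not be saved")
    for c in connectors:
        if c.get("state") not in ok_states:
            problems.append(f"{c['id']} ({c.get('type', '?')}): state {c.get('state', 'missing')}")
    for key in ("Message Queue Status", "System Manager Status"):
        if not core.get(key, "").startswith("Started"):
            problems.append(f"{key}: {core.get(key, 'not reported')}")
    return problems
```

An empty list from findings means every connector is in an accepted state and both core components report Started.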

Troubleshooting Quick Checklist

This checklist provides questions to help guide you in your troubleshooting process:

  1. Was the Directory Server running during resource configuration?

  2. Is the core, including the Message Queue and the System Manager, currently running? On Windows, check for the appropriate service name. On Solaris and Linux, check for the appropriate daemon name. Use the idsync printstat command to verify that the Message Queue and System Manager are active.

  3. Was synchronization started from the Identity Synchronization for Windows console or from the command line?

  4. Are the directory sources that are being synchronized currently running?

  5. Use the Identity Synchronization for Windows console to verify that modifications and creates are synchronized in the expected direction.

  6. If synchronizing users and groups that existed in only one directory source, were these users and groups created in the other directory source using the idsync resync command?

    Note –

    You must run idsync resync whenever there are existing users and groups. If you do not resynchronize existing users, resynchronization behavior remains undefined.

  7. If synchronizing users that existed in both directory sources, were these users linked using the idsync resync command?

  8. If user creates fail from Active Directory or Windows NT to the Directory Server, verify that all mandatory attributes in the Directory Server object class are specified as creation attributes and values for the corresponding attributes are present in the original user entry.

  9. If synchronizing creates from Directory Server to Windows NT and the user creation succeeded, but the account is unusable, verify that the user name does not violate Windows NT requirements.

    For example, if you specify a name that exceeds the maximum allowable length for Windows NT, the user will be created on NT but cannot be used or edited until you rename the user (User -> Rename).

  10. Are the users that fail to synchronize within a Synchronization User List? For example, do they match the base DN and filter of a Synchronization User List? In deployments that include Active Directory, on-demand password synchronization fails silently if the Directory Server entry is not in any Synchronization User List. This most often occurs because the filter on the Synchronization User List is incorrect.

  11. Were the synchronization settings changed? If the synchronization settings changed from only synchronizing users from Active Directory to Directory Server to synchronizing users from the Directory Server to Active Directory, then the Active Directory SSL CA certificate must be added to the connector’s certificate database. The idsync certinfo command reports what SSL certificates must be installed based on the current SSL settings.

  12. Are all host names properly specified and resolvable in DNS? The Active Directory domain controller should be DNS-resolvable from the machine where the Active Directory Connector is running and the machine where the Directory Server Plug-in is running.

  13. Does the IP address of the Active Directory domain controller resolve to the same name that the connector uses to connect to it?

  14. Are multiple Synchronization User Lists configured? If so, are these in conflict? More specific Synchronization User Lists should be ordered before less specific ones using the Console.

  15. If flow is set to bidirectional or from Sun to Windows and there are Active Directory data sources in your deployment, are the connectors configured to use SSL communication?

  16. If you are creating or editing the Directory source, and the Directory Server does not display in the Choose a known server drop-down list, check that the Directory Server is running. The Directory Server must be running to appear in the drop-down list of available hosts.

    If the server in question is down temporarily, type the host and port into the “Specify a server by providing a hostname and port” field.

    Note –

    Identity Synchronization for Windows uses a short host name by default; however, the default host name may not work with your configuration. We recommend using a fully qualified name whenever you are asked to provide a host name.
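Checklist items 12 and 13, together with the note on fully qualified names, can be checked in one pass. The following Python sketch is an added example, not part of the original guide or of Identity Synchronization for Windows. The function check_dc_name, the stand-in resolvers, and all host names and addresses are hypothetical.

```python
import socket

def check_dc_name(name, forward=socket.gethostbyname_ex,
                  reverse=socket.gethostbyaddr):
    """Check the host name a connector uses for the domain controller.

    forward/reverse default to the system resolver and can be replaced with
    stand-ins, as the constructed records below do.
    """
    issues = []
    wanted = name.lower().rstrip(".")
    if "." not in wanted:
        issues.append(f"{name}: short host name, use the fully qualified name")
    try:
        _, _, addresses = forward(name)
    except OSError as exc:          # socket.gaierror/herror derive from OSError
        return issues + [f"{name}: does not resolve ({exc})"]
    for ip in addresses:
        try:
            canonical, aliases, _ = reverse(ip)
        except OSError as exc:
            issues.append(f"{ip}: no reverse record ({exc})")
            continue
        known = {n.lower().rstrip(".") for n in (canonical, *aliases)}
        if wanted not in known:     # item 13: address maps to a different name
            issues.append(f"{ip}: resolves back to {canonical}, not {name}")
    return issues

# Constructed records for an offline run (documentation address range).
_A = {"dc1.example.com": ["192.0.2.10"], "dc1": ["192.0.2.10"],
      "ad.example.com": ["192.0.2.20"]}
_PTR = {"192.0.2.10": "dc1.example.com", "192.0.2.20": "dc2.example.com"}

def fake_forward(name):
    if name not in _A:
        raise socket.gaierror(f"unknown host {name}")
    return name, [], _A[name]

def fake_reverse(ip):
    if ip not in _PTR:
        raise socket.herror(f"no PTR for {ip}")
    return _PTR[ip], [], [ip]

if __name__ == "__main__":
    for host in ("dc1.example.com", "dc1", "ad.example.com", "gone.example.com"):
        print(host, check_dc_name(host, fake_forward, fake_reverse) or "OK")
```

With the default resolvers, run it on both the machine where the Active Directory Connector runs and the machine where the Directory Server Plug-in runs, because each resolves the domain controller independently.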