Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide

ProcedureTo Troubleshoot Issues with Identity Synchronization for Windows 6.0

  1. Are there any problems reported in the central error.log?


    Almost all errors will be reported in the central error log file. Also, additional information about any error is usually available in the audit.log file. To ease correlation of related log entries, the audit.log file also includes all entries in the error log.

  2. Is this problem explained as a known issue in the Release Notes document?

  3. Was the installation performed on a clean machine? Problems might occur when this product is reinstalled if the uninstallation of the previous configuration was not complete. Please refer to Chapter 9, Removing the Software.

  4. Was the Core properly installed? If Core installation completed successfully, then log files will exist in the isw-hostname/logs/central/ directory.

  5. Was the Directory Server running during resource configuration?

  6. Is the Core, including the Message Queue and the System Manager, currently running? On Windows, check for the appropriate service name. On Solaris and Linux, check for the appropriate daemon name. Use the idsync printstat command to verify that the Message Queue and System Manager are active.

  7. Was a configuration saved successfully? If the idsync printstat command lists connectors, then a configuration was saved successfully.

  8. Were all connectors installed? One connector must be installed for each directory source being synchronized.

  9. Were all subcomponents installed? Directory Server and Windows NT Connectors require subcomponents to be installed after the Connector installation. The Directory Server Plug-in must be installed in each Directory Server replica.

  10. Were post-installation procedures followed? The Directory Server must be restarted after the Directory Server Plug-in is installed. The Windows NT Primary Domain Controller must be restarted after the Windows NT subcomponents are installed.

  11. Was synchronization started either from the Console or command line?

  12. Are all connectors currently running?

  13. Verify that all connectors are in the SYNCING state using the Console or idsync printstat.

  14. Are the directory sources being synchronized currently running?

  15. Verify using the Console that modifications and/or creates are synchronized in the expected direction(s).

  16. If synchronizing users and groups that existed in only one directory source, were these users and groups created in the other directory source using the idsync resync command?

    Note –

    You must run idsync resync whenever there are existing users and groups. If you do not resynchronize existing users, resynchronization behavior remains undefined.

  17. If synchronizing users that existed in both directory sources, were these users linked using the idsync resync command?

  18. If user creates fail from Active Directory or Windows NT to the Sun Java System Directory Server, verify that all mandatory attributes in the Directory Server objectclass are specified as creation attributes and values for the corresponding attributes are present in the original user entry.

  19. If synchronizing creates from Directory Server to Windows NT and the user creation succeeded, but the account is unusable, verify that the user name does not violate Windows NT requirements.

    For example, if you specify a name that exceeds the maximum allowable length for Windows NT, the user will be created on NT but will remain unusable and uneditable until you rename the user (User -> Rename).

  20. For the Windows NT SAM Change Detector subcomponent to be effective, you must turn on the NT audit log. Select Start -> Programs -> Administrative Tools -> User Manager, and then select Policies -> Audit Policies. Select Audit These Events and then both the Success and Failure boxes for User and Group Management.

    Select Event Log Settings in the Event Viewer -> Event Log Wrapping, and then select Overwrite Events as Needed.

  21. Are the users that fail to synchronize within a Synchronization User List? For example, do they match the base DN and filter of a Synchronization User List? In deployments that include Active Directory, on-demand password synchronization fails silently if the Sun Java System Directory Server entry is not in any Synchronization User List. This most often occurs because the filter on the Synchronization User List is incorrect.

  22. Were the synchronization settings changed? If the synchronization settings changed from only synchronizing users from Active Directory to the Sun Java System Directory Server to synchronizing users from the Directory Server to Active Directory, then the Active Directory SSL CA certificate must be added to the connector’s certificate database. The idsync certinfo command reports what SSL certificates must been installed based on the current SSL settings.

  23. Are all host names properly specified and resolvable in DNS? The Active Directory domain controller should be DNS-resolvable from the machine where the Active Directory Connector is running and the machine where the Sun Java System Directory Server Plug-in is running.

  24. Does the IP address of the Active Directory domain controller resolve to the same name that the connector uses to connect to it?

  25. Does the source connector detect the change to the user? Use the central audit.log to determine if the connector for the directory source where the user was added or modified detects the modification.

  26. Does the destination connector process this modification?

  27. Are multiple Synchronization User Lists configured? If so, are these in conflict? More specific Synchronization User Lists should be ordered before less specific ones using the Console.

  28. If flow is set to bidirectional or from Sun to Windows and there are Active Directory data sources in your deployment, are the connectors configured to use SSL communication?

  29. If memory problems are suspected on Solaris or Linux environments check the processes. To view which components are running as different processes, enter

    /usr/ucb/ps -gauxwww | grep

    The output gives the full details including the ID of connectors, system manager and central logger. This can be useful to see if any of the processes are consuming excessive memory.

  30. If you are creating or editing the Sun Java System Directory source, and the Directory Server does not display in the Choose a known server drop-down list, check that the Directory Server is running. The Directory Server must be running to appear in the drop down list of available hosts.

    If the server in question is down temporarily, type the host and port into the Specify a server by providing a hostname and port field.

    Note –

    Identity Synchronization for Windows uses a short host name by default; however, the default host name may not work with your configuration. We recommend using a fully qualified name whenever you are asked to provide a host name.

  31. Do you receive the following error while running uninstaller program?

    IOException while making /tmp/SolarisNativeToolkit_5.5.1_1 Not enough space Not enough space

    Increase the size of the swap file mounted at /tmp.