Oracle Directory Server Enterprise Edition Troubleshooting Guide 11g Release 1 (11.1.1.5.0)
General Troubleshooting Guidelines

This section provides general guidelines to help you troubleshoot problems with Identity Synchronization for Windows. It includes the following sections:


Note - Before you begin troubleshooting your problem, be sure to check the Release Notes for explanations about known issues as well as information about patch requirements.


Configuring and Using the Logs

Some events are not included in a log file until you adjust the log level to FINE or higher. To adjust the log level, see Configuring Your Log Files in Oracle Identity Synchronization for Windows 6.0 Installation and Configuration Guide. The log level should be left as INFO during all idsync resync operations.

When troubleshooting a problem, look at the central error log located in the following directory:

isw-hostname/logs/central/error.log

Almost all errors will be reported in the central error log file. Additional information about the error may be available in the audit.log file. To simplify the correlation between related log entries, the audit.log file also contains the information found in the error log.

For the Windows NT SAM Change Detector subcomponent to be effective, you must turn on the NT audit log as follows:

  1. From the Start menu, go to Programs, Administrative Tools, then User Manager.

  2. Select Policies, then Audit Policies.

  3. Select Audit These Events and check the Success and Failure check boxes for User and Group Management.

  4. Select Event Log Settings in the Event Viewer, Event Log Wrapping menu. Next, select Overwrite Events as Needed.

Using the idsync printstat Command

The idsync printstat command displays the connector IDs and the status of each connector. The output also displays a list of the remaining steps you have to perform to complete the installation and configuration process. This status information can be useful for troubleshooting problems with Identity Synchronization for Windows.

For example, the command is run as follows:

# idsync printstat

Connector ID: CNN100
Type:     Active Directory
Manages:  example.com (ldaps://host2.example.com:636)
State:    READY
Connector ID: CNN101
Type:     Sun Java System Directory
Manages:  dc=example,dc=com (ldap://host1.example.com:389)
State:    READY
Sun Java System Message Queue Status:  Started
Checking the System Manager status over the Sun Java System Message Queue.
System Manager Status:  Started SUCCESS

If the command lists connectors, then you know that your configuration was saved successfully.
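The following added example (not part of the Oracle guide) parses a saved idsync printstat capture and reports connectors that are not yet READY or SYNCING, Active Directory connectors that are not reached over ldaps, and core components not reported as Started. The names audit_printstat and HEALTHY_STATES, and the choice of which states count as healthy, are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the printstat layout; one Manages line is wrapped to
# show the parser tolerates it. The plain-LDAP Active Directory URL and the
# INSTALLED state are invented so the audit has something to report.
SAMPLE = """\
Connector ID: CNN100
Type:     Active Directory
Manages:  example.com (ldap://host2.example.com:389)
State:    READY
Connector ID: CNN101
Type:     Sun Java System Directory
Manages: dc=example,dc=com
(ldap://host1.example.com:389)
State:    INSTALLED
Sun Java System
Message Queue Status:  Started
Checking the System Manager status over the Sun Java System
Message Queue.
System Manager Status:  Started SUCCESS
"""

CONNECTOR = re.compile(
    r"Connector ID:\s*(?P<id>\S+)\s+Type:\s*(?P<type>.+?)\s+"
    r"Manages:\s*(?P<manages>.+?)\s*\((?P<url>[^)]+)\)\s+State:\s*(?P<state>\S+)")
HEALTHY_STATES = {"READY", "SYNCING"}  # assumption: anything else needs attention

def audit_printstat(text):
    """Return a list of findings for one `idsync printstat` capture."""
    findings = []
    connectors = [m.groupdict() for m in CONNECTOR.finditer(text)]
    if not connectors:
        findings.append("no connectors listed: configuration may not be saved")
    for c in connectors:
        if c["state"] not in HEALTHY_STATES:
            findings.append(f"{c['id']}: state {c['state']}")
        # Active Directory sources need SSL for some synchronization flows.
        if c["type"] == "Active Directory" and urlsplit(c["url"]).scheme != "ldaps":
            findings.append(f"{c['id']}: Active Directory over {c['url']} (no SSL)")
    for component in ("Message Queue", "System Manager"):
        m = re.search(rf"{component} Status:\s*(\S+)", text)
        if not m or m.group(1) != "Started":
            findings.append(f"{component}: not reported as Started")
    return findings

if __name__ == "__main__":
    for line in audit_printstat(SAMPLE):
        print(line)
```
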

Troubleshooting Quick Checklist

This checklist provides questions to help guide you in your troubleshooting process:

  1. Was the Directory Server running during resource configuration?

  2. Is the core, including the Message Queue and the System Manager, currently running? On Windows, check for the appropriate service name. On Solaris and Linux, check for the appropriate daemon name. Use the idsync printstat command to verify that the Message Queue and System Manager are active.

  3. Was synchronization started from the Identity Synchronization for Windows console or from the command line?

  4. Are the directory sources that are being synchronized currently running?

  5. Use the Identity Synchronization for Windows console to verify that modifications and creates are synchronized in the expected direction.

  6. If synchronizing users and groups that existed in only one directory source, were these users and groups created in the other directory source using the idsync resync command?


    Note - You must run idsync resync whenever there are existing users and groups. If you do not resynchronize existing users, resynchronization behavior remains undefined.


  7. If synchronizing users that existed in both directory sources, were these users linked using the idsync resync command?

  8. If user creates fail from Active Directory or Windows NT to the Directory Server, verify that all mandatory attributes in the Directory Server object class are specified as creation attributes and values for the corresponding attributes are present in the original user entry.

  9. If synchronizing creates from Directory Server to Windows NT and the user creation succeeded, but the account is unusable, verify that the user name does not violate Windows NT requirements.

    For example, if you specify a name that exceeds the maximum allowable length for Windows NT, the user will be created on NT but cannot be used or edited until you rename the user (User -> Rename).

  10. Are the users that fail to synchronize within a Synchronization User List? For example, do they match the base DN and filter of a Synchronization User List? In deployments that include Active Directory, on-demand password synchronization fails silently if the Directory Server entry is not in any Synchronization User List. This most often occurs because the filter on the Synchronization User List is incorrect.

  11. Were the synchronization settings changed? If the synchronization settings changed from only synchronizing users from Active Directory to Directory Server to synchronizing users from the Directory Server to Active Directory, then the Active Directory SSL CA certificate must be added to the connector’s certificate database. The idsync certinfo command reports what SSL certificates must be installed based on the current SSL settings.

  12. Are all host names properly specified and resolvable in DNS? The Active Directory domain controller should be DNS-resolvable from the machine where the Active Directory Connector is running and the machine where the Directory Server Plug-in is running.

  13. Does the IP address of the Active Directory domain controller resolve to the same name that the connector uses to connect to it?

  14. Are multiple Synchronization User Lists configured? If so, are these in conflict? More specific Synchronization User Lists should be ordered before less specific ones using the Console.

  15. If flow is set to bidirectional or from Sun to Windows and there are Active Directory data sources in your deployment, are the connectors configured to use SSL communication?

  16. If you are creating or editing the Directory source, and the Directory Server does not display in the Choose a known server drop-down list, check that the Directory Server is running. The Directory Server must be running to appear in the drop-down list of available hosts.

    If the server in question is down temporarily, type the host and port into the “Specify a server by providing a hostname and port” field.


    Note - Identity Synchronization for Windows uses a short host name by default; however, the default host name may not work with your configuration. We recommend using a fully qualified name whenever you are asked to provide a host name.
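Checklist items 12 and 13 and the note on fully qualified names can be checked together, as in this added example (not part of the Oracle guide): it resolves the configured domain controller name, resolves each address back, and reports short names, unresolvable names, and addresses that map back to a different name. The function name check_dc_name, the injectable resolver parameters, and the lookup tables are assumptions of this example; run it on both the connector host and the Directory Server Plug-in host.

```python
import socket

def check_dc_name(configured, forward=socket.gethostbyname_ex,
                  reverse=socket.gethostbyaddr):
    """Return problems found for the host name a connector is configured with."""
    want = configured.lower().rstrip(".")
    problems = []
    if "." not in want:
        problems.append(f"{configured}: short host name, use the fully qualified name")
    try:
        _, _, addresses = forward(configured)
    except OSError as exc:  # gaierror and herror are both OSError subclasses
        return problems + [f"{configured}: does not resolve ({exc})"]
    for addr in addresses:
        try:
            primary, aliases, _ = reverse(addr)
        except OSError as exc:
            problems.append(f"{addr}: no reverse record ({exc})")
            continue
        names = {n.lower().rstrip(".") for n in (primary, *aliases)}
        if want not in names:
            problems.append(f"{addr}: resolves back to {primary}, not {configured}")
    return problems

# Constructed lookup tables standing in for DNS so the demo runs offline.
A = {"dc1.example.com": ["192.0.2.10"], "dc2.example.com": ["192.0.2.20"]}
PTR = {"192.0.2.10": "dc1.example.com", "192.0.2.20": "oldname.example.com"}

def fake_forward(name):
    if name not in A:
        raise socket.gaierror(f"unknown host {name}")
    return name, [], A[name]

def fake_reverse(addr):
    if addr not in PTR:
        raise socket.herror(f"no PTR for {addr}")
    return PTR[addr], [], [addr]

if __name__ == "__main__":
    for host in ("dc1.example.com", "dc2.example.com", "dc3"):
        print(host, check_dc_name(host, fake_forward, fake_reverse) or "ok")
```

Calling check_dc_name with only the host name uses the system resolver instead of the constructed tables.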


Troubleshooting Problems with Identity Synchronization for Windows Installation

Confirm that your installation was performed on a clean machine. If you reinstall and the previous installation was not properly uninstalled, errors may occur. For information about uninstalling Identity Synchronization for Windows, see Chapter 7, Removing the Software, in Oracle Identity Synchronization for Windows 6.0 Installation and Configuration Guide.

For information about whether the core installed correctly, see the log file in the following directory:

isw-hostname/logs/central/

If the connector installation failed, but the Identity Synchronization for Windows installation program thinks that the connector is installed, the installation program will not allow you to reinstall the connector.

Run the idsync resetconn command to reset the connector’s state to UNINSTALLED. Next, reinstall the connector.

If you receive the following error while uninstalling the software, you need to increase the size of the swap file mounted at /tmp:

./runInstaller.sh
IOException while making /tmp/SolarisNativeToolkit_5.5.1_1  
executable:java.io.IOException: Not enough space java.io.IOException: Not enough space

After installation, confirm that all of the subcomponents were installed. Directory Server and the Windows NT connectors require subcomponents to be installed after the connector installation. The Directory Server plug-in must be installed in each Directory Server replica.

The Directory Server must be restarted after the Directory Server plug-in is installed. The Windows NT Primary Domain Controller must be restarted after the Windows NT subcomponents are installed.